Reverse TCP x64 RC4 via max3raza's rc4_x64 asm #9565
Conversation
To round out the work done by mihi for x86 stages back in the day, this PR provides x64 Windows stage encryption in RC4 via assembly written/modified by max3raza during adjacent work on DNS tunneled transport.

Stage encryption differs from encoding in that there is no decoder stub or key material carried with the stage which can be used by defensive systems to decode and identify the contents. Persistence payloads, oob-delivered stage0, and other contexts benefit heavily from this as their subsequent stage is difficult to detect/identify, and the chance of accidental execution of the wrong payload/stage is drastically reduced if separate keys are in play for individual targets - acquiring the wrong stage will result in decryption failure and prevent further execution.

For historical context, all of the RC4 stagers implement in-place decryption via stage0 for the contents of stage1 using the provided passphrase converted to a key and embedded in stage0 as part of the payload.

Testing:
In-house testing with Max - we got sessions, loaded extensions.

Notes:
All credit for the work goes to Max3raza - big ups for getting this knocked out.
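The description above outlines the mechanism (passphrase becomes an RC4 key, stage0 XORs stage1 in place with the keystream, a wrong key yields an unusable stage) and the assembly hunk reviewed further down is the PRGA inner loop of that scheme. The following Ruby is an added illustration written for this page, not code from the PR or from Metasploit: it implements plain RC4 (KSA plus the same PRGA steps the asm performs), decrypts a constructed sample stage in place, and shows the caveat the description's "decryption failure" wording glosses over: RC4 carries no integrity check, so a wrong key produces silent garbage rather than an error, and the only way to notice is to validate the recovered plaintext. The helper names, the use of the raw passphrase bytes as the key, and the `MZ`-prefixed sample stage are assumptions made here; the real key derivation is not shown on this page.

```ruby
# Added example for this page, not Metasploit code. Plain RC4 as the
# description outlines it: passphrase -> S-box (KSA), then in-place XOR of
# the stage bytes with the keystream (PRGA). Helper names are hypothetical.

# Key-scheduling algorithm: build the 256-byte S-box from the key bytes.
# Assumption: the raw passphrase bytes are the key (the PR's real
# passphrase-to-key step is not shown on this page).
def rc4_ksa(key)
  raise ArgumentError, 'key must be 1..256 bytes' unless (1..256).cover?(key.bytesize)
  s  = (0..255).to_a
  kb = key.bytes
  j  = 0
  256.times do |i|
    j = (j + s[i] + kb[i % kb.length]) & 0xff
    s[i], s[j] = s[j], s[i]
  end
  s
end

# PRGA, the same steps the reviewed asm performs per byte:
#   i += 1; j += S[i]; swap S[i],S[j]; buf[n] ^= S[(S[i] + S[j]) & 0xff]
# Operates on a mutable byte array in place, mirroring stage0 decrypting
# stage1 where it sits in memory. Note the '& 0xff' on every index: the
# S-box is 256 bytes, so any index must be reduced to a byte first.
def rc4_xor_in_place!(s, buf)
  i = j = 0
  buf.each_index do |n|
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    buf[n] ^= s[(s[i] + s[j]) & 0xff]
  end
  buf
end

# RC4 is symmetric: the same call encrypts and decrypts.
def rc4_crypt(key, data)
  rc4_xor_in_place!(rc4_ksa(key), data.bytes).pack('C*')
end

# The caveat: RC4 gives no signal on a wrong key. The only check available
# to stage0 (or to an analyst) is whether the plaintext looks like the
# expected stage. Here the check is a constructed 'MZ' prefix assumption.
def decrypt_stage(passphrase, encrypted_stage, expected_prefix = "MZ".b)
  plain = rc4_crypt(passphrase, encrypted_stage)
  status = plain.start_with?(expected_prefix) ? :ok : :mismatch
  [status, plain]
end

if __FILE__ == $0
  # Constructed sample stage: an 'MZ' header followed by filler bytes.
  stage = "MZ".b + ("\x90".b * 30)
  enc   = rc4_crypt("per-target-passphrase", stage)
  puts "ciphertext differs from stage: #{enc != stage}"
  puts "correct key: #{decrypt_stage('per-target-passphrase', enc).first}"
  puts "wrong key:   #{decrypt_stage('some-other-target', enc).first}"
end
```

Usage: run the file directly to see the correct passphrase recover the stage and the wrong one return `:mismatch` without raising. Two standard RC4 test vectors (key `Key`/plaintext `Plaintext`, key `Wiki`/plaintext `pedia`) are a quick way to confirm the PRGA matches the reference cipher before comparing it against the assembly.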
mov [r8+rax], dl | ||
add dl, [r8+rbx] ; DL = S[AL]+S[BL] | ||
mov dl, [r8+rdx] ; DL = S[DL] | ||
xor [r9], dl ; [EBP] ^= DL |
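Review bot: `mov dl, [r8+rdx]` indexes the S-box with the full 64-bit rdx although the preceding `add dl, [r8+rbx]` only updated the low byte; unless the upper 56 bits of rdx are guaranteed zero at this point, the load can land outside the 256-byte table. Consider zero-extending before the lookup, e.g. `movzx edx, dl` ahead of `mov dl, [r8+rdx]`, or keeping rdx cleared on entry to the loop. The same question applies to rax and rbx in `[r8+rax]` and `[r8+rbx]`.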
That comment should be changed to refer to R9 instead of EBP. By the way, good idea to avoid clobbering EBP ....
pop rsi ; rsi = RC4 key | ||
#{asm_decrypt_rc4} | ||
pop rdi ; restrore socket handle | ||
pop rbp ; restore rbp |
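Review bot: typo in the comment on `pop rdi ; restrore socket handle` (should read "restore"). The pops here must mirror the earlier pushes in reverse order, so if the rbp save is removed, this `pop rbp` has to go with it in the same change or the socket handle and key end up in the wrong registers.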
... but then you can remove this pop RBP and the associated push RBP in line 170 as well.
Apart from that, I don't see any obvious mistakes. Did not test it though (and the payload creation changed a lot since I last touched it :D )
@schierlm: thanks for looking into it. Not much has changed under the skin, I just took your original shellcode and converted it to metasm a couple of years back; we repeated that pattern here. This is a bunch easier since we're not injecting values at offsets anymore, but actually assembling the interpolated strings of asm on the fly.
Been using this a few days now, seems to work. Still seeing packet forwarding issues, but that's something in the windows bins (not just mine, upstream too) as it doesn't happen w mettle... @busterb: we should add mettle windows stagers for this too :-)
I'm seeing failures across the board on x64 Windows for file creation (upload) using post/test/meterpreter. The error is present in reverse_tcp and reverse_tcp_rc4. It is not there on upstream/master. On this branch, the payload works great, but when running the tests, it hits this every time:
I had a few minutes to run the test, but I'm on something else currently. If no one runs this down before I get a chance, I'll try and figure out what's happening when I get some spare cycles.
@bwatters-r7 note that upload was temporarily broken (like 24 hours), so you may need to rebase or merge master to get the fix. Probably unrelated to this PR, just bad timing!
@bcook-r7 Thanks; that makes sense. I did a quick scan and was at a loss to explain why this code broke that functionality.
Yeah we are all done executing any of this by the time you're in stdapi... I call gremlins.
FYI, when merged with master (4b8a8fa), everything passes:
Release Notes: RC4 encryption support has been added for windows/x64/meterpreter/reverse_tcp payloads.
…rc4_x64 asm"" Double revert....`
This reverts commit 7964868.
Next steps:
ping @max3raza - the man of the hour, deserving of a beer or two if anyone's in his neck of the woods. The defconrussia guys (Max and Alex) are expanding our core functionality pretty significantly, hats off to them both.
ping @busterb, @acammack-r7, @OJ, and @schierlm for review