Teaching Old Shellcode New Tricks

Video in TIB AV-Portal: Teaching Old Shellcode New Tricks

CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Metasploit x86 shellcode has been defeated by EMET and other techniques, not only in exploit payloads but also when those payloads are used in non-exploit situations (e.g. binary payload generation, PowerShell deployment, etc.). This talk describes taking Metasploit payloads (minus Stephen Fewer's hash API call), incorporating techniques to bypass Caller/EAF[+] checks (post ASLR/DEP bypass), and merging those techniques together with automation to make something better. There will be lots of fail and some win.
So why this talk? I've been writing shellcode, and have been fond of it, for a number of years now, and it is time for updates on the publicly available shellcode ideas that we have out there. So there are basically two parts: the first is background, and then we go into some actual, more fun topics. So let's start with Stephen Fewer's hash API. It's either called the hash API or the block API; this is what Metasploit payloads hash into. Who knows what that is? Hands up, anybody? So it uses ror13 for the function name and the module name; it's a very simple rotate, and it has roots that go back to 2003, from skape's Understanding Windows Shellcode paper. It's really compact, really efficient, and it's actually somewhat costly because it parses the export table. It works like this, I'll just explain: it does a call over the actual hash API into the actual payload logic, and then there's a very strict API for how this works: it will pop the return address into EBP, then push everything (this is for x86) onto the stack and make a call to EBP. So it goes into the hash API itself, which is going to parse the export address table, then jump into the Windows API, then return back to the payload logic. It will continue until there's no more payload logic and you have done whatever you wanted to do. So there have been some defeats by now. Remember, the hash API came out in August 2009, OK, so just keep that in mind. You can defeat the hash API with EMET, but there are many, many mitigations, right, and if you can get to the payload you have to bypass a number of things; there are going to be a couple of things stopping you. There's also a picture of a binary I'm not going to name, that's my job... but this article is great, it talks about hash collisions, and there's actually a tool that came out called Halting Attacks via Obstructing Configurations, from a DARPA contract.
It's a tool that was made by Digital Operatives. What it does is inject a DLL into the first position of the loaded modules list, and it will contain precomputed hash collisions, so that once you start walking the export table you would crash instead of getting successful exploitation. And then there's Control Flow Guard and Return Flow Guard; we're not really going to talk about those in this talk because they are a different beast. So specifically, I think that EAF and the Caller check were introduced to stop the hash API call. If you see here, EAF was introduced in 2010, you know, very quickly after the hash API. It basically stops the reading of the export table with hardware breakpoints, which is pretty cool; it worked pretty well for a couple of years, but then in 2014 EAF+ was added, and that includes more checks. The Caller check was introduced in 2013; what that does is block jumps directly into a Windows API, so it's more of an anti-ROP thing, but if you remember (I want to quickly explain how that works), the hash API does a jump into the Windows API. So these two protections actually mitigate the hash API itself, because it does a jump into the Windows API. So technically EMET, however you pronounce it, is considered end of life; it is going to end July 31st, 2018, but it still works, and I say it depends on the threat model, because this is the recent
browser exploit versus EMET. So if these people that are doing the things that they shouldn't be doing had hit EMET, they wouldn't have gotten to the payload, because this is a stage that depended on the mitigation, right? So it may be the reason they couldn't get to the payload. If they had a better payload, or paid more for the payload, they wouldn't have this issue, right? So it does still work, and in this case it's like the iPhone in your pocket, because it's easy to implement, versus Control Flow Guard, where developers have to compile for it, and I think Edge is the only browser that has it right now. So how do you do this? There are several bypasses for EMET's EAF+. Skylined, on the Skypher blog (you'd actually have to go to archive.org for it now, but it was a great blog), described a ret-to-libc-style bypass using ntdll alone; I believe those were hard-coded addresses. The link is in my slides if you want to check it out. And then there's Piotr Bania; he also had a blog post on resetting the hardware breakpoints using NtContinue, and then you wouldn't have any more hardware breakpoints for Export Address Filtering. Offensive Security had a very similar EAF bypass; they would use another function that sets the thread context, which also zeroes the hardware breakpoints. So the Caller check is much easier: Jared DeMott in 2014 pointed out that if you get the address of LoadLibraryA, move it into a register, dereference it back into the register and call it directly, the check passes. So after reading Jared's paper I decided to put this into Backdoor Factory itself, so I made some Import Address Table payloads that would use the actual functions that were in the portable executable's import table directly, and this bypassed the EAF and Caller checks. Later on I actually added patching of the Import Address Table so that I could add
whatever API I needed at the time. But yeah, this wasn't everything I wanted to do, because I actually wanted to do some position-independent Import Address Table payloads to see what would happen. So this was December 2014, and I did some research and looked around at what's been done, the prior work. So skape, Matt Miller, I think he might be on Microsoft's mitigation team now; in his paper he talked about parsing the Import Address Table and the export address table, loading a DLL with LoadLibrary so that you have everything needed in that one DLL, like ws2_32, and you can just call the APIs directly from that DLL. A couple of issues with it if you look at it from the EMET perspective, because it still parses the export address table, so that was kind of a non-starter. And then there was another article; this guy has done a lot of work, it's pretty amazing, on the same track. That article talks about Import Address Table parsing and is nice enough to give the starting point, here's actual code, and I don't know what operating system it was for, probably XP Service Pack 1 or 2, but it got me going to where I could understand what I wanted to do. So I wrote my own stuff, and here is what it does.
It finds the PEB, then the PE header and the import table RVA, then loops through to find kernel32 using string matching, right, and then, on the next slide, goes through and finds LoadLibrary and GetProcAddress. What I added at the top is a bounds check, because when looping through import tables sometimes the memory address we're going to read is out of bounds, so I added a null check to make sure that I did not go out of bounds. So it worked pretty well and it is very stable, so I bolted on a reverse TCP shell, and it bypassed all the EMET checks, and I sent that out, and this is the response, pretty much: so really, they knew about import parsing; every time they get named they get crashed, and some of them share... so they had nothing, right. And so my POC was limited just to LoadLibrary and GetProcAddress in the import table of the main module, so it's not really exciting. So this was 2014; I just put it on a file system and let it sit there, and went back to real life and work. Then, if you look at where Casey Smith is at, he executes code in places that you're not expecting, in signed binaries like MSBuild, and so he bypasses whitelisting solutions. I saw him talking about the mitigations, the DEP flag, and I knew exactly what his problem was, so I sent him my Import Address Table stub and we started collaborating. And when I released the code to him he went crazy and used it everywhere. However, he tried using PowerShell, which at first was strange, because if you're running PowerShell you have full access to the Windows API anyway, but sometimes POCs have small constraints, so it didn't have LoadLibrary in the import table. So we started talking about it: were there any loaded modules, another DLL in memory? So he wrote an addition to that, using the same four-byte hash to find the DLL in the loaded modules. So you need
the borrowed code from Stephen Fewer's hash API stub for this. So the HALT-style protection would have to defeat this too, because we use the full DLL name, not just the short name; for that to work you would actually have to throw in that many DLLs to cause a collision, and what you see is there are many DLLs that work, so we're real happy with that. So we had two stubs and we started talking, like, we knew by this point that if you had GetProcAddress anywhere in the module space, in a DLL, you could get LoadLibrary by getting the kernel32 handle and then calling GetProcAddress with the string, and then you have full access to the Windows API. And then to bypass the Caller check, what we did is we put LoadLibrary in EBX, pushed it on the stack, and then the pointer to EBX is what we call through, an indirect pointer. So now we had four stubs that we could use, so that was pretty good; we were excited about that, but I
wanted to know where I could use that, so I wrote scripts that would go through and find anywhere LoadLibrary and GetProcAddress were on a system. These were clean systems, nothing really installed; there's going to be some overlap, yes, but it's basically all of System32. And you can see that Microsoft has made a concerted, or at least somewhat of an, effort to decrease where LoadLibrary and GetProcAddress are imported; it's, you know, sprinkled in. So we had a lot of information, and we were going to submit to a conference, and this was May; we were like, we've got to race that, and then June came and the world fell apart. There was, I think, an exploit kit that used GetProcAddress from user32's Import Address Table; FireEye published it, and then that was retired. So I was pretty depressed, but we decided to go ahead with a blog post
because we wanted to release the POC. What were the things that we had in the POC? We had a Dependency Walker-style script: you give it a binary that is your target, and it would use the output from my scans of LoadLibrary across all the systems; you give it the operating system and it will go through and recursively look at what is loaded, every DLL, and it would give you an option, a non-Caller-check option, that would tell you what DLLs to use. So it would do it statically, right? That was actually kind of cool, but what we really left on the table: I did a WinExec function and a reverse TCP shell, and what's a function, so they crash right away, and that was definitely by design. So we talked about it, like, we want more payloads; we'd basically be able to reuse Metasploit. That's nonsensical, a lot of work, and not nice, you know. And then I got some ideas, and that brings us to the fun part. I had two ideas. The first was to remove Stephen Fewer's hash API and replace it with something that would work, or I could build something that would rewrite all the payloads for me. And unfortunately, foolishly, I decided to rewrite all the things with automation. So payloads follow a specific pattern: it basically works where you push everything onto the stack; this is for x86, and x64 is very similar but just a different calling convention, right. So the last thing pushed is the actual hash, and then the call to EBP calls the hash API. So I devised this workflow: my script would take input, either from stdin or from a file, disassemble it using Capstone (I use Capstone, it's really easy to use), and then capture the blocks of instructions, so every instruction would be tagged with a unique identifier saying this is part of this block. So I had everything captured, the APIs, and I would then capture control flow: I would actually go through, and when I see a control flow statement I'll give
it a unique identifier, and then I would go back through and find the location where it was jumping to and slap a unique identifier on that. The second half was going on without having relocations, and protecting LoadLibraryA and GetProcAddress from being clobbered throughout the entire payload, and figuring out how to do that with automation. And I went at it for five days straight, 12 to 15 hour days, and I didn't solve the problem, in part because there were some payloads that were very straightforward, but others had conditional statements, conditional loops in there, and I was crossing the threshold where, if I just sat down and wrote these payloads out by hand, I could probably knock out, you know, 15 to 20 at least, because I could have some efficiencies in understanding repeated processes. So I decided to burn it down and go to the original idea that I had, the first idea, which was replacing Fewer's hash API with something else. So what I came up with: the original, right, you have the hash API plus the actual payload logic; I use an Import Address Table stub and then an offset table, because you have to translate the four-byte hash into something. If you use the export table you have to figure out what it is, so what is it to call the API? So I had requirements: it had to be usable in read-execute memory, not just read-write-execute, in case I put it into an executable where the section was only read-execute, right? So no encoding within the payload itself without moving it to the stack or some other location. It should be the smallest possible; now, import table parsing is much more expensive than export table parsing. And I had to support any Metasploit shellcode that uses Fewer's hash API. So the first four steps are the same, right: take input, disassemble, capture blocks, find the APIs; so I'm reusing code, that was good. But then I had to build
a lookup table, find the appropriate Import Address Table stub for that table, and then I have to have program output for whatever it's for. So the offset table approach works as follows. You can see here you have four-byte sections followed by two-by-two-byte blocks; the first two bytes are the DLL offset, the location from that point to the ASCII representation of the DLL name, and for the API the same thing. So in this example all the strings are null-terminated, which makes it very easy to push onto the stack, and you can see you get some code reuse because the strings are unique, so there's no reconstruction. So you see here: this is calling kernel32, the next API is something, kernel32 again, the next API is a thread call, and so on and so forth. So this is decoded and pretty straightforward, I think you'll understand it by now. So the way the whole thing worked is you jump over the table, check the first hash in the lookup table, and continue until a match is found. Then move the DLL offset to EAX, normalize it, use LoadLibraryA to get the actual handle of the DLL in memory, then save the DLL handle, load the API offset, normalize it, and use GetProcAddress to get the Windows API handle. Then I have to prepare to call the Windows API: clear the stack, save EAX down the stack so that when I do a pop it immediately ends up back in EAX, save the return address in EBP because it's not covered, and call the Windows API by calling EAX. When it comes back I fix EBP,
go back to the beginning of the Import Address Table stub, and return to the payload logic. So if you look at it as kind of an image, you can see here I do a call over (I just like to use call over, that's why), I do a call over and I pop EBP, and at this point it's the Metasploit logic, the actual logic of the shell. Then I return back into the Import Address Table stub. I tried not to go back to the beginning of the stub every time; I tried to stay within just the lookup table, but with all the different payloads, even if I got it down to one register where I could push the two values of LoadLibrary and GetProcAddress onto the stack and call from one value, just do an offset plus four, the problem was that register got clobbered when I went to a more complicated payload, so I have to go back to the beginning of the Import Address Table stub and find stuff again. So then it calls out, actually a jump, to the Windows API, returns back into the lookup table, and then does a return to the payload logic, then continues until there's no more logic, right. So the initial POC only took 12 hours, the offset table design and everything took about 12 hours, adding it to the workflow about another 12, and finalizing the tool, I won't talk about that, it took a lot. But I'm happy with where it's going, and what's really fun about this is that now the API hashes, besides being parsed the first time, are completely meaningless after I figure out what API they are, so I can do whatever I want with them. And I came to find out that antivirus depends on them for signatures, yeah, and you know what happens if we mangle them. So I added the ability to mangle the hashes; I'll show a demo.
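As an added illustration (not code from the talk or from Fido), here is a Python reconstruction of the lookup-table layout described above, together with Stephen Fewer's published ror13 hash and a hash-constant scanner of the kind the talk says antivirus signatures rely on. The offset base (the table start) and the all-zero terminator record are assumptions, and the sample inputs are constructed.

```python
import struct
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` (the x86 ror semantics)."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(module: str, function: str) -> int:
    """Stephen Fewer's API hash as published with the Metasploit block_api stub:
    ror13-accumulate the upper-cased UTF-16LE module name (terminator included),
    ror13-accumulate the ASCII function name (terminator included), add both."""
    h_mod = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):
        h_mod = (ror32(h_mod, 13) + b) & MASK32
    h_fn = 0
    for b in (function + "\x00").encode("ascii"):
        h_fn = (ror32(h_fn, 13) + b) & MASK32
    return (h_mod + h_fn) & MASK32


# Table layout reconstructed from the talk's description (not Fido's own code):
#   record: <u32 hash><u16 dll_off><u16 api_off>, offsets relative to the start
#   of the table (assumption), each pointing at a NUL-terminated ASCII string
#   that is stored once and shared between records; an all-zero record ends
#   the list (assumption: the talk mentions no terminator).
RECORD = struct.Struct("<IHH")


def build_offset_table(entries: List[Tuple[int, str, str]]) -> bytes:
    """Pack (hash, dll, api) triples into the table above, interning strings."""
    string_blob = bytearray()
    interned: Dict[str, int] = {}
    strings_start = RECORD.size * (len(entries) + 1)  # records + terminator

    def intern(s: str) -> int:
        if s not in interned:
            interned[s] = strings_start + len(string_blob)
            string_blob.extend(s.encode("ascii") + b"\x00")
        return interned[s]

    records = [RECORD.pack(h, intern(dll), intern(api)) for h, dll, api in entries]
    records.append(RECORD.pack(0, 0, 0))
    return b"".join(records) + bytes(string_blob)


def decode_offset_table(table: bytes) -> Dict[int, Tuple[str, str]]:
    """Walk the records until the zero terminator and resolve each hash to the
    (dll, api) strings it points at: the analyst-side inverse of the stub's
    lookup loop. The hash values carry no meaning here, which is why the talk
    can re-key ("mangle") them freely."""
    def cstr(off: int) -> str:
        return table[off:table.index(b"\x00", off)].decode("ascii")

    resolved: Dict[int, Tuple[str, str]] = {}
    pos = 0
    while True:
        h, dll_off, api_off = RECORD.unpack_from(table, pos)
        if h == 0:
            return resolved
        resolved[h] = (cstr(dll_off), cstr(api_off))
        pos += RECORD.size


def find_api_hashes(blob: bytes, known: Dict[int, str]) -> List[Tuple[int, str]]:
    """Signature-style scan for little-endian dwords equal to known ror13 hashes,
    the kind of static check that stops matching once the hashes are mangled.
    Returns (offset, "dll!api") pairs."""
    hits = []
    for off in range(len(blob) - 3):
        (dword,) = struct.unpack_from("<I", blob, off)
        if dword in known:
            hits.append((off, known[dword]))
    return hits


if __name__ == "__main__":
    # Constructed sample: the two imports the talk's stub relies on.
    apis = [("kernel32.dll", "LoadLibraryA"), ("kernel32.dll", "GetProcAddress")]
    known = {ror13_hash(d, f): f"{d}!{f}" for d, f in apis}
    table = build_offset_table([(h, *name.split("!")) for h, name in known.items()])
    for h, (dll, api) in decode_offset_table(table).items():
        print(f"{h:08x} -> {dll}!{api}")
    # A constructed blob embedding one hash constant; the scanner reports it.
    sample = b"\x90" * 4 + list(known)[0].to_bytes(4, "little") + b"\xcc"
    print(find_api_hashes(sample, known))
```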
So the first thing I'm going to do is just generate an msfvenom reverse TCP shell and put it into a straight binary file, just normal binary output. Now I'm going to use Fido (I call it Fido): I cat the binary format into Fido, and I'm going to call it with LoadLibraryA and GetProcAddress for the main module, and I'm targeting a certain binary; I know that LoadLibrary and GetProcAddress are in the import table of the executable that I target. So you see here I strip off Fewer's hash API, disassemble the payload and print out the APIs that are being used, then I show the string table just as a check, and then I go through and output the rest. Now I'm going to use Backdoor Factory to append the section and throw it on the target, and of course Windows Defender finds it right away. We do the same thing, but this time I use -M for mangle, and you can see it go through and show the mangling of each hash. What I do is go into the actual payload logic and update the hashes to match, and it did not catch it right away. So I set up a netcat listener, and there you have the
shell. Right, so this is called Fido; I couldn't think of anything creative. It accepts stdin, and it will parse the payload based on the target executable, or you can decide, if you know about the target executable, what you want to use. So if you know it has GetProcAddress, you say GPA, and then with -D you can provide the target binary and it'll go through and do a Dependency Walker-style recursive look at all the DLLs on the target OS, because it does matter, and I have XP, Vista, 7, 8 and 10 with all the libraries (I needed to update those based on stuff I found in the last couple of days). Then you can either take stdin or enter the code, and I'll show you what the DLL option stands for in a second. And then you have different output: you can mangle, as I showed you, and you have different output such as C, Python and C# output, and the normal output is stdout in raw binary format. And you take your parser stubs, so you have the GPA and LL stubs, the Caller-check variants, and you have EXTERN; you use EXTERN when you need to know what DLL is in memory, and then the import table, or what part of the portable executable; there are only two options. So with testing I had a
lot of issues with some core DLLs, mainly on Windows 7, and I was building a blacklist just to avoid them, and it kept growing, and I started to worry what was going on; it was only, like I said, on Windows 7 to 10. Then if you look, you see kernel32 there: I thought it was weird that kernel32 had GetProcAddress in its import table, so I just ignored it at first, but then I went to find out. It's the api-ms-win-core DLLs, and these are the exposed implementation of the Windows API, and they've existed since Windows 7. GetProcAddress is implemented there, as well as LoadLibrary; GetProcAddress is implemented in the library loader one, and there's only some letters and numbers behind it in the DLL name, and normally you use them for portability reasons. And it's in every process; these are in every process, it's predictable, they're there, and you can use them if they're in the import table of a DLL. It's pretty cool, it's everywhere; I can't say this enough, it's in every process because it's in kernel32. So there's a view of kernel32: you can see the api-ms-win-core library loader loaded, and you see GetProcAddress as an import. So just to explain what we're talking about here: all we need is GetProcAddress in any DLL's import table to access the entire Windows API through imports. Since Windows 7 there's been GetProcAddress in kernel32's import table, so we've had a very stable EMET Caller check bypass opportunity since Windows 7, and I haven't heard of anyone using that. So this is critical. By the way, GetProcAddress is not the only one, because within the library loader API DLL there's also LoadLibraryExA; "Ex" means extended. The difference: they're basically the same. LoadLibraryA is LoadLibraryExA with a 0 as the third parameter, so that's what you might call to get LoadLibrary, that's what's being handled, and this is completely reliable on Windows 7. I don't have Windows 8 on me right now, so I haven't tested it, but it's not reliable on Windows 10, not yet. And yes, you can actually use this in programs, so I have a demo with Tor Browser, the recent one.
Right, so first I want to show you here: I went ahead and disabled the Caller check and ran the original exploit (the shaded area is the target), and you can see at the bottom there that EAF catches it. Now if you run the bypass with the Caller check applied on the stub, it completely bypasses everything. So this is the quick version of what I did: I took the Firefox executable, that's what Tor Browser uses, and ran it with -D, and what it's doing right now is checking for Windows 7 availability, going through and actually doing the recursive parsing to figure out what would be loaded in memory. Now it's not going to look at the custom DLLs that come with Tor; it's looking at what is in the system. So the output, as you can see, shows what LoadLibrary and GetProcAddress binaries are available; these DLLs have these two APIs in their import table. Then you see the GPA binaries available, and you can see that I've outlined the api-ms-win-core DLLs; I'm not even using them here. The next one is kernel32, and I am using kernel32: it is using EXTERN GPA, so it's using GetProcAddress in kernel32's import table from the api-ms-win-core library loader DLL, and I'm pushing that through a call to the Tor Browser encoder, because the exploit delivers it via a JavaScript object, so it just happens to be a Python list inside a Python list. What I did next is I just put the list there in the JavaScript, then copy it over, comment and uncomment, and then execute the payload to demonstrate that EAF+ is bypassed.
Right. So there are some issues, not yet solved, with my script. So if you're using Metasploit, you're using Meterpreter, right? My API is compatible with Meterpreter staged payloads, so they do not have Stephen's hash API call; the problem is that when a staged payload comes back over, the second stage, if you do multi-stage, is going to have Stephen's hash API in it essentially, so it will fail. So what needs to be done to make this fully compatible: you run your own version of Metasploit, or update Metasploit, and it will take a lot of work. Also, the x64 side of the house I haven't done yet. So yeah, that's pretty much all I had. As for Control Flow Guard and Return Flow Guard, the implications: I cannot make an intelligent assessment on that at this point; I don't know enough about what the impact is. And the code is going to be there; I'm releasing it in the next couple of minutes. Any questions? Thanks.