Common technique in Bypassing Stuff in Python.
Uploaded by shahriman
Bypass AV in Python by y0nd13.
Quick introduction to Python
• Installed by default in every major Linux distribution
• Can be installed, or run as a portable tool, on Windows
How an interpreted language works
Hello World in Python
Easy right!!
So what’s the big deal?
• Python supports a Foreign Function Interface (FFI) through ctypes: http://docs.python.org/2/library/ctypes.html
• ctypes provides C-compatible data types and allows calling functions in DLLs or shared libraries; it can be used to wrap these libraries in pure Python.
• Smell profits!
• An alternative to the import system for reaching OS functionality
• Good for post-exploitation
• Bypass AV
Quick Introduction to Python FFI
A simple MessageBoxA
• From MSDN
• Requires 4 arguments:
How to understand it quickly
• HWND hWnd – a handle to the owner window of the message box. If this parameter is NULL, the message box has no owner window (so we pass NULL; in Python ctypes that is None).
• LPCTSTR lpText – a string for the text
• LPCTSTR lpCaption – a string for the message box title
• UINT uType – an unsigned integer selecting buttons and icon (0 = MB_OK)
• _In_opt_ is a SAL annotation saying NULL is an acceptable value for that parameter
SAL annotation shortcut

| | Parameter is required | Parameter is optional |
|---|---|---|
| Input to called function | _In_ | _In_opt_ |
| Input to called function, and output to caller | _Inout_ | _Inout_opt_ |
| Output to caller | _Out_ | _Out_opt_ |
| Output of pointer to caller | _Outptr_ | _Outptr_opt_ |
How easy is it to pop up a MessageBox in Python?
• Simple (Python 2, where "Hello World" is already a byte string; on Python 3 pass b"Hello World" and b"Title", or call MessageBoxW with str):

import ctypes
ctypes.windll.user32.MessageBoxA(None, "Hello World", "Title", 0)
How about WinExec?
• WinExec is a classic function dating from 16-bit Windows. Only 2 arguments are needed.
• From MSDN
• We know lpCmdLine is a string holding the executable path, but what value should we put in uCmdShow?
uCmdShow from MSDN
• http://msdn.microsoft.com/en-us/library/windows/desktop/ms633548(v=vs.85).aspx
To spawn calc (uCmdShow = 1 is SW_SHOWNORMAL; a raw string keeps the backslashes intact):

import ctypes
ctypes.windll.kernel32.WinExec(r"C:\Windows\system32\calc.exe", 1)
GetCurrentProcessId()
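The slide above and the FFI introduction earlier only show the Windows-side call. The following is an added example (not the deck's code) of the same ctypes pattern with the prototypes declared through argtypes/restype, so it runs on Windows (kernel32.GetCurrentProcessId, msvcrt.strlen) and on POSIX (libc getpid, strlen). The helper names and the strlen demonstration are this example's own choices, not something the deck mentions.

```python
import ctypes
import os
import sys


def _load_c_runtime():
    """Return the C runtime: msvcrt on Windows, the process-global libc elsewhere."""
    if sys.platform == "win32":
        return ctypes.cdll.msvcrt
    return ctypes.CDLL(None)  # dlopen(NULL): symbols already mapped into the interpreter


def current_pid() -> int:
    """GetCurrentProcessId() on Windows (the deck's slide), getpid() elsewhere."""
    if sys.platform == "win32":
        fn = ctypes.windll.kernel32.GetCurrentProcessId
        fn.argtypes = []                 # the function takes no parameters
        fn.restype = ctypes.c_uint32     # DWORD
    else:
        fn = _load_c_runtime().getpid
        fn.argtypes = []
        fn.restype = ctypes.c_int        # pid_t
    return fn()


def pid_matches_os() -> bool:
    """Cross-check the FFI result against the interpreter's own os.getpid()."""
    return current_pid() == os.getpid()


def ffi_strlen(data: bytes) -> int:
    """strlen() through ctypes with argtypes set: an LPCSTR-style parameter
    accepts bytes only, so the type check happens at the call site."""
    fn = _load_c_runtime().strlen
    fn.argtypes = [ctypes.c_char_p]
    fn.restype = ctypes.c_size_t
    return fn(data)


def strlen_rejects_str() -> bool:
    """Show what the declared prototype buys us: a Python 3 str (not bytes) is
    rejected with ctypes.ArgumentError instead of being passed as garbage."""
    try:
        ffi_strlen("not bytes")  # deliberately wrong type
    except ctypes.ArgumentError:
        return True
    return False


if __name__ == "__main__":
    print("pid via FFI:", current_pid(), "os.getpid():", os.getpid())
    print("strlen:", ffi_strlen(b"Hello World"))
    print("str rejected by the prototype:", strlen_rejects_str())
```

Declaring argtypes and restype is the part the one-liners on the slides skip: without them ctypes guesses from the Python values, which is exactly how the Python 3 str/bytes mix-up behind MessageBoxA goes unnoticed until the box shows garbage.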
How about executing shellcode?
• Many ways
  – File dropping technique (bad)
  – Code injection technique (bad)
  – In-memory technique (good)
• File dropping is bad: the payload touches disk, so antivirus/anti-malware scans it immediately and triggers.
• Code injection modifies another binary's integrity; HIPS may raise an alert.
• Why shellcode? Because we can!
In-memory technique
• We chain four APIs to execute our shellcode:
  – VirtualAlloc()
  – WriteProcessMemory()
  – CreateThread()
  – WaitForSingleObject()
VirtualAlloc()
• lpAddress = NULL (let the kernel choose the address)
• dwSize = length of the shellcode (the allocation is rounded up to a page anyway)
• flAllocationType = MEM_COMMIT | MEM_RESERVE (0x1000 | 0x2000 = 0x3000)
• flProtect = PAGE_EXECUTE_READWRITE (0x40)
WriteProcessMemory()
• hProcess = -1, the pseudo-handle for the current process (what GetCurrentProcess() returns), since we are writing into ourselves
• lpBaseAddress = the pointer returned by VirtualAlloc()
• lpBuffer = a pointer to our shellcode buffer (ctypes.create_string_buffer)
• nSize = the shellcode length. Do not "double it to be safe": nSize is read from lpBuffer, so anything past the real length copies whatever happens to follow the buffer in memory. If you want slack, oversize the VirtualAlloc() reservation instead.
• lpNumberOfBytesWritten = NULL (None)
CreateThread()
• Everything is 0/NULL except lpStartAddress, which is the address VirtualAlloc() returned: the new thread starts executing at the first byte of the shellcode
WaitForSingleObject()
• The slide's "-1, -1": the second -1 is INFINITE (0xFFFFFFFF as a DWORD). The first should be the thread handle CreateThread() returned; passing -1 there waits on the current-process pseudo-handle, which never becomes signalled, so the main thread simply blocks forever while the shellcode thread runs. Waiting on the real thread handle lets the script continue once the shellcode returns.
P.O.C
• Inspired by SK's training: use "\xcc" (int3) as the shellcode, so a debugger attached to python.exe breaks exactly where the payload starts executing.
Using OllyDBG
Attached with Olly
Native code executing inside the Python process
Second PoC: the calc shellcode
(Optional) Freeze it to an exe
• Using PyInstaller
Simple2
Exercise
• Creating a reverse shell is a piece of cake!
Reference
• Understanding Windows Shellcode, skape: http://www.hick.org/code/skape/papers/win32-shellcode.pdf
• Advanced Windows Shellcode, SK (Phrack 62): http://www.phrack.org/issues.html?id=7&issue=62
• MSDN: http://msdn.microsoft.com/en-US/