
LT - Cross Platform Metasploit Payloads - B Perry

BSides Las Vegas · 10:39 · Published 2017-03
About this talk
LT - Cross Platform Metasploit Payloads - B Perry. Lightning Talks, BSidesLV 2013 - Tuscany Hotel - August 01, 2013

Transcript [en]

Sure about that? You sure about the... oh, there it goes. So I'm going to talk about C# Metasploit payloads: basically using Metasploit's msfpayload to generate x86 shellcode that's going to be run from managed code. Because you can use things like Mono on Linux (Mono comes pre-installed on most modern Linux installations now, Fedora, SUSE, things like that) and all modern Windows have the .NET Framework installed too, you can run these executables that you compile, which are .NET executables, on Linux or Windows with no issue. So, just a really, really high-level overview of what it does: I added support to msfpayload to generate C# buffers. Let's see, oh, I need to...

Sorry, sorry. So basically you can use msfpayload and then you specify, it's kind of hard to read, but you use the letter H. So C would generate a C buffer for C shellcode, I think P does Python, and things like that, so you use H. H was the only thing we could think of that was in "C#" that wasn't in all the other ones, to denote it's going to be a C# payload. And so it spits out a buffer like that, and all of those bytes right there are the x86 shellcode that you're going to want to do. So that's a Windows executable, or Windows x86 shellcode, to execute calc.exe.

And what I did was, I've got this C# program right here. Does anyone not know what C# is? They don't know what .NET is, managed code? So basically managed code is kind of like Java bytecode: it runs in a virtual machine, which is the .NET Framework or the Mono virtual machine. And so it's cross-platform; it's not reliant on the architecture that you're running it on. So basically what I do here is I've got a program that will check the OS version to see what OS you're running. So if it's Windows I do all this stuff down here. You have a lot of ways to interact with native code from C#, so at the very bottom of this class right here I'm actually defining a bunch of methods that interface with native libraries. See, I'm importing some functions from libc: mprotect, posix_memalign, free. From kernel32 I'm getting VirtualAlloc so that I can allocate memory that's going to be writable and executable. And then I declare these delegates, which in C# are kind of like function pointers in C++, so you can dynamically assign them to functions that are going to be called. And you can specify the calling convention, so you'll see the Linux one, you're going to be calling the function pointer as cdecl; the Windows one is going to be standard call, or the WinAPI calling convention.

And so basically what I'm going to do is essentially the way you would do it in a C program: you allocate the memory, you fill the memory buffer with the shellcode, and then you execute the shellcode. Of both of these ways, the Linux one is obviously more complicated; Windows is like three lines, that's the three lines right there, you allocate it, copy it over. But basically what you do is you have to figure out what operating system you're going to be running the shellcode on; that's Environment.OSVersion. I use IntPtr.Size to figure out if I'm on x86 or x64: so if it's an x86 machine the IntPtr size is four, the IntPtr size on x86 is 8, so if it's equal to 4 then it's x86, if not then it's going to be x64. So I have my... these are all x86 shellcode, it's native shellcode that's going to be run on it.

I don't have a Windows virtual machine, so I'm not going to get to show you it running on Windows, but I mean the Windows one is super easy. You use VirtualAlloc to allocate a memory buffer the size of the payload; you can specify the modes, so at the very end you see I've got an IntPtr of 0x40, which is read-write-execute, it's a readable, writable, executable page. Right underneath it I copy my payload into the memory buffer itself, and then I use the GetDelegateForFunctionPointer method that's available in the System.Runtime.InteropServices namespace to get a function pointer that I assign to the delegate which I declared at the very bottom, which I just showed you. And then I just call the method, and that basically calls it as an unmanaged function pointer, and your shellcode gets run.

[Audience] Can you go back to line 64, right at the end of the screen? I scrolled off that one. Yeah, can you go back to the IntPtr...

Oh yeah, that's just a comment. So basically 0x1000 is MEM_COMMIT, that's the MEM_COMMIT, and then page read-write-execute is the 0x40. So if you keep going down, basically I'm detecting what my architecture is, deciding which shellcode I'm going to run. All of the shellcode that I used was generated with msfpayload. So I do the same thing for Linux as you would in a C program: I use posix_memalign to allocate my page, I check to make sure that I'm actually allocating successfully, and then I do this mode right here, which is read-write-execute. You have to be careful with this on Linux for SELinux and stuff, and I'm actually going to show you something to get around that. I didn't implement it, but I found a really neat way to get around allocating writable and executable memory on SELinux; it doesn't work on PaX, though. So basically I use posix_memalign to allocate my memory, I use mprotect to change it to readable, writable and executable, I copy my payload in there, I use the same Marshal.GetDelegateForFunctionPointer method that I use on the Windows one, and I call it. And if I run it you'll see... that sucks. Oh, what the hell, this just worked, I just ran it. I don't know what that's doing. So basically the command that the shellcode is running is whoami, so it should print out my username. [inaudible] can't read it.

[Audience] Why is it doing that?

Well, usually this works. I have no idea why this is failing to work; it's because I'm doing a demo. Well, I wish I knew why it wasn't working. So I guess, any comments at the bottom? I don't really have any comments at the bottom. This is all on GitHub. There's no real... I mean, this is just the declarations for the methods that I'm going to be using for P/Invoke in managed code. I wish it were running. I have no idea, I was just running it when I was over there, so I don't know why this isn't running. So let me open up... with the caveat that I found with running it on SELinux, there's actually a way. I don't have internet, so this is living out of the cache. There's this guy, Drepper, something; his first name starts with a D, his last name is Drepper or something. He came up with this technique where you basically create one file pointer and then you map it twice: you map it first read-write, and then execute and read on the second one. So that way you're not having to do read-write-execute on one thing, and that's what SELinux looks for, right? It's looking for if you're allocating memory that's writable and executable [inaudible].

So he takes the same file pointer and he makes a write one right here, which is read-write; makes another one that's executable, read and execute, on the same file pointer; it's just mapping it twice. And then he writes the stuff using one file pointer and then executes it using the other file pointer, and he actually gets around executing shellcode on SELinux by using this technique. You can Google "Drepper SELinux" and this page comes up. I really, really wish my demo worked, because it's really awesome.

[Audience] Does that message down at the bottom mean anything?

No, it says cannot open assembly because it's not a valid [inaudible]. Let me try... I'm going to try rebuilding, cleaning it, rebuilding it; maybe for some reason it got... yeah, there it goes. Okay, so that's my username. So the shellcode that's running is just linux/x86/exec whoami, /usr/bin/whoami. And that was the x86... probably the 64-bit one, yeah, so it's this one right here, and that's just shellcode that Metasploit generated for me. I uploaded this to VirusTotal and only four of the VirusTotal engines picked it up, and none of them picked it up as Metasploit. A lot of times if you upload a Metasploit payload it will say this is a Metasploit payload; they just understood that there was shellcode inside of it. So you could totally opt to obfuscate the shellcode inside using an encryption method or something like that, and then decrypt it right before you want to load it into memory. I don't have internet on this machine, but if you go to github.com/brandonprry (Brandon Perry, with no e in the last name), it's in a gist that you can just download and play with. So, any questions on running that kind of stuff? All right. [Applause]