Wednesday 10 August 2016

GSoC Work Submission

Hello,

This is the direct link to all the work that is done during GSOC period :
PR Link: https://github.com/zscproject/OWASP-ZSC/pulls?utf8=%E2%9C%93&q=is%3Apr%20is%3Aclosed%20author%3APratik151%20created%3A2016-05-23..2016-08-15

Commits link : https://github.com/zscproject/OWASP-ZSC/commits?author=Pratik151&page=1

First part of my project was writing Windows Shellcode, It was great part to learn about shellcode as I didn't have much knowledge about shellcode before I started contributing to ZSC.

At first I created Opcoder which converts the assembly code to opcodes - https://github.com/zscproject/OWASP-ZSC/blob/master/lib/opcoder/windows_x86.py

Then I created Windows Execute Shellcode which takes parameter as filename to be executed to generate shellcode - https://github.com/zscproject/OWASP-ZSC/blob/master/lib/generator/windows_x86/exec.py

Next was create directory Shellcode - https://github.com/zscproject/OWASP-ZSC/blob/master/lib/generator/windows_x86/dir_create.py

The other Shellcode's which were done are :
creating file  - https://github.com/zscproject/OWASP-ZSC/pull/47
Downloading file - https://github.com/zscproject/OWASP-ZSC/pull/48
Download and Execute - https://github.com/zscproject/OWASP-ZSC/pull/49
Add Admin - https://github.com/zscproject/OWASP-ZSC/pull/50
Disable Firewall - https://github.com/zscproject/OWASP-ZSC/pull/51

Next I started working on obfuscation modules. Created Reverse hex and reverse base64 obfuscation modules for Ruby, Python, Perl, Javascript and php. Here are the PR's :
https://github.com/zscproject/OWASP-ZSC/pull/60
https://github.com/zscproject/OWASP-ZSC/pull/62
https://github.com/zscproject/OWASP-ZSC/pull/63

I had to work on other obfuscation modules but as ZSC tool got accepted in DEFCON we had to make Windows Shellcode part complete as that was to be presented. There were no encoding modules for Shellcode but as it was needed to complete Windows Shellcode part I started working on Encoding part.
Here are the Encoding module that were created :
Xor random - https://github.com/zscproject/OWASP-ZSC/pull/64  https://github.com/zscproject/OWASP-ZSC/pull/70
Add random - https://github.com/zscproject/OWASP-ZSC/pull/73
Sub random - https://github.com/zscproject/OWASP-ZSC/pull/78
xor yourvalue - https://github.com/zscproject/OWASP-ZSC/pull/79
inc and dec encodes - https://github.com/zscproject/OWASP-ZSC/pull/103/commits/e0364d3cda3b30caeabc06773586ec1914b96798
inc yourvalue and dec yourvalue - https://github.com/zscproject/OWASP-ZSC/pull/103/commits/4c49c10c29506ea9e49df6fcdcec86b1c5d26ee2
Add yourvalue and sub yourvalue - https://github.com/zscproject/OWASP-ZSC/pull/103/commits/61a5b2ff49c021bcb5b7bc65042547e71bf0a6d5

After Encoding modules part as I didn't have much time to add complex obfuscation module I started working on simple ascii obfuscation module  and here is the PR - https://github.com/zscproject/OWASP-ZSC/pull/103

If you are interested in contributing/learning more about the tool refer the documentation : https://ali-razmjoo.gitbooks.io/owasp-zsc/content/

It was great experience to work on ZSC tool as I learned many things about exploits, Shellcode etc., I would like to thanks OWASP Organizations, my mentors Brian for helping me to learn about shellcode and clearing my doubts, Johanna is great leader who is doing everything she can for ZSC and also Ali for helping me with project, also reviewing PR's and for creating this tool :). GSoC will be ending but I will still be contributing to ZSC tool. Next couple of months ZSC tool will be still having new changes as it is likely to participate in BlackHat Arsenal EU (Johanna applied for it already) and we can add some new features to the tool. Also we have working API and osx shellcode added to tool. Thanks to Akash Trehan for adding osx module.


Wednesday 20 July 2016

Shellcode Encoders and code obfuscation modules


So there are lots of things added to tools in last 2-3 weeks. Everyone is actively working for the tool. So in my last post I completed Download to file shellcode and after that I added couple of shellcodes like add admin and disable firewall. All the shellcodes in the tool can be seen here.

Then I started working on code obfuscation modules for some time. I added Reverse hex and reverse base64 modules to the tool. Here is the code for python and javascript. This module was also developed for perl, ruby. I tested the modules with different languages on both python 2 and 3 and it worked correctly.

As the org was selected for DEFCON 2016 we wanted to complete windows shellcode with encoders and also add osx shellcode. So in place of starting some complex obfuscation method I started working on encoders for windows shellcode. I added xor_random, add_random, sub_random and xor_yourvalue. I also have done add_yourvalue but we are trying to fix this issue before I add other encoders to the tool.

All the PR's made by me can be found here : https://github.com/zscproject/OWASP-ZSC/pulls?q=is%3Apr+is%3Aclosed+author%3APratik151 if you want to look at code.

Also zsc tool now has osx shellcode also thanks to Akash Trehan. He added osx shellcode to the tool. Also thanks to Ali, Brian and Johanna for helping me.

Tuesday 21 June 2016

GSoC project Status

Hello,

I didn't made post last week so I will be discussing about shellcodes which I did previous week also.

I started working on Create Directory shellcode in week 2 and completed it soon as It wasn't big as I used function CreateDirectoryA which is available in kernel32.dll so there was no need to load any dll's into process.

Then came the next shellcode Creating File, I thought it would be straightforward Load msvcrt.dll library > Find fopen to create file > find fprintf and use it to write to file > Close file . But when I started to work on it fopen was not working as usual, It was changing stack so I was not able to get the values like kernel32.dll address which I saved in stack for later use. I tried debugging it but couldn't find it as fopen was giving some error values and calling _wfopen and so stack was changing. Using fopen, file was created but stack was not same so I couldn't get values which I saved on stack. I was still able to write code which after creating file, exits successfully but it was getting long. So Ali said about system() which he used for creating linux create file Shellcode. system function is in msvcrt.dll so I loaded it first and then after finding address used it as system("echo data>file"). Here is create file shellcode : https://github.com/Ali-Razmjoo/OWASP-ZSC/pull/47/files . It takes two values one is file name and other is content of file.

Next I started working on downloading file shellcode. This will be created as two shellcodes : 1. for downloading file 2. downloading and executing file. I completed both of them and PR of downloading file is merged https://github.com/Ali-Razmjoo/OWASP-ZSC/pull/48  now I am pushing the shellcode of download and execute. For downloading I used URLDownloadToFileA function. The Shellcode takes values as url and filename. I spend one day on execution part after completing the download part and after lot of debugging I found that I was doing mistake where I was passing parameters in wrong order :P

I am on my schedule and next I will be working on Creating user and adding to admin. I will be using NetUserAdd method or do this part through command whichever would be short. 

Tuesday 7 June 2016

GSoC Week 2 : Opcoder and Windows Shellcode

Hello,

Completed 2nd week of GSOC and it was a good one :)

This week I made opcoder that converts the assembly code to opcodes. I worked mostly with the tool, adding windows options to the tool and all. It was made easy because of great tutorial by Ali here : https://ali-razmjoo.gitbooks.io/owasp-zsc/content/English/developers_s1.html . and the second thing that I did was converted static shellcode of calc.exe to dynamic so it can execute any file. First I started by writing that myself and I spent a day on it and then I came across generate function which was there in tool which does the same thing so used that for opcoder. I didn't interact daily with my mentor Brian this week as I was able to do most of my work but I interacted with Ali many times as I had questions with tool. Whenever I ask any doubts to Brian or Ali they reply very fast without taking much time though they are busy with their job. Good to have such active mentors :).Here are couple of screenshots from tool of the options and shellcode generated.


  
 (Ignore that line by line opcodes in 2nd ss it was print statement :P)


I have pushed changes to main repo here : https://github.com/Ali-Razmjoo/OWASP-ZSC/pull/46/files I feel that the opcoder is messy currently but I will document it when I have all the shellcode covered, as with other shellcodes coming I think it will change a lot in coming weeks.

I started create directory shellcode yesterday. It was planned to be started at end of week 2 but started in week 3. So to keep going with schedule, this week I should complete Create Directory and Write to File shellcode. I almost completed create directory shellcode as it uses function CreateDirectory which is already in kernel32.dll so I hope remaining time will be enough to compete file shellcode as it is slightly complicated as it requires functions like fopen,fwrite which are present in other dll which needs to be loaded into process.

Saturday 28 May 2016

Windows Shellcode for executing file - Week 1

Hello,

Its time for blog post :). This week was good learning experience. In last couple of post I forgot to thank my mentors for helping me :P. Thank you Brian, Johanna and Ali for accepting me to the project.

This week I learned a lot about Shellcode part. My mentor Brian was helping me with all my doubts. Whenever I had any doubts even if its small doubt and I couldn't understand after googling for sometime then I use to ask Brian and he was very helpful. He is always responsive and gives best descriptive answers. So first I started by learning Shellcode in general from The Shellcoder's Handbook and some other resources. I learned about Linux shellcode first and it was good one. And When I switched to Windows Shellcode Part everything was different. It took sometime to slowly understand everything.  After reading lot of tutorial, papers and shellcodes I was able to write WinExec shellcode that spawns calc. It was amazing moment when calc spawned without any segfaults :).

The problem with writing shellcode for windows is that the base address of kernel32.dll changes from version to version of windows.So we can't hardcode the address of kernel32.dll. So the things that we have to do to write windows shellcode is :

1. Find kernel32.dll base address using Process Environment Block (PEB).
2. Parse it’s export table to locate GetProcAddress
3. Use GetProcAddress to locate LoadLibrary
4. Use LoadLibrary to load other dll into current address space
5. Then again use GetProcAddress to locate required functions which are needed for writing shellcode.

For writing Execute Shellcode we will require WinExec function which is in kernel32.dll. So first we have to find kernel32.dll and then we have to find GetProcAddress and using GetProcAddress we have to find WinExec address and then we can use WinExec and to exit we can use ExitProcess method which is also in kernel32.dll. So for this shellcode we don't need to load any other dll's.

First we have to find kernel32.dll base address. As described in skape paper and some other papers we can use PEB method to get kernel32.dll base address as :
xor ecx, ecx
mov eax, [fs:ecx + 0x30]  ; GET PEB
mov eax, [eax + 0xc]      ; PEB->Ldr
mov esi, [eax + 0x14]     ; PEB->Ldr.InMemOrder
lodsd                     ; Second module
xchg eax, esi
lodsd                     ; Third module(kernel)
mov ebx, [eax + 0x10]     ; base address of kernel32.dll
Now we have to find offset of GetProcAddress, as offset of functions vary from functions to functions so GetProcAddress is not loaded at same offset for all kernel32.dll. We can use Export Directory table as described in skape paper. The ESI pointer stores the address of exported function names.

mov edx, [ebx + 0x3c] ; DOS->e_lfanew
add edx, ebx          ; PE Header
mov edx, [edx + 0x78] ; Offset export table
add edx, ebx          ; Export table
mov esi, [edx + 0x20] ; Offset names table
add esi, ebx          ; Names table
Now we will find GetProcAddress as we will be using GetProcAddress to find address of other functions. I read about this method to find GetProcAddress by comparing name in securitycafe tutorial post about windows shellcode, it's comparing names of functions. There is also other method to find using hashes which Brian said and I will try to learn that also. Here is how we will get GetProcAddress :
xor ecx, ecx        
Get_Function:
inc ecx                              ; Increment the ordinal
lodsd                                ; Get name offset
add eax, ebx                         ; Get function name
cmp dword [eax], 0x50746547       ; GetP
jnz Get_Function
cmp dword [eax + 0x4], 0x41636f72 ; rocA
jnz Get_Function
cmp dword [eax + 0x8], 0x65726464 ; ddre
jnz Get_Function
mov esi, [edx + 0x24]    ; ESI = Offset ordinals
add esi, ebx             ; ESI = Ordinals table
mov cx, [esi + ecx * 2]  ; CX = Number of function
dec ecx
mov esi, [edx + 0x1c]    ; ESI = Offset address table
add esi, ebx             ; ESI = Address table
mov edx, [esi + ecx * 4] ; EDX = Pointer(offset)
add edx, ebx             ; EDX = GetProcAddress
Now we have GetProcAddress and we will use that to find WinExec function address.
push ebx  ; kernel32.dll base address
push edx ;GetProcAddress base address
xor ecx, ecx
push ecx
mov ecx, 0x61636578 ; xeca  a will be modified with null
push ecx
sub dword [esp + 0x3], 0x61 ;Modify last value as null
push 0x456e6957 ;WinE hex code
push esp ;pointer to string
push ebx ; kernel32.dll address
call edx  ; GetProcAddress(kernel32.dll, WinExec)
Now edx will contain WinExec base address and we can use that for Executing file. WinExec requires two parameters one we will store in ecx and one in ebx and push it to stack
add esp, 0x8 ; Move stack to 8 bytes so string "WinExec\0" will be removed
pop ecx
push eax ; eax contains WinExec address
xor ecx, ecx
push ecx
push 0x6578652e ; .exe hex value
push 0x636c6163 ;calc hex value
xor ebx, ebx
mov ebx, esp ;save pointer to string in ebx
xor ecx, ecx
push ecx
push ebx ; push pointer to string calc.exe
call eax  ; WinExec("calc.exe",0)
 Ok now we have spawned our calc and now we need to Exit. For that we will use GetProcAddress and find ExitProcess base address and execute ExitProcess(0) as :

add esp, 0x10  ;skip 16bytes of stack : "calc.exe",0, WinExec address
pop edx ; GetProcAddress address
pop ebx ;kernel32.dll address
xor ecx, ecx
mov ecx, 0x61737365             ; essa
push ecx
sub dword [esp + 0x3], 0x61 ; "a" will be now null
push 0x636f7250                 ; Proc
push 0x74697845                 ; Exit
push esp     ;pointer to string
push ebx                        ; kernel32.dll base address
call edx                        ; GetProcAddress(kernel32.dll, ExitProcess)
xor ecx, ecx ;
push ecx     ;  0
call eax     ; ExitProcess(0)

So that's it. I tested this shellcode in Windows XP and 8.1. I think I can still reduce few bytes as I see that I saved some base address like for WinExec which I saved on stack but didn't use later. Here is the code with shellcode in Visual Studio to test it :
#include <Windows.h>
#include <stdio.h>
int main()
{
unsigned char shellcode[] = "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58"
"\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81"
"\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65"
"\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31"
"\xc9\x53\x52\x51\xb9\x78\x65\x63\x61\x51\x83\x6c\x24\x03\x61\x68\x57\x69\x6e\x45\x54\x53\xff"
"\xd2\x83\xc4\x08\x59\x50\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x31\xdb\x89\xe3"
"\x31\xc9\x51\x53\xff\xd0\x83\xc4\x10\x5a\x5b\x31\xc9\xb9\x65\x73\x73\x61\x51\x83\x6c\x24\x03"
"\x61\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x53\xff\xd2\x31\xc9\x51\xff\xd0";
printf("Executing Shellcode...\n");
void *page = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
memcpy(page, shellcode, sizeof(shellcode));
((void(*)())page)();
return 0;

I have to make this shellcode work so that it should execute any file not only calc.exe. I will discuss that with Brian and implement it. I have to also write opcoder now as I got code I can write opcoder and test it. I and Brian are thinking to use some libraries but I have to test library with shellcode and see if it works and discuess with Ali if we can use that library in tool.

P.S : Today is my Birthday :)

Thanks for reading. Have a Good day :)

Wednesday 18 May 2016

Some details about Windows Shellcode part of GSoC project

Completed my final exams and now its time to focus on GSoC project :).


In my last blog I posted timeline which was in my proposal and in this post I will add details about Shellcode part of project which I will be completing before mid evaluation if everything goes as planned.

Shellcode for Windows

For Windows there is no direct kernel interface like int 0x80. Windows provide kernel32.dll but we cannot find functions loaded at same address for different versions of windows so it's hard to use hardcoded address to write shellcode. Skape paper on Windows Shellcode describes how we can find address of function using PEB. I am not going to write the details which are there in paper here. So in summary it is like this:

1. Find kernel32.dll base address using Process Environment Block (PEB)
2. Parse it’s export table to locate GetProcAddress
3. Use GetProcAddress to locate LoadLibrary
4. Use LoadLibrary to load other dll into current address space
5. Then again use GetProcAddress to locate required functions which are needed for
writing shellcode.


There is another way we can do this, by hardcoding the address but we will find the address of modules dynamically using python ctypes.
Something like this to get address of module.
import ctypes
dll = u'kernel32.dll'
module = 'WinExec'
kernel32 = ctypes.windll.kernel32
handle = kernel32.LoadLibraryW(dll)
address = kernel32.GetProcAddress(handle,module)

Here is script that I wrote sometimes back to generate asm code that executes cmd.exe using functions WinExec and ExitProcess - https://gist.github.com/Pratik151/58fd921116ce314d796b

Here is rough timeline on what I am planning to do:

Week 1 and Week 2 (May 23 - June 5) 
Add opcoder for windows like this one which is for linux - https://github.com/Ali-Razmjoo/OWASP-ZSC/blob/master/lib/opcoder/linux_x86.py
Add Execute Shellcode - It requires two functions WinExec and ExitProcess
Start Writing to file Shellcode- It requires fopen, fclose and ExitProcess

If I will be able to add the address of module dynamically using ctypes and if it works then I think the shellcode can be developed before time. But If that won't work then I have to use PEB method to get address of required functions.

Week 3 (June 6 - June 12)
Complete Writing to file SC if it is not completed yet.
Add Create directory shellcode. If I am able to complete it before time then I can work start next week work or If more time is left then I can start other new shellcode.

Week 4 & Week 5(Junt 13 - June 26)
Add shellcode Download and Executing a file - This requires URLDownloadToFile function which is there in Urlmon.dll. But Urlmon.dll is not loaded in process when it is started so we will be needing to load the dll into process first and then only we can use URLDownloadToFile function. So we have to load Urlmon.dll into process using LoadLibrary. We can first find address of LoadLibrary dynamically using ctypes and then with that we can load Urlmon.dll and then we can use the UrlDownloadToFile function. The dll can be loaded something like this:

GetUrlmonLibrary:
call LoadUrlmon
db ‘Urlmon.dllN’ ;N will be replaced with Null character
LoadUrlmon:
pop ecx ;get the ‘Urlmon.dllN’ string
mov [ecx + 10], dl ;insert NULL for string termination
mov ebx, 0x7639a820 ; Base address of LoadLibraryW as we got from ctypes
push ecx
call ebx
Add shellcode for creating user and adding user to admin group - we can use WinExec and execute cmd.exe and directly use the command “net user
USERNAME PASSWORD /ADD” and “net localgroup administrators USERNAME /ADD” or other way is to use NetUserAdd and NetLocalGroupAddMembers which is in Netapi32.dll


This schedule is till mid term and after that I will spend one more week for adding one or two shellcode which are in proposal. I will post timeline for Code Obfuscation modules part while doing the project when I have time in between.


Thanks for Reading this long post,  Have a Good day :)

Sunday 1 May 2016

Timeline for GSoC project

Hello,

I got accepted into GSoC this year and I am so excited to work with open source organization :). This summer I will be working on my project with OWASP ZSC and here is the link to my project on gsoc site. The project is Windows Shellcode and Code Obfuscation modules. So in my summer time I will be creating windows shellcode and code obfuscation modules for ZSC tool. The coding period officially starts from 23rd May and we are currently in community bonding period. In this period I have to familiarize my self with the organiszation, code base and interact with mentors and make plan about project before the full time coding begins. 

Here is my proposed timeline that I will be working on during coding period. So basically this project has two parts one is developing shellcodes for windows and second part is to add code obfuscation modules for different languages. I will be working first on shellcode part as I mentioned in my proposal most likely. I didn't write technical details of my projects which are on my proposal about shellcodes and modules on this post but I will write the technical details in next post after discussing with mentors and also more detailed timeline if possible. I will discuss with brian about shellcode part and which way I should go to develop shellcodes as in my proposal I mentioned two ways. I will try to make that discussion on mailing list mostly and if I have discussion on skype/telegram then I will post details on mailing list so that it can be helpful for others also.

My exams starts from 3rd May. So I will be less active from May 2 - 10 but I will check mailing list regularly and I have one more exam on 16th May(it was on 7th but was postponed) but I will be available from May 11 - May 15th. After my exams I will be able to work full time and I hope to complete project successfully and learn many things :)

In next blog I will add technical details for shellcode part and also add more details to timeline.