![[0x00000001]> Let's get some context
REF: https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/ (OJ Reeves)](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-3-320.jpg)
![[0x00000002]> What is a Stager?
• Shellcode responsible for fetching and executing the next Stage (malware/implant,
intermediate stage).
• They arise as a need due to the nature of certain exploits (space restrictions).
However, they can be very useful even when we have the option to use a stageless
approach ("Data Contraception“, “Profiling”).
• They are usually hand-made to take the less space possible and to be used by a
greater number of exploits. Compiling from languages such as C is another viable
option, however, some issues have to be resolved: : PIC (Position-independent
code), WinAPI resolution, stack strings, removing unneeded code, etc. *
• Frameworks like Metasploit implement a large number of stagers that we can use to
run our own payloads/implants
REF: http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-4-320.jpg)
![[0x00000003]> Pazuzu (reusing stagers for your implants)
REF: https://github.com/BorjaMerino/Pazuzu](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-5-320.jpg)
![[0x00000004]> Amber (reusing stagers for your implants)
REF: https://github.com/EgeBalci/Amber (Ege Balcı)
Memory Mapping
File](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-6-320.jpg)
![[0x00000005]> Stager skeleton
https://github.com/rsmudge/metasploit-loader/blob/master/src/main.c (Raphael Mudge) Shellcode/windows/x86/src/block/block_recv.asm (Metasploit)](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-7-320.jpg)
![[0x00000006]> Other useful uses
Intermediate stage that
checks if the objective is
a potencial victim and if
it meets certain criteria
(domain?, language?,
country? virtualized?,
sandbox?)
Stager as a persistence
method to recover and
execute the implant in
memory (no disk
artifacts)
REF: http://phrack.org/issues/62/8.html (the grugq)](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-8-320.jpg)
![[0x00000007]> Stager building
REF: https://www.sekoia.fr/blog/microsoft-edge-binary-injection-mitigation-overview/
*](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-9-320.jpg)
![[0x00000008]> HTTP / HTTPS Transports
*
WinINet
• Oriented to desktop applications
• Sometimes WinINet is filtered by endpoint protection products
WinHTTP
• Oriented to services (used by BITS and Windows Update)
• Allows SSL validation/Certificate Pinning (Useful to avoid MiTM attacks)
• Require “Keep-alive” (this is a problem with proxys HTTP 1.0). If there is enough
room we can fallback to WinINet
REF: https://github.com/rapid7/metasploit-framework/wiki/The-ins-and-outs-of-HTTP-and-HTTPS-communications-in-Meterpreter-and-Metasploit-Stagers](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-10-320.jpg)
![[0x00000009]> No protocol limitations: Modbus Stager
REF: https://www.shelliscoming.com/2016/12/modbus-stager-using-plcs-as.html
*
< 500 bytes](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-11-320.jpg)
![[0x0000000A]> No protocol limitations: Modbus Stager
REF: https://www.shelliscoming.com/2016/12/modbus-stager-using-plcs-as.html](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-12-320.jpg)
![[0x0000000B]> Drawbacks of “universal” stagers
REF: http://phrack.org/issues/62/7.html
Useful Stagers:
• Reverse Hop HTTP
• Reverse TCP All Ports
• DNS TXT Record Payload
Option: Socket hunting
• Manual search
• Rebinding ports *
• Brute-force socket handles
• FindTag (need recv() length argument)
• FindPort (No PAT/NAT Immune)
• Out-Of-Band Data *
• Socket's lifetime *
IMP! Just useful when the process owns the socket (some services like DCOM, SMB, etc. are proxied through
a central service and there is no socket to steal)](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-13-320.jpg)
![[0x0000000C]> Handles Table
REF: https://blogs.technet.microsoft.com/markrussinovich/2009/09/29/pushing-the-limits-of-windows-handles/](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-14-320.jpg)
![[0x0000000D]> APT1 Owned (Malware.lu CERT)
REF: https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-15-320.jpg)
![[0x0000000E]> Veritas Backup Exploit (H.D. Moore)
REF: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/backupexec/name_service.rb](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-16-320.jpg)
![[0x0000000F]> Microsoft IIS 4.0/5.0 Exploit (Yuange)
https://www.exploit-db.com/exploits/21371
REF: https://cybersecpolitics.blogspot.com/2018/04/stealing-socket-for-policy-and-profit.html](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-17-320.jpg)
![[0x00000010]> Socket Hunting (manual approach)
Windows Preview quite useful!
- TTD (Time Travel Debugging)
- Taint Analysis
- Code-Flow / Coverage
REF: https://github.com/microsoft/WinDbg-Samples](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-18-320.jpg)
![[0x00000011]> Shellcode based on socket's lifetime
REF: https://www.shelliscoming.com/2018/06/windows-reuse-shellcode-based-on.html](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-19-320.jpg)
![[0x00000012]> Shellcode based on Out Of Band data
REF: https://www.shelliscoming.com/2019/03/one-way-shellcode-for-firewall-evasion.html
https://bbs.eviloctal.com/thread-10143-1-8.html (Linux exploit: Autor bkbll)
TCP allows to send "OOB" data in the same
channel as a way to indicate that some
information in the stream should be processed as
soon as possible by the recipient peer](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-20-320.jpg)
![[0x00000013]> One-Way VS reverse shell
Standard
Reverse Shell
One-Way
Stager](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-21-320.jpg)
![[0x00000014]> Rebinding approach
REF: https://web.archive.org/web/20161107193740/http://www.lsd-pl.net/winasm-slides.pdf](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-22-320.jpg)
![[0x00000015]> Rebind Port + ACL Shellcode
REF: https://www.shelliscoming.com/2019/11/retro-shellcoding-for-current-threats.html
https://wj32.org/wp/2009/01/24/howto-get-the-command-line-of-processes/
Process ’’Forking’’](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-23-320.jpg)
![[0x00000016]> ACL Shellcode
REF: https://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-24-320.jpg)
![[0x00000017]> One-Way-Shellcodes drawbacks
• Sometimes the socket is not owned by the process.
• Brute-force socket handles it's not a very reliable method
(it doesn’t work in practice with many exploits).
• Sometimes even if you get the socket handle your payload
randomly die (i.e.: another thread tries to do something in your
socket).
• Most of the shellcodes are exploit specific (not universal).
• They require a lot of effort and time.
Non serious experiment: Stager hunter (Honeypot with Frida)
Collection of papers/talks and techniques in Windows:
https://github.com/BorjaMerino/Windows-One-Way-Stagers](https://image.slidesharecdn.com/remotecodeexecutioninrestrictedwindowsenvironments-191226124046/85/Remote-code-execution-in-restricted-windows-environments-25-320.jpg)
Remote code execution in restricted windows environments
- 1. Remote Code Execution in restricted Windows environments
- 2. Foto ponente Borja Merino Febrero borja.merino@protonmail.com
- 3. [0x00000001]> Let's get some context REF: https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/ (OJ Reeves)
- 4. [0x00000002]> What is a Stager? • Shellcode responsible for fetching and executing the next Stage (malware/implant, intermediate stage). • They arise as a need due to the nature of certain exploits (space restrictions). However, they can be very useful even when we have the option to use a stageless approach ("Data Contraception“, “Profiling”). • They are usually hand-made to take the less space possible and to be used by a greater number of exploits. Compiling from languages such as C is another viable option, however, some issues have to be resolved: : PIC (Position-independent code), WinAPI resolution, stack strings, removing unneeded code, etc. * • Frameworks like Metasploit implement a large number of stagers that we can use to run our own payloads/implants REF: http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html
- 5. [0x00000003]> Pazuzu (reusing stagers for your implants) REF: https://github.com/BorjaMerino/Pazuzu
- 6. [0x00000004]> Amber (reusing stagers for your implants) REF: https://github.com/EgeBalci/Amber (Ege Balcı) Memory Mapping File
- 7. [0x00000005]> Stager skeleton https://github.com/rsmudge/metasploit-loader/blob/master/src/main.c (Raphael Mudge) Shellcode/windows/x86/src/block/block_recv.asm (Metasploit)
- 8. [0x00000006]> Other useful uses Intermediate stage that checks if the objective is a potencial victim and if it meets certain criteria (domain?, language?, country? virtualized?, sandbox?) Stager as a persistence method to recover and execute the implant in memory (no disk artifacts) REF: http://phrack.org/issues/62/8.html (the grugq)
- 9. [0x00000007]> Stager building REF: https://www.sekoia.fr/blog/microsoft-edge-binary-injection-mitigation-overview/ *
- 10. [0x00000008]> HTTP / HTTPS Transports * WinINet • Oriented to desktop applications • Sometimes WinINet is filtered by endpoint protection products WinHTTP • Oriented to services (used by BITS and Windows Update) • Allows SSL validation/Certificate Pinning (Useful to avoid MiTM attacks) • Require “Keep-alive” (this is a problem with proxys HTTP 1.0). If there is enough room we can fallback to WinINet REF: https://github.com/rapid7/metasploit-framework/wiki/The-ins-and-outs-of-HTTP-and-HTTPS-communications-in-Meterpreter-and-Metasploit-Stagers
- 11. [0x00000009]> No protocol limitations: Modbus Stager REF: https://www.shelliscoming.com/2016/12/modbus-stager-using-plcs-as.html * < 500 bytes
- 12. [0x0000000A]> No protocol limitations: Modbus Stager REF: https://www.shelliscoming.com/2016/12/modbus-stager-using-plcs-as.html
- 13. [0x0000000B]> Drawbacks of “universal” stagers REF: http://phrack.org/issues/62/7.html Useful Stagers: • Reverse Hop HTTP • Reverse TCP All Ports • DNS TXT Record Payload Option: Socket hunting • Manual search • Rebinding ports * • Brute-force socket handles • FindTag (need recv() length argument) • FindPort (No PAT/NAT Immune) • Out-Of-Band Data * • Socket's lifetime * IMP! Just useful when the process owns the socket (some services like DCOM, SMB, etc. are proxied through a central service and there is no socket to steal)
- 14. [0x0000000C]> Handles Table REF: https://blogs.technet.microsoft.com/markrussinovich/2009/09/29/pushing-the-limits-of-windows-handles/
- 15. [0x0000000D]> APT1 Owned (Malware.lu CERT) REF: https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf
- 16. [0x0000000E]> Veritas Backup Exploit (H.D. Moore) REF: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/backupexec/name_service.rb
- 17. [0x0000000F]> Microsoft IIS 4.0/5.0 Exploit (Yuange) https://www.exploit-db.com/exploits/21371 REF: https://cybersecpolitics.blogspot.com/2018/04/stealing-socket-for-policy-and-profit.html
- 18. [0x00000010]> Socket Hunting (manual approach) Windows Preview quite useful! - TTD (Time Travel Debugging) - Taint Analysis - Code-Flow / Coverage REF: https://github.com/microsoft/WinDbg-Samples
- 19. [0x00000011]> Shellcode based on socket's lifetime REF: https://www.shelliscoming.com/2018/06/windows-reuse-shellcode-based-on.html
- 20. [0x00000012]> Shellcode based on Out Of Band data REF: https://www.shelliscoming.com/2019/03/one-way-shellcode-for-firewall-evasion.html https://bbs.eviloctal.com/thread-10143-1-8.html (Linux exploit: Autor bkbll) TCP allows to send "OOB" data in the same channel as a way to indicate that some information in the stream should be processed as soon as possible by the recipient peer
- 21. [0x00000013]> One-Way VS reverse shell Standard Reverse Shell One-Way Stager
- 22. [0x00000014]> Rebinding approach REF: https://web.archive.org/web/20161107193740/http://www.lsd-pl.net/winasm-slides.pdf
- 23. [0x00000015]> Rebind Port + ACL Shellcode REF: https://www.shelliscoming.com/2019/11/retro-shellcoding-for-current-threats.html https://wj32.org/wp/2009/01/24/howto-get-the-command-line-of-processes/ Process ’’Forking’’
- 24. [0x00000016]> ACL Shellcode REF: https://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html
- 25. [0x00000017]> One-Way-Shellcodes drawbacks • Sometimes the socket is not owned by the process. • Brute-force socket handles it's not a very reliable method (it doesn’t work in practice with many exploits). • Sometimes even if you get the socket handle your payload randomly die (i.e.: another thread tries to do something in your socket). • Most of the shellcodes are exploit specific (not universal). • They require a lot of effort and time. Non serious experiment: Stager hunter (Honeypot with Frida) Collection of papers/talks and techniques in Windows: https://github.com/BorjaMerino/Windows-One-Way-Stagers