>>Alright, thanks for coming. I know it’s uh, lunch time. And no one likes to miss lunch time. So, uh my name's Josh Pitts. I got out of the Marines right before 9/11. I wrote, uh Back Door Factory and uh Back Door Factory Proxy. And this is a, this is a file on infection framework that will inject code into PE, ELF and Maco binaries, the x86 and sixty-four bit side. And also do ARMv7 for ELF. I uh, because of that, I found OnionDuke, which was a, uh Russian malware infecting downloads over Tore, why would you do that over Tore? I have no idea. Uh, but I co-authored a uh, environmental key framework, uh that made environmental key malware called Ebowla and yes that’s spelled correctly. I work at Okta where I do red teaming. I, we uh do design reviews, everything you can think of. Pen Testing, reverse engineering of anything we put on our network and there’s my twitter handle and there’s my GitHub where a lot of this code is. So um, why this talk? Well you know, I- I- think, writing shellcode is fun believe it or not. Uh my wife thinks I need new hobbies and that’s fair. Um, so and I want to talk about the current state about public Windows shellcode, how it works and uh talk about updating it. So we’ve got three parts. There’s history, there’s further development and there’s uh, mitigations and bypasses. So the first part. So MetaSploit’s shellcode right now uses Stephen Fewer’s Hash API or MetaSploit Payload Hash. Uh, the, the basic concept is it, of it, uh it uses a four byte hash with a thirteen bit war instruction. Uh, define Windows APIs into use the export table, or define Windows APIs in the export table of a DLL, any system DLL. And I was introduced in August 2009 and some of this has roots back to uh Matt Miller or Scapes, one thirty two shellcode paper. And these slides are online and then I have a link to the paper. And uh Scape now works for Microsoft in the mitigation department. So just keep that in mind. So this is um how it works. You do a call over the payload, you push everything onto the stack and then the, the, the uh, the shell code or the, the hash API will parse export address table and then jump into Windows API and then return back to payload logic and it will continue until there is no more payload logic and your payloads been executed. Now this allows, what was kind of cool though about this is that this allowed payloads to be portable across all Windows pla- uh platforms. And of course some mitigations uh decided to uh be or to come out. You have EMET or E MET uh this was a SFHA, Microsoft. And then you have uh Piotr Bania. He has a Phrack article on, oh beating uh, some of these uh payloads. And then there’s also the HAVOC um, mitigation. Which was released, uh uh the concept was released in POC GTFO twelve seven. Amen. Um, and, and, HAVOC stands for Halting Attacks Via Constructing Configurations. And this was funded by Darpa uh fast track. It’s by Digital Operatives and what it did, it threw um, it threw a DLL up into the loaded module list of uh the DLLs and it what it, what it did, it, it, basically it pre-computed collisions uh for this four byte war, um, four byte hash war assembly. Uh, anyway, so what it did, it made these collisions and actually it uh worked pretty well. So there’s also the EMET Caller in EAF uh protections. Remember the shellcodes was introduced in August 2009. And the EMET EAR protections was introduced in 2010. And what this does is it protects uh KERNEL32 NTDLL and KERNELBASE uh from ya know read that. And then also you have the caller protection which is really more uh, restricts ROC like calls but still computers hash tag PI would trigger on this also. They say you cannot go into a Windows API cia a ret or a jump it had to be basically a uh indirect call. And as you may have heard, EMET end of life. It’s supported through July thirty-first, next year. It still works and, but it’s being reintroduced into Windows 10 uh this fall and we’re going to talk about that. And it, it does still work. I mean, so this is the this is the pro, this is the Tor exploit that uh was targeting some people that was doing some illegal things on Tor. Nobody does that, um, it, it basically it flagged on a stack pivot mitigation. So, so EMET still has um, some relevance in the field, right? So Bypassing EMET, there have been a couple, uh, uh public bypasses and uh Skypher had a, a um or Skyline, used a, a method um to make EMET think that the the code was valid reading the ex… [audio skipping], Piotr uh Bania, and he wouldn’t use hard wired breakpoints, he would erase them essentially. And often since security, they had a bypass by reusing code within EMET itself. Now the caller uh bypass, like I said earlier if you have the handle two Windows API all you do is move it into a uh, there’s a couple ways to do it, but all you do is move it into a, uh register, you reference the register and then you call it directly. Or you can do a indirect call. I think it’s shorter to do an indirect call. Directly, I think it’s only two bytes. So knowing this, a bit, back in May 2014, I’ve put import address based payloads into BDF and they worked just like compiled code because I realized the closer you, you are to working like compiles code, the harder it is to stop you with uh, any mitigations and it also makes you harder to see for anti-viruses. Uh, so I added these in, in May and then December I wanted to see if I could use a concept and exploitation um, and I wanted to use the import address table. So I looked for some prior work. Skape’s uh paper, again I used that, I looked at that. It wasn’t, I, import address table payload, uh that he had, but there was some issues with it because he used the export table to get to uh,uh uh API load library A and then he would use that to get to a DL, DLL and then use an import table off of that. Um and it was, I think it was hard coded to a certain version of, of the system DLL. And then uh, uh Piotr Bania, he had a import address table parser. I decided to use that but just for reference. The first known, I guess use of import address table, uh for something malicious was a virus from 1997. Ok, uh it was not really an exploit, it just used the import table directly. So uh, it was a file infector and it would just use the import table. So this is Piotr Bania’s, uh point of concept. I could not get this to work on a modern Windows OS. Uh, I think I was testing this on a Windows XP service pack three. And alsa Windows 7. And so I decided to update it for some tolerances and I’ll explain that. So the way it would work, is you would find image base, in the P being, you could get the P header and then you’ll get the import table relative virtual address and then you would loop through and find KERNEL32 via a ASKI match. And so, um next, oh, it find low library A and get a procedure address but I added a check in set to, set bounds of readable memory to make sure that um, it’s readable memory. Because if you can’t read the memory you will have a crash. And then after the stub is done, low library A would be an EBX and get, uh get procedure address, GetProcAddress, would be in ECX. I bolted on a reverse GCB shell and it’s this bypass column, EF checks, really easy. And then I emailed the EMET team. And uh, this was the response essentially. So uh, so they knew about it obviously uh Matt Miller, I don’t know if he was consulted but they knew about it. I mean they get tons of crashes and they analyze crashes. Uh so, in my POC just use the load library A and get a proc address from the import table. It was pretty limited, so if the, if the uh binary did not have it in the import table then it was useless at the time. So this code sat from December 2014 until February 2016 when SubT, if you don’t know SubT you should get to know him. Uh he’s the person that executes code and things, he ru- executes codes and things that shouldn’t be executing code. Not through exploitation but through hidden features and other uh things that just, ya know these are signed by Microsoft and you can run code and it’s great. Like ya know, like it’s pretty awesome. So uh, he, he tweeted that he was having problems at EMET because of EAF. And I knew exactly what his problem was so we started to collaborate. And I sent him the only stub I had at the time and he went crazy with it. He was using it pretty much everywhere. Uh the only problem was, in powershell, uh powershell did not have load library A in the import table. So we talked about uh moving, looking elsewhere for loadlibrary And GetProcAddress from a loaded module. And, so he wrote an addition to do this and he borrowed code from uh Stephen Peer’s API stuff. And changed it around a little bit. He decided to use a four byte hash. Uh, the ROR algorithm to, to find just the DLL name. Versus DLL and API. And so that means you, you would find, you would use that hash to find um anything in the loaded module that will match that and so if you’re going to do something like Havoc where you’re going to cause a collision you would need to know all the possible combinations of anything that might be deployed with any applications as far as DLLs. And so um, so yea, uh, uh, he wrote that stub and we were excited about it. So now we had two stubs. Okay that’s cool, alright. Uh, so then we knew you could use, get, GetProcAddress anywhere in memory space and if you do that, you can get load library A as long as you enumerate the location of KERNEL32. So you use the four byte hash algorithm like I mentioned uh and then you would get, um this is how we would uh get uh load library A. Pretty simple right? And then we would push the handle into the stack and then move ES, uh, we would push the handle of load library A onto the stack and move ESP to EBX and then we would do an indirect call to EBX. So now we have four stubs that we could use. But we didn’t know where we could use them. So what we did is I went through and enumerated system binaries across all five, five operating systems for load library A, get procedure address or just get procedure address in the import table. And this is the output of that. I saved the output in a Json format. So when you’re, you’re looking for an import to use, you would walk everything that is loaded recursively in a, in a dependency walker style fashion. Uh to find anything that might be in memory. So we had a lot of op, opportunity to use this. And um, if, if you look you see, they made an effort to decrease the use of load library A and get, GetProcAddress. And you see Windows 10 has less, right? Then XP. Obviously. But then you see there’s more, GetProcAddress. So either way, it was, it was a pretty good find. So we’re going to submit to a, to a CFP, or we’re going to submit to a conference. Uh, this is about June and then this came out. Uh, a flash exploit that used GetProcAddress from user thirty-two import table to get a payload, was discovered by FireEye. And this was pretty depressing, cause then what we waid, we, we, it wasn't’ good anymore. I mean, not good, but it just wasn’t as exciting. So we wrote a blog post about it and we released the POC that would pick for you which stub you would use. Uh and we released a reversed CCP shell with this with no exit function so it would automatically crash all the time. Uh that was kind of trolling a little bit. But um, we want to do more stuff. So we wanted more payload, we wanted to get this into MetaSploit somehow. And we knew it’d be a lot of work and we had a couple ideas. So that brings us to part two. So two ideas. Remove Stephen Fewer’s Hash API and replace it with something else completely. But we, or build something to rewrite payload logic for use with an import address table, uh parsing stub. So I decided to rewrite all the things. So, and do it automatically and magically. And this is how MetaSploit payloads work. You push everything on, well for, for x86, so you push everything onto the stack and call the hash API with a call EVP. Um, so I had a workflow, I used Capstone for disassembly, keystone for reassembly. The only thing that I had issues with was protecting the save load library A and GetProcAddress from being clobbered because of conditional instructions that would pick a path and then I‘ll lost context. Um, and I worked on this for five days straight for about twelve to fiteen hour days over Christmas. Not on Christmas but over Christmas holidays. And when I solved one problem, more appeared. And there was a point that I crossed it and where I could probably just rewritten everything or at least getting a good, or at least have a good POC of things uh to show for my work. But really I had nothing, so I decided to burn it down. Uh so the next idea was to take the hash API and the actual payload logic, remove, remove the uh old hash API, use my, one of my import address table stubs, then offset table. So, I had some requirements. I needed support, uh read/execute memory. Just incase somebody would use this other places that weren’t read, write, execute memory. Let me keep it small, as possible. I want to support any Metasploit payload that uses Stephan Fewer’s hash API. So at the same four steps I would take, I would take uh imports in, dissasemble it, capture the instructions, uh, or capture the blocks of instructions, capture all the API’s be able to look up offset table and then I’d find the appropriate import address tables for the executable and then there will be an output table I mean an output to different types. So even if the user does not provide a DLL they’re looking for, this would do it automatically because of all the Json, uh, output that I’ve saved. So this is what I came up with. Uh, so you would take the four block, four byte block hash, uh used in the API parsed export table but now it’s going to point to the APIs and the DLLs that were going to be called and those, those are going to be in a string and they’re going to be null terminated. So for example you, you have the first hash right? It’s four bytes. And then, the DLL offset, if it matches, it, it’s going to point to KERNEL32. And then the next API is gonna, the APIs gonna point to WinExec. So you have the next hash, points to KERNEL32 again. And then it points to the next API exit thread, so on, so forth. So you do, because I unique the string, you do have some overlap and you can save some space. So, this, this logic for the parsing, for parsing the lookup table. Basically I jump over the table, I move the first hash into the lookup table and I continue until I find a match. If found I move the DLL offset into AL. I normalize for memory and I use load library A to load the DLL. And then I save the DLL handle. I put the API offset in AL, normalize and use GetProcAddress to get the Win API handle. I prepare the call to the WIndows API by clearing the stack. I save EAX down the stack for recovery on pop AD. then I save the return address to EBP then I call the Windows API. While the API returns I fix the EB- EBP to point back to the beginning of the import address table stub. And then I return back to the payload logic. So this is how it works, I jump over uh everything, into uh the payload logic that comes with Metasploit. Uh and then I return, or I- I- do a call into the import address table stub. And then lookup table goes into a Windows API, returns back the lookup table and then I go back into the payload logic and I just continue until done. So the initial POC to write the table took about twelve hours. ANd then add in all the workflow and then the stubs took about another twelve hours and uh it, it took awhile to get the tool to where it’s at, but I’m really happy about it. So now that these um, API hashes are been, they no longer hold reference. Um, they’re now meaningless, okay? After, after it goes though and we figure out what they are, they’re meaningless. And I found out AVs depend on them for signatures. So, what, what, what happens if we, um, just randomize them? It’s pretty fun actually. So I’ve got to demo that, yeah. Do this properly. Everybody see that? Okay. Okay, so all I'm doing here is just doing a um, I’m just outputting to file a reverse TCP um shell, MSFvenom. And then I’m going to cat that out into uh Fid0. That’s the name of this tool, Fid0. And I’m going to do a loadlibraryA GetProcAddress, um, we’re going to use those out of the import table of the main module. And I’m, I’m, uh outputting that to file. And uh, the, the outputs uh fairly, fairly useful to tell you what’s going on. Pretty straightforward. And now I’m going to use Backdoor Factory and effect tcpview and I’m going to put that on Window 10. And there’s Windows Defender. Of course it was detected. I’m going to do the same thing but I’m going to use M for Mangle. Going to use Backdoor Factory again to infect tcpview. I drop that onto disk. And then I set up a netcat handler. And then no detection. [applause] Alright so here’s an example of using FID0 as you’ve seen in the video. So I was having some issues with a couple DLLs. And when I say couple, all the system ones. Uh I was running into a problem where, where I had to build a blacklist to avoid using those as, saying they had the GetProcaddress or load library A in their import table. And I decided to look at this because it was going to a point where I was just blacklisting everything. ANd I figured out that it was just Windows 7 through 10. So I decided to look, look into it some more. And this is when I discovered the effect of MINWIN. Uh these, these, typically these are used in system DLLs. It’s, it's for portability and they've been used in Windows 7, they've been in use since Windows 7. And if the DLL, if it is in the DLL's import table in your process space, you can use an exposed API, such as, GetProcAddress. And in, and GetProcAddress case, it’s everywhere. It’s in every single process. Um, because it’s in KERNEL32. Uh, so this is the view of KERNEL32’s import table. So KERNEL32’s import, importing GetProcAddress via its import table through one of these MINWIN DLLs. And then it exports it back out uh so it can be used ya know through the normal API. But if you’re parsing the import table then you can use it. So let me explain what this means. We just need GetProcAddress in any DLL, any import table in any DLL to access the entire Windows API. We just need it, just need GetProcAddress period. So uh, since Windows 7, get roc address has been in KERNEL32 import table. So that means, we’ve had a, a stable EMET EAF and Caller bypass since Windows 7. And it still works on Windows 10. So I’m going to demonstrate that with uh, the Tor exploit that I talked about earlier. Alright so what I’m showing here is I turned off the stack pivot um mitigation just to show that EAF will flag the, as far as the mitigation. So now I’m going to drop the exploit and payload into um Tor browser. You see the mitigation pops up and tells you what was flagged. It’s very nice. So now, I’m going to uh just run FID0 with using Firefox as the uh target binary. And what you’re seeing here uh where it says number of lookups to do, it tells you everything. That’s recursively, it’s parsing through and trying to figure out which, what DLLs are loaded through the system. And then it will continue through and tell you where you can, you can, where you can use what import table. And so um, it automatically used GetProcAddress you can see it at the bottom where it says GPA. But I’m going to use the MINWIN DLL. Cause you can see it’s in KERNEL32 and then it’s the API MS Win Core Libraryloader DLL. And what I, what I did here is I had an encoder to uh put the output, uh standout so I can reformat it into uh a proper Javascript format. Just showing that. I already have it in the uh, exploit example. I just need to uncomment it. This is a calc payload. Restarting the Tor browser. And there you go. [applause] Alright and um, so these payloads were introduced at RECON Brussels back in January 2017. For Def Con twenty-five I’m releasing sixty-four bit payloads and that brings us to mitigation and bypsses. So I opened up a, uh Github issue to incorporate these import address table payloads into MetaSploit, Uh part of what I was offering to do was to release these sixty-four bit stubs uh to whelp with that process. And, and, if, if my top would have ended here, right here. However, three months later, after my Github issue submission and five weeks before this talk the EMET protections are being added back into Windows 10. Implemented via the Kernel. Additionally uh, Matt Graeber, pointed out to me that there’s now a import address table mitigation. Which is, this was my reaction. Just flipping tables for days. Uh, yeah. So how does, how does the import address table filter work? Well, so I, you had to downl- I had to download the preview edition This is coming out in the fall by the way, officially. But you can get it preview edition. So first off they’re not enabled by default. You have to go through and click through and enable everything. But what it does is they take, there’s a pointer to the import uh name and they zero that pointer. So at, at this point the, the thunks are there so that compile code can work. But at this point you’re driving blind and uh, if you’re driving blind you’re, you’re probably going to crash at some point. And uh, yeah it’s pretty awesome. So but ya know the funny thing is I knew that something like this might happen so I had a, an ace in my pocket. Um so this is KERNEL32 entry for GetProcAddress. And on the next line is GetProcAddress for caller. Um, this was introduced on Windows 8 It’s exported by kernel base and then imported by KERNEL32. That means it's in every process. It works very similar to GetProcAddress. It’s not filtered by the import address table filter yet. And this is how it works. You just add a zero on the end and that’s [laughter] technically, yeah way to go guys. Uh so yea, so it, [inaudible noise] so I’ve added, I’ve added this into uh FID0 and you use it basically um, you use it through ExternGPAFC so I’ve got a demo for that real quick. Um, sorry. Alright so, what I, what I did. Let me just, I don’t remember. Alright so what we’re doing here is, so I’m just taking a sixty-four bit uh, reverse shell from MetaSploit and I’m just using GetProcAddress and then I’m passing it to Backdoor Factory patching who is sixty-four and then I’m going to throw that onto the operating system. Now I do not have the protection enabled yet, just to show you that the protection does work. There you go. Uh, now I’m going to enable the protection. And then uh, it’s going to take a second to crash but it will crash. There you go. And then I’ll run it again and it should be faster the next time. Alright, now I’m going to use uh, GetProcAddress for caller. Put that on disk. And there you go. [applause] So I did let Microsoft know about this. So they’re gonna, they’re gonna have a patch for it whenever it comes out officially. Because since they were making an effort to make it an honest try to fix it then I decided to let the know. So now what? Now we can’t parse the export table or the import table. Uh is is possible that you could find more APIs that are not filtered and that can give you use- useful information to get to GetProcAddress? Yeah, probably. Or, what if we didn’t use import table or the export table? So let’s think about this real quick. Um, in modern users space Windows exploitation you have to bypass ASLR dep and other protections. And on top of that your exploitation is most likely to be tailored to a specific version or versions of software and operating systems. So why shouldn’t your payload be targeted also? Why does the payload have to work on every operating system from XP to uh Windows 10? Right? Why not make it targeted to that specific um version of application. So the way that you would do that is you would go to GetProcAddress directly. And the way it would work is you would take PEB imagebase and that’s easy enough to find and then GetProc, the offset for GetProcAddress and that’s going to be version dependent. And the offset can be found during exploit or during exploit or payload development. And um, this is going to be in the main module of the main program. Or it can be any, in any application uh specific DLL. So I would not target system DLLs because those change very often. So if, so if there’s a DLL that has the same offset for a number of versions, for lets say, they depend on openSSL for something and they just, they just uh, hope they don’t update the openSSL binary, binary even though you’re not exploiting the openSSL, you can use the uh GetProcAddress um, offset in that DLL across multiple versions. So and, and it does say codes. So this is, this is the import uh parse table code to find and GetProcAddress. Just to GetProcAddress. It’s a fair bit of code, um but if you know what, if you know what GetProcAddress offset is going in, that’s how much code it takes, obviously, right? So uh, and, and so what if, what if you had um more, what if you had, you couldn’t find a single GetProcAddress in one DLL Well what you would do is you would find a uh, DLL that was consistent acr- across all versions that had GetProcAddress and then you would engineer, you would diff the um binaries across different versions, diff the DLL’s across different versions and then you would make a similar lookup table, uh so that you could use the diff sections to figure out what version you’re in and that would be associated with the appropriate offset table. So I have an example of not of the actual diffing process but I have the example of using an offset for GetProcAddress. Either within the uh main module program or the external offset, uh DLL, right. So um, if anyone wants to help me develop that or engineer that system, please find me. I’m easy to contact. I’m on Twitter and I have an email address. Um, that sums up my talk. Any questions? [applause]