danielsauder

Recently lots of people talked about killswitches, so I decided to make a quick test. Using gethostbyname as a sandbox evasion technique seems to work just fine. The function gets a hostname and tries to give back the IP address. The shellcode in the PoC is only executed if the IP cannot be resolved. Hope…

Hello folks, I wrote a paper for the presentation of AVET at BH USA 2017 Tools Arsenal, explaining the tool and basics about antivirus evasion: BH_USA_2017_AVET Thx to @mback2k and @blubbfiction for the review.

For enhancing AVET I had a look at the alpha_mixed encoder from the metasploit project. An ASCII only shellcode can be produced that way: # msfvenom -a x86 –platform windows -p windows/shell/bind_tcp -e x86/alpha_mixed BufferRegister=EAX -f c With the common technique of a shellcode binder (or function pointer) the shellcode can not be executed, because…

Someone made a youtube video about AVET, with a full run and setup. Might be useful for first time users. Stay tuned for the next version that will be released end of July ’17 at Blackhat USA.

Lately I made some research about metasploit’s psexec module and how to write your own service executable. This will be integrated into AVET within the next weeks. The PoC is simple (download: https://github.com/govolution/avepoc/blob/master/psexecservice.c): // compile: // wine gcc -m32 psexecservice.c #include <windows.h> #include <stdio.h> #define SLEEP_TIME 5000 #define LOGFILE “C:\\status.txt” SERVICE_STATUS ServiceStatus; SERVICE_STATUS_HANDLE hStatus; void…

There are several reasons for using unstaged payloads for meterpreter. Since the dlls are not loaded over the network, but are included in the executable file, this may reduce the chance for an IDS/IPS to detect the connection. The executable will be much bigger: # ls -al pwn_unstaged.exe -rwxr-xr-x 1 root root 1578548 May 6…

Yesterday I had a presentation about the AVET AntiVirus Evasion Tool at the OWASP meeting Cologne. The main part was demonstration, but nevertheless: here are the slides.  

This is an article for usage with avet, my antivirus evasion tool you can find here: https://github.com/govolution/avet I had some trouble using mingw cross compiler. It should work fine, so I suggest you try that first. But if you want an alternative, here is how to use tdm for windows with wine in kali (2016.2).…

Here is a small bash script for extracting the text and media content from a docx file. Might be useful if you do not want to open the file with word. Works with cygwin, should work with linux. Github: https://github.com/govolution/stuff/blob/master/xtractdocx.sh Usage is pretty straight forward: $ bash xtractdocx.sh test.docx * extracting media files to ./test.docx1484702626/media…

A couple of days ago I started running a password honeypot based on heralding. Here is some first analysis and wordlists. Time frame of this analysis From: $ head heralding_activity.log -n 2 | cut -d “,” -f1 timestamp 2016-10-07 19:33:32.291966 To: $ tail heralding_activity.log -n 1 | cut -d “,” -f1 2016-10-22 16:51:06.616767 Password attacks…