-
Slides Post Exploitation and Attack Vectors in vSphere
Slides from Owasp Meeting Cologne 14.09.17: Post_Exploitation_and_Attack_Vectors_in_vSphere
-
Sandbox Evasion PoC Killswitch gethostbyname
Recently lots of people talked about killswitches, so I decided to make a quick test. Using gethostbyname as a sandbox evasion technique seems to work just fine. The function gets a hostname and tries to give back the IP address. The shellcode in the PoC is only executed if the IP cannot be resolved. Hope…
-
Paper AVET Blackhat USA 2017
Hello folks, I wrote a paper for the presentation of AVET at BH USA 2017 Tools Arsenal, explaining the tool and basics about antivirus evasion: BH_USA_2017_AVET Thx to @mback2k and @blubbfiction for the review.
-
Using msf alpha_mixed encoder for antivirus evasion
For enhancing AVET I had a look at the alpha_mixed encoder from the metasploit project. An ASCII only shellcode can be produced that way: # msfvenom -a x86 –platform windows -p windows/shell/bind_tcp -e x86/alpha_mixed BufferRegister=EAX -f c With the common technique of a shellcode binder (or function pointer) the shellcode can not be executed, because…
-
AVET video
Someone made a youtube video about AVET, with a full run and setup. Might be useful for first time users. Stay tuned for the next version that will be released end of July ’17 at Blackhat USA.
-
Write your own metasploit psexec service
Lately I made some research about metasploit’s psexec module and how to write your own service executable. This will be integrated into AVET within the next weeks. The PoC is simple (download: https://github.com/govolution/avepoc/blob/master/psexecservice.c): // compile: // wine gcc -m32 psexecservice.c #include <windows.h> #include <stdio.h> #define SLEEP_TIME 5000 #define LOGFILE “C:\\status.txt” SERVICE_STATUS ServiceStatus; SERVICE_STATUS_HANDLE hStatus; void…
-
AVET and unstaged payloads
There are several reasons for using unstaged payloads for meterpreter. Since the dlls are not loaded over the network, but are included in the executable file, this may reduce the chance for an IDS/IPS to detect the connection. The executable will be much bigger: # ls -al pwn_unstaged.exe -rwxr-xr-x 1 root root 1578548 May 6…
-
Slides Owasp Meeting Cologne AVET
Yesterday I had a presentation about the AVET AntiVirus Evasion Tool at the OWASP meeting Cologne. The main part was demonstration, but nevertheless: here are the slides.
-
Using TDM gcc with Kali 2
This is an article for usage with avet, my antivirus evasion tool you can find here: https://github.com/govolution/avet I had some trouble using mingw cross compiler. It should work fine, so I suggest you try that first. But if you want an alternative, here is how to use tdm for windows with wine in kali (2016.2).…
-
Extract text and media content from docx
Here is a small bash script for extracting the text and media content from a docx file. Might be useful if you do not want to open the file with word. Works with cygwin, should work with linux. Github: https://github.com/govolution/stuff/blob/master/xtractdocx.sh Usage is pretty straight forward: $ bash xtractdocx.sh test.docx * extracting media files to ./test.docx1484702626/media…