 So hi guys today, I'm gonna talk about a tool that I wrote like a couple of months ago that basically Invade pretty much everything on your network starting from your IPS ideas and boxes and point solution by using a simple trick Which is polyglot images so basically you'll get the point of the the name of the tool Basically, it just rely on cat all the time to evade pretty much everything So who am I I'm working for Mandian for like two years now Also French Canadian the kibic was so please excuse my terrible accent. That's my parents fault I'm also the founder of the ring zero team So some of you may know that website is actually just an online CDF that you can try challenges all years before the insect and make Sure that you're ready for the competition And also really love to do like assembly code and bypass stuff So basically we're not gonna drop any all day during this presentation Sorry about that and it does gonna content some assembly. It's pretty light assembly. It's nothing super complex But I guess I hope you're gonna love assembly after this presentation because assembly is live for me So basically this is a simple version of a company network You're gonna have the cloud which is a terrible in place Where there's so many malware's and people that try to send malware into your environment And you're gonna try to avoid that by using IPS Sandboxes and end point solution So if you want to execute a malware on a computer inside of a corporate environment, you're gonna have to pass through all of these Technologies, so I was thinking what's the best way to actually go through all of these Appliance without worrying about it and I come up with a solution that is quite simple. Let me just check my slide Yeah, so there are some evasion techniques that you can use Generally to bypass the sandbox itself So your code gonna be executed on sandbox so you can perform like memory check User check disk size. There's so many Bypass that you can use are already well known But it implied that the binary or the payload is actually executed on the sandbox Which at that point it's kind of bad because you already know that some things executing in the sandbox And I just wanted to avoid that part too. So I just wanted to come up with some things that do not even run on the sandbox So I come up with the question. What can go through a sandbox without being executed? There's so many different format like for example, if you have word They may try to parse the macro and execute it So if you use a malicious macro, you may be getting up flagged by the sandbox itself or the ICS That says this document do contain a macro. So it may be Malicious, we just don't know but there's a macro executable DLL power shell, of course, they're well known But there's some format like images that generally just don't care because parsing an image It's kind of a waste of CPU cycle for the sandbox. So there's no point of checking in an image, right? So what's going down that bad? I was asking myself, is it possible to actually use an image to execute code on the endpoint? So this is actually the bitmap file error format. So it's quite simple The format is just the magic byte, which is capital B, capital M Then you're gonna have like a couple of bytes that are used for the size. You're gonna have Something else. I just don't see it because I don't have the screen on my computer But basically you're gonna have the the error that contains some some other error object like the size of the images The format some special things regarding the color in the images and the cool thing about the RFC regarding bitmap This says that the the the next four byte used By the bitmap format are not reliable as the size for the images which basically mean that they're not used by bitmap parser So that's quite interesting. Basically, we know that to have a valid bitmap error We need the capital B capital M then Probably whatever we want then the rest of the mandatory error So let's just give it a try and I just manually did it a valid the bitmap images by changing those by with Garbage's so the first little white square is actually the first images Which is the unmodified image and the second one is actually the modified image with the random error And apparently both load properly and actually PowerPoint parsed the image as expected So it seems to be a valid power bitmap image which is good news for us. So we control those bytes So what about trying to see what we can do with those bytes and make sure that they may be executed as a malicious payload if you look at the BMP from a assembly perspective is to convert these into the Instruction used by Intel CPU is going to be converted to I don't see Increment edx and decrement ebp. So basically from a shellcode perspective, you're not addressing any memory location You're not differencing memory. So if you execute these by it as shellcode everything is going to go well Your shellcode not gonna crash If you look at the second example, this one actually rely on differencing a location of memory So for example, let's assume that these by will be converted to an instruction that look like that Your shellcode gonna be totally broken because you don't have any idea of what's inside of the register that it's going to be De-referred by the the instruction itself. So Seems like those two bytes are quite promising from a shellcode perspective So we can probably just execute them as shotgun and everything is going to work as expected So this is where I'm to do the cat so I basically has Google for a cat bitmap images And the first one that I get is actually that one. So someone Photoshop at a cat I thought it was a perfect picture for bypassing AV solution So let's actually take this legitimate image and modify the part of it So I just went to the the end of the the bits used for the images Basically bitmap is a super simple format one bits for per pixel So I just changed some of them using CC Which is basically an instruction assembly, which is an interrupt and I just saved the image again If you zoom into the image, you're gonna see the top right corner of the image has been modified Of course because we changed the bytes. So in this case, it just had a little gray line into the images But don't get me wrong if you look at the image full-size, it's not that big But even that I wanted to make sure that this line got removed So I just take a look at the format of the bitmap editor and manage to actually just edit the size a little bit and I just changed the size editor and remove a couple of Just reduce the the height by one So basically the first line gonna be removed and bitmap format is so simple that basically if there's more biting the images They're just gonna discard it So they're just gonna take the rest load the picture and the first lines gonna be removed And you don't see it in more. So basically we just have the same image with a little bit with one less height And it's still work So now what about the payload so we know that we have to have the Bm memory other than we can had a jump to the last part of the images to actually execute a payload that we control So this is where it come interesting Basically, I don't see anything Yep, so this is the jump instruction that I use to actually Jump to the end of the images. So basically if you remember on the This slide if you look at the bottom the bottom edge images You're gonna see the bunch of see that started a location after the start of the After the start of the images So you basically just calculate the length between the jump and this location into your images and you go Ended up with that value. Basically, this is just the upcode representation of the jump to that location So if you look at the images at that point, you're gonna have the Bm the jump that jumped at some location inside of the images Which is something that we can control So to test that it works as a spectator I just come up with this little seco basically just load a file execute the file as shellcode So that was just the easy way for me to test it So this is actually the image load in Immunity debugger and by the way, I did the the shell coding in 34 bytes just for portability reasons since most of the windows Now they still support 32 bytes So you're pretty sure that it's gonna work on both type of of architecture So this is it. This is just the loading. So basically the little C code just gonna end it up calling a register which contain the The image itself so if you look at just put a break point before the call happened And if you look at the address in memory, you see that this is actually the image And you can see the Bm at her and the jump and the rest of the image format So at that point, this is the beginning of the images So as you can see we have the two first instruction that are actually the Bm Which is the mandatory header for the bitmap then you have your jump that jumps somewhere in the code And as you can see on the second slide after you hit the jump, you're gonna end it up in your CC instruction, which is the one that we control at the beginning So basically we have a fully functional bitmap at our image that is also shall call at that point Of course, CCC doesn't do anything super useful at that point But at least you know that you control a point and you can have whatever you want there So that's the part when you actually use like a well-known shell code like meterpreter shell code or a cobalt Stryich shell code and you obfuscate it. So this is actually the image that is modified with the CCC So as you can see it looked perfectly on PowerPoints. This is a totally valid images So if you send this image to a sandbox, they're just gonna check the file analyze the other and say yeah That's a valid bitmap. So there's no way of there's no point of like analyzing that file because it's curry not malicious Right. This is a super beautiful cat cannot be evil, right? So at that point, I don't see anything Yep, so that's pretty much what I just mentioned. This is a valid image that is also a valid shell code So we have the concept behind the polyglot ideas So now it's time to have a little bit of obfuscation on top of the payload that we're gonna use So it's quite simple To make sure that we avoid the the ideas the sandbox and the other product this part is already done We have the image that is actually valid and sandbox gonna say that's a cute image I don't care, but now we have to take care of the endpoint problem So if we just have like the meter predator shell cone embedded in the images Some of the tools may analyze the data itself over the network and just flagged that the meter predator Shall go which is well known. So we have to come up with some things that actually Take care of it. So there's multiple way to do it I'm trying to actually use the lazy way, which is a little snippet of code writing in pure assembly and in a nutshell The purpose of this shell code is quite simple. It's just gonna take the encrypted buffer So I'll show you later But basically I build a tool that take care of the encryption for you and generate the image and all the Important things for you But you're gonna have the encrypted version of the meter predator Which is actually encrypted using your 32 byte integer. So the first loop basically gonna brute force itself So you have the shellcode payload you're gonna have a 32 byte integer magic before your payload Which is unknown by the process only there's a one there's a line that performed the check on this value So you're gonna have a register that get incremented on each round and it's gonna check if The the magic value XOR with that one actually match if there's a match You know that you actually found the key to un-uncrypt yourself So the program just gonna randomly do this it may takes forever depending on the the computer that you use Once one time it took like 20 minutes to get my callback because I was targeting a client that had like a 2003 super old server with probably half a core. I don't know but it was super slow. It was probably AMD So it takes 20 minutes to get my callback because of the brute forcing loop and like Don't get me wrong a 2d to bite integer can go up to like billions of rounds So if you have a CPUs that takes forever for each round It's gonna take a lot of times to actually get to the key But once you get the key the second loop actually just decrypt your payload So basically the the encrypted shellcode got decrypted then the the final stage of the the shellcode is quite simple it's just gonna jump to the final payload and you're gonna execute the The final stager, which is whatever you want can be like a meterpreter shellcode or a cobalt strike shellcode or whatever shellcode that you roll on your own So this is basically just the very roll explanation on what I just told you so basically I don't see anything So basically let's assume that the the key that was generated by the tool is 1337 1337 and our magic number was 41 41 41 41 Basically the shellcode just gonna Run increment the register. So at some point the The register gonna contain the number one three three seven one three three seven and it gonna perform the XOR operation with the The value that is sophisticated in the the final shellcode and if the result equals something that matched the The shellcode actually understand that he found his own key to decrypt the rest of the payload so at that point the the the software just gonna continue and Decode the rest of the original shellcode by using the same key over and over and by XORing each 32 by the integer of your final pale So this is the basically the last part of the second the second part of the shellcode So basically you have the loop that basically check the value inside of ECX And if it matched the magic number, you know that you have your match then you can get out of the loop and continue So ebx contain the key to be tested ex is pointing to the officiated data the 32 byte value Containing to ex is push on the stack So basically this is just a trick to avoid null byte because I wanted to make sure that my shellcode is clean for other purposes because you want to avoid null byte in your shellcode as we discover yesterday during the workshop and all ECX byte or swap because actually I just wanted to have a little bit of Uffication in the the process itself basically the number that you're gonna get it's not exactly the key because it needs to be swapped Just to make sure that reverse sir may spend a little bit more time on this because they may think that this is the key But actually it's gonna be swapped after it But at the end the key remain the same and after that the result is compared with the magic numbers and loop until a Cx actually found a match and at that point you get the key and you're allowed to decrypt your Your malicious payload So I guess that's probably yeah, that's the second loop. That's basically the decryption loop So it just Just doing a little loop It's just gonna jump by four all the time because since it's a 32 byte integer you're not working on one byte at a time You're basically working on for 32 bytes at a time So basically the loops go four by four to decrypt the block of encrypted data and the last step is to jump to the Final payload after that So this is basically the UI for your tool. It's not the best you are ever so you still have the sleepy cat which void AV because he's sleepy and You have like five functionality actually there's only four in the screenshot But there's another one that just had for for convenience See but you can also your image using a simple web server embedded into the the tool So basically you can just run the web server that gonna deliver your images Of course, you can also your image someone else on the internet is really up to you You can also generate the image itself So basically you're just gonna specify the shellcode that you want to execute Then it's gonna generate all the images gonna patch the other make sure that everything's fit gonna Reduce the eye to make sure that your shellcode do not affect the visual of the image Then you're also gonna generate the power shell Final stage that gun actually execute the images because you still have to run this image on your client or endpoint So the trick that I use is actually relying on power shell that actually just gonna execute Shellcode in memory. So from a like IR perspective, you're gonna see power shell downloading an image And that's pretty much it you're gonna execute the image in memory So you can probably fetch the link and you're just gonna realize that this seems to be just a normal image So if you stop there, you may lost the fact that this is not actually just a normal image But it actually do contain a malicious payload inside of it and after that you can also generate the shellcode This one already been covered. You can exit the tool, of course And that's pretty much it and there's actually another functionality that you can specify a raw shellcode And just gonna give you the a shellcode format required by the tools, which is not in the screenshot at that point So this is it This is the the tools used to the module used to generate the payload So as you can see you specify the shellcode, which is actually just a default Metaspoiler meter per hour shellcode in this case and it's just gonna generate the image for you So it's gonna do all the magic. It's a little bit verbal. So, you know what's going on Basically, it's gonna patch the bitmap header generate the random key used for the decryption Then it's just gonna patch the image that you provide by default the tools come with the the cat image It's really up to you to choose whatever bitmap image you want because they're all the same Then it's just gonna generate the the modified version of the image so after that as you can see this is the The image that we generate using the cat with the meter meter per header payload in it So again, you still have the bitmap header bytes Then you're gonna have your jump that jumped to the shellcode and here's the decryption Decryption routine so as you can see you're gonna recognize the code that we discussed a little bit earlier So you'll see in the middle. I think it's yellow Yep, you'll see that Yeah, it's actually a light blue but it's gonna do the compare with the magic number that has been randomly generated by the tool and At that point when you get the key is gonna go back to the bottom and ticker of decrypting the rest of the payload and At that point your image has been fully executed and you're gonna jump to the official Metasploit payload and you're gonna end it up having your meter per session without been noticing over the network because your Your payload was fully encrypted inside of an image, which is valid So ideas IPS and sandbox generally don't care about that part on the endpoint side Of course, it's really dependent on the kind of solution that you have This one as I told you the default payload actually rely on power shell Which may be detected by some some end point solution But there's other solution for that that I'm not gonna cover during the talk because I don't have enough time But there's a way to actually execute power shell without ever invoking power shell So we ended up having an image that is valid shocker I don't know if we should be proud or feel guilty about that. It's really a question of point of view I guess So last step as I told you it's you to use power shell to actually execute the the shell code itself So it's quite simple. You just use power shell a lot of people already wrote this kind of script You're just allocating memory and you're taking care of pushing your bytes in it And you're just jumped with pretty much the same as the sequel that we used earlier to test for payload So when you're done at that point, you're just gonna Go through it and you guys I told you you're gonna virtual a lock a space of Allocation and memory to to copy your bytes Then you're gonna create thread and just jump to your your memory location and execute it as shall go Which is actually in this case your images So this is pretty much the power shell script that the tools gonna generate for you in a nutshell just gonna perform a download the strings which is a Well-known API and power shell that allow you to download a string from the internet But it's never gonna write the string to disk So the the image is never gonna touch the disk It's only gonna be in memory and you can execute that That part of memory using the virtual a lock the create thread and wait for a single object to to make sure that everything has been Executed as expected. So this is the end goal memory Delivery mechanism used by the tools so you can use the tools to generate all of this because nobody wants to write power shell I do not like to write power shell at least So the first step is quite simple. You just specify the URL where your malicious image is actually located So specify the URL quite simple then you have the tool to generate you the one-liner power shell So it's just a power shell one-liner with the base 64 encoded Power shell a code that we see earlier, which is excel there. So this is just feature in power shell You can just encode everything in base 64. That's actually quite interesting. It saves you a lot of time And after that you can just host the file as we created you just start the web server on whatever port in this case I use the port 880. So at that point the image is actually stored and Ready to be the delivered to your your victim through the internet So That was interesting. I was able to run shellcode at that point. So I Have like cobalt strike beacon payload or meter meter predator pedal, but I wanted to go a little bit further with this idea I just wanted to be able to deliver whatever executable through this metal life For example, if you want to run Mimi cats, which is a full-blown EXC file so it takes a lot of space and how to actually execute it like using a shellcode approach So I came I just do the same process with actual with actual DLL and EXC file And I just realized that again the only two men that's rebites at the beginning of a EXC or a DLL file is actually the mz which is the mz editor before DPE editor So after that you have the magic and other field are actually not really required to make your Your binary font fully functional. So again the the error is converted to Increment edx and pop edx. So again, nothing's that gonna break your shellcode. So you're you're all good for that Then you can actually do the same idea. So jump and have like a little Shellcode actually load the EXC in memory and execute it and actually this is how metaspoit Pretty much deliver their DLL after the first stage. They're using a slightly different approach But the idea is quite the same and funny fact I just discovered that after I did all of that. So I should have just read about it before and save a lot of time so Usually an EXC and DLL you're gonna found a bunch of Null byte that are not used at the end of some of the section that can be used to basically Provide whatever you want. So we usually call them cod cave So this is the perfect place to actually put your shellcode So the idea beyond is you're gonna patch the DLL or the EXC that you want to deliver automatically using the tool And you're gonna have a little shellcode inside of the code cave that actually load the binary itself in memory place all the section Map it in memory and just execute the the EXC itself So that was the idea behind that part and again, we just wrong one way Basically what you have to do is quite simple But I mean quite simple I have to read the slide because I don't remember all but you're gonna virtual a lock all the PE editor You're gonna parse the image base and the size of image So basically you're gonna be able at that point to map your your EXC and memory after that You're gonna virtual a lock all the section that are defined in the errors then you're gonna be able to Import the loaded table using game proc address And at that point you can call the entry level because everything has been loaded in memory It's like having a EXC loaded but manually instead of using the underlying operating system So sorry So once the polyglot DLL or EXC file has been generated it can be embedded inside of the image So of course you're gonna need a little bit bigger image because usually EXC or DLL are way bigger than a simple shellcode But you can still hide it in your image So at that point you're gonna have the whole EXC embedded inside of the image The EXC gonna have the error patch that gonna jump to the shellcode inside of the DLL or the EXC Which actually gonna load itself in memory and execute it Which means that you can fully embed like Mimi cats for example inside of the image and run it remotely in memory without touching the disk and totally bypass all the the network production mechanism because it's just an image right so there's nothing malicious in an image Actually, like if you look at PowerShell nowadays They're gonna do pretty much the same like they're gonna load Mimi cats from a website Or using a PowerShell script, but the thing is it's easy to get the To get a access to this value because it's actually clear at some points Even if it's encrypted over the network using HTTPS most of the time like those end point solution Gonna have like web hook or other functionality like that that have visibility on the packet that your computer receives So they're gonna flag that actually you downloaded Mimi cats and they're just gonna block it at that point So you just have to have this layer of investigation to make sure that it goes through the network without being detected So that's actually the links for the tool if you want to give it a try There's no read me at the moment on purpose, but I'm gonna date it in the next couple of days to actually make it more User friendly for for you guys, but that's pretty much the tools and the idea behind it. So that was it for me