
How to Evade AV with OWASP-ZSC - Part 1


By: mkrishna

January 20, 2018

Among the tools available to create shellcode capable of going undetected by Anti-Virus (AV) software, OWASP-ZSC (Zero-day ShellCode) may be the most versatile.

Shellcode is basically a set of instructions that execute when the code is injected into a running application, such as SMB and other vulnerable services and applications. Buffer overflows are most often used in these cases. When a stack- or heap-based buffer overflow is executed, the shellcode is injected and often gives the attacker a way to control the target system through such things as a command shell (hence its name).

Let's take a look at how we can use OWASP-ZSC to build, encode and obfuscate shellcode.

Step - 1 Fire Up Kali

The first step, of course, is to fire up Kali or another attack operating system. OWASP-ZSC is developed to run on Linux, OSX or Windows, but I suggest you run it under Linux as some components don't work properly under the other two OS's.

Step - 2 Download OWASP-ZSC

OWASP-ZSC is not built into Kali, nor is it in the Kali repository, so we will need to download it from github.com.

root@kali:~# git clone https://github.com/zscproject/OWASP-ZSC

Once we have OWASP-ZSC downloaded to our Kali system, the next step is to install it.

Navigate to the directory of OWASP-ZSC.

root@kali:~# cd OWASP-ZSC

Next, we need to execute the installer script.

root@kali:~/OWASP-ZSC# chmod 775 installer.py

root@kali:~/OWASP-ZSC# ./installer.py

Once the installer has run, you should see a screen like the one above. Note that to uninstall OWASP-ZSC, you simply run the ./uninstaller script. Also, once OWASP-ZSC has been installed, you need only type zsc to start it.

root@kali:~# zsc

Step - 3 The OWASP-ZSC Help

Before we get started with OWASP-ZSC, let's take a look at the help screen. That's ALWAYS a good idea when using a new application.

zsc> help

In the screenshot above, you can see that OWASP-ZSC displays all the commands in its help screen. The key commands are the first six, but also note the back, clear, help and exit commands, which are useful when working in OWASP-ZSC.

Step - 4 Generate Shellcode

Now, let's generate some shellcode. As we can see from the help screen, we simply type "shellcode" and then "generate".

zsc> shellcode

zsc/shellcode> generate

OWASP-ZSC uses the TAB key to show the options for any command, so now we use TAB to show the shellcode options.

As you can see below, OWASP-ZSC has three OS shellcode options: linux_x86, osx_x86 and windows_x86. Since most of us are interested in Windows, let's type:

zsc/shellcode/generate> windows_x86

Now that we have selected the target OS platform to build shellcode for, we can hit TAB to get more options.

OWASP-ZSC now displays the shellcode options it has for windows_x86. Note that we are not limited to these shellcodes. OWASP-ZSC will work on just about any shellcode, but these shellcodes are built-in by default.

You can get a plethora of shellcodes to use at shell-storm.org, among other places including exploit-db.com. OWASP-ZSC has an API connected to the www.shell-storm.org site that enables you to search and download directly from the hundreds of shellcodes at that site.

Let's use the add_admin shellcode. This shellcode will, as the name implies, add another admin user on the target system.

zsc/shellcode/generate/windows_x86> add_admin

OWASP-ZSC will now prompt us for the username and password we want to use for this admin account. Of course, I entered my name, "OTW", and password "hackers-arise".

zsc/shellcode/generate/windows_x86/add_admin> username&&password

shellcode. If you don't want to encode, type "none". Here, I chose to encode with random XOR (xor_random). The random encoders produce shellcode that is different each time, making it more likely to be undetected by AV.

zsc/shellcode/generate/windows_x86/add_admin/encode_type> xor_random

After I typed in my encoding type, OWASP-ZSC prompts me whether I want to output assembly code and whether I want to output my shellcode to the screen. I said "n" for the assembly and "y" to output the shellcode to my screen. Of course, neither is necessary.

OWASP-ZSC now prompts us whether we want to output to a .c file. I entered "y". It then prompts me for a file name. You can call your new shellcode any qualified file name, but I entered "mynewshellcode".

When I create my new shellcode, it is saved by default in the OWASP-ZSC directory. Let's take a look. Note that "mynewshellcode" was saved at /root/OWASP-ZSC.

Step - 6 Obfuscate

The process of obfuscation is an attempt to conceal the real purpose of the code. In this way, the forensic investigator or incident handler is less likely to understand the purpose of our shellcode.

Next, we want to obfuscate that shellcode. Enter "obfuscate":

zsc> obfuscate

Now, to see the choices, hit the TAB key. It will display your obfuscation choices. These include:

javascript, perl, php, python, ruby

I selected Perl. For more on Perl, see my series on Scripting for Hackers. This may not be the best choice for attacking Windows systems, as the Perl interpreter is seldom present on Windows systems, but I will use it nevertheless for demonstration purposes. On the other hand, it is unlikely that the AV has a signature for this shellcode in Perl, so it will likely go undetected by Windows AV and be effective against those rare systems where the Perl interpreter is installed.

OWASP-ZSC now prompts you for the name of the file you want to obfuscate. Simply enter the full path to our new shellcode or any shellcode you have on your system. In my case, it is /root/OWASP-ZSC/mynewshellcode.

It then prompts you for the encoding you want to use; I selected simple_hex.

The final step is to test your new shellcode against AV software. If you know what software the target is using, simply test it against that one (check out my article on recon-ng to determine the AV the target is using). If not, you can test your new shellcode at VirusTotal to see how well it evades most commercial AV software.
