Sewing Patches in the Veil AV Evasion Framework

Monday, August 26, 2013

Kyle Young

4ed54e31491e9fa2405e4714670ae31f

I have to admit that I am a little bit weary about the gaining popularity of Veil. AV evasion is really a game of cat and mouse, between the anti-virus companies and the individuals who are trying to evade detection. In this article we will be taking the role of the 'mouse' per se by working with this framework. We will first fix a bug in the framework and I will also show you how to use this framework in an ARM Kali chroot environment where wine is not readily available.

First, let us fix Veil because without this fix, Veil's use under a Linux environment is diminished greatly. To get the Veil framework, you can either do:

git clone https://github.com/ChrisTruncer/Veil veil

Or

sudo apt-get install veil #If you have the right repositories or are using Kali Linux

To get the newest bleeding edge version, you'll want to use the git method. However, if you use this method you will need to run the setup.sh script under the setup directory. This will handle the installing of the necessary dependencies. If you're running an ARM Kali chroot environment on an Android based device, you will want to use 'git' because if you attempt to use apt-get to install veil, it will bomb out and give you an error message that wine is unavailable.

Upon my first use of Veil, I followed this post from the SANS Penetration Testing website closely. One issue I ran into was in the 'How would you like to create your payload executable?' stage. The default method 'Pyinstaller' method did not seem to be creating an executable  in the veil/output/compiled/ directory, but it would create a source file in the source directory (which is still useful, more on this later).

I knew the framework relied on wine and a wine installed version of python to generate payloads under a Linux environment but wasn't sure where to look for where this took place in Veil's code. I started greping for wine in the Veil python modules and soon discovered this interesting piece of code that appeared to be the source of the problem.

Line 84 of the supportfiles.py file which is in the veil/modules/common/ directory contains this line of code:

os.system('wine ' + os.path.expanduser('~/.wine/drive_c/Python27/python.exe') + ' ' + os.path.expanduser('~/pyinstaller-2.0/pyinstaller.py') + ' --noconsole --onefile ' + payloadFile )

Due to the fixed path of '~/pyinstaller-2.0/pyinstaller.py' for Veil to work with this current code, one must have this directory structure and files in their home directory. If you're using Kali Linux, change this piece of code to '/usr/share/pyinstaller/pyinstaller.py' and Veil will now create portable windows executables.

Before I discovered the source of this bug and simple fix for it, I took the harder route and attempted to create the portable executables under wine following these requirements (from https://github.com/ChrisTruncer/Veil/blob/master/README.md ) :

Windows

  1. Python (tested with x86 - http://www.python.org/download/releases/2.7/)
  2. Py2Exe (http://sourceforge.net/projects/py2exe/files/py2exe/0.6.9/)
  3. PyCrypto (http://www.voidspace.org.uk/python/modules.shtml)

I soon learned there were issues with py2exe working under wine. py2exe under wine creates invalid windows portable executables. (http://stackoverflow.com/questions/12170373/python-to-windows-executable-under-wine). I was then stuck with the Py2Exe method that relies on having a Windows machine readily available.

Veil Mobile Scenario

This then brings me back to the mobile scenario. To the best of my knowledge at the moment (and correct me if I'm wrong) you can't install wine under an ARM Kali Linux chroot environment. So if you want to create payloads using Veil on your Android device, you will have to first obtain Veil via git. Secondly, there is no need to fix the code like I posted. You can leave the code as is.

You can now create python source files using either pyinstaller or py2exe under Veil. If you use the pyinstaller method, you will have to copy the files to a Linux machine that has necessarily dependencies for Veil and you can simply create an executable doing something like this:

wine ~/.wine/drive_c/Python27/python.exe /usr/share/pyinstaller/pyinstaller.py meterpreterpayload.py

Or you can use the py2exe method and copy the files to a Windows machine and compile your executable that way.

Other issues with Veil

One minor annoyance with Veil, is that I've noticed the portable executables are kind of hefty in size. If you create a payload using the pyinstaller method, the executable is about 2.4 megs and if you create one using the py2exe method under windows, the executable is over  5 megs. This is quite large in comparison to using msfpayload/msfencode or msfvenom, which creates payloads that are typically less than 100 kilobytes.

I would also like to see Veil being able to bind the obfuscated payload to non malicious executable like putty, however all in all I'm very impressed with this framework and hope the developers like Chris Truncer keep up the good work.

 

Cross posted from: http://zitstif.no-ip.org/?p=882

11301
Post Rating I Like this!
Default-avatar
Chris Truncer Hey, this is Chris Truncer, I'm one of the developers of Veil and wanted to be able to speak to some of your points.

We've been working with the great guys on the offsec team to get the veil apt package updated correctly. Due to its variety of payloads, Veil does have a large amount of dependencies. As you could imagine, there's some room for error. It's currently being looked at by our end and the offsec team, but that's also the reason that we are using github, so that users always have a second way to obtain the tool.

When configuring Veil, the setup script should install everything for you, including placing pyinstaller in your home directory. This is the first time we've heard of someone preferring the pyinstaller folder to be in a different location. If this becomes requested, we can look into changing its location. The reason we have it in its current location is to attempt to ensure compatibility with as many linux distros as possible.

We also found the same resource as you about using py2exe within wine, so you'll need a windows computer (or VM) to invoke py2exe. We wanted to provide both options so the user can make a choice as to which they prefer.

As to payload size, the examples you cited were specifically for python based payloads. Veil can create payloads in multiple languages, with varying size as well. Those sizes you've cited are also normal sizes for pyinstaller or py2exe due to needing to package the python interpreter and other dependencies along with the payload source as well. So if size is an issue, we'd definitely recommend checking out all the payload options.

At this point, Veil is utilizing the Metasploit Framework to generate shellcode and package it up into various language invokers. For backdooring legitimate files, there's always the -x template option for msfvenom, and we also have plans to integrate a separate tool that allows for more comprehensive backdooring. The schedule is to hopefully release that after Derbycon.
1377521506
4ed54e31491e9fa2405e4714670ae31f
Kyle Young Chris,

Thanks for your comment. I also forgot to mention that I wanted to look into alternatives to upx to see about compressing the payloads. The issue is, is that upx can be flagged by AV venders.

"When configuring Veil, the setup script should install everything for you, including placing pyinstaller in your home directory. This is the first time we've heard of someone preferring the pyinstaller folder to be in a different location."

The last time I ran the setup script, it did not do this for me, however, I will have to give it another try. :-)
1377532087
Default-avatar
Chris Truncer UPX actually isn't installed by default when setting up Veil specifically for that reason, it does get caught simply because it was packed. So that would have to be something installed by the user post-install.
1377558166
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.