Today I was asked to give a proof-of-concept as a fun way of entering the holiday season. The idea was to prove why file upload (without extension / file type checking) can be dangerous. The target client and web server were both using A/V. We already knew it was possible to upload whatever type of file you chose. The question was, as the administrators demanded would be the case, would the A/V stop such an attack?
The answer?
Using solely the technique gained here, which is @Mubix's site... sadly... the answer is NO. Now a week ago this would have worked. Recent A/V updates have changed that. So how to get around it?
Note: I've been warned by @carnal0wnage that this technique will most likely flag on some products because of the UPX packing.
That being said, it worked great against the A/V and it turned out to be a fun day.
Instructions:
Create and encode the meterpreter payload as instructed on Mubix's site (link above).
Download the UPX packer here. I chose the upx-3.04-i386_linux.tar.bz2 for BT4.
Now simply bunzip2 & tar -xvf the file and cd into the upx directory. Perform a ./upx
Happy Hacking!
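On the defending side, the lesson is that the upload handler has to inspect file content itself instead of leaning on the A/V. The following is an added example, not part of the original post: it refuses PE/ELF uploads by magic bytes regardless of extension and records UPX markers for logging. The function names and the sample bytes are constructed for illustration.

```python
import struct

UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}  # section names UPX gives a packed PE

def pe_section_names(data):
    """Return the PE section names, or [] if data is not a parseable PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(n_sections):
        entry = data[table + 40 * i: table + 40 * i + 8]
        if len(entry) < 8:
            break  # truncated section table
        names.append(entry.rstrip(b"\0"))
    return names

def inspect_upload(data):
    """Decide on an upload from its content; the file name is never consulted."""
    is_pe = data[:2] == b"MZ"
    is_elf = data[:4] == b"\x7fELF"
    executable = is_pe or is_elf
    # Heuristic only: the markers can be renamed or stripped, so their absence
    # proves nothing. They are useful as a logging/alerting signal.
    upx = bool(UPX_SECTIONS & set(pe_section_names(data))) or (
        executable and b"UPX!" in data)
    # A production handler should allowlist the expected types (images, PDFs...)
    # rather than only denylist executables as this short example does.
    return {"executable": executable, "upx_markers": upx, "allow": not executable}

def _sample_pe(section):
    """Constructed minimal PE header with one section, for demonstration only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    return dos + coff + section.ljust(8, b"\0") + b"\0" * 32

if __name__ == "__main__":
    print(inspect_upload(_sample_pe(b"UPX0")))   # packed-looking executable
    print(inspect_upload(b"\x89PNG\r\n\x1a\n" + b"\0" * 64))  # image header
```
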
Friday, December 18, 2009
File Upload, Anti-Virus, UPX Packer, Mubix's article and a partridge in a pear tree.