GitHub - trickster0/OffensiveRust: Rust Weaponization for Red Team Engagements.
source link: https://github.com/trickster0/OffensiveRust
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
OffensiveRust
My experiments in weaponizing Rust for implant development and general offensive operations.
Table of Contents
Why Rust?
- It is faster than languages like C/C++
- It is multi-purpose language, bearing excellent communities
- It has an amazing inbuilt dependency build management called Cargo
- It is LLVM based which makes it a very good candidate for bypassing static AV detection
- Super easy cross compilation to Windows from *nix/MacOS, only requires you to install the
mingwtoolchain, although certain libraries cannot be compiled successfully in other OSes.
Examples in this repo
File Description Allocate_With_Syscalls It uses NTDLL functions directly with the ntapi Library Create_DLL Creates DLL and pops up a msgbox, Rust does not fully support this so things might get weird since Rust DLL do not have a main function DeviceIoControl Opens driver handle and executing DeviceIoControl EnableDebugPrivileges Enable SeDebugPrivilege in the current process Shellcode_Local_inject Executes shellcode directly in local process by casting pointer Execute_With_CMD Executes cmd by passing a command via Rust ImportedFunctionCall It imports minidump from dbghelp and executes it Kernel_Driver_Exploit Kernel Driver exploit for a simple buffer overflow Named_Pipe_Client Named Pipe Client Named_Pipe_Server Named Pipe Server Process_Injection_CreateThread Process Injection in remote process with CreateRemoteThread Unhooking Unhooking calls asm_syscall Obtaining PEB address via asm base64_system_enum Base64 encoding/decoding strings http-https-requests HTTP/S requests by ignoring cert check for GET/POST patch_etw Patch ETW ppid_spoof Spoof parent process for created process tcp_ssl_client TCP client with SSL that ignores cert check (Requires openssl and perl to be installed for compiling) tcp_ssl_server TCP Server, with port parameter(Requires openssl and perl to be installed for compiling) wmi_execute Executes WMI query to obtain the AV/EDRs in the hostCompiling the examples in this repo
This repository does not provide binaries, you're gonna have to compile them yourself.
Install Rust
Simply download the binary and install.
This repo was compiled in Windows 10 so I would stick to it. As mentioned OpenSSL binaries will have depencency issues that will require OpenSSL and perl to be installed.
For the TCP SSL client/server I recommend static build due to dependencies on the hosts you will execute the binaries.
For creating a project, execute:cargo new <name>
This will automatically create the structured project folders with:
project
├── Cargo.toml
└── src
└── main.rsCargo.toml is the file that contains the dependencies and the configuration for the compilation. main.rs is the main file that will be compiled along with any potential directories that contain libraries.
For compiling the project, go into the project directory and execute:cargo build
This will use your default toolchain.
If you want to build the final "release" version execute:cargo build --release
For static binaries, in terminal before the build command execute:"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars64.bat"set RUSTFLAGS=-C target-feature=+crt-static
In case it does not feel easy for you to read my code the way it is written,
you can also you the below command inside the project directory to format it in a better waycargo fmt
Certain examples might not compile and give you some error, since it might require a nightly
build of Rust with the latest features. To install it just do:rustup default nightly
The easiest place to find the dependencies or Crates as they are called.
Cross Compiling
Cross-Compiling requires to follow the instructions here
By installing different toolchains, you can cross compile with the below commandcargo build --target <toolchain>
To see the installed toolchains on your system do:rustup toolchain list
For checking all the available toolchains you can install in your system do:rustup target list
For installing a new toolchain do:rustup toolchain install <toolchain_name>
Optimizing executables for size
This repo contains a lot of configuration options and ideas about reducing the file size. Static binaries are usually quite big.
Pitfalls I found myself falling into
Careful of \0 bytes, do not forget them for strings in memory, I spent a lot of my time but windbg always helped resolving it.
Interesting Rust libraries
-WINAPI
-WINAPI2
-Windows - This is the official Microsoft one that I have not played much with
OPSEC
-Even though Rust has good advantages it is quite difficult to get used to it and it ain't very intuitive.
-Shellcode generation is another issue due to LLVM. I have found a few ways to approach this.
Donut sometimes does generate shellcode that works but depending on how the project is made, it might not.
In general, for shellcode generation the tools that are made should be made to host all code in .text segment,
which leads to this amazing repo.
There is a shellcode sample in this project that can show you how to structure your code for successfull shellcode generation.
In addition, this project also has a shellcode generator that grabs the .text segment of a binary and
and dumps the shellcode after executing some patches.
This project grabs from a specific location the binary so I made a fork that receives the path of the binary as an argument here.
Other projects I have have made in Rust
-UDPlant - Basically a UDP reverse shell
-EDR Detector - Detects the EDRs of the installed system according to the .sys files installed
-Lenum - A simple unix enumeration tool
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK