To round out the work done by mihi for x86 stages back in the day,
this PR provides x64 Windows stage encryption in RC4 via assembly
written/modified by max3raza during adjacent work on DNS tunneled
transport.
Stage encryption differs from encoding in that there is no decoder
stub or key materiel carried with the stage which can be used by
defensive systems to decode and identify the contents. Persistence
payloads, oob-delivered stage0, and other contexts benefit heavily
from this as their subsequent stage is difficult to detect/identify,
and the chance of accidental execution of the wrong payload/stage
is drastically reduced if separate keys are in play for individual
targets - acquiring the wrong stage will result in decryption
failure and prevent further execution.
For historical context, all of the RC4 stagers implement in-place
decryption via stage0 for the contents of stage1 using the provided
passphrase converted to a key and embedded in stage0 as part of the
payload.
Testing:
In-house testing with Max - we got sessions, loaded extensions.
Notes:
All credit for the work goes to Max3raza - big ups for getting
this knocked out.
While this method here is somewhat noisy on the network it eliminates
a poor user experience when the handler is started but the payload is
not yet running on the target.
When a target is sent a udp packet and it is not rejected push down
an initial "echo syn" command that will respond with output. This
allows framework to be aware that the payload is what is running on
the server port instead of assuming a non-existent target is a valid
session.
Brent Cook