Distributing Malicious Extensions via Microsoft Marketplace
Meterpreter is undoubtedly one of the best tools available to cybersecurity professionals. In all our tests, studies, and research, we need powerful malicious code like Meterpreter. Conducting a security test without Meterpreter is challenging, and many people cannot even imagine doing so. Its many post-exploitation modules for pivoting to other systems after compromising one, its small size, and its stability make it one of the most powerful tools available. This power is further amplified when Meterpreter is combined with a good distribution method on Windows. If our malicious code will not be delivered to the target system via an exploit but will instead be used as a backdoor, the distribution method becomes as important as the code itself.
Meterpreter can create backdoors suitable for many types and platforms with the MSFVenom tool. This article specifically addresses two topics:
- Creating a Malicious Extension for Visual Studio (Creating a backdoor that will be integrated into Visual Studio and start every time it runs).
- Distributing malicious code with Visual Studio Marketplace.
For more information, you can visit: VSIXPreter on GitHub.
Creating a Malicious Extension for Visual Studio
I needed a malicious code that would integrate with Visual Studio and automatically start every time the application runs. Starting from this need, I decided to write an extension for Visual Studio and place malicious code within the extension I wrote.
First, we will write a malicious extension for Visual Studio via Visual Studio itself. To write an extension for Visual Studio, click on “Create new project…” from the main screen of Visual Studio 2017.
To develop an extension that will work in Visual Studio 2017, after clicking “Create New Project,” we need to select “Extensibility VSIX Project.” If this menu is empty and you cannot see the screen above, the SDK is not installed on your computer. To install the SDK, click on “Open Visual Studio Installer” from the “Create New Project” window.
From the opened screen, you can install the SDK by checking the “Visual Studio extension development” option.
I created a project named VSIXPreter. With this project, we will have developed an extension for Visual Studio. Automatically, “index.html” and “stylesheet.css” files will be created in the project we created. After creating the project, let’s delete these two files.
Then, right-click on the project and click on the Add New Item menu, which brings up the screen above. By selecting “Extensibility Custom Command” and naming the file “PreterCommand.cs,” we add to the project the “cs” file in which we will code the Meterpreter launcher.
Before starting coding, we need to create a meterpreter shellcode using the MSFVenom tool. The code we will create will be produced compatible with C#.
With the code above, we produce a C# compatible shellcode that will connect to the IP address 192.168.228.127 on port 4444 using the reverse_tcp method.
We can also create our shellcode within MSFConsole as follows:
With both methods, our C# compatible shellcode will be created. The point we need to pay attention to is that there may be differences in the parameters used in both methods. For example, if we are creating shellcode with Msfvenom, the payload is specified with the “-p” parameter, while in Msfconsole, this parameter is used to specify the platform. Although the two production methods work on the same framework, the use and functions of the parameters are different from each other.
We will need three Win32 functions to run the shellcode we created, and we declare them via P/Invoke as follows. With VirtualAlloc, we allocate a memory region equal to the size of our shellcode. With CreateThread, we create a thread that starts executing at that region, and WaitForSingleObject blocks until the specified object (here, the new thread) is signalled.
I defined a method named RunMeterpreter, and this method requires the IP and port variables in string format to be triggered. The complete method that will run the Meterpreter shellcode will be as follows:
I assigned the Base64-encoded Meterpreter shellcode to the variable named shellCodeRaw. Then, from the IP and port values passed in, I compute the 12-character Base64 fragment (newShellCode) and the offset at which it belongs, and splice it into the main shellcode. Thus, instead of regenerating the shellcode every time the IP address changes, it is sufficient to change the IP address I defined as a string.
We wrote the method that will run the Meterpreter shellcode. To run our method, we write the code above into the “Execute” method of type private void automatically created in our “PreterCommand.cs” file. With this code, we create a thread from the Task class and call the RunMeterpreter method. Our extension is now ready. By compiling the application, we can access the extension.
To receive the incoming Meterpreter connection, we start multi/handler as follows:
Now, by running the vsix (Visual Studio extension) file we created, we can install the extension. One point we need to pay attention to is that Visual Studio 2017 must be closed while installing the extension. If it is not closed, the installer may report an error to that effect.
When our project named VSIXPreter is compiled, the files “VSIXPreter.dll” and “VSIXPreter.vsix” will be created. When we double-click and run the VSIXPreter.vsix file, the VSIX Installer will run as shown above and ask if we want to install the application. By clicking “Install” on this screen, we can install the extension to Visual Studio 2017.
After the installation is complete, we will encounter the screen above. Our extension installation has been successfully completed. By opening Visual Studio 2017 and clicking “Run PreterCommand” from the “Tools” menu, we can obtain a meterpreter connection.
As seen, “Run PreterCommand” has been added to the Tools menu. Every time this menu item is run, our Meterpreter reverse_tcp shellcode will be triggered, and a connection will be sent to the address we specified. However, here we encounter a problem: after the extension is loaded into Visual Studio 2017, it is hard to expect anyone to click the Meterpreter item in the Tools menu every time. For this reason, we need to write code that automatically triggers the Meterpreter shellcode every time Visual Studio is opened. But first, let’s upload the “VSIXPreter.vsix” file we created to VirusTotal and look at the results.
We sent our created malicious code to Virustotal. And Bingo! 0/60. Our created malicious code is not recognized by any anti-malware product. Let’s continue to examine our created malicious code with Process Hacker.
The VSIXPreter.dll file we created has been loaded by devenv.exe and sent a connection to the IP address 192.168.228.127 on port 4444. Now, we need to arrange our code to run every time Visual Studio 2017 is opened.
When “PreterCommand.cs” was added, Visual Studio also generated the “PreterCommandPackage.cs” file. By adding the attributes above to this file, we can ensure that the malicious code runs every time Visual Studio 2017 is opened.
With ProvideAutoLoad, we need to specify the UI context in which we want the package to load automatically. The VSConstants.UICONTEXT.NoSolution_string parameter provides exactly this. With this parameter, every time Visual Studio 2017 is opened, the extension is triggered, and a meterpreter connection is obtained.
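The two traits this article relies on, a package that auto-loads on a UI context (the ProvideAutoLoad attribute compiles into an AutoLoadPackages entry in the extension's .pkgdef) and a managed DLL that P/Invokes VirtualAlloc, CreateThread and WaitForSingleObject and decodes a Base64 blob, are both visible in the VSIX package itself without running it, which is worth knowing given the 0/60 VirusTotal result above. The following Python script is an added example for defenders and is not code from the article or the VSIXPreter project: it opens a VSIX (a zip file), reads the identity from extension.vsixmanifest, extracts AutoLoadPackages entries from any .pkgdef, and searches each DLL's metadata strings for the API names a managed shellcode runner must reference. The UI-context GUID it labels as NoSolution is the value I recall for VSConstants.UICONTEXT.NoSolution_string and is an assumption to verify against the SDK; the sample VSIX it builds in memory is constructed test data.

```python
"""Static triage of a VSIX package for auto-load registration and shellcode-runner imports.
Added example (not the article's code). Builds its own constructed sample VSIX so it runs offline."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

VSX_NS = "{http://schemas.microsoft.com/developer/vsx-schema/2011}"

# UI-context GUID as I recall it from VSConstants.UICONTEXT.NoSolution_string (assumption; verify against the SDK).
KNOWN_UI_CONTEXTS = {"{adfc4e64-0397-11d1-9f4e-00a0c911004f}": "NoSolution"}

# A managed assembly that P/Invokes these APIs (or calls Convert.FromBase64String) keeps the names
# as UTF-8 strings in its metadata, so a plain byte search is enough for a first-pass triage.
SHELLCODE_RUNNER_INDICATORS = (b"VirtualAlloc", b"CreateThread", b"WaitForSingleObject", b"FromBase64String")

# pkgdef section header written by ProvideAutoLoad: [$RootKey$\AutoLoadPackages\{ui-context-guid}]
AUTOLOAD_SECTION_RE = re.compile(r"^\[\$RootKey\$\\AutoLoadPackages\\(\{[0-9a-fA-F-]{36}\})\]$")
PACKAGE_VALUE_RE = re.compile(r'^"(\{[0-9a-fA-F-]{36}\})"\s*=')


def parse_autoload_entries(pkgdef_text):
    """Return (ui_context_guid, package_guid) pairs for every AutoLoadPackages registration."""
    entries, current_ctx = [], None
    for raw in pkgdef_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # any section header ends the previous section
            m = AUTOLOAD_SECTION_RE.match(line)
            current_ctx = m.group(1).lower() if m else None
        elif current_ctx is not None:
            m = PACKAGE_VALUE_RE.match(line)
            if m:
                entries.append((current_ctx, m.group(1).lower()))
    return entries


def parse_manifest(xml_bytes):
    """Pull the publisher-facing identity out of extension.vsixmanifest (VSIX schema 2011)."""
    ident = ET.fromstring(xml_bytes).find(f"{VSX_NS}Metadata/{VSX_NS}Identity")
    if ident is None:
        return {}
    return {k: ident.get(k) for k in ("Id", "Version", "Publisher")}


def triage_vsix(vsix_bytes):
    """Inspect a VSIX in memory and return a report with a verdict of clean / review / suspicious."""
    report = {"identity": {}, "autoload": [], "pinvoke": {}, "findings": []}
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as z:
        for name in z.namelist():
            data, lower = z.read(name), name.lower()
            if lower.endswith("extension.vsixmanifest"):
                report["identity"] = parse_manifest(data)
            elif lower.endswith(".pkgdef"):
                for ctx, pkg in parse_autoload_entries(data.decode("utf-8", "replace")):
                    report["autoload"].append(
                        {"file": name, "context": KNOWN_UI_CONTEXTS.get(ctx, ctx), "package": pkg})
            elif lower.endswith(".dll"):
                hits = [i.decode() for i in SHELLCODE_RUNNER_INDICATORS if i in data]
                if hits:
                    report["pinvoke"][name] = hits
    if report["autoload"]:
        report["findings"].append("package auto-loads on a UI context, so it runs without user action")
    if report["pinvoke"]:
        report["findings"].append("managed DLL references memory/thread APIs typical of a shellcode runner")
    n = len(report["findings"])
    report["verdict"] = "suspicious" if n == 2 else ("review" if n == 1 else "clean")
    return report


def build_sample_vsix(autoload=True, runner=True):
    """Constructed sample VSIX (not a real extension) with optional auto-load entry and runner strings."""
    manifest = ('<?xml version="1.0" encoding="utf-8"?>'
                '<PackageManifest Version="2.0.0" xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">'
                '<Metadata><Identity Id="Example.Ext.00000000-0000-0000-0000-000000000000" Version="1.0" '
                'Language="en-US" Publisher="ExamplePublisher"/><DisplayName>Example</DisplayName>'
                '</Metadata></PackageManifest>')
    pkg_guid = "{11111111-1111-1111-1111-111111111111}"  # placeholder package GUID
    pkgdef = f"[$RootKey$\\Packages\\{pkg_guid}]\n\"@\"=\"Example\"\n"
    if autoload:
        pkgdef += ("[$RootKey$\\AutoLoadPackages\\{ADFC4E64-0397-11D1-9F4E-00A0C911004F}]\n"
                   f"\"{pkg_guid}\"=dword:00000000\n")
    dll = b"MZ" + b"\0" * 64 + b"#Strings\0kernel32.dll\0"  # fake PE/metadata prefix
    if runner:
        dll += b"\0".join(SHELLCODE_RUNNER_INDICATORS) + b"\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("extension.vsixmanifest", manifest)
        z.writestr("Example.pkgdef", pkgdef)
        z.writestr("Example.dll", dll)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage_vsix(build_sample_vsix()), indent=2))
```

To run it against a real package, replace `build_sample_vsix()` with the bytes of the .vsix file. The verdict deliberately needs both traits before reporting "suspicious": many legitimate extensions auto-load, and a DLL that merely references CreateThread is unremarkable, but the combination of silent start-up plus raw memory allocation and thread creation from managed code is what this article's extension depends on, and it is the pairing a Marketplace review or endpoint inventory should flag for manual inspection.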