Truth be told, this isn’t really about bypassing AV. “Bypassing AV” would suggest a workflow of creation, execution, detection, analysis, modification, test, etc., which I certainly didn’t employ. The AV agents used by VirusTotal never detected the payload as malicious (nor did the AV product I use) so no bypass was actually required.
Dart is an object-oriented language developed by Google for creating various types of apps. It’s not super new (circa 2011) but it’s certainly not the most used or well-known. The ability to compile native binaries that will run on a variety of Windows-based operating systems makes it a good candidate for basic reverse shells that would be useful during CTFs, hacking labs like HackTheBox or other situations where an endpoint security product is protecting a system that you’re looking to hit.
The Dart reverse shell referenced below sailed past the fully-updated-all-options-enabled-modern-AV-IPS endpoint product that I use in my home office environment without an issue – I’d be keen to know how one of these performs in an environment with proper EDR, SIEM logging, etc, so if you do take the next step and give it a run, let me know!
Dart reverse shells have been around for a while (see here for Potato-Industries’ cut circa-2019) so this isn’t new, but what interested me enough to put hands on the keyboard was that the AV detection stats back in Nov 2019 match those for March 2021.
Why? I have no idea. Someone smarter than me will be able to work that out without too much effort I’m sure, but today’s all about the how, not the why. So here’s the how…
Installing Dart SDK & Visual Studio (C++)
You’ll need Windows. I used a Windows 7 64-bit VM. From there:
- Install the Dart SDK from dart.dev via the instructions (using Chocolatey is easiest)
- OPTIONAL: Install Visual Studio Community to get ‘editbin.exe’ so you can modify your Dart shell binary to run silently. Install the “Desktop Development with C++” package when prompted.
To compile your Dart binary:
1. Grab the example Dart reverse shell code from Github.
2. Modify the host and port to suitable values:
3. Open a command prompt and compile the binary with dart2native:
4. To stop the binary executing with a persistent black command window in the foreground, use editbin.exe from your Visual Studio install to hide it (optional):
5. Transfer the binary to the target system, set up a listener on the box you configured and give it a crack.
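A note on the editbin step from the other side of the fence: switching the subsystem does not change what the program does, it rewrites the Subsystem field of the PE optional header from IMAGE_SUBSYSTEM_WINDOWS_CUI (3) to IMAGE_SUBSYSTEM_WINDOWS_GUI (2) so the loader no longer allocates a console window. That field is cheap to read, and triage tooling can record it alongside the machine type and timestamp when looking at a binary before and after such a change. The script below is an added example written for this post, not code from the original article or from the Dart project: a small PE header parser in Python. The `build_sample_pe` helper is an assumption for offline testing; it constructs a header-only, non-executable PE32+ image so the parser can be exercised without a real binary, while `inspect_file` applies the same parser to a file on disk.

```python
import struct
import sys

# IMAGE_SUBSYSTEM_* values from the PE/COFF specification
SUBSYSTEM_NAMES = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
# IMAGE_FILE_MACHINE_* values
MACHINE_NAMES = {0x14C: "I386", 0x8664: "AMD64"}
# Offset of the Subsystem field inside the optional header; identical for PE32 and PE32+
OPTIONAL_HEADER_SUBSYSTEM_OFFSET = 68
COFF_HEADER_SIZE = 20
MAX_OPTIONAL_HEADER = 240  # PE32+ optional header with all 16 data directories


def parse_pe_header(data: bytes) -> dict:
    """Return machine type, image format and subsystem from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing DOS 'MZ' signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, n_sections, timestamp, _symtab, _nsyms, opt_size, _chars = (
        struct.unpack_from("<HHIIIHH", data, coff)
    )
    opt = coff + COFF_HEADER_SIZE
    if opt_size < OPTIONAL_HEADER_SUBSYSTEM_OFFSET + 2:
        raise ValueError("optional header too short to contain Subsystem")
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + OPTIONAL_HEADER_SUBSYSTEM_OFFSET)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "sections": n_sections,
        "timestamp": timestamp,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "subsystem_value": subsystem,
    }


def console_hidden(data: bytes) -> bool:
    """True when the image is marked WINDOWS_GUI, so the loader attaches no console."""
    return parse_pe_header(data)["subsystem_value"] == 2


def build_sample_pe(subsystem: int, machine: int = 0x8664) -> bytes:
    """Constructed sample (assumption for offline use): a header-only PE32+ image, not runnable."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # Machine, 0 sections, timestamp 0, no symbols, optional header size, EXECUTABLE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, MAX_OPTIONAL_HEADER, 0x0022)
    opt = bytearray(MAX_OPTIONAL_HEADER)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<H", opt, OPTIONAL_HEADER_SUBSYSTEM_OFFSET, subsystem)
    return dos + b"PE\0\0" + coff + bytes(opt)


def inspect_file(path: str) -> dict:
    """Parse the headers of a PE file on disk, reading only as much as the headers need."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40:
            raise ValueError("file too small to be a PE image")
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(0)
        data = f.read(e_lfanew + 4 + COFF_HEADER_SIZE + MAX_OPTIONAL_HEADER)
    return parse_pe_header(data)


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(path, inspect_file(path))
    else:
        # No paths given: show the constructed samples, one per subsystem value
        for label, sub in (("console build", 3), ("after subsystem switch", 2)):
            print(label, parse_pe_header(build_sample_pe(sub)))
```

Run it with one or more paths to print each file's header summary, or with no arguments to see the two constructed samples. A GUI subsystem on its own is not a verdict, most legitimate desktop software carries it; it is one header field to record next to the signer, imports and file origin when deciding whether a sample needs a closer look.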
As I said before, it’s not a robust shell and the code is very basic and needs work (e.g. graceful process termination on connection close, etc.) but its simplicity and effectiveness are somewhat of a surprise, as is its longevity. Worthy of closer inspection.