Metasploit mailing list archives

Re: psexec vs NOD32


From: Jonathan Cran <jcran () 0x0e org>
Date: Tue, 6 Sep 2011 11:25:00 -0500

On Tue, Sep 6, 2011 at 11:55 AM, Anton Sapozhnikov <anton.a.sa () gmail com> wrote:
Hi!

I'm trying to launch windows/meterpreter/bind_tcp with
exploit/windows/smb/psexec
But NOD32 is killing my payload just after “[*] Deleting \KoVCxCjx.exe...”

Could you suggest some method to trick NOD32?


You're in luck: background reading and techniques for bypassing AV
have been thoroughly documented by several members of this list (mihi
/ scriptjunkie):

* http://schierlm.users.sourceforge.net/avevasion.html # is probably
the most clear-cut on how and why AV is flagging vanilla metasploit
binaries. This writeup gives clear-cut instructions on how to bypass
AV, first with your own template, then documenting exactly how to
build your own custom exes with the metasploit shellcode (using the
exe-small generation method).

* http://www.scriptjunkie.us/2011/04/why-encoding-does-not-matter-and-how-metasploit-generates-exes/
# good background on how the exe is generated, and why it's
heuristically flagged in many cases.


jcran