Metasploit encoding

[SecureSurfer]

Hello,

metasploit is a great tool, but I have never been able yet to perfrorm a successful exploit because of my internet security program (Kaspersky). There are tons of tutorials to be found on the net about Metasploit, but none of them works without disabling Kaspersky.

What I want to try is to donload a working exe from the internet, for example Skype, and inject this exe with the payload, and encoding it so it goes undetected.
I tried to do this by altering the .text and .data parts with a PE editor. I added 500 bytes and made the .text executable and .data writable. Then I added 500 nullbytes with a HEX editor and tried to encode it. It says 'no encoders succeeded'

I think I'm a bit on the wrong track here, but I can't seem to find well-written explanations about this. It is always assumed that you have an encodable .exe. But what if you have not?

I'm not really asking for a complete tutorial, just point me in the right direction and i'll be happy..

(you can go hard on me if im completely wrong in my thinking)

thanks

[Jimmy87]

Have you tried encoding the payload you want, output it to an exe and then wrap them both together using iexpress in windows?

I've had some success with this before but have never tested it against Kaspersky. I use a small program convert.exe that does basic conversions for you, used that with my encoded payload (as an exe) and used iexpress to package the two executables together. Then when I run my 'new' convert.exe (which has the hidden payload) I can get a shell.

Not sure if this is where you're heading but it works well for me.

Sickness did a sweet tutorial on this using the MSN Installer to hide the payload, search google for "backtrack iexpress" and you should find the first hit is his tutorial.

Hope that helps somewhat.

[purehate]

Skype is not a good thing to practice with. Skype actually uses a form of a packer to create their legit binary. Its a very odd method, however, it makes it exceedingly difficult to inject a payload into it. I would suggest working with the adobe flash installer or some thing along those lines.

[LHYX1]

I tested the adobe flash installer injected with a meterpreter reverce tcp. It worked on my windows xp professional sp3 and didn't get detected by AVG AV but it didn't work on windows 7 home premium (It didn't get dedected by AVG AV but it just didn't work.). I have had some succes with injecting the meterpreter reverse tcp payload into winrar or in the microsoft security essentials installer. A quick google search should give you the exes.

[SecureSurfer]

thank you all for the answers. Im pretty sceptical about being able to circumvent Kaspersky, but ill check out the methods that you guys suggested.

One question though, if I try adobe flash installer, do i also have to put the two exes together with iexpress, or will it just work?
Im a bit confused why for some exes the encoding just works, and for some I need to combine the payload exe with the real exe.
On top of that, I thought that I read somewhere that I should adapt the .text and .data fields of the exe with a PE editor.

Some suggested reading on this, or is it just different for every exe?

Thanks

[laptopz]

Using a small staged payload might give you better chances of evading...something like windows/shell/reverse_tcp

[Jimmy87]

I think it depends on what payload you start with in the first place. As laptopz said you have better chance using windows/shell/reverse_tcp because I don't think it contains the 'signature' that most AV's look for, plus it's less code to scan. From there you could move to meterpreter etc.

Combining the payload with another exe like adobe flash installer like purehate says is a good way of getting the end user to run your payload because it looks less suspicious than some random executable.

Checkout Metasploit Unleashed - There's some good info on binary payloads and av bypass.

[purehate]

The only reason you should need to edit the .exe with a PE editor is if you are doing some custom AV stuff. If using metasploit to encode a exe file it is done for you. For example in 2008 muts did a talk at shmoocon called "I piss on your AV" . In this talk he created a custom XOR loop which encoded the binary to avoid AV detection. This is essentially the same thing the metasploit encoders do. For that type of thing you would want to use a PE editor. It is always really good to learn how to do these things manually to understand whats happening. I use the metasploit encoders as well however I have done it manually many times. The other good part about knowing how to do it manually is that with a cursory amount of assembly knowledge you can create a encoder no one else has and then you will truly be able to by pass AV. I have 2 I will never share and they beat all AVs all the time.