bypass uac own payload

[pentest09]

Hi all Merry Xmas and Happy New year!

#ok here we go ........Is there a way to use my own undetecable payload with the metasploit bypassuac.rb module as most Avs detect the payload in the module.

Also metasploit db_autopwn function no longer exists is there a way to create a new resource file to act out the same actions as autopwn like the karmetasploit module. Used to use nessus and import in to msf for autopwn and used to work well as one of my videos showed.

Kind regards DEe

[scottm99]

Which encoder(s) have you used with your payload? On a Win XP target, I've had good luck with shikata_ga_nai...maybe in combination with jmp_call_additive. If you know Ruby pretty good, you could code up your own payload module in MSF; using the existing payload modules as examples.

My opinion on the second part of your post would be to take a copy of db_autopwn itself, and hack around with it to get it working reliably for you. Don't forget about asking on the Metasploit mailing list...HDM and the dev team often hang out there. I hang out there myself, and have picked up some good tips & tricks...not knowledgeable enough yet to contribute much myself

[scottm99]

Which encoder(s) have you used with your payload? On a Win XP target, I've had good luck with shikata_ga_nai...maybe in combination with jmp_call_additive. If you know Ruby pretty good, you could code up your own payload module in MSF; using the existing payload modules as examples.

My opinion on the second part of your post would be to take a copy of db_autopwn itself, and hack around with it to get it working reliably for you. Don't forget about asking on the Metasploit mailing list...HDM and the dev team often hang out there. I hang out there myself, and have picked up some good tips & tricks...not knowledgeable enough yet to contribute much myself

[pentest09]

Hi thanks for the reply but my payloads use various shellcode and other encoders to bypass 100/100 with random junk thrown in , its not my payloads that are the problem, its the bypassuac module's basic (rozena.AA.trojan) shikata ga nia is not good enough on its own to bypass also check my videos (youtube: dgconsultinguk) out for a netcat backdoor on win 7 which bypasses uac and does'nt get flagged by avs. Going to try to replace the bypass.exe in the modules folder with my own but it looks like they get encoded before being uploaded to C:/Users/blahblah/Appdata/local/Temp/JjmTy*******.exe and get flagged.

Any ideas on this please feel free to join in as the forum is very quiet lately and there was a lot more going on last year before bt5 where are all the old skool lads with the great ideas and innovations with regards to bt?

kind regards dee.

[scottm99]

Hmm...I think this problem is beyond my current skill level. Thanks for the youtube videos, I'll have a look. At this point, I think the Metasploit dev team (or other highly experienced people) would be your best bet. Unfortunately, I fit neither category