All always many appreciate and many.many.many thanks
Hello everybody,
I created a Python script that will obfuscate Metasploit payloads so they won't get detected by AVs.
The script creates a C file that will execute your obfuscated shellcode.
The script:
1) XORs your payload
2) adds a random byte after every byte of your shellcode
3) adds random junk
4) randomizes the file size
5) strips out the debugging symbols
So basically signature-based AVs have no chance at detecting this.
Then to bypass heuristic methods of detection:
When you run your exe file, it deobfuscates your payload with very long for loops, and I added a timer that waits a few moments.
And then your Metasploit shellcode gets executed.
The script lets you choose to copy the exe to /var/www so you can easily download it via Apache, or
you can use your undetectable exe to attack a target with the Java applet method from SET.
At the moment the script only contains a few payloads from Metasploit. Feel free to add more.
The only disadvantage the script has is that it takes about 8 seconds before you get a shell after your victim has executed the exe file.
This is because of the timer and the for loops.
I tested the script on Kaspersky 2012, Symantec, AVG, Avast and Microsoft Essentials.
Novirusthanx results: http://vscan.novirusthanks.org/analy...ja2Rvb3ItZXhl/
All the files should be placed in your metasploit directory and you should have mingw32 installed.
Download: http://home.base.be/%72%68%69%6e%63%6b%78%74/script.zip
Some of the ideas for the script I got from: http://spareclockcycles.org/tag/antivirus-evasion/
I hope you like it
EDIT: added option to create an evil pdf 04/04/2012
Last edited by LHYX1; 04-04-2012 at 11:30 AM.
(\ /)
( . .)
c(")(")
This is bunny.
Copy and paste bunny into your signature to help him gain world domination.
Wow, that's so cool, cheers ....
Clean code, easily readable. A few comments would have been nice, though.
I have a "script" section on my site where I put scripts I find interesting. Would you mind me "publishing" yours (that would consist only of redirecting people to this thread)?
Oh, and by the way... while NoVirusThanks and the like are handy tools, they do give the file signature to the AV corporations, so you should avoid that (or tick the "no send" box, if available)! I guess you knew it, but it might be good for other people to know it.
Cheers !
Last edited by comaX; 03-05-2012 at 06:16 AM.
Running both KDE and GNOME BT5 flawlessly. Thank you !
@comaX I don't mind you publishing my script on your site.
Sorry, I didn't really think about comments.
I checked the box "Do not distribute this sample" when I uploaded my backdoor.exe to NoVirusThanks.
I used NoVirusThanks because it's the only scanner with multiple engines that I know has this option.
Here's another good site for scanning files that doesn't share samples either. You will need to register, though, but it's worth it: you can either use the 2 free scans a day or buy more credits.
http://elementscanner.net/
http://myavscan.net
Hi LHYX1,
works WONDERFULLY:
I tested (apache-server mode) against 3 of my Win machines: XP SP3 (IE7), Vista SP1 (IE8), Win7 (fully patched, IE9), with the most important AVs used in my part.
The only small thing is the "system" Win7 + IE9, which "tends to block the download/execute".
Thanks for your work!
Glad you like it, zimmaro!
Very, very nice.
Very nice for bypassing antivirus. I tested it on a Windows 7 machine + Online Armor Premium Firewall = the firewall tracks every movement of the payload xD "allow or deny?"
Cheers.