avoid

Introducing a simple script I have created to bypass most Anti-Virus products. This script is based on scripts I used whilst attempting to avoid A.V; credit to all authors of the scripts mentioned below for their research and work. This was just a very quick script I put together to make life a bit easier.

What it does is generate a Metasploit Meterpreter payload executable automatically for you. It automatically changes the icon to a PDF and also creates AutoRun files. You can then use this file via a shell upload to get a reverse shell via Metasploit, place it on a USB stick for social engineering/phishing attacks, or burn it to a CD-ROM for some AutoRun fun.

There are many good tools/scripts around, but a lot of these are now detected by most Anti-Virus products. On a recent laptop assessment I was getting blocked by McAfee when attempting an AutoRun exploit, and most tools and encoding would not get round this, so I decided to knock up a quick script that did get round it.

Even if you are not looking to get around A.V, or this gets detected more in the future, it is a very easy script for generating a quick Meterpreter payload for your local or remote listener.

Screenshots, the download path and A.V bypass script comparisons are below. At its best my script was only detected by 10 out of 46 Anti-Virus products; this depends on which stealth option you use. At its worst about 14/15 A.V products found it. This still bypasses 20+ more products than just encoding the payload using Msfencode or Msfvenom.

It uses Msfencode, but also pads the file and re-compiles the executable including a PDF icon. The file size and contents are never the same for any two executables generated, which helps it avoid most Anti-Virus products. The more intelligent A.V products will still pick it up.


Download from the NCC Open Source GitHub Repository below:

https://github.com/nccgroup/metasploitavevasion

Tested on Backtrack 5 and Kali only. Run as root.

The exploit on the victim now opens minimised; thanks to @redmeat_uk for the info.


[Screenshot: av1]

It requires two very small files in order to create the PDF icon and AutoRun files. It will automatically download these if they are not in the directory. If it can’t download them it will continue, but it will not create the PDF icons.

[Screenshot: av2]

If you want to download these two files in advance, just get them below and place them in the same directory as the script. Replacing autorun.ico with your own icon changes the AutoRun icon. Changing the exe icon is a little more complex, as it is compiled in from the icon.res file; Google around and you can create this using windres.

wget http://www.commonexploits.com/tools/avoid/autorun.ico

MD5 checksum: ebe763172e90b7f218d522b13abbc5c1

wget http://www.commonexploits.com/tools/avoid/icon.res

MD5 checksum: 876caf8703c803d7a2359103adc9ce58

Select local system or remote. If you select local, it will automatically grab your local IP address and use that. If you select alternative, it will ask you which IP address to listen on, then give you the msf listener code to run at the end.

[Screenshot: av3]

Enter the port number to listen on. If local it doesn’t really matter, but if external there may be some outbound restrictions, so try port 80, 443 or 53. In a recent test I found workstations could talk directly outbound on DNS/53, so I could get an AutoRun shell out to the internet.

[Screenshot: av4]

There are 5 options for the payload. The more stealthy the option, the bigger the file. All this does is pad the file out with more random junk, which seems to reduce the detection ratio slightly. If size is not an issue, i.e. using a CD or USB, then try the most stealthy option for better results. I have not tested option 5 on online scanners as it exceeds the upload limit.

[Screenshot: av5]

It then saves out the executable named salaries.exe; you can change the name at the top of the script header. You could place this on a few USB sticks and leave them around the building; I am sure curious staff may want to open it, and the PDF icon helps. It also creates an autorun directory: simply burn these to a CD-ROM or a U3 USB to try an AutoRun shell. Normal USB sticks won’t AutoRun, and obviously if the system has AutoRun disabled it will not work.
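A defender-side triage helper for the AutoRun files described above, added here as an example (it is not part of the avoid script): it parses an autorun.inf and flags any entry that would auto-launch an executable. The two sample files are constructed for the example; the file names simply echo salaries.exe and autorun.ico from this post.

```python
"""Triage autorun.inf files found on removable media or in CD images.

Added example, not code from the avoid script. An autorun.inf that points
open= or shellexecute= at an executable is exactly what an AutoRun shell
relies on, so that is the condition flagged here.
"""
import os
import re

# Extensions Windows will run directly when named in open=/shellexecute=
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta"}
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed samples: one mimicking the generated AutoRun files, one benign
SAMPLE_AUTORUN_EXE = "[autorun]\nopen=salaries.exe\nicon=autorun.ico\nlabel=Salaries\n"
SAMPLE_AUTORUN_BENIGN = "[AutoRun]\nlabel=Backup\nicon=disk.ico\n"


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys.

    Comment lines (; or #) and blank lines are ignored; the section name and
    keys are matched case-insensitively, as Windows does.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def triage(text):
    """Summarise what an autorun.inf would launch and whether that is an executable."""
    entries = parse_autorun(text)
    launch = next((entries[k] for k in LAUNCH_KEYS if k in entries), None)
    # First token of the launch string, honouring a quoted path with spaces
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', launch or "")
    target = (m.group(1) or m.group(2)) if m else ""
    launches_exe = os.path.splitext(target)[1].lower() in EXECUTABLE_EXT
    return {
        "launch": launch,
        "icon": entries.get("icon"),
        "label": entries.get("label"),
        "launches_executable": launches_exe,
    }
```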

[Screenshot: av6]

[Screenshot: avsal]

[Screenshot: autorun]

It will then launch the listener locally.

[Screenshot: av7]

Or if you selected an alternative system, it will give you the code to copy and paste to start the listener.

[Screenshot: av8]

Then run the exploit and you will get your shell. In this case the AutoRun exploit ran without any user interaction.

[Screenshot: av10]

[Screenshot: av9]

 

I ran this against 46 Anti-Virus products and got fairly good results. Below is a comparison I made with the most commonly known and used A.V avoidance tools and scripts.

Standard Metasploit payload (encoded)

[Screenshot: c1]

Shell Code Exec

[Screenshot: c2]

Vanish Script

[Screenshot: c3]

AV0ID

[Screenshot: c4]

Syringe

[Screenshot: c5]

Quick high-level view of the above scripts.

Shell Code Exec

Great tool created by Bernardo Damele that did get round almost all A.V products. The shellcodeexec exe is now detected more, as this file stays the same. Bernardo allows you to download the source code, so I believe a quick modification to the file and a recompile would get round this.

Info here: http://bernardodamele.blogspot.co.uk/2011/04/execute-metasploit-payloads-bypassing.html

Download here: https://github.com/inquisb/shellcodeexec

This is also built into SET (Social Engineering Toolkit) under the media generator options.

Vanish Script

Great script that inspired mine. Created originally by Astr0baby in 2011 and modified by Vanish3r, it generates the Metasploit payload for you. It is getting detected more now.

Download here: http://pastebin.com/7xmvGnks

Syringe

This works in a very similar way to shellcodeexec; I found it very good and it got round a lot of A.V products. It was the only tool that got around Microsoft A.V in my testing.

Download here: https://code.google.com/p/syringe-antivirus-bypass/