Apr 25, 2012

Using Metasploit Templates to Bypass AV


Metasploit Templates

Metasploit creates executable files by encoding a payload and then inserting the payload into a template executable file. The templates are in the data/templates folder. Metasploit includes templates for Windows, Mac, and Linux, templates for x86, x86_64, and ARM, and a template for Windows services. If you look in the data/templates/src folder you will find the source files for each of the templates.

Modifying the Templates

Each source file declares a variable to hold the payload and assigns it the value “PAYLOAD:”. The payload variable is 4096 bytes in some cases and 8192 bytes in others. Metasploit uses lib/msf/util/exe.rb to insert your payload by replacing the value “PAYLOAD:” with your encoded payload. You can use a custom template as long as it defines a variable of the right size and assigns it the value “PAYLOAD:”. For the service template you can also define a variable and assign it the value “SERVICENAME”. Looking at the service.c template, you can see the variable definitions:
#define PAYLOAD_SIZE 8192
char cServiceName[32] = "SERVICENAME";
char bPayload[PAYLOAD_SIZE] = "PAYLOAD:";
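This buffer layout also explains why a build from the stock template is easy to recognise: only the bytes inside the buffer change, so everything outside it is a fixed signature. The following is an added example, not code from the original post or from Metasploit; it works on constructed byte strings standing in for real PE files and assumes the whole array is stored in the file rather than left as uninitialised virtual size.

```python
"""Recognise binaries built from a known Metasploit-style template.

Building an executable leaves the template's code untouched: only the
fixed-size buffer that begins with the marker "PAYLOAD:" is overwritten.
A binary built from a template therefore matches it byte-for-byte
everywhere outside that buffer. The "template" and "built" files below
are constructed byte strings standing in for real PE files.
"""
import hashlib

MARKER = b"PAYLOAD:"


def payload_region(template: bytes, size: int) -> tuple:
    """Locate the payload buffer: MARKER followed by NUL padding to `size`.

    That is how `char bPayload[PAYLOAD_SIZE] = "PAYLOAD:"` is laid out once
    compiled (assuming the whole array is stored in the file).
    Raises ValueError if the template is not shaped that way.
    """
    start = template.find(MARKER)
    if start < 0:
        raise ValueError("PAYLOAD: marker not found")
    end = start + size
    if end > len(template) or template[start + len(MARKER):end].strip(b"\0"):
        raise ValueError("marker is not followed by a zeroed buffer of that size")
    return start, end


def masked_fingerprint(data: bytes, region: tuple) -> str:
    """SHA-256 of `data` with the payload region zeroed, so payload bytes cannot affect it."""
    start, end = region
    return hashlib.sha256(data[:start] + b"\0" * (end - start) + data[end:]).hexdigest()


def built_from_template(suspect: bytes, template: bytes, size: int) -> bool:
    """True when `suspect` is identical to `template` everywhere outside the payload buffer."""
    if len(suspect) != len(template):
        return False
    region = payload_region(template, size)
    return masked_fingerprint(suspect, region) == masked_fingerprint(template, region)


# Constructed sample: 64 bytes of "code", a 32-byte payload buffer, a 16-byte trailer.
BUF_SIZE = 32
CODE = bytes(range(64))
TRAILER = b"\xaa" * 16
SAMPLE_TEMPLATE = CODE + MARKER + b"\0" * (BUF_SIZE - len(MARKER)) + TRAILER
# A build from that template: 24 bytes of opaque payload now fill the buffer.
SAMPLE_BUILT = CODE + b"\x90" * 24 + b"\0" * (BUF_SIZE - 24) + TRAILER
# A recompiled custom template: same layout, different code bytes, so no match.
SAMPLE_CUSTOM = bytes(63 - b for b in range(64)) + MARKER + b"\0" * (BUF_SIZE - len(MARKER)) + TRAILER

if __name__ == "__main__":
    print("stock build recognised:", built_from_template(SAMPLE_BUILT, SAMPLE_TEMPLATE, BUF_SIZE))
    print("custom build recognised:", built_from_template(SAMPLE_CUSTOM, SAMPLE_TEMPLATE, BUF_SIZE))
```

Changing anything outside the buffer, as the post's recompile-the-source step does, changes the masked fingerprint; that is the whole effect of a custom template on this kind of static check.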

Using a Custom Template

If executables built with the default template are getting caught by your AV, then you will need to modify the source file, compile it, and use the new executable as your template. With msfencode it looks like this:
msfencode -t exe -x /path/to/template/template.exe
If you are using the psexec module then you can set the advanced options EXE::Template and EXE::Path.

Bypassing Antivirus

There is no tried-and-true technique for bypassing antivirus. You may find that your AV product can be bypassed with simple modifications to the templates, or you may find that it doesn’t matter how you modify the template because the AV is picking up on the payload itself. That is when your encoding becomes important.
Here are a couple of things to keep in mind.
  1. People don’t like to talk about how they bypass AV because the AV companies will develop a signature.
  2. Don’t submit your AV bypass to VirusTotal or similar services, because the AV companies use these services to develop new signatures.
  3. Set up a virtual machine with the AV you want to bypass, update it to the latest signatures, then disconnect it from the network.
UPDATE: I have rewritten this article and put it on the Metasploit documentation wiki; you can find it here.

FlashcRew Blog