Tuesday, February 27, 2018

Metasploit Loader (III): loader64.exe (x64_64 bits)


- Layout for this exercise:

- This exercise is based on the previous one:


1 - Adapting the source code to the x64_64 bits architecture

- The goal of this exercise is to adapt the previous example, written for Windows 10 x86_32 bits, to the x64_64 bits architecture.

- Let's create a new file main64.c where the changes will be made.

- The technical explanation of why and how to modify the source code for the new architecture is here:


- For the x86_32 bits architecture:

- For the x64_64 bits architecture:

- To sum it up, on the x64_64 bits architecture the instruction that loads the value into the RDI register is 10 bytes long: a \x48 byte (the REX.W prefix) must be prepended, the bytes of the x86_32 bits case (BF 78 56 34 12) are kept, and the immediate is padded with \x00 bytes up to 8 bytes.
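- To check the byte layout summarised above, here is an added example in Python; it is not part of the original post nor of the loader source. It assembles both forms of the instruction (mov edi, imm32 on x86_32 bits and mov rdi, imm64 on x64_64 bits) from a given value and recognises either form at the start of a byte string, which is handy when triaging a dumped memory region and deciding whether a 5-byte or a 10-byte stub precedes the rest of the data. The function names encode_mov_di and decode_mov_di are the example's own; the sample value 0x12345678 is the one whose bytes (78 56 34 12) appear above.

```python
import struct

# Byte layout of the two instruction forms discussed in the post:
#   mov edi, imm32  ->  BF + 4-byte little-endian immediate      (5 bytes, x86_32)
#   mov rdi, imm64  ->  48 BF + 8-byte little-endian immediate   (10 bytes, x64_64)
OPCODE_MOV_EDI = 0xBF   # "mov edi/rdi, imm" opcode byte
REX_W = 0x48            # REX.W prefix: widens the operand to 64 bits


def encode_mov_di(value: int, bits: int) -> bytes:
    """Return the machine-code bytes that load `value` into EDI (bits=32) or RDI (bits=64)."""
    if bits == 32:
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("value does not fit in 32 bits")
        return bytes([OPCODE_MOV_EDI]) + struct.pack("<I", value)
    if bits == 64:
        if not 0 <= value <= 0xFFFFFFFFFFFFFFFF:
            raise ValueError("value does not fit in 64 bits")
        return bytes([REX_W, OPCODE_MOV_EDI]) + struct.pack("<Q", value)
    raise ValueError("bits must be 32 or 64")


def decode_mov_di(blob: bytes):
    """Recognise either stub at the start of `blob`.

    Returns (bits, immediate, stub_length) or None when no such stub is present.
    The 10-byte form is checked first because its first byte is the REX prefix,
    not the opcode, so it cannot be confused with the 5-byte form.
    """
    if len(blob) >= 10 and blob[0] == REX_W and blob[1] == OPCODE_MOV_EDI:
        return 64, struct.unpack("<Q", blob[2:10])[0], 10
    if len(blob) >= 5 and blob[0] == OPCODE_MOV_EDI:
        return 32, struct.unpack("<I", blob[1:5])[0], 5
    return None


def hexdump(data: bytes) -> str:
    """Space-separated upper-case hex, matching the notation used in the post."""
    return " ".join(f"{b:02X}" for b in data)


if __name__ == "__main__":
    # Constructed sample value: the same 0x12345678 whose bytes appear in the post.
    for bits in (32, 64):
        stub = encode_mov_di(0x12345678, bits)
        print(f"{bits}-bit stub: {hexdump(stub)}  ({len(stub)} bytes)")
        print("  decoded back as:", decode_mov_di(stub))
```

Running the block prints BF 78 56 34 12 for the 32-bit case and 48 BF 78 56 34 12 00 00 00 00 for the 64-bit case, which is exactly the difference the rest of this section applies to main64.c: the allocation grows by 10 bytes instead of 5, the 0x48 byte goes first, and the data that follows the stub starts at offset 10 instead of 5.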

- Editing main64.c to reflect these changes:

- The first change is to enlarge the buffer to 10 bytes. The old code:

- The new code:

- The second change is to prepend the instruction bytes with 0x48. The old code:

- The new code:

- Also, the buffer expansion is updated from 5 to 10, as before. Old code:

- New code:

- Finally, the whole altered section looks like this:

- Cross-compiling with mingw32 (version for x64_64 bits):

- A new executable loader64.exe is created:

2 - Running the payload at the victim side

- Setting up a simple web server on Kali:

- Downloading the executable loader64.exe to Windows 10:

- Setting up a Metasploit handler session on the Kali machine:

- However, when loader64.exe is run on Windows 10, the program stops working:

- Also, a Meterpreter session is created, but it dies after a few moments:

- Why does the handler session fail?

- The reason is that the handler's payload was set for the x86_32 bits architecture, which is not correct because this exercise deals with x64_64 bits:

- So, the payload must be replaced with the version for x64_64 bits (note the /x64 in the payload name):

- Repeating the whole process, the attack is now successful. Establishing a Metasploit handler session on Kali:

- Running loader64.exe on the victim Windows 10 x64_64 bits machine:

- Finally, the Meterpreter session is successfully established:


3 - Checking the antivirus evasion rate

- Checking loader64.exe against VirusTotal, an evasion rate of 95.5% is achieved:

- Checking loader64.exe against NoDistribute, an evasion rate of 100% is achieved: