Tuesday, February 27, 2018

Metasploit Loader (II): loader-modified.exe (x86_32 bits)

ANTIVIRUS EVASION /Metasploit Loader (II): loader-modified.exe (x86_32 bits)

- Layout for this exercise:


- This exercise is based in the previous one:

1 - Modifying the source code

- The objective of this exercise is to get an executable easier to use than the previous loader.exe, so that it is not necessary to go through the command line with the arguments of the IP and port of the attacker, embedding both parameters in the payload code.

- To achieve this goal we need to modify the source code main.c:

- Opening main.c:

- First this section of the code must be removed, because the executable is not going to take arguments any more from the user through the command line:

- Now, this section must be altererd, because the socket will be established with constant parameters, and not passed as arguments to the function:

- Kali's IP and port 9999 are introduced, replacing the older connection parameters:

- To finalize, the source code must be compiled again (using mingw32 with version for x86_32 bits architecture), outputting a new executable called loader-modified.exe:

2 - Checking the functionality of loader-modifed.exe

- Setting a simple web server on Kali:

- Connecting from the victim Windows 10  (x86_32 bits) and downloading loader-modified.exe:

- Setting up a Metasploit handler session on Kali Linux, waiting to the victim Windows 10 to run the executable:

- Running the executable on Windows 10 (x86_32 bits) :

- The attack is successful:

3 - Checking the Anti Virus evasion rate

- Checking loader-modified.exe against Virus Total, a rate of 68.2% of evasion success is achieved:

- Checking loader-modified.exe against No Distribute, a rate of 71.8% of evasion success is achieved:

- So comparing to the previous exercise the rate detection is slightly smaller, but on the brigth side the payload is a lot easier to be used.