
Tuesday, February 27, 2018

Metasploit Loader (III): loader64.exe (x64_64 bits)




- Layout for this exercise:




- This exercise is based on the previous one:

http://www.whitelist1.com/2018/02/metasploit-loader-i-loaderexe-x8632-bits_27.html

1 - Adapting the source code to the x64_64 bits architecture

- The goal of this exercise is to adapt the previous example (Windows 10, x86_32 bits) to the x64_64 bits architecture.

- Let's create a new file main64.c where changes will be implemented.




- The technical explanation of why and how to modify the source code for the new architecture is here:

https://github.com/rsmudge/metasploit-loader
https://dev.metasploit.com/pipermail/framework/2012-September/008664.html


- For the x86_32 bits architecture:




- For the x64_64 bits architecture:




- To sum it up, on the x64_64 bits architecture the instruction that loads the RDI register is 10 bytes long: a \x48 byte must be prepended to the bytes of the x86_32 bits case (BF 78 56 34 12), and the remaining positions are padded with \x00 bytes.

- Editing main64.c to reflect these changes:





- The first change is to enlarge the buffer to 10 bytes. The old code:



- The new code:




- The second change is to prepend 0x48. The old code:




- The new code:




- Also, the size used when expanding the buffer changes from 5 to 10, as explained above. Old code:










- New code:





- Finally, the whole altered section looks like this:





- Cross-compiling with mingw32 (version for x64_64 bits):





- A new executable loader64.exe is created:





2 - Running the payload at the victim side


- Setting up a simple web server on Kali:







- Downloading the executable loader64.exe to Windows 10:








- Setting up a Metasploit handler session on the Kali machine:





- However, when running loader64.exe on Windows 10, the program stops working:






- Also, a Meterpreter session is created, but it dies after a few moments:







- Why does this handler session fail?


- The reason is that the handler was configured with the payload for the x86_32 bits architecture, which is not correct because in this exercise we are dealing with x64_64 bits:






- So, the payload must be replaced with the version for x64_64 bits (note the /x64 in the payload name):




- Repeating the whole process, the attack now succeeds. Establishing a Metasploit handler session on Kali:






- Running loader64.exe on the victim Windows 10 x64_64 bits machine:




- Finally, the Meterpreter session is successfully established:






3 - Checking the antivirus evasion rate


- Checking loader64.exe against VirusTotal, an evasion rate of 95.5% is achieved:





- Checking loader64.exe against No Distribute, an evasion rate of 100% is achieved: