I was wrong.
He threw together a bash script to generate payloads overnight and we returned to find around 10 viable binaries that all had different hash signatures and worked:
I have used this method to general success ever since, but given what we know about how encoding shouldn't really matter, why does this work? I don't know. My best guess is bad signature writing for a known security tool.
We took the concept even further when facing multiple products:
Testers tend to keep their AV-evasion methods to themselves for obvious reasons, but with the tools available now it's not a huge deal. I am really writing this post to get thoughts as to why this still works. So the script that Skip wrote works, but I really wanted to speed up the process and start up the handler for testing:
The Python script is on GitHub if you are interested in trying this out, but your mileage will certainly vary based on the AV product. Over the years, it has generally required more payloads to be created to be successful. Sometimes it's in the hundreds, but often it's in the thousands. Be careful with disk space, since the script doesn't account for that.
-Chris
As each successive encoding gets larger and larger, what were the sizes of your successful files? AV may give up/not bother if a file is over a certain size?
The files end up being about the same size (73kb), I think there is just an off-by-one problem with some AV signatures.
Oh right, I had assumed you were increasing the encoding iterations in msfencode, but you're not modifying that!
Indeed it is a mystery!
Another interesting thing is that the more you encode, the more payloads it takes to get one that bypasses AV.