Friday, August 9, 2013

Introducing Obfy

Are you sick of AV products killing any payload made by Metasploit when doing a pen test?  Me two.  First let me say, if you have a password or a hash, you should use smbexec: https://github.com/brav0hax/smbexec Seriously, use smbexec to collect more hashes and work your way up to domain admin without any AV problems.  Done.

But what if you don’t have a password or a hash yet, but you have something else, say a reliable exploit picked up on a scan but the reverse shell isn’t popping and you think it is due to AV.  Well thanks to the EXE::Custom option in Metasploit now, you have more options.  Do a show advanced in the module you want to use, and if you see EXE::Custom you are in business.  More info on it can be found here: http://www.scriptjunkie.us/2011/08/custom-payloads-in-metasploit-4/ In a nutshell, set EXE::Custom to the file you want to be the payload, setup the multi/handler listener set to the correct payload and port in another window, and run the exploit and watch it connect back.

One option is to use a custom shell, like the kind I have here: https://github.com/secjohn/ruby-shells.  But that is the worst case scenario, we want Meterpreter and we want it now.  That is where Obfy comes in.

Obfy is a simple Ruby script that runs on Kali and BackTrack Linux and will make the payload for you, decompile it, alter the assembly code to change the signature to fool AV, and compile it for you.  Then that executable can be used with EXE::Custom and you are off to the races.  I got the idea from Royce’s blog post here: http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/.  But I hate doing things manually, so I automated it.

The magic in Obfy is in the valuables that randomly pick which assembly code to inject at specific places.  The public version of the tool right now has only very simple commands, far more simple than explained in the blog post linked above.  Code like, push edi, pop edi.  Adding a bunch of those all over the place doesn’t seem like it should work, but it totally does.  However, since I made this public I doubt it will work for long as new signatures will be made over time for this.  So I highly recommend reading Royce’s blog post, watching Security Tube’s Linux Assembly Primer if you need to http://www.securitytube.net/groups?operation=view&groupId=5 and adding some of your own code there to make it unique to you (and submitting the code back to github to help others).  But I could be wrong this may work forever as is, time will tell.

Now, some AV software like MS SE will still see this.  Therefore there is one more step I recommend.  Run your payload through ditto: https://github.com/mubix/ditto and copy the resources from a normal file like calc or notepad.  Using Obfy and then ditto will get you past most things. If it doesn’t work either revert back to the custom shell I linked above and kill AV, or you have something else messing with you and you may need to sign the executable.  Also remember to always try the HTTPS version of the payload to get past IDS, but I digress.

Anyway, I’m excited to see how many people use this and if anyone contributes assembly code to it to help make it better and keep it working.  So here is the link:


Enjoy and provide feedback as always.

No comments:

Post a Comment