Bypassing AV with msfencode -x

John Strand put together a great video showing how to use msfencode's -x parameter to specify a custom template into which you embed a Metasploit payload. What does that mean? Any Windows executable can be used to carry any Metasploit payload, making it that much easier to avoid antivirus detection.

Back in the day, msfpayload's -x parameter read template.exe from the /data/ directory and did a simple string replacement. msfpayload would look for the string "PAYLOAD:" in the binary and insert the "RAW" encoded payload at that point. Creating custom templates required that you build your own executable containing the PAYLOAD string at the execution entry point. If you did create your own template that you want to keep using because NO ONE detects it, msfencode still supports the old-style template. To use old-style templates, set your -t output type to the "undocumented" encoder type "exe-small" instead of "exe".

But that is a lot of work. Now, msfencode reads the PE header, finds the .text section in the executable and either prepends or appends (at random) the payload to the code. Then it modifies the entry point in the executable so that the payload is called before the program's normal code is executed.

Pretty cool stuff. Nice video John!
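The two structural changes described above (a .text section that has grown, and an entry point that now points somewhere else) are exactly what a defender can look for when a supposedly familiar binary starts behaving strangely. The following is an added example, not code from the post or from Metasploit: a minimal PE header parser in Python that compares a suspect file against a known-good copy of the same program and reports those changes. The `build_sample_pe` helper, the RVAs and the sizes it uses are constructed test data, not values from any real executable.

```python
import struct


def parse_pe(data: bytes) -> dict:
    """Minimal PE parser: AddressOfEntryPoint plus (RVA, VirtualSize) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24                                          # optional header start
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    sections = {}
    for i in range(nsections):                                 # 40-byte section headers
        name, vsize, vaddr = struct.unpack_from("<8sII", data, opt + opt_size + i * 40)
        sections[name.rstrip(b"\0").decode()] = (vaddr, vsize)
    return {"entry": entry, "sections": sections}


def compare_to_known_good(good: bytes, suspect: bytes) -> list:
    """Report the structural changes msfencode -x leaves behind: a grown .text
    section, a moved entry point, or an entry point that no longer lands in .text."""
    g, s = parse_pe(good), parse_pe(suspect)
    findings = []
    if s["entry"] != g["entry"]:
        findings.append(f"entry point moved 0x{g['entry']:x} -> 0x{s['entry']:x}")
    gt, st = g["sections"].get(".text"), s["sections"].get(".text")
    if gt and st and st[1] != gt[1]:
        findings.append(f".text size changed 0x{gt[1]:x} -> 0x{st[1]:x}")
    if st and not (st[0] <= s["entry"] < st[0] + st[1]):
        findings.append("entry point outside .text")
    return findings


def build_sample_pe(entry: int, text_vsize: int) -> bytes:
    """Constructed, non-runnable PE32 skeleton (one .text section at RVA 0x1000)
    used only to exercise the parser; real binaries would be read from disk."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry)
    text = struct.pack("<8sIIIIIIHHI", b".text", text_vsize, 0x1000,
                       text_vsize, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text
```

Because the template is a stock Windows program, the known-good copy is simply the same file from a clean install; a hash mismatch alone says little, but a grown .text plus a moved entry point is the fingerprint the post describes.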
Mark Baggett is teaching SANS 504 in Raleigh NC June 21st!
