Title: Metasploit, now with Pivot
Post by: Andrew Waite on June 26, 2009, 03:03:11 AM

Mubix (Rob Fuller/Room362) has just released a Meterpreter script allowing an active session to download and initiate the recent Cygwin-bundled Metasploit. Get to the script and binary downloads via his blog post (http://www.room362.com/archives/595-metasploit-framework-as-a-payload.html).

I haven't had a chance to fully play with it yet, but it opens up some interesting possibilities and should definitely come in handy.

Title: Re: Metasploit, now with Pivot
Post by: apollo on June 26, 2009, 08:34:38 AM

Let us know! I'd be interested in what, if anything, it left behind once you were done with it.

Title: Re: Metasploit, now with Pivot
Post by: xXxKrisxXx on June 27, 2009, 03:47:22 PM

This is looking like another promising feature in the framework. Can't wait for CG to do a blog entry on Carnal0wnage about it -hints- ;)

Title: Re: Metasploit, now with Pivot
Post by: LSOChris on June 29, 2009, 06:27:20 AM

We'll see,

I'm not a huge fan of putting any binaries on boxes that I'm pretty sure will send an AV alert though.

Title: Re: Metasploit, now with Pivot
Post by: Andrew Waite on June 29, 2009, 06:53:03 AM

Chris, good point. I hadn't looked at using the script in live environments yet, just playing around with my home lab.

AV coverage appears pretty weak so far. VirusTotal results (http://www.virustotal.com/analisis/7cea4d8fa1aa59341b300ec1349633079d591582dc7870b7097dd80b5a81f879-1246275993) for the 5MB mini binary currently show 27% flagging it as malicious. Coverage is also fairly random: some of the big boys flag it (Kaspersky, MS, Trend) whilst other large AV players treat it as benign (Symantec, McAfee, AVG). Of course heuristic and active scanning may trip other flags as you delve deeper. Not sure how this will change in the future as more AV firms get to grips with the release; your mileage may vary.....

Title: Re: Metasploit, now with Pivot
Post by: Ketchup on June 29, 2009, 11:50:19 AM

I run AVG on most of my machines. I noticed that the mini framework executable itself does not set off the AntiVirus scanner. However, once installed, some of the payloads and exploits start attracting AVG. This must be the heuristics engine at work.

Arguably, if you have control of the box, you can take a swipe at disabling the AntiVirus prior to uploading msf. I wonder how Core's agent gets around AV. Does anyone know? Did they make a deal? ;)

Title: Re: Metasploit, now with Pivot
Post by: Jhaddix on July 01, 2009, 03:35:55 PM

Couldn't we obfuscate the binary(ies)? Using garbage insertion, variable renaming, code reordering, encapsulating/encrypting code or data, or branching functions? It'd be a lot of work, but virus writers do it.... just an idea...

Title: Re: Metasploit, now with Pivot
Post by: UNIX on July 02, 2009, 12:04:52 AM

Often it is already enough to change some "things" by simply using a hex editor to bypass AV software. When the source code is available it is of course even easier to make it undetectable.

Title: Re: Metasploit, now with Pivot
Post by: Ketchup on July 02, 2009, 05:44:34 AM

I think that the problem occurs mostly when the mini msf exe is exploded on the other side. At least for me, the AV picks up random rb files as potentially dangerous files. It basically appears to know that something isn't right, but doesn't know exactly what. This is likely the heuristics engine kicking in.

I think that if you exploit a Linux box and upload a Linux version of msf, you should be golden. On a Windows box with A/V, it really depends on the A/V. I think that the way to go is an agent-based approach like Core does. I believe their agent sits entirely in RAM and just listens for and passes commands.

Title: Re: Metasploit, now with Pivot
Post by: hayabusa on July 02, 2009, 07:37:16 AM

I'd agree with Ketchup on this one. Modifying the base exes is easy, as you can quickly do that to pass them by AVs. It's a pretty common tactic nowadays. I've done that with netcat and other tools to insert them through a box I've compromised with msf. However, if you want to pivot, you have many more files and such that are involved, and a lot of the AVs are using a more heuristic approach (finally...)

Pushing a single agent that gets past the AV and is capable of performing the same functions would tend to be both cleaner and easier, and cleanup is simpler, by removing the single agent from disk / memory.

Title: Re: Metasploit, now with Pivot
Post by: Jhaddix on July 03, 2009, 03:11:18 AM

Actually I talked to Rob and the removal of certain exploits brings down the virus detection significantly. This in conjunction with flipping some bits on the exe almost makes it perfect.