
Evasion Module Features #11333

Merged
merged 9 commits into from
Feb 7, 2019

Conversation

zeroSteiner
Contributor

@zeroSteiner zeroSteiner commented Jan 30, 2019

This pull request makes a few tweaks and adds some convenience features for the new Evasion modules.

  • Adds external module support under the type evasion
    • Also adds external module support for advanced options and default options but only in the new evasion template
  • Adds to_handler command support, just like payload modules have
  • Adds tab completion for PAYLOAD, TARGET, to_handler, etc.

Verification

Since there are no external evasion modules yet, I wrote up a quick demo to touch on each of the features. You can find it under my pastebin.com account.

  • Download and install that module under ~/.msf4/modules/evasion/windows/pr_demo (creating the directory structure as necessary)
  • Start msfconsole and use evasion/windows/pr_demo
  • Run show options and see the default payload has been selected already
  • Run show advanced and see the LOG_LEVEL and LOG_NAME options
  • Type set LHOST and hit tab and see IP addresses populate for you, select one
  • Run run and see the module perform a dummy task of calculating the SHA value of the payload
  • Run to_handler and see a job started with the payload configuration that was selected

Demonstration

metasploit-framework (S:0 J:0) > use evasion/windows/pr_demo
metasploit-framework (S:0 J:0) evasion(windows/pr_demo) > info

       Name: PR Demo
     Module: evasion/windows/pr_demo
   Platform: Windows
       Arch: x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Spencer McIntyre

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  Vlw.exe          yes       Filename for the evasive file (default: random)

Description:
  This module demonstrates the functionality added by a pull request 
  to the metasploit framework created by Spencer McIntyre in January 
  2019.

References:
  CVE: Not available
  https://github.com/rapid7/metasploit-framework

metasploit-framework (S:0 J:0) evasion(windows/pr_demo) > show options 

Module options (evasion/windows/pr_demo):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  Vlw.exe          yes       Filename for the evasive file (default: random)


Payload options (windows/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The local listener hostname
   LPORT     8443             yes       The local listener port
   LURI                       no        The HTTP Path


Evasion target:

   Id  Name
   --  ----
   0   Windows x86


metasploit-framework (S:0 J:0) evasion(windows/pr_demo) > show advanced 

Module advanced options (evasion/windows/pr_demo):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   LOG_LEVEL  WARNING          yes       The log level (Accepted: DEBUG, INFO, WARNING, ERROR, CRITICAL)
   LOG_NAME                    no        The name of the root logger
   VERBOSE    true             no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

metasploit-framework (S:0 J:0) evasion(windows/pr_demo) > set LHOST 192.168.90.1 
LHOST => 192.168.90.1
metasploit-framework (S:0 J:0) evasion(windows/pr_demo) > run

[*] [2019.01.30-09:53:07] The target architecture is: x86
[*] [2019.01.30-09:53:07] Payload hash (SHA-256): 54373f6df937c6e5ed0d1bde275c7a21805a2fb1a3bf6d6ee713ce592b0c01b9
metasploit-framework (S:0 J:0) evasion(windows/pr_demo) > to_handler 
[*] Payload Handler Started as Job 1
metasploit-framework (S:0 J:1) evasion(windows/pr_demo) > 
[*] [2019.01.30-09:53:09] Started HTTPS reverse handler on https://192.168.90.1:8443
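What the walkthrough above exercises, as an added example of an external Python evasion module (this is not the pastebin demo module and not code from the Metasploit project). It uses the `metasploit.module` helper that ships with the framework, with `type` set to `evasion` as this PR adds; the metadata key under which the template reads advanced options, and the argument keys that carry the generated payload bytes and the target architecture into the module, are not shown on this page and are placeholders here. The hashing and status-line logic is kept in plain functions so it can be run outside msfconsole.

```python
#!/usr/bin/env python3
# Added example: an external evasion module skeleton for the feature this PR
# introduces. Not the pastebin demo, not framework code; key names marked
# ASSUMPTION are placeholders the page does not confirm.
import base64
import hashlib
import logging

try:
    from metasploit import module  # shipped with metasploit-framework, present at runtime
except ImportError:  # running outside msfconsole (e.g. a unit test)
    module = None

metadata = {
    'name': 'PR Demo (added example)',
    'description': 'Demonstrates external evasion module support: default '
                   'payload, advanced options and to_handler.',
    'authors': ['Example Author'],
    'date': '2019-01-30',
    'license': 'MSF_LICENSE',
    'references': [
        {'type': 'url', 'ref': 'https://github.com/rapid7/metasploit-framework'},
    ],
    'type': 'evasion',  # the external module type added by this PR
    'options': {
        'FILENAME': {'type': 'string', 'required': True, 'default': 'demo.exe',
                     'description': 'Filename for the evasive file'},
    },
    # ASSUMPTION: 'advanced_options' is a placeholder for whatever key the
    # evasion template actually reads; the two options mirror the demo's.
    'advanced_options': {
        'LOG_LEVEL': {'type': 'enum', 'required': True, 'default': 'WARNING',
                      'values': ['DEBUG', 'INFO', 'WARNING', 'ERROR', 'CRITICAL'],
                      'description': 'The log level'},
        'LOG_NAME': {'type': 'string', 'required': False, 'default': None,
                     'description': 'The name of the root logger'},
    },
}


def payload_sha256(payload):
    """Hex SHA-256 of the raw payload bytes (the demo's dummy task)."""
    return hashlib.sha256(payload).hexdigest()


def status_lines(target_arch, payload):
    """The two status lines the demonstration prints, built from the
    selected target architecture and the raw payload bytes."""
    return [
        'The target architecture is: {}'.format(target_arch),
        'Payload hash (SHA-256): {}'.format(payload_sha256(payload)),
    ]


def decode_payload(args):
    """ASSUMPTION: the bridge passes JSON, so the payload is assumed to arrive
    base64-encoded under a placeholder key 'payload_b64'."""
    return base64.b64decode(args.get('payload_b64', ''))


def run(args):
    # LOG_LEVEL / LOG_NAME map onto the helper's log handler setup.
    level = getattr(logging, args.get('LOG_LEVEL', 'WARNING'))
    module.LogHandler.setup(level=level, name=args.get('LOG_NAME') or None)
    # ASSUMPTION: 'target_arch' is a placeholder key for the chosen target.
    for line in status_lines(args.get('target_arch', 'unknown'), decode_payload(args)):
        logging.info(line)


if __name__ == '__main__':
    module.run(metadata, run)
```

Outside msfconsole the module-level functions can be called directly, for instance `status_lines('x86', payload_bytes)`; inside msfconsole the `run` callback receives the option values, including the advanced ones, in `args`.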

Contributor

@acammack-r7 acammack-r7 left a comment


Looks nifty! I have some comments about the external module bits.

Inline review comments (since resolved) on:
  • lib/msf/core/modules/external/shim.rb (two comments)
  • lib/msf/core/modules/external/templates/evasion.erb
@sempervictus
Contributor

I could see using this to import things like obfuscators from unicorn... At first glance this appears to be mostly harness, but it could be implemented with callbacks from the core libs as a procession step, right? :)

Thanks as always.

@busterb busterb self-assigned this Feb 7, 2019
@busterb
Member

busterb commented Feb 7, 2019

Right on @sempervictus, this is something we had in mind from the beginning. Thanks a lot for the help @zeroSteiner!

@busterb
Member

busterb commented Feb 7, 2019

LGTM, landing...

@busterb busterb merged commit 0908d5a into rapid7:master Feb 7, 2019
@busterb
Member

busterb commented Feb 7, 2019

Release Notes

This enhances library support for evasion modules and adds initial scaffolding for integrating with external tools.

@zeroSteiner zeroSteiner deleted the feat/eva-ext branch February 23, 2021 17:10