New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Evasion Module Features #11333

Merged
merged 9 commits into from Feb 7, 2019

Conversation

Projects
None yet
5 participants
@zeroSteiner
Copy link
Contributor

zeroSteiner commented Jan 30, 2019

This pull request makes a few tweaks and adds some convenience features for the new Evasion modules.

  • Adds external module support under the type evasion
    • Also adds external module support for advanced options and default options but only in the new evasion template
  • Adds to_handler command support, just like payload modules have
  • Adds tab completion for PAYLOAD, TARGET, to_handler, etc.

Verification

Since there are no external evasion modules yet, I wrote up a quick demo to touch on each of the features. You can find it under my pastebin.com account.

  • Download and install that module under ~/.msf4/modules/evasion/windows/pr_demo (creating the directory structure as necessary
  • Start msfconsole and use evasion/windows/pr_demo
  • Run show options and see the default payload has been selected already
  • Run show advance and see the LOG_LEVEL and LOG_NAME options
  • Type set LHOST and hit tab and see IP addresses populate for you, select one
  • Run run and see the module perform a dummy task of calculating the SHA value of the payload
  • Run to_handler and see a job started with the payload configuration that was selected

Demonstration

metasploit-framework (S:0 J:0) > use evasion/windows/pr_demo
metasploit-framework (S:0 J:0) evasion(windows/pr_demo) > info

       Name: PR Demo
     Module: evasion/windows/pr_demo
   Platform: Windows
       Arch: x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Spencer McIntyre

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  Vlw.exe          yes       Filename for the evasive file (default: random)

Description:
  This module demonstrates the functionality added by a pull request 
  to the metasploit framework created by Spencer McIntyre in January 
  2019.

References:
  CVE: Not available
  https://github.com/rapid7/metasploit-framework

metasploit-framework (S:0 J:0) evasion(windows/pr_demo) > show options 

Module options (evasion/windows/pr_demo):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  Vlw.exe          yes       Filename for the evasive file (default: random)


Payload options (windows/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The local listener hostname
   LPORT     8443             yes       The local listener port
   LURI                       no        The HTTP Path


Evasion target:

   Id  Name
   --  ----
   0   Windows x86


metasploit-framework (S:0 J:0) evasion(windows/pr_demo) > show advanced 

Module advanced options (evasion/windows/pr_demo):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   LOG_LEVEL  WARNING          yes       The log level (Accepted: DEBUG, INFO, WARNING, ERROR, CRITICAL)
   LOG_NAME                    no        The name of the root logger
   VERBOSE    true             no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

metasploit-framework (S:0 J:0) evasion(windows/pr_demo) > set LHOST 192.168.90.1 
LHOST => 192.168.90.1
metasploit-framework (S:0 J:0) evasion(windows/pr_demo) > run

[*] [2019.01.30-09:53:07] The target architecture is: x86
[*] [2019.01.30-09:53:07] Payload hash (SHA-256): 54373f6df937c6e5ed0d1bde275c7a21805a2fb1a3bf6d6ee713ce592b0c01b9
metasploit-framework (S:0 J:0) evasion(windows/pr_demo) > to_handler 
[*] Payload Handler Started as Job 1
metasploit-framework (S:0 J:1) evasion(windows/pr_demo) > 
[*] [2019.01.30-09:53:09] Started HTTPS reverse handler on https://192.168.90.1:8443

@jmartin-r7 jmartin-r7 added the msf5 label Jan 30, 2019

@acammack-r7
Copy link
Contributor

acammack-r7 left a comment

Looks nifty! I have some comments about the external module bits.

Show resolved Hide resolved lib/msf/core/modules/external/shim.rb Outdated
Show resolved Hide resolved lib/msf/core/modules/external/shim.rb Outdated
Show resolved Hide resolved lib/msf/core/modules/external/templates/evasion.erb Outdated
@sempervictus

This comment has been minimized.

Copy link
Contributor

sempervictus commented Feb 5, 2019

I could see using this to import things like obfuscators from unicorn... At first glance this appears to be mostly harness, but it could be implemented with callbacks from the core libs as a procession step, right? :)

Thanks as always.

@busterb busterb self-assigned this Feb 7, 2019

@busterb

This comment has been minimized.

Copy link
Contributor

busterb commented Feb 7, 2019

Right on @sempervictus this is something we had in mind from the beginning. Thanks a lot for the help @zeroSteiner !

@busterb

This comment has been minimized.

Copy link
Contributor

busterb commented Feb 7, 2019

LGTM, landing...

@busterb busterb merged commit 0908d5a into rapid7:master Feb 7, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

busterb added a commit that referenced this pull request Feb 7, 2019

@busterb

This comment has been minimized.

Copy link
Contributor

busterb commented Feb 7, 2019

Release Notes

This enhances library support for evasion modules and adds initial scaffolding for integrating with external tools.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment