AV evasion through ASM obfuscation for Metasploit payloads automated.

Notifications You must be signed in to change notification settings

secjohn/obfy

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 

Repository files navigation

Obfy

Overview

This simple Ruby script will decompile a Metasploit payload, obfuscate the ASM code, and compile it again to avoid AV detection. You can use the menu to let the script make the payload for you, have it obfuscate a payload you have already created, or simply alter an ASM file that you want to compile outside of the script.

Capability

The tool uses the metasm Ruby gem; that gem must be installed for the script to work. I have only tested this script on BackTrack and Kali Linux. All future testing will only be on Kali. The custom payload option seems to work fine on any Metasploit payload, but it does not always work on other executable files. The larger the file is, the more likely it will fail. If you are running into that problem, decompile it yourself manually and compile it manually. If that works, take the decompiled code, run it through the script using the obfuscate ASM file option, and then compile it again.

Usage

Download the script, chmod +x obfy.rb, run it with ./obfy.rb, and follow the menu. The first options will create the payload for you, decompile it, alter it, and compile it. If you already have a payload or want to use one not in the menu, make the payload file and use the custom payload option. If the custom payload option isn't working but you can decompile and compile the code yourself, run the decompiled file through the obfuscate ASM file only option.

If the file doesn't compile and it is a Metasploit payload, the randomly chosen ASM code that was added isn't playing nice. Simply run it again and odds are the script will work fine.

Effectiveness

Update 11/24/2014: Only McAfee seems to be vulnerable to this without using something else on the file as well, like ditto. Since Crypter no longer works on the files, this is not automated against much of anything other than McAfee at this point. If you are using it for pentests I recommend checking out Veil instead: https://github.com/Veil-Framework/Veil. However, this is still crazy easy and fast if you know you are going against McAfee. It is also a good example of how this works; the manual process is explained here: https://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/. This is still a good method to use if you are doing other manual methods to make a long-term backdoor, such as a properly signed payload for phishing attacks, etc. So the Obfuscate ASM file only option is still a good choice for those to add a bit of extra randomness and help avoid detection.

As of writing this readme on 8/8/13, this script as-is works perfectly fine against Symantec and McAfee. MS Security Essentials picks it up. But if you use ditto on the file (https://github.com/mubix/ditto) it slips past that as well. I highly recommend using ditto on all files no matter what AV you are up against; the file I copied resources from in my testing was notepad.exe. Also, don't test anything this file changes in VirusTotal or we may need to start from scratch on the ASM code we add! Seriously, no VirusTotal, yes I'm talking to you.

Since the effectiveness of this file depends on AV companies not creating new signatures for whatever ASM code we add to the payloads, I'm putting up a version of this file with very stripped-down ASM code; the one I use personally has far more. The shocking thing is that it appears to work with very little and very simple ASM code, but don't expect that to last for long. So if you use this script you have three options:

  1. Use it as is. If you aren't a pentester and just want to prove to someone that AV has issues, this will probably work fine for you.
  2. Add your own ASM code to the script and keep it for yourself. If you are a pentester this is a wise move.
  3. Add ASM code and push it back up to GitHub so we can keep the public script functional for the people that really need to pick option 1. Which leads me to:

Contribute Please

If you look at the script, the way it works is by randomly picking ASM code from the three arrays at the top of the script: random_push, random_pop, random_xor. The more ASM code we add there, the better the script. This is where this file needs more work. We need more ASM code options and more complex ones. But the ASM code can't change how the file works or the payload will break. Also keep in mind that any code in the push array will be acted upon by the pop and xor arrays, and the code in the pop array will be acted upon by the xor array. So the most complex code can go into the xor array, and the least complex should go into the pop one. If the code in the push array is too complex and involves one or more pop or xor commands, then when that code gets acted upon by the next two arrays you may break the file.

Whenever you add ASM code, please test it. Comment out the three random_ variables and make your own with only your code in them, then make a few payloads with the script, make sure they compile, and run them on a system. Sometimes it will compile but not run properly, so you have to test both; running it also tests that the new code does bypass AV. If you add code and don't do this, your new code might not get used in your testing, and it might break things without you knowing it. If we add things that break the file and don't realize it, it can be hard to figure out which one it is later.

ASM Info

The starter info you need to contribute: watch this mega primer http://www.securitytube.net/groups?operation=view&groupId=5

Read this blog post by Royce Davis: http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/. This blog post also gave me the idea for the script, and Royce gave me the idea to have the script accept raw files and ASM files as input as well. Thank you Royce.

Update 8/27/2013

I added crypter.exe support. If the script finds the crypter.exe file using the locate command, it will ask if you want to use it, and if you say yes it will make a second executable run through that cool tool.

The source for this cool tool can be found here:

http://nullsecurity.net/tools/binary.html

The directions how to compile it and get it working can be found on my blog here:

http://secjohn.blogspot.com/2013/08/encrypting-payloads-with-smbexec-on.html

In a nutshell, compile it (see the link above for directions), name the executable crypter.exe, and run updatedb so the locate command finds it. Do that and the script will find that you have it and ask if you want to use it.

Update 10/2/2013

I added rc file creation to the script to save time. The file is called obfy.rc and will match whatever payload you picked if you use options 1-4. If you are doing a custom file you are on your own. The script does not open an xterm and launch it for you. I like managing my own windows.

Update 11/24/2014

I commented out the crypter part; I didn't delete it in case it starts working again someday. Something changed in how msfpayload makes its payloads, and whatever it was, running crypter on these files now makes them not run.
