From 196e07c5b1ad8fbfbf3360ba4dfb428436d3e419 Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Fri, 28 Mar 2014 11:45:28 -0500
Subject: [PATCH] Touch up the EICAR stuff

---
 lib/msf/core/exploit/exe.rb | 13 ++++++++
 modules/encoders/generic/eicar.rb | 49 +++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 modules/encoders/generic/eicar.rb

diff --git a/lib/msf/core/exploit/exe.rb b/lib/msf/core/exploit/exe.rb
index b98d459585..09e0142a7f 100644
--- a/lib/msf/core/exploit/exe.rb
+++ b/lib/msf/core/exploit/exe.rb
@@ -16,12 +16,14 @@ module Exploit::EXE
 # EncodedPayload#encoded_exe in lib/msf/core/encoded_payload.rb
 register_advanced_options(
 [
+ OptBool.new( 'EXE::EICAR', [ false, 'Generate an EICAR file instead of regular payload exe']),
 OptPath.new( 'EXE::Custom', [ false, 'Use custom exe instead of automatically generating a payload exe']),
 OptPath.new( 'EXE::Path', [ false, 'The directory in which to look for the executable template' ]),
 OptPath.new( 'EXE::Template', [ false, 'The executable template file name.' ]),
 OptBool.new( 'EXE::Inject', [ false, 'Set to preserve the original EXE function' ]),
 OptBool.new( 'EXE::OldMethod',[ false, 'Set to use the substitution EXE generation method.' ]),
 OptBool.new( 'EXE::FallBack', [ false, 'Use the default template in case the specified one is missing' ]),
+ OptBool.new( 'MSI::EICAR', [ false, 'Generate an EICAR file instead of regular payload msi']),
 OptPath.new( 'MSI::Custom', [ false, 'Use custom msi instead of automatically generating a payload msi']),
 OptPath.new( 'MSI::Path', [ false, 'The directory in which to look for the msi template' ]),
 OptPath.new( 'MSI::Template', [ false, 'The msi template file name' ]),
@@ -29,6 +31,13 @@ module Exploit::EXE
 ], self.class)
 end
 
+ # Avoid stating the string directly, don't want to get caught by local
+ # antivirus!
+ def get_eicar_exe
+ obfus_eicar = ["x5o!p%@ap[4\\pzx54(p^)7cc)7}$eicar", "standard", "antivirus", "test", "file!$h+h*"]
+ obfus_eicar.join("-").upcase
+ end
+
 def get_custom_exe(path=nil)
 path ||= datastore['EXE::Custom']
 print_status("Using custom payload #{path}, RHOST and RPORT settings will be ignored!")
@@ -41,6 +50,7 @@ module Exploit::EXE
 
 def generate_payload_exe(opts = {})
 return get_custom_exe if datastore.include? 'EXE::Custom'
+ return get_eicar_exe if datastore.include? 'EXE::EICAR'
 
 exe_init_options(opts)
 
@@ -68,6 +78,7 @@ module Exploit::EXE
 
 def generate_payload_exe_service(opts = {})
 return get_custom_exe if datastore.include? 'EXE::Custom'
+ return get_eicar_exe if datastore.include? 'EXE::EICAR'
 
 exe_init_options(opts)
 
@@ -90,6 +101,7 @@ module Exploit::EXE
 
 def generate_payload_dll(opts = {})
 return get_custom_exe if datastore.include? 'EXE::Custom'
+ return get_eicar_exe if datastore.include? 'EXE::EICAR'
 
 exe_init_options(opts)
 
@@ -112,6 +124,7 @@ module Exploit::EXE
 
 def generate_payload_msi(opts = {})
 return get_custom_exe(datastore['MSI::Custom']) if datastore.include? 'MSI::Custom'
+ return get_eicar_exe if datastore.include? 'MSI::EICAR'
 
 exe = generate_payload_exe(opts)
 
diff --git a/modules/encoders/generic/eicar.rb b/modules/encoders/generic/eicar.rb
new file mode 100644
index 0000000000..b787b0be11
--- /dev/null
+++ b/modules/encoders/generic/eicar.rb
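Review bot: `get_eicar_exe` duplicates `eicar_test_string` in the new modules/encoders/generic/eicar.rb byte for byte (the same five-element array and the same `join("-").upcase`), so the two assembled strings can silently drift apart the next time one of them is touched; one of the two should be the single source, or both should read one shared constant. The method is also public on a mixin that exploits include, so it deserves a YARD line such as `# @return [String] the 68-byte EICAR test string, assembled at runtime so the literal never appears in the source`. The check callers use to reach it is discussed in the next hunk.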
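Review bot: `return get_eicar_exe if datastore.include? 'EXE::EICAR'` tests whether the key is present, not whether the option is true, so a user who has set `EXE::EICAR` to false still gets the EICAR string instead of the payload; the same presence check is repeated in the -68 and -90 hunks and, for `MSI::EICAR`, in the -112 hunk. Gating on the value, `return get_eicar_exe if datastore['EXE::EICAR']`, matches what an OptBool means, though whether the datastore returns a normalized boolean or the raw string at this point needs confirming against the framework's DataStore before relying on truthiness. The neighbouring `EXE::Custom` line uses the same idiom, but that is an OptPath where presence is the signal. Each enclosing `generate_payload_*` method continues past its hunk.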
@@ -0,0 +1,49 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Encoder
+
+ # Set to ManualRanking because actually using ths encoder will
+ # certainly destroy any possibility of a successful shell.
+ #
+ Rank = ManualRanking
+
+ def initialize
+ super(
+ 'Name' => 'The EICAR Encoder',
+ 'Description' => %q{
+ This encoder merely tacks the EICAR test string to the beginning of
+ the payload. Note, this is sure to ruin your payload.
+
+ Any content-aware firewall, proxy, IDS, or IPS that follows anti-virus
+ standards should alert and do what it would normally do when malware is
+ transmitted across the wire.
+ },
+ 'Author' => 'todb',
+ 'License' => MSF_LICENSE,
+ 'Arch' => ARCH_ALL,
+ 'EncoderType' => Msf::Encoder::Type::Unspecified)
+
+ end
+
+ # Avoid stating the string directly, don't want to get caught by local
+ # antivirus!
+ def eicar_test_string
+ obfus_eicar = ["x5o!p%@ap[4\\pzx54(p^)7cc)7}$eicar", "standard", "antivirus", "test", "file!$h+h*"]
+ obfus_eicar.join("-").upcase
+ end
+
+ # TODO: add an option to merely prepend and not delete, using
+ # prepend_buf. Now, techiically, EICAR should be all by itself
+ # and not part of a larger whole. Problem is, OptBool is
+ # acting funny here as an encoder option.
+ #
+ def encode_block(state, buf)
+ buf = eicar_test_string
+ end
+
+end
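Review bot: The module description says the encoder "tacks the EICAR test string to the beginning of the payload", but `encode_block` discards `buf` and returns only `eicar_test_string` (the `buf =` assignment is a dead store to a local, and `state` is never read), as the TODO above it acknowledges. Since the TODO itself notes that the EICAR string is only meaningful on its own, the replacement behaviour is the defensible one and it is the description that should change, e.g. `This encoder replaces the payload with the EICAR test string.`, with the method written as `def encode_block(_state, _buf)` and a body of just `eicar_test_string`. The comments also carry two typos, "ths" and "techiically".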