Touch up the EICAR stuff

bug/bundler_fix
Tod Beardsley 2014-03-28 11:45:28 -05:00
parent 19918e3207
commit 196e07c5b1
No known key found for this signature in database
GPG Key ID: 1EFFB682ADB9F193
2 changed files with 62 additions and 0 deletions

View File

@ -16,12 +16,14 @@ module Exploit::EXE
# EncodedPayload#encoded_exe in lib/msf/core/encoded_payload.rb
register_advanced_options(
[
OptBool.new( 'EXE::EICAR', [ false, 'Generate an EICAR file instead of regular payload exe']),
OptPath.new( 'EXE::Custom', [ false, 'Use custom exe instead of automatically generating a payload exe']),
OptPath.new( 'EXE::Path', [ false, 'The directory in which to look for the executable template' ]),
OptPath.new( 'EXE::Template', [ false, 'The executable template file name.' ]),
OptBool.new( 'EXE::Inject', [ false, 'Set to preserve the original EXE function' ]),
OptBool.new( 'EXE::OldMethod',[ false, 'Set to use the substitution EXE generation method.' ]),
OptBool.new( 'EXE::FallBack', [ false, 'Use the default template in case the specified one is missing' ]),
OptBool.new( 'MSI::EICAR', [ false, 'Generate an EICAR file instead of regular payload msi']),
OptPath.new( 'MSI::Custom', [ false, 'Use custom msi instead of automatically generating a payload msi']),
OptPath.new( 'MSI::Path', [ false, 'The directory in which to look for the msi template' ]),
OptPath.new( 'MSI::Template', [ false, 'The msi template file name' ]),
@ -29,6 +31,13 @@ module Exploit::EXE
], self.class)
end
# Avoid stating the string directly, don't want to get caught by local
# antivirus!
def get_eicar_exe
obfus_eicar = ["x5o!p%@ap[4\\pzx54(p^)7cc)7}$eicar", "standard", "antivirus", "test", "file!$h+h*"]
obfus_eicar.join("-").upcase
end
def get_custom_exe(path=nil)
path ||= datastore['EXE::Custom']
print_status("Using custom payload #{path}, RHOST and RPORT settings will be ignored!")
@ -41,6 +50,7 @@ module Exploit::EXE
def generate_payload_exe(opts = {})
return get_custom_exe if datastore.include? 'EXE::Custom'
return get_eicar_exe if datastore.include? 'EXE::EICAR'
exe_init_options(opts)
@ -68,6 +78,7 @@ module Exploit::EXE
def generate_payload_exe_service(opts = {})
return get_custom_exe if datastore.include? 'EXE::Custom'
return get_eicar_exe if datastore.include? 'EXE::EICAR'
exe_init_options(opts)
@ -90,6 +101,7 @@ module Exploit::EXE
def generate_payload_dll(opts = {})
return get_custom_exe if datastore.include? 'EXE::Custom'
return get_eicar_exe if datastore.include? 'EXE::EICAR'
exe_init_options(opts)
@ -112,6 +124,7 @@ module Exploit::EXE
def generate_payload_msi(opts = {})
return get_custom_exe(datastore['MSI::Custom']) if datastore.include? 'MSI::Custom'
return get_eicar_exe if datastore.include? 'MSI::EICAR'
exe = generate_payload_exe(opts)

View File

@ -0,0 +1,49 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Encoder
# Set to ManualRanking because actually using ths encoder will
# certainly destroy any possibility of a successful shell.
#
Rank = ManualRanking
def initialize
super(
'Name' => 'The EICAR Encoder',
'Description' => %q{
This encoder merely tacks the EICAR test string to the beginning of
the payload. Note, this is sure to ruin your payload.
Any content-aware firewall, proxy, IDS, or IPS that follows anti-virus
standards should alert and do what it would normally do when malware is
transmitted across the wire.
},
'Author' => 'todb',
'License' => MSF_LICENSE,
'Arch' => ARCH_ALL,
'EncoderType' => Msf::Encoder::Type::Unspecified)
end
# Avoid stating the string directly, don't want to get caught by local
# antivirus!
def eicar_test_string
obfus_eicar = ["x5o!p%@ap[4\\pzx54(p^)7cc)7}$eicar", "standard", "antivirus", "test", "file!$h+h*"]
obfus_eicar.join("-").upcase
end
# TODO: add an option to merely prepend and not delete, using
# prepend_buf. Now, techiically, EICAR should be all by itself
# and not part of a larger whole. Problem is, OptBool is
# acting funny here as an encoder option.
#
def encode_block(state, buf)
buf = eicar_test_string
end
end