Land #3168, EICAR payload encoding

2014-04-01 09:17:10 -05:00 · 2014-04-01 09:17:10 -05:00 · f9a7cfaa67
parent 517a94c551 42c7b85b86
commit f9a7cfaa67
2 changed files with 62 additions and 0 deletions
--- a/lib/msf/core/exploit/exe.rb
+++ b/lib/msf/core/exploit/exe.rb
@ -16,12 +16,14 @@ module Exploit::EXE
    # EncodedPayload#encoded_exe in lib/msf/core/encoded_payload.rb
    register_advanced_options(
      [
+        OptBool.new(   'EXE::EICAR',    [ false, 'Generate an EICAR file instead of regular payload exe']),
        OptPath.new(   'EXE::Custom',   [ false, 'Use custom exe instead of automatically generating a payload exe']),
        OptPath.new(   'EXE::Path',     [ false, 'The directory in which to look for the executable template' ]),
        OptPath.new(   'EXE::Template', [ false, 'The executable template file name.' ]),
        OptBool.new(   'EXE::Inject',   [ false, 'Set to preserve the original EXE function' ]),
        OptBool.new(   'EXE::OldMethod',[ false, 'Set to use the substitution EXE generation method.' ]),
        OptBool.new(   'EXE::FallBack', [ false, 'Use the default template in case the specified one is missing' ]),
+        OptBool.new(   'MSI::EICAR',    [ false, 'Generate an EICAR file instead of regular payload msi']),
        OptPath.new(   'MSI::Custom',   [ false, 'Use custom msi instead of automatically generating a payload msi']),
        OptPath.new(   'MSI::Path',     [ false, 'The directory in which to look for the msi template' ]),
        OptPath.new(   'MSI::Template', [ false, 'The msi template file name' ]),
@ -29,6 +31,13 @@ module Exploit::EXE
      ], self.class)
  end

+  # Avoid stating the string directly, don't want to get caught by local
+  # antivirus!
+  def get_eicar_exe
+    obfus_eicar = ["x5o!p%@ap[4\\pzx54(p^)7cc)7}$eicar", "standard", "antivirus", "test", "file!$h+h*"]
+    obfus_eicar.join("-").upcase
+  end
+
  def get_custom_exe(path=nil)
    path ||= datastore['EXE::Custom']
    print_status("Using custom payload #{path}, RHOST and RPORT settings will be ignored!")
@ -41,6 +50,7 @@ module Exploit::EXE

  def generate_payload_exe(opts = {})
    return get_custom_exe if datastore.include? 'EXE::Custom'
+    return get_eicar_exe if datastore['EXE::EICAR']

    exe_init_options(opts)

@ -68,6 +78,7 @@ module Exploit::EXE

  def generate_payload_exe_service(opts = {})
    return get_custom_exe if datastore.include? 'EXE::Custom'
+    return get_eicar_exe if datastore['EXE::EICAR']

    exe_init_options(opts)

@ -90,6 +101,7 @@ module Exploit::EXE

  def generate_payload_dll(opts = {})
    return get_custom_exe if datastore.include? 'EXE::Custom'
+    return get_eicar_exe if datastore['EXE::EICAR']

    exe_init_options(opts)

@ -112,6 +124,7 @@ module Exploit::EXE

  def generate_payload_msi(opts = {})
    return get_custom_exe(datastore['MSI::Custom']) if datastore.include? 'MSI::Custom'
+    return get_eicar_exe if datastore['MSI::EICAR']

    exe = generate_payload_exe(opts)

--- a/modules/encoders/generic/eicar.rb
+++ b/modules/encoders/generic/eicar.rb
@ -0,0 +1,49 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Encoder
+
+  # Set to ManualRanking because actually using ths encoder will
+  # certainly destroy any possibility of a successful shell.
+  #
+  Rank = ManualRanking
+
+  def initialize
+    super(
+      'Name'             => 'The EICAR Encoder',
+      'Description'      => %q{
+        This encoder merely tacks the EICAR test string to the beginning of
+        the payload. Note, this is sure to ruin your payload.
+
+        Any content-aware firewall, proxy, IDS, or IPS that follows anti-virus
+        standards should alert and do what it would normally do when malware is
+        transmitted across the wire.
+      },
+      'Author'           => 'todb',
+      'License'          => MSF_LICENSE,
+      'Arch'             => ARCH_ALL,
+      'EncoderType'      => Msf::Encoder::Type::Unspecified)
+
+  end
+
+  # Avoid stating the string directly, don't want to get caught by local
+  # antivirus!
+  def eicar_test_string
+    obfus_eicar = ["x5o!p%@ap[4\\pzx54(p^)7cc)7}$eicar", "standard", "antivirus", "test", "file!$h+h*"]
+    obfus_eicar.join("-").upcase
+  end
+
+  # TODO: add an option to merely prepend and not delete, using
+  # prepend_buf. Now, technically, EICAR should be all by itself
+  # and not part of a larger whole. Problem is, OptBool is
+  # acting funny here as an encoder option.
+  #
+  def encode_block(state, buf)
+    buf = eicar_test_string
+  end
+
+end