From 196e07c5b1ad8fbfbf3360ba4dfb428436d3e419 Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Fri, 28 Mar 2014 11:45:28 -0500
Subject: [PATCH 1/3] Touch up the EICAR stuff

---
 lib/msf/core/exploit/exe.rb | 13 ++++++++
 modules/encoders/generic/eicar.rb | 49 +++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 modules/encoders/generic/eicar.rb

diff --git a/lib/msf/core/exploit/exe.rb b/lib/msf/core/exploit/exe.rb
index b98d459585..09e0142a7f 100644
--- a/lib/msf/core/exploit/exe.rb
+++ b/lib/msf/core/exploit/exe.rb
@@ -16,12 +16,14 @@ module Exploit::EXE
 # EncodedPayload#encoded_exe in lib/msf/core/encoded_payload.rb
 register_advanced_options(
 [
+ OptBool.new( 'EXE::EICAR', [ false, 'Generate an EICAR file instead of regular payload exe']),
 OptPath.new( 'EXE::Custom', [ false, 'Use custom exe instead of automatically generating a payload exe']),
 OptPath.new( 'EXE::Path', [ false, 'The directory in which to look for the executable template' ]),
 OptPath.new( 'EXE::Template', [ false, 'The executable template file name.' ]),
 OptBool.new( 'EXE::Inject', [ false, 'Set to preserve the original EXE function' ]),
 OptBool.new( 'EXE::OldMethod',[ false, 'Set to use the substitution EXE generation method.' ]),
 OptBool.new( 'EXE::FallBack', [ false, 'Use the default template in case the specified one is missing' ]),
+ OptBool.new( 'MSI::EICAR', [ false, 'Generate an EICAR file instead of regular payload msi']),
 OptPath.new( 'MSI::Custom', [ false, 'Use custom msi instead of automatically generating a payload msi']),
 OptPath.new( 'MSI::Path', [ false, 'The directory in which to look for the msi template' ]),
 OptPath.new( 'MSI::Template', [ false, 'The msi template file name' ]),
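Review bot: The new `EXE::EICAR` and `MSI::EICAR` option descriptions do not tell the operator what the switch does to the run: the generated "file" is the EICAR anti-virus test string rather than an executable, so a handler started for the selected payload presumably never gets a session. Since advanced-option text is the only documentation a console user sees, I would say so, e.g. `'Generate the EICAR anti-virus test file instead of a payload exe (no session will be created)'` and the matching wording for the MSI option. It is also worth stating in the description that `EXE::Custom` wins when both are set, since the later hunks check `EXE::Custom` before `EXE::EICAR`. The `register_advanced_options` call starts before this hunk and the option list continues past it.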
@@ -29,6 +31,13 @@ module Exploit::EXE
 ], self.class)
 end
+ # Avoid stating the string directly, don't want to get caught by local
+ # antivirus!
+ def get_eicar_exe
+ obfus_eicar = ["x5o!p%@ap[4\\pzx54(p^)7cc)7}$eicar", "standard", "antivirus", "test", "file!$h+h*"]
+ obfus_eicar.join("-").upcase
+ end
+
 def get_custom_exe(path=nil)
 path ||= datastore['EXE::Custom']
 print_status("Using custom payload #{path}, RHOST and RPORT settings will be ignored!")
@@ -41,6 +50,7 @@ module Exploit::EXE
 def generate_payload_exe(opts = {})
 return get_custom_exe if datastore.include? 'EXE::Custom'
+ return get_eicar_exe if datastore.include? 'EXE::EICAR'
 exe_init_options(opts)
@@ -68,6 +78,7 @@ module Exploit::EXE
 def generate_payload_exe_service(opts = {})
 return get_custom_exe if datastore.include? 'EXE::Custom'
+ return get_eicar_exe if datastore.include? 'EXE::EICAR'
 exe_init_options(opts)
@@ -90,6 +101,7 @@ module Exploit::EXE
 def generate_payload_dll(opts = {})
 return get_custom_exe if datastore.include? 'EXE::Custom'
+ return get_eicar_exe if datastore.include? 'EXE::EICAR'
 exe_init_options(opts)
@@ -112,6 +124,7 @@ module Exploit::EXE
 def generate_payload_msi(opts = {})
 return get_custom_exe(datastore['MSI::Custom']) if datastore.include? 'MSI::Custom'
+ return get_eicar_exe if datastore.include? 'MSI::EICAR'
 exe = generate_payload_exe(opts)
diff --git a/modules/encoders/generic/eicar.rb b/modules/encoders/generic/eicar.rb
new file mode 100644
index 0000000000..b787b0be11
--- /dev/null
+++ b/modules/encoders/generic/eicar.rb
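Review bot: `get_eicar_exe` swaps the payload for the EICAR test string without telling the operator, whereas the neighbouring `get_custom_exe` prints `Using custom payload ..., RHOST and RPORT settings will be ignored!`; the EICAR path deserves the same feedback, e.g. `print_warning("EXE::EICAR is set, emitting the EICAR anti-virus test file instead of a payload; no session will be created")` before the return. The same assembled string appears byte-for-byte in the new `modules/encoders/generic/eicar.rb` later in this patch, so one shared helper would keep the two copies from drifting — if either diverges by a single character the output is no longer the EICAR file and scanners are not obliged to flag it. The method also has no doc comment; I would add `# Returns the 68-byte EICAR anti-virus test string, assembled at runtime so the literal never sits in this source file.` above `def get_eicar_exe`. The `get_custom_exe` body continues past the end of this hunk.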
@@ -0,0 +1,49 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Encoder
+
+ # Set to ManualRanking because actually using ths encoder will
+ # certainly destroy any possibility of a successful shell.
+ #
+ Rank = ManualRanking
+
+ def initialize
+ super(
+ 'Name' => 'The EICAR Encoder',
+ 'Description' => %q{
+ This encoder merely tacks the EICAR test string to the beginning of
+ the payload. Note, this is sure to ruin your payload.
+
+ Any content-aware firewall, proxy, IDS, or IPS that follows anti-virus
+ standards should alert and do what it would normally do when malware is
+ transmitted across the wire.
+ },
+ 'Author' => 'todb',
+ 'License' => MSF_LICENSE,
+ 'Arch' => ARCH_ALL,
+ 'EncoderType' => Msf::Encoder::Type::Unspecified)
+
+ end
+
+ # Avoid stating the string directly, don't want to get caught by local
+ # antivirus!
+ def eicar_test_string
+ obfus_eicar = ["x5o!p%@ap[4\\pzx54(p^)7cc)7}$eicar", "standard", "antivirus", "test", "file!$h+h*"]
+ obfus_eicar.join("-").upcase
+ end
+
+ # TODO: add an option to merely prepend and not delete, using
+ # prepend_buf. Now, techiically, EICAR should be all by itself
+ # and not part of a larger whole. Problem is, OptBool is
+ # acting funny here as an encoder option.
+ #
+ def encode_block(state, buf)
+ buf = eicar_test_string
+ end
+
+end
From fb20759fc297c2e073516ba978a8fc6796dcb930 Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Mon, 31 Mar 2014 16:42:50 -0500
Subject: [PATCH 2/3] Comment doc speelling

---
 modules/encoders/generic/eicar.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/encoders/generic/eicar.rb b/modules/encoders/generic/eicar.rb
index b787b0be11..2a75060cdb 100644
--- a/modules/encoders/generic/eicar.rb
+++ b/modules/encoders/generic/eicar.rb
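Review bot: The module description says the encoder "tacks the EICAR test string to the beginning of the payload", but `encode_block` ignores `buf` and returns `eicar_test_string` alone, so no payload bytes survive; the TODO below admits this, and the description should match, e.g. `This encoder replaces the whole payload with the EICAR test string; nothing of the original payload survives.` The line `buf = eicar_test_string` is a useless assignment to a parameter that is never read again — the body should simply be `eicar_test_string`. Replacing rather than prepending is in fact the right behaviour for detection: the EICAR definition expects the 68-byte string to be the entire file (optionally followed by whitespace, up to 128 bytes), so a prepend option as sketched in the TODO would produce a file that scanners are not required to flag, and that caveat belongs in the comment rather than a plan to add the option. `Rank = ManualRanking` with `'Arch' => ARCH_ALL` is the right choice for something that must only ever be picked deliberately.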
@@ -38,7 +38,7 @@ class Metasploit3 < Msf::Encoder
 end
 # TODO: add an option to merely prepend and not delete, using
- # prepend_buf. Now, techiically, EICAR should be all by itself
+ # prepend_buf. Now, technically, EICAR should be all by itself
 # and not part of a larger whole. Problem is, OptBool is
 # acting funny here as an encoder option.
 #
From 42c7b85b86c4cfdb58e5665bce4fcf44507a679a Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Tue, 1 Apr 2014 09:05:55 -0500
Subject: [PATCH 3/3] Don't EICAR every time. That would be bad.

---
 lib/msf/core/exploit/exe.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/exe.rb b/lib/msf/core/exploit/exe.rb
index 09e0142a7f..74b5c88485 100644
--- a/lib/msf/core/exploit/exe.rb
+++ b/lib/msf/core/exploit/exe.rb
@@ -50,7 +50,7 @@ module Exploit::EXE
 def generate_payload_exe(opts = {})
 return get_custom_exe if datastore.include? 'EXE::Custom'
- return get_eicar_exe if datastore.include? 'EXE::EICAR'
+ return get_eicar_exe if datastore['EXE::EICAR']
 exe_init_options(opts)
@@ -78,7 +78,7 @@ module Exploit::EXE
 def generate_payload_exe_service(opts = {})
 return get_custom_exe if datastore.include? 'EXE::Custom'
- return get_eicar_exe if datastore.include? 'EXE::EICAR'
+ return get_eicar_exe if datastore['EXE::EICAR']
 exe_init_options(opts)
@@ -101,7 +101,7 @@ module Exploit::EXE
 def generate_payload_dll(opts = {})
 return get_custom_exe if datastore.include? 'EXE::Custom'
- return get_eicar_exe if datastore.include? 'EXE::EICAR'
+ return get_eicar_exe if datastore['EXE::EICAR']
 exe_init_options(opts)
@@ -124,7 +124,7 @@ module Exploit::EXE
 def generate_payload_msi(opts = {})
 return get_custom_exe(datastore['MSI::Custom']) if datastore.include? 'MSI::Custom'
- return get_eicar_exe if datastore.include? 'MSI::EICAR'
+ return get_eicar_exe if datastore['MSI::EICAR']
 exe = generate_payload_exe(opts)
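Review bot: `return get_eicar_exe if datastore['EXE::EICAR']` in `generate_payload_exe` is a plain Ruby truthiness test on whatever the datastore returns; if this framework version hands back the raw console string (so `set EXE::EICAR false` yields `"false"`, which is truthy), the EICAR file is still emitted — worth confirming against the datastore's `OptBool` normalisation, or normalising here the way `OptBool#is_true?` does. The same pattern is repeated in the service, DLL and MSI variants of this commit, so whichever fix is chosen should be applied to all four. Note also that with `EXE::EICAR` set but `MSI::EICAR` unset, `generate_payload_msi` falls through to `generate_payload_exe(opts)` and wraps the 68-byte test string inside an MSI; since EICAR is only defined as a standalone file, such a wrapped copy is not guaranteed to be detected, which deserves a comment such as `# EXE::EICAR alone embeds the test string in an MSI; set MSI::EICAR for a bare EICAR file.` Each of the four method bodies continues beyond its hunk.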