Description: Windows 8 Public Beta with ESET NOD32 Antivirus 5
1. Create an encoded payload to bypass the AV.
2. Redirect all of the victim's traffic to my web server.
3. Get NT AUTHORITY\SYSTEM privileges and remove the ESET kernel service from the autorun services.
4. Install the backdoor and reboot.
5. The ESET AV is killed and the backdoor is working.
VirusTotal Link: http://goo.gl/VFw0c
Tags: hack, metasploit, windows 8, eset, nod32, bypass, microsoft, meterpreter, payload, rootkit, av, antivirus, backdoor, ubuntu, armitage, c++, source, windows xp, arpspoof, dnsspoof, fake, fake update, msfencode, msfpayload, shikata_ga_nai, Antivirus Software, Tutorial, Linux, Desktop, ESET NOD32
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Interesting - thank you.
Your XOR technique is similar to the one shown in another video here recently. It was a little difficult to follow in parts because of the language, but I suppose it will become clear when I follow along with an installation. It was good to see you deal with a different AV, because most of the demonstrations on ST have dealt with AVG.
I usually turn the music off because it's loud and intrusive - but yours was entrancing and didn't detract from the content of the demonstration!
I look forward to seeing more from you.
Great video, thanks.
I liked the fact that you used Armitage. It's a good thing to see how another Metasploit interface works.
I also liked the MitM attack you did with a flavor of SE, so the victim thinks he is installing a Windows update.
By the way, are you the same guy as armitage1989? Because you have the same avatar as him on your computer account.
Anyway, keep up the good work, man!!
I'm another h@cker, not armitage1989.
Good implementation.
I have a question: why is your file encoded with -c 20 times? It increases the file size; in my tutorial I encoded it 5 times and it worked!
I had some errors getting the meterpreter shell in the CLI interface. Did the same thing happen to you? But I fixed it.
The fake update is perfect.
I know a small framework, ISR-evilgrade, that can do it.
And if you want to evade more signatures, use another implementation of the shellcode-test,
because the shellcode-test without shellcode has several signatures...
Thanks for the demonstration.
Awesome video :) That was a very nice demonstration. My favorite part was how you created your payload. I would love to learn more detail on that process.
Good job!
@Armitage:
"
And if you want to evade more signatures, use another implementation of the shellcode-test,
because the shellcode-test without shellcode has several signatures..."
Can you elaborate on that? is that covered in one of your videos?
Thanks so much
I am making a video; I will implement another variant of the shellcode-test. Please wait... I need to finish it soon... :D
I encoded the file 20 times because Avast identified the 5-times-encoded exe as a rootkit when it was run. The 5-times-encoded file on VirusTotal: 43/3, and Norton Internet Security and Avast identified it. The 20-times-encoded file ran and was not identified as a trojan or rootkit.
@PoisonReverse and @Armitage1989: the comment about a variant of the shellcode-test also confused me. I'm looking forward to your (Armitage1989) forthcoming video about this. I like to know what's happening "under the hood". There are articles and videos about the more straightforward aspects of, say, Metasploit, SET, etc., but far fewer about the inner workings and how they can be tweaked.
Very nice, detailed video. I have done everything correctly, but when I run final.exe (my final payload executable) it won't work.
http://i.imgur.com/qHGRT.png
I am running Windows 8 - 32 bit
Any help?
Thanks
-Notieboie
If you use my or armitage1989's source, run the final exe with -1.
@Ingnatius
When I say that it is advisable to use another implementation of the shellcode-test, it is because if you scan the file with the shellcode buffer but without any real shellcode in it, many antivirus products still detect it.
I also mean that you can use the __asm() directive to do the
same example using gcc, where the default syntax is AT&T:
unsigned char buff[] = "shellcode here";

int main(void)
{
    /* AT&T syntax (gcc default), 32-bit build: load the address of buff
       into eax, push it, and ret, so execution continues inside the buffer.
       With MinGW on Windows the C symbol carries a leading underscore (_buff). */
    __asm__("lea buff, %eax");
    __asm__("push %eax");
    __asm__("ret");
    return 0;
}
It is practically the same thing; I mean a different way of implementing it.