Dviros, posted November 7, 2017: Hey guys, Excalibur is a payload for scanning and exploiting Eternalblue affected machines automatically. You can view it here: https://github.com/Dviros/Excalibur
PoSHMagiC0de, posted November 7, 2017: I read through it really quick. I am not at home so not at my machine to see what is in that zip in my virtual environment. My only concern would be if the machine has a virus scanner. Reason being is you are doing some payload building on the victim's HD. The AV will see all that, especially the shellcode part. Until I see what is in there I do not know what other options you may have. Other than that, it looks good.
Dviros (author), posted November 7, 2017: Correct. This is something that I didn't overcome yet - there is an Eternalblue exploit based on PS, however, it wasn't stable enough. Here's the VT scan (detected by 14 AVs): https://www.virustotal.com/#/file/e1b8cff9071ea0863d8fcae4aabcd41300612e551bf4773f946e7a67c053fa92/detection In any case, I recommend compiling the python exploit in pyinstaller as a standalone.
PoSHMagiC0de, posted November 7, 2017: Might have a lower detection rate compiling on Windows with Py2Exe. The EB exploit is unstable in and of itself. It does not go off all the time and depends on conditions. If not met it could result in a crash rather than exploit, which is why most kits have a multirun in it in case it fails. For python code it is tricky because turning it into an exe turns it into a packed file. Those you cannot eject since it needs the base image path to explode from, so memory injection will not work unless the pe part of the exe is set up to deal with it. Best way to hide it in that case is to modify the python code before compiling to exe. Obfuscate it so when it explodes, it is still illegible to AV to determine what it is until it is run. Simple method is to stringify all the malicious code and encode/encrypt/scramble it and encapsulate that in a procedure to deobfuscate and run.
Dviros (author), posted November 8, 2017: I agree. Once I have the time I'll try to obfuscate it :)
C1PH3R, posted January 17, 2018: You could also just turn off AV (at least windows defender) by just running a simple ps line. I've used it in my payloads and it works.
PoSHMagiC0de, posted January 17, 2018: I use Avast as my AV detection baseline. It is free and also it detects a slew of things I try against it so if reason serves if I beat Avast, I may be able to beat 90% of the AVs out there...hopefully.
Dave-ee Jones, posted January 18, 2018, quoting PoSHMagiC0de ("I use Avast as my AV detection baseline. It is free and also it detects a slew of things I try against it so if reason serves if I beat Avast, I may be able to beat 90% of the AVs out there...hopefully."): Avast is pretty good in that it has live detection for free. It's hard to find a fully-featured one for free, and this is pretty close.