You could always use msfencode to put meterpreter into a built CORE Agent binary ;-)
-- 
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com
Ignore this: x5o...@ap[4\pzx54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

On Fri, Mar 19, 2010 at 11:12 AM, Jim Halfpenny <[email protected]> wrote:

> UPX is easy to use, give it a try. Many AV products support UPX extraction;
> some malware uses UPX and then purposely damages the header to bypass attempts
> to detect and extract the real executable. These modalities may serve you
> well.
>
> Jim
>
>
> On 19 March 2010 13:34, Brian Judd <[email protected]> wrote:
>
>> Wow, you've had success with PEScrambler and Core's agent? I've tried
>> PEScrambler several times and it creates a new executable, but it doesn't
>> work. I am not familiar with UPX or the ability to use Metasploit's
>> msfpayload with Core's agent. Have you done this before? Any tips or
>> tricks that you could share? I guess I will try PEScrambler again also.
>>
>> Brian Judd
>> ------------------------------
>>
>> Message: 8
>> Date: Thu, 18 Mar 2010 13:02:54 -0400
>> From: Paul Asadoorian <[email protected]>
>> Subject: Re: [Pauldotcom] Package/Scramble Core Impact Agents
>> To: PaulDotCom Security Weekly Mailing List
>>        <[email protected]>
>> Message-ID: <[email protected]>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Ah yes, pe-scrambler works really well too, I've used it with great
>> success.
>>
>> If all else fails, a VBscript payload in a Word doc is effective.
>>
>> Cheers,
>> Paul
>>
>> On 3/18/10 12:07 PM, Daniel Holiday wrote:
>> > Would pescrambler work for this?
>> >
>> > http://www.rnicrosoft.net/
>> >
>> > On Thu, Mar 18, 2010 at 9:05 AM, Brian Judd <[email protected]> wrote:
>> >
>> > Does anyone know of a good packager/installer that can get a Core
>> > Impact agent past AV detection? I used NSIS in the past, but it
>> > seems to be getting caught now. Thanks!
>> >
>> > Brian Judd
>>
>> --
>> Paul Asadoorian
>> PaulDotCom Enterprises
>> Web: http://pauldotcom.com
>> Phone: 401.829.9552
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
