November 21, 2010

SET Update gives significantly better A/V Avoidance for MSF Payloads

Written by David Kennedy
Security Testing & Analysis Social Engineering
Anti-virus has always been a pain when it comes to backdooring a legitimate executable within Metasploit. It's hit or miss; nowadays the detection rate is probably around 40 percent. Kevin Mitnick was recently doing some work and had an idea that he got from JDuck from the Metasploit team. He pointed me to a Didier Stevens post and a tool Didier wrote called "disitool", which copies the digital signature from a legitimate executable and imports it into a malicious one. I've now incorporated that technique into SET, which signs the malicious binary with a legitimate signature. This gives much better anti-virus avoidance, but it's not perfect yet.

There's another flag within Didier's tool called "inject", which inserts your malicious executable into a legitimate, digitally signed executable under the signature's file space. From there you would need to search for the digital signature, copy the rest of the file into a memory space and execute the malicious code. I'll be slating this for version 1.1 or maybe 1.2, but as of right now, with this addition, anti-virus avoidance is significantly better.

A couple of things you need to know to get this to work in SET:

1. Download pefile from http://code.google.com/p/pefile/, extract it, and run python setup.py install.
2. In config/set_config, change DIGITAL_SIGNATURE_STEAL=OFF to DIGITAL_SIGNATURE_STEAL=ON.

Special thanks to Kevin, JDuck, and Didier.
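The reason a copied signature fools signature-based scanners but not a real Authenticode check is worth seeing in code: the certificate table pasted into the new binary still carries the original, valid certificate chain, but the digest embedded in it was computed over the original file's bytes. The following added example (my own, not SET's or disitool's code) is the defender's side of that: it parses the PE's security data directory, pulls the DigestInfo out of the embedded blob, recomputes the file hash the Authenticode way and compares the two. It uses only the Python standard library (no pefile), builds a constructed minimal PE32+ image as its fixture rather than a real signed binary, and uses a simplified hash rule (whole file minus the CheckSum field, the security directory entry and the certificate table) which I take to be equivalent to the official one when sections are contiguous and the certificate table sits at the end of the file; `transplant_signature` is a hypothetical helper that exists only to produce a copied-signature sample for the check to flag.

```python
# Added example (not SET's or disitool's code): does the Authenticode signature
# embedded in a PE actually cover this file? Standard library only; the hash
# rule in authenticode_hash is a simplification (see the lead-in).
import hashlib
import struct

SHA256_OID = bytes.fromhex("608648016503040201")   # 2.16.840.1.101.3.4.2.1
SHA1_OID = bytes.fromhex("2b0e03021a")             # 1.3.14.3.2.26
DIGEST_OIDS = {SHA256_OID: "sha256", SHA1_OID: "sha1"}


def _der_items(buf, start=0, end=None):
    """Yield (tag, value_start, value_end) for each DER TLV in buf[start:end]."""
    pos, end = start, len(buf) if end is None else end
    while pos < end:
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                       # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, pos, pos + length
        pos += length


def find_digest_info(der, start=0, end=None):
    """Find DigestInfo ::= SEQUENCE { SEQUENCE { OID, ... }, OCTET STRING } anywhere in a
    DER blob, descending through PKCS#7 wrappers. Returns (algorithm, digest) or None."""
    for tag, vs, ve in _der_items(der, start, end):
        if tag == 0x30:
            kids = list(_der_items(der, vs, ve))
            if len(kids) == 2 and kids[0][0] == 0x30 and kids[1][0] == 0x04:
                alg = list(_der_items(der, kids[0][1], kids[0][2]))
                oid = der[alg[0][1]:alg[0][2]] if alg and alg[0][0] == 0x06 else None
                if oid in DIGEST_OIDS:
                    return DIGEST_OIDS[oid], der[kids[1][1]:kids[1][2]]
        if tag & 0x20:                          # constructed element: look inside it
            found = find_digest_info(der, vs, ve)
            if found:
                return found
    return None


def pe_layout(data):
    """Offsets the hash must skip: CheckSum, the SECURITY directory entry, and
    the certificate table (offset, size) that entry points at."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    checksum_off = opt + 64                               # same offset for PE32 and PE32+
    secdir_off = opt + (96 if magic == 0x10B else 112) + 4 * 8   # data directory entry 4 = SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    return checksum_off, secdir_off, cert_off, cert_size


def authenticode_hash(data, algo):
    """Simplified Authenticode file hash: everything except the three skipped regions."""
    checksum_off, secdir_off, cert_off, cert_size = pe_layout(data)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    h.update(data[secdir_off + 8:cert_off if cert_size else len(data)])
    if cert_size:
        h.update(data[cert_off + cert_size:])             # trailing data after the table, if any
    return h.digest()


def verify_embedded_signature(data):
    """'unsigned', 'digest-ok', 'digest-mismatch' (signature was made over other bytes) or 'no-digest'."""
    _, _, cert_off, cert_size = pe_layout(data)
    if cert_size == 0:
        return "unsigned"
    length = struct.unpack_from("<IHH", data, cert_off)[0]   # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType
    found = find_digest_info(data[cert_off + 8:cert_off + length])
    if found is None:
        return "no-digest"
    algo, claimed = found
    return "digest-ok" if claimed == authenticode_hash(data, algo) else "digest-mismatch"


# --- constructed fixtures: a minimal PE32+ image and a self-consistent DigestInfo blob ---
def _der(tag, content):
    return bytes([tag, len(content)]) + content             # short-form lengths suffice here


def build_test_pe(body, signed=True):
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    image = bytearray(dos + coff + opt + body)
    if not signed:
        return bytes(image)
    blob_len, cert_off = 53, len(image)                     # [0] { DigestInfo(sha256) } encodes to 53 bytes
    cert_size = (8 + blob_len + 7) // 8 * 8                 # certificate table is 8-byte aligned
    struct.pack_into("<II", image, pe_layout(image)[1], cert_off, cert_size)
    digest = authenticode_hash(bytes(image), "sha256")       # the entry itself is excluded from the hash
    blob = _der(0xA0, _der(0x30, _der(0x30, _der(0x06, SHA256_OID) + _der(0x05, b"")) + _der(0x04, digest)))
    table = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    return bytes(image) + table.ljust(cert_size, b"\0")


def transplant_signature(signed_pe, target_pe):
    """Hypothetical helper: paste one file's certificate table into another so the
    check above has a copied-signature sample to flag."""
    _, _, cert_off, cert_size = pe_layout(signed_pe)
    table = signed_pe[cert_off:cert_off + cert_size]
    target = bytearray(target_pe)
    struct.pack_into("<II", target, pe_layout(target_pe)[1], len(target), len(table))
    return bytes(target) + table
```

On a real binary the same two steps apply (locate the SECURITY directory, compare the DigestInfo digest with the recomputed file hash), with the added work of validating the PKCS#7 signer and chain; a digest mismatch alone is already enough to tell "signed by a trusted publisher" from "wearing a trusted publisher's signature", which is the distinction the A/V engines this post talks about were not making.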