Making Meterpreter Viable Again
In this demonstration of the Big Stack Bypass, we take one of the most signatured payloads in offensive security and successfully bypass Windows Defender and other AV engines
Part One: Introduction
The goal of this writeup is to demonstrate the effectiveness of the Big Stack Bypass by achieving a working meterpreter session on a modern Windows system with Windows Defender enabled.
The aim here is to demonstrate the effectiveness of the initial bypass, not necessarily the longevity of the connection, so we won't be discussing encrypting the communications of our session or redirecting our traffic to a teamserver the way an actual red team operation might.
Part Two: Getting Started
We start off with an unencrypted and unencoded meterpreter binary payload.
Before we go into writing our code we need to make sure these work. So we can quickly set up our multi/handler listener on Kali and run either the binary or the executable, and we should receive a connection.
And here we can see that it works.
We note that the payload is approximately 200KB. We paste it into the code template we used in the original Big Stack Bypass writeup.
Template:
Now let's kill those sessions and see if we can NOP into the raw binary and bypass Defender in a non-exception folder.
Part Three: The Weather Outside is Frightful
Once we've built and inserted the sleigh, we can compile our implant and put it into our test folder.
Remember, we need at least a 2MB payload… that's a lot of NOPs.
Nothing happens when we drop the implant in our test folder. ThreatCheck confirms it's flagged as safe.
Part Four: ???
[Intentionally left blank]
Part Five: Profit
We run and catch our session.
This technique also successfully bypasses most analysis available on VirusTotal:
If you only use the implant code without the Big Stack Bypass, you can expect these results:
Part Six: Conclusion
In this example we saw that one of the most signatured payloads in offensive security could be made viable again using the Big Stack Bypass. Additionally, this methodology once again proved highly effective at evading most AV engine analysis on VirusTotal.
References: