[script] for AV evasion

**LHYX1** · 04-04-2012, 11:39 AM

@L21ZIFER I edited my script and added the option to create an evil pdf.
It's a little bit different then how you did it. Now you can use all the payloads to create an evil pdf and not just meterpreter.
I made the original pdf path user generated

I'am looking into pdf obfuscation techniques so the pdf won't get detected by AV's anymore.

@melissabubble I dont really think there's an exe binder for linux.
Try to get one working under wine

**L21ZIFER** · 04-05-2012, 12:22 AM

Good news! So, when is it coming out?

**samiux** · 04-05-2012, 05:29 AM

@LHYX1,

Is it possible not to use Easy Binder to bind the script generated exe file to another executable file but use the msfencode instead? It is because the Easy Binder generated file has no file description which will alert the victim.

Samiux

**LHYX1** · 04-05-2012, 06:39 AM

@L21ZIFER I should have mentioned it but if you download the script now you'll get the new version

@samiux msfencode can't bind exes. It can only inject one of the metasploit payloads into an exe.
If you want to change the description or the company name, icon,.. of an exe, you can compile it with a resource file.
http://stackoverflow.com/questions/7...led-executable

There's also a program called resource hacker that can adjust resources after compilation.
http://www.angusj.com/resourcehacker/

**L21ZIFER** · 04-05-2012, 08:29 AM

@LHYX1,

well - but currently the PDF-Backdoor isn't working is it?
I am testing it right now and I see no good results. The PDF doesn't get detected after all - however, the backdoor isn't launching. The good .exe is doing his job like known, the pdf lacks performance at this state.

**L21ZIFER** · 04-05-2012, 08:30 AM

doublepost

**LHYX1** · 04-05-2012, 09:09 AM

@L21ZIFER
This pdf exploit only works on a specific version of adobe acrobat reader. select the exploit in metasploit and do a show targets to confirm.
I stumbled upon this a couple of days ago: http://blog.didierstevens.com/programs/pdf-tools/
Maybe this is what you are looking for. btw this is from the same guy who wrote /windows/fileformat/adobe_pdf_embedded_exe for metasploit.
And you really got to stop double posting mate

**L21ZIFER** · 04-05-2012, 10:17 AM

Why no notice then? You could mention the version-limitation for your pdf-binding anywhere in your script.

**samiux** · 04-05-2012, 04:03 PM

@LHYX1,

Thanks for the information.

Is it possible to inject your script generated payload to any execuate file (exe) and the execuate file will running properly even the backdoor is launched?

Samiux

**LHYX1** · 04-06-2012, 04:47 AM

@Samiux You could use an exe binder or
you can use the program iexpress that comes with windows.

BackTrack Linux - Penetration Testing Distribution

Thread: [script] for AV evasion

Thread Tools

Search Thread

Display

Re: [script] for AV evasion

Re: [script] for AV evasion

Re: [script] for AV evasion

Re: [script] for AV evasion

Re: [script] for AV evasion

Re: [script] for AV evasion

Re: [script] for AV evasion

Re: [script] for AV evasion

Re: [script] for AV evasion

Re: [script] for AV evasion

Similar Threads

Script for simple AV evasion (tested on AVG, Avast, Emisoft)

Script for simple AV evasion (tested on AVG, Avast, Emisoft)

Snort Signature Evasion with Metasploit

Advanced antivirus evasion techniques

Firewall evasion techniques?

Posting Permissions