Jump to content

Is it still possible to embed malicious programs into PDFs?


Recommended Posts

I have a question about malicious PDFs (or, for that matter, malicious DOC or JPG files).

Metasploit has a number of "fileformat" exploits. These create a PDF, DOC, or JPG file which also contains a payload.

The file is opened on the target machine and then the payload is executed. This does, of course, assume that it's not detected.

The payload is some kind of a shell from the Metasploit suite.

However, I can see one major issue. When setting up the fileformat exploit, you need to provide your IP (the LHOST value). That could be your IP or a VPN IP which forwards to your internal IP. This is the address where the listener lives on the attacker's system. The IP needs to be static. If it changes then the payload will not connect to the attacker's listener.

(The same is true of tools like Metasploit persistence - you need to set your IP for it to connect to).

The issue here is that the victim is connecting to you (reverse shell) and hence it needs your static IP.

IPs can change for any number of reasons. Perhaps the router dies. Or you turn off the computer.

As I understand it, Remote Administration Tools (RATs) work differently because they use dynamic DNS. Therefore, it is irrelevant whether the attacker's IP has changed because the RAT on the victim will always query the dynamic DNS database to get the latest IP of the attacker.

My question:

Given the above is it possible to have a RAT which is placed into a PDF or DOC or JPG (like a fileformat program). If so, how? My impression is that the Metasploit fileformat options only allow a Metasploit payload to be placed into the file.

This would a) allow the RAT to use dynamic DNS and b) mean that it could be crypted to make it more UD (my impression is that Metasploit payloads are easily detectable).

As a side query - I assume that all pen-testers must use static IPs otherwise their Metaspoloit reverse shells would not work. Yes?


Link to comment
Share on other sites

Regardless of payload, attack, etc, you can proxy chain or use Dyn-DNS setups so even if your IP changes, you can get the shell sent back to you, but most people use static addresses on things like amazon or cloud servers I imagine unless its a pentest and are on the inside lan/corp network already. Whatever payload you use, has to have some place to send the shell back to though, so you'd need to figure out how to make that hop get back to your machine either way.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...