n-quire

Does anyone know a good way to change the signature of the metasploit "adobe_pdf_embedded_exe_nojs" exploit to get it past antivirus?

I'm trying to copy the exploited PDF onto my test PC but the AV blocks it (BLOODHOUND.PDF.24).

I can successfully avoid the AV with a venom tweaked reverse_tcp EXE, but can't figure out how to do the same with a PDF. (I can't even find the code for the exploit - I would expect it in the exploits\CVE2010-1240 folder)

I'm using my tweaked reverse_tcp as the exe in the pdf. The exe gets past the AV without any problems. So the problem must be with the adobe_pdf_embedded... exploit.

Has anyone managed to do this? Any advice or better ideas?

I'm not fussed about the actual exploitation of the PC at this stage. I'm trying to learn how to dodge the antivirus.

Edited by n-quire

You don't need an exploit. Create your obfuscated payload. msfvenom alone isn't going to do it. But there are tools in Kali for handling this. Output your payload to an EXE file. Then simply right click on it and change the name of it to whatever.pdf. That's pretty much it.


I could do that, but it's not exactly subtle. Most users would know something's wrong when the PDF doesn't open.

I'm trying to learn about manipulating PDFs. So I'd prefer to get a proper PDF 'trojan' working. The 'adobe_pdf_embedded_exe' works well except that the AV knows its signature. If I knew where to look I should be able to change the signature enough to dodge the watchdogs.


You can take this file that is flagged as blood.hound.24

Split the file into 2 equal chunks. Upload them both to the machine while taking note of which chunk is flagged...

then take this flagged piece, split into 2 equal chunks again and upload to the machine...

You can repeat this process until you spot exactly what signature is setting off red flags...

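The halving procedure in the post above, written out as an added example (this is not code from the poster, from Metasploit or from any AV vendor). It assumes the detection is a single contiguous byte pattern, so that a chunk is flagged exactly when it contains the whole pattern; under that assumption two binary searches find the shortest flagged byte range in about 2*log2(file size) scans, and they cannot lose the pattern when it happens to straddle the midpoint of a split, which the plain "split into two equal chunks" approach can. The `CountingScanner` is a constructed stand-in for "copy the chunk to the test PC and see whether the AV removes it"; the pattern and sample file are made up for the offline run. If the detection is heuristic rather than a fixed pattern (Symantec uses the Bloodhound prefix for heuristic detections), the monotonicity assumption breaks and the narrowed range means nothing.

```python
# Added example: narrow a flagged file down to the shortest byte range that a
# signature-based scanner still flags. `is_flagged` stands in for "copy this
# chunk to the test machine and check whether the AV deletes it". The
# substring scanner below is a constructed stand-in, not any real AV logic.
from typing import Callable, Optional, Tuple

Scanner = Callable[[bytes], bool]


def minimal_flagged_span(data: bytes, is_flagged: Scanner) -> Optional[Tuple[int, int]]:
    """Return (start, end) of the smallest slice data[start:end] that
    is_flagged still accepts, or None if the whole file is clean.

    Assumption: the detection is one contiguous byte pattern, so flagging is
    monotone (a slice containing the pattern is flagged, a slice missing any
    part of it is clean). Two binary searches then suffice, and a pattern
    that straddles a split point is never lost.
    """
    n = len(data)
    if n == 0 or not is_flagged(data):
        return None

    # 1. Largest start such that data[start:] is still flagged.
    #    Invariant: data[lo:] flagged, data[hi:] clean (hi == n is empty).
    lo, hi = 0, n
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_flagged(data[mid:]):
            lo = mid
        else:
            hi = mid
    start = lo

    # 2. Smallest end such that data[start:end] is flagged.
    #    Invariant: data[start:lo] clean, data[start:hi] flagged.
    lo, hi = start, n
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_flagged(data[start:mid]):
            hi = mid
        else:
            lo = mid
    return start, hi


class CountingScanner:
    """Constructed stand-in for the AV: flags any chunk that contains
    `pattern` and counts scans (each real scan is another copy to the
    test machine, so the count is the cost of the procedure)."""

    def __init__(self, pattern: bytes) -> None:
        self.pattern = pattern
        self.scans = 0

    def __call__(self, chunk: bytes) -> bool:
        self.scans += 1
        return self.pattern in chunk


def demo() -> Tuple[Optional[Tuple[int, int]], int, bytes]:
    """Run the search over a constructed sample file; returns
    (span, number of scans, the bytes inside the span)."""
    pattern = b"FAKE-SIG-001"  # made-up 12-byte pattern, not a real signature
    # Constructed sample: PDF-looking header, filler, the pattern, more filler.
    sample = b"%PDF-1.4\n" + b"A" * 991 + pattern + b"B" * 500 + b"\n%%EOF\n"
    scanner = CountingScanner(pattern)
    span = minimal_flagged_span(sample, scanner)
    found = sample[span[0]:span[1]] if span else b""
    return span, scanner.scans, found


if __name__ == "__main__":
    span, scans, found = demo()
    print(f"flagged bytes {span}: {found!r}, located in {scans} scans")
```

In practice `is_flagged` would write the slice to a file, copy it to the test PC and report whether the file survived; once the span is known, what to change inside it is a separate question and depends on whether those bytes are part of the PDF structure or of the embedded payload.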
