n-quire Posted December 4, 2015 (edited) Does anyone know a good way to change the signature of the metasploit "adobe_pdf_embedded_exe_nojs" exploit to get it past antivirus? I'm trying to copy the exploited PDF onto my test PC but the AV blocks it (BLOODHOUND.PDF.24). I can successfully avoid the AV with a venom tweaked reverse_tcp EXE, but can't figure out how to do the same with a PDF. (I can't even find the code for the exploit - I would expect it in the exploits\CVE2010-1240 folder.) I'm using my tweaked reverse_tcp as the exe in the pdf. The exe gets past the AV without any problems. So the problem must be with the adobe_pdf_embedded... exploit. Has anyone managed to do this? Any advice or better ideas? I'm not fussed about the actual exploitation of the PC at this stage. I'm trying to learn how to dodge the antivirus. Edited December 4, 2015 by n-quire
vailixi Posted December 8, 2015 You don't need an exploit. Create your obfuscated payload. msfvenom alone isn't going to do it. But there are tools in Kali for handling this. Output your payload to an EXE file. Then simply right click on it and change the name of it to whatever.pdf. That's pretty much it.
n-quire Posted December 13, 2015 (Author) I could do that, but it's not exactly subtle. Most users would know something's wrong when the PDF doesn't open. I'm trying to learn about manipulating PDFs. So I'd prefer to get a proper PDF 'trojan' working. The 'adobe_pdf_embedded_exe' works well except that the AV knows its signature. If I knew where to look I should be able to change the signature enough to dodge the watchdogs.
i8igmac Posted December 13, 2015 You can take this file that is flagged as blood.hound.24. Split the file into 2 equal chunks. Upload them both to the machine while taking note of which chunk is flagged... then take this flagged piece, split it into 2 equal chunks again and upload to the machine... You can repeat this process until you spot exactly what signature is setting off red flags...
n-quire Posted December 16, 2015 (Author) Thanks i8igmac. It's not quite the point-and-click solution I had hoped for. But it's probably a better way for me to learn. I'll give it a crack.