Home page logo

metasploit logo Metasploit mailing list archives

Re: adobe_pdf_embedded_exe
From: Alexander Klink <alexander () klink name>
Date: Fri, 13 May 2011 15:37:37 +0200


On Fri, May 13, 2011 at 08:33:33AM -0400, macubergeek wrote:
I've been experimenting with adobe_pdf_embedded_exe
The problem I'm having is that most of the AV's on virustotal detect the pdf I create with this module as an exploit.
Is there any way to encode the exe before stuffing it into the pdf? Crypt it?

If it does not necessarily have to be a PDF where you embed it, but only something
that is (automatically on a website with the correct content type) opened by Adobe
Reader, you may want to look into the pdf2xdp.rb script which I submitted a while ago:

It converts the PDF to an equivalent XDP (XML Data Package, basically a XML/Base64-representation
of the PDF) file, which flys well under the radar of all of VirusTotal's scanners ...

I guess it would work fine in a browser/drive-by scenario but might be more tricky if social
engineering is involved as users might be sceptical about the .xdp extension (the icon on the
other hand looks pretty similar to that of a PDF file).



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]