Dailydave mailing list archives
Re: VML Exploits and IDP-AV Evasion
From: "Lorenzo Hernández García-Hierro" <lorenzohgh () tuxedo-es org>
Date: Tue, 26 Sep 2006 23:00:17 +0200
http://aviv.raffon.net/2006/09/25/VMLExploitVsAVIPSIDSSignatures.aspx
http://aviv.raffon.net/content/binary/vmlmsf.png

A nice article by Aviv on simple evasion methods and on how well AVs and other products are performing against the public exploit.

HD worked out a module for Metasploit:
http://metasploit.com/projects/Framework/exploits.html#ie_vml_rectfill
http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049678.html

I discussed with him the possible evasion methods for JS-based exploits, for example encoding ActiveX component names and other tricks (this was for the Adodb-related issues). White space, tabs and comments can also be used to alter the binary stream without impacting the exploit's reliability.

Randomization of variable names:

    my $var_buffer    = Pex::Text::LowerCaseText(int(rand(30)+2));
    my $var_shellcode = Pex::Text::LowerCaseText(int(rand(30)+2));
    my $var_unescape  = Pex::Text::LowerCaseText(int(rand(30)+2));
    my ${var_x}       = Pex::Text::LowerCaseText(int(rand(30)+2));
    my ${var_i}       = Pex::Text::LowerCaseText(int(rand(30)+2));
    (...)
    my $data = qq|
    <html xmlns:${xmlns} = "urn:schemas-microsoft-com:vml" >
    (...)
    <script>
    var ${var_unescape} = unescape ;
    var ${var_shellcode} = ${var_unescape}( "${shellcode}" ) ;

Other methods include randomization of code blocks (e.g. loops): you can randomize the way your code behaves at payload generation time (e.g. this time I use a while() loop, the next one uses for(), and another uses do-while()). The same applies to string encoding: you can encode the strings inside with a random Caesar cipher each time, with a different rotation/shift. This doesn't stop "humans" from spotting your evil intentions, but it fools IDS and AV products which rely only on binary-format parsing code.
And most current signature-based engines seem broken anyway (and people create signatures for the exploit, not the vulnerability; thus they all make a flawed assumption: if it doesn't look like the exploit I know, it's not an exploit, so I don't get pwned and stay safe). I may code a module for doing this right away in the new 3.x branch when I finish some other stuff. HD and Aviv can surely make really nice comments on this.

Cheers.

On 9/26/06, Arsal, Ertunga <EArsal () techdata de> wrote:
Hello All,

Do you think that security products are getting more into creating an illusion of safety, thus making people more vulnerable? The issue is the vulnerabilities they are not able to catch properly. One of them is the recent VML exploit. Okay, we know there are millions of ways to create an HTML page that could execute it, which means no signature would be reliable.

I did a basic test. I just went to http://www.isotf.org/zert/testvml.htm with IE. ISS Proventia blocked it. Tested without Proventia: this time Symantec AV caught it. Excellent!

Then I went to the second line:

<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office">

I changed "urn:schemas-microsoft-com:vml" to "urn:schemas-microsoft-com: vml" by putting in one space and uploaded it to a web server. Proventia didn't catch a thing, nor did the Symantec AV. IE crashed.

So, what is the trend now? Having protection only against public test exploits? Is this more a publicity thing than proper protection?

Ertunga Arsal

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
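The evasions Lorenzo lists (randomized identifiers, whitespace and comments, a randomly chosen loop form, and a Caesar-rotated payload string) put together in one generator, next to the kind of exploit-shaped signature Ertunga's one-space test shows failing. This is an added example, not code from either post or from the Metasploit module; it is written in Python rather than the Perl/Metasploit 2.x snippet above. PAYLOAD is a constructed, harmless placeholder rather than a working payload, the SIGNATURES are guesses at what a naive PoC-matching rule looks like rather than any vendor's actual rules, and the generated page contains no VML element at all, so it demonstrates only the byte-level variation versus signature matching, not the exploit itself.

```python
"""Polymorphic page generator (added example) vs. constructed PoC-shaped signatures."""
import json
import random
import re
import string

# Constructed placeholder for the %u-escaped shellcode string: deliberately not a
# working payload. Must be printable ASCII, which %u-escaped data always is.
PAYLOAD = "%u4141%u4242%u4343"

# The "textbook" shape a signature writer sees in a public PoC.
BASELINE = (
    '<html xmlns:v="urn:schemas-microsoft-com:vml">\n'
    '<script>\n'
    f'var shellcode = unescape("{PAYLOAD}");\n'
    '</script>\n</html>\n'
)

# Constructed exploit-shaped rules: they describe the PoC's bytes, not the
# vulnerable attribute handling, which is exactly the complaint in the post.
SIGNATURES = [
    re.compile(r'xmlns:v="urn:schemas-microsoft-com:vml"'),
    re.compile(r'var shellcode\s*=\s*unescape\('),
    re.compile(r'unescape\("%u'),
]

JS_RESERVED = {"do", "if", "in", "for", "int", "let", "new", "try", "var", "case",
               "else", "enum", "eval", "null", "this", "true", "void", "with",
               "break", "catch", "class", "const", "false", "super", "throw",
               "while", "yield", "delete", "export", "import", "public", "return",
               "static", "switch", "typeof", "default", "extends", "finally",
               "package", "private", "continue", "debugger", "function"}


def rand_ident(rng):
    """Lower-case name of 2..31 chars, as Pex::Text::LowerCaseText(int(rand(30)+2))."""
    while True:
        name = ''.join(rng.choice(string.ascii_lowercase) for _ in range(rng.randint(2, 31)))
        if name not in JS_RESERVED:
            return name


def rand_ws(rng):
    """Spaces, tabs, newlines and a JS block comment: changes the bytes, not the script."""
    pieces = [' ', '\t', '\n', ' /*' + rand_ident(rng) + '*/ ']
    return ''.join(rng.choice(pieces) for _ in range(rng.randint(1, 3)))


def caesar(text, shift):
    """Rotate printable ASCII (32..126) by `shift`; a negative shift decodes."""
    return ''.join(chr((ord(c) - 32 + shift) % 95 + 32) if 32 <= ord(c) <= 126 else c
                   for c in text)


def decoder_loop(rng, enc, out, idx, shift):
    """JS that undoes caesar() from `enc` into `out`, in one of three equivalent
    loop forms (for / while / do-while) picked at generation time."""
    w = lambda: rand_ws(rng)
    step = (f'var c = {enc}.charCodeAt({idx});{w()}'
            f'{out} += String.fromCharCode((c - 32 - {shift} + 95) % 95 + 32);')
    forms = [
        lambda: f'for (var {idx} = 0; {idx} < {enc}.length; {idx}++) {{{w()}{step}{w()}}}',
        lambda: f'var {idx} = 0;{w()}while ({idx} < {enc}.length) {{{w()}{step}{w()}{idx}++;{w()}}}',
        lambda: f'var {idx} = 0;{w()}do {{{w()}{step}{w()}{idx}++;{w()}}} while ({idx} < {enc}.length);',
    ]
    return rng.choice(forms)()


def generate(seed):
    """One randomized instance of the page; the same seed reproduces the same bytes."""
    rng = random.Random(seed)
    names = set()
    while len(names) < 6:          # six distinct identifiers
        names.add(rand_ident(rng))
    ns, v_unesc, v_enc, v_out, v_idx, v_sc = sorted(names)
    shift = rng.randint(1, 94)
    enc_lit = json.dumps(caesar(PAYLOAD, shift))   # always a valid JS string literal
    w = lambda: rand_ws(rng)
    js = (f'var {v_unesc}{w()}={w()}unescape;{w()}'
          f'var {v_enc}{w()}={w()}{enc_lit};{w()}'
          f'var {v_out}{w()}={w()}"";{w()}'
          f'{decoder_loop(rng, v_enc, v_out, v_idx, shift)}{w()}'
          f'var {v_sc}{w()}={w()}{v_unesc}({v_out});')
    # The URN stays intact; only the prefix varies, like ${xmlns} in the Perl snippet.
    tag_ws = rng.choice([' ', '\t', ' \n'])
    return (f'<html xmlns:{ns}{tag_ws}={tag_ws}"urn:schemas-microsoft-com:vml">\n'
            f'<script>{w()}{js}{w()}</script>\n</html>\n')


def matches(page):
    """Indices of the signatures that fire on `page`; [] means the product is blind."""
    return [i for i, sig in enumerate(SIGNATURES) if sig.search(page)]


if __name__ == '__main__':
    print('baseline hits:', matches(BASELINE))
    for seed in range(3):
        print(f'variant {seed} hits:', matches(generate(seed)))
    print(generate(0))
```

Every generated variant decodes to the same string at run time, yet none of the three rules fires on it, while all three fire on BASELINE; that is the gap between a signature for the exploit's bytes and a check for the vulnerable condition. The one thing the script does not (and cannot, offline) tell you is whether a variant still triggers the bug in IE; that is the reliability side Lorenzo mentions and has to be tested in the browser.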