Metasploit mailing list archives
Re: exploits for client side attacks not work
From: Atul Agarwal <atul () secfence com>
Date: Tue, 22 Jun 2010 12:33:30 +0530
Yes, addition of a custom packer for js based exploits in framework itself will be a plus. One thing more that can be added is the option of setting up multiple filters, and user defined chaining, in PDF based exploits. Maybe Someone can port some of Origami framework's ( http://seclabs.org/origami/) code (as its in ruby too) to msf. Thanks, Atul Agarwal Secfence Technologies On Tue, Jun 22, 2010 at 1:44 AM, Spring Systems <korund () hotmail com> wrote:
Thank you for helpful info. I agreel, to obfuscate the javascript is not so difficult task. But it is much more complex to do all this manually, separately, then assemble parts manually into the final exploit file. Metasploit is handy as it allows to create exploits automatically. It would be handy, if Metasploit had some javascript encoding/packer module which allowed to encode a javascript and change the encoding algorithm on the fly (include adding custom encoding manually) depending on situations or tasks. What do you think? Best Regards, ------------------------------ From: atul () secfence com Date: Tue, 22 Jun 2010 00:09:16 +0530 Subject: Re: [framework] exploits for client side attacks not work To: korund () hotmail com CC: framework () spool metasploit com Hello, Yes, only encoding the payload is not going to help you. As an example, in order to make the exploit undetectable, you will have to obfuscate the javascript that triggers the exploit (which is valid for most PDF exploits - geticon(), newplayer() et al, libtiff doesn't utilise js for exploitation). Obfuscating the javascript is not particularly difficult, and you can use publicly available js packers for the same (eg. http://dean.edwards.name/packer/, <- heavily used). As they are public, bear in mind, most AV's will flag it. Developing a custom javascript packer is also not much difficult. Also, you could pack the js again and again using same or different packers. A nice place to find obfuscated js exploits is the exploit packs, which you can get at any "underground" forum. Also keep checking the MDL ( http://malwaredomainlist.com/) for samples. Look into them. Another approach to make the PDF exploits undetectable is to chain the stream filters. Refer to http://blog.didierstevens.com/2008/05/19/pdf-stream-objects/ for details. I know, all the above will have to be done manually, outside metasploit. But hey, metasploit is available to the AV guys too, and they can always generate the samples and add signature/heuristics to the ways available in the msf. So you will have to think differently. Hope it helped. Thanks, Atul Agarwal Secfence Technologies On Mon, Jun 21, 2010 at 8:09 PM, Rob Fuller <mubix () room362 com> wrote: AVs are flagging on the exploited function (or should be), which is the basis for the exploit. Encoding the payload a million times will not help you. You are welcome to try for yourself though. -- Rob Fuller | Mubix Room362.com | Hak5.org On Mon, Jun 21, 2010 at 9:17 AM, Spring Systems <korund () hotmail com> wrote:PDF exploits for client side attacks not work at all, due 100% detectionbyAVs as exploits. This PDF will be useless unless Metasploit change payloads encodingscheme,allowing to select verious encoding options during the exploit creation. ________________________________ Hotmail is redefining busy with tools for the New Busy. Get more fromyourinbox. See how. _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework ------------------------------ The New Busy is not the old busy. Search, chat and e-mail from your inbox. Get started.<http://www.windowslive.com/campaign/thenewbusy?ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_3>
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- exploits for client side attacks not work Spring Systems (Jun 21)
- Re: exploits for client side attacks not work Rob Fuller (Jun 21)
- Re: exploits for client side attacks not work Atul Agarwal (Jun 21)
- Re: exploits for client side attacks not work Spring Systems (Jun 21)
- Re: exploits for client side attacks not work Atul Agarwal (Jun 22)
- Re: exploits for client side attacks not work Atul Agarwal (Jun 21)
- Re: exploits for client side attacks not work Rob Fuller (Jun 21)