Metasploit mailing list archives
Re: New Javascript Packer: JSidle
From: Thorgul <thorgul () gmail com>
Date: Tue, 13 Jul 2010 12:28:00 +0200
Seems to be a typo error. Your error says Rex::Explotation::JSilde instead of Rex::Explotation::JSilde. Try to patch the adobe_geticon code and try again ;)

-- Guillaume Thiaux

On 13 Jul 2010 at 12:02, Miguel Rios <miguelrios35 () yahoo com> wrote:

> No problem. Glad to help out.
>
> Although after much messing around the framework I got myself into a bit of trouble:
>
> msf exploit(adobe_geticon) > exploit
> [-] Exploit failed: uninitialized constant Rex::Exploitation::JSidle
> [*] Exploit completed, but no session was created.
>
> Why am I getting the uninitialized constant error? I must have broken something. Anyone else getting this error?
>
> --- On Mon, 7/12/10, Sven Taute <sven.taute () gmail com> wrote:
>
> From: Sven Taute <sven.taute () gmail com>
> Subject: Re: [framework] New Javascript Packer: JSidle
> To: "Miguel Rios" <miguelrios35 () yahoo com>
> Cc: framework () spool metasploit com, "Jonathan R" <agentsmith15 () gmail com>
> Date: Monday, July 12, 2010, 5:30 PM
>
> Thanks for testing. I think it is very difficult to permanently circumvent the detection of malicious javascript in PDF files. In contrast to web-based exploits, AV can flag the usage of JS obfuscation as malicious, though it does not see the real exploit (therefore the "generic" detection).
>
> In the first development phase I only targeted web-based exploits - the usage for PDFs was more of a side product.
>
> - Sven
>
> On Sun, 11 Jul 2010 10:59:53 -0700 (PDT) Miguel Rios <miguelrios35 () yahoo com> wrote:
> > Well, just thought I'd share my results with NOD after applying the jsidle patch for new icon adobe exploit. Bottom line, NOD still flags it as PDF/Exploit.Gen. Tried encrypting it also and it did cut down on detections but NOD still flags it as PDF/Exploit.Gen. Seems NOD is doing a pretty good job in flagging malicious PDFs.
> >
> > --- On Sat, 7/10/10, Jonathan R <agentsmith15 () gmail com> wrote:
> >
> > From: Jonathan R <agentsmith15 () gmail com>
> > Subject: Re: [framework] New Javascript Packer: JSidle
> > To: "Miguel Rios" <miguelrios35 () yahoo com>, framework () spool metasploit com
> > Date: Saturday, July 10, 2010, 11:15 PM
> >
> > NOD prides themselves on having one of the best heuristics engines, so I believe NOD would mark the PDF as suspicious and not a specific threat.
> >
> > You can do what many malware writers do and split the PDF into multiple parts and you can narrow the range of where/what in the PDF is getting flagged. Then change things accordingly.
> >
> > This idea of delaying code to bypass detection has been brought up before by well known virus writers like Z0mbie and Second Part To Hell/[rRlf].
> > http://vxheavens.com/lib/vzo23.html <--- Z0mbie's Paper
> > http://www.hack0wn.com/view.php?xroot=72.0&cat=papers <--- SPTH/rRlf
> >
> > This is all based upon the fact that an anti virus like Norton or NOD can only spend about 3 or 4 seconds on each file. Otherwise an AV scan would take too long.

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
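Sven's point above is that a PDF scanner does not need to understand the exploit: the mere presence of a packed script (eval/unescape/fromCharCode chains, runs of hex escapes, a script wired to /OpenAction) is enough for a "generic" verdict. The following is an added illustration from the defender's side, not code from the thread or from Metasploit, and the sample documents are constructed here (the packed script only decodes to alert(1)). It shows the two normalisation steps such a heuristic needs before matching, namely resolving PDF name escapes (/J#61vaScript is the same name as /JavaScript) and inflating FlateDecode streams, since script bodies are usually stored compressed; the indicator names and weights are this example's own choices.

```python
import re
import zlib
from dataclasses import dataclass, field

# Heuristic indicators of packed/obfuscated JavaScript. These are generic
# signals of the kind a "PDF/Exploit.Gen" verdict is built on, not exploit
# signatures; names and weights are this example's own choices.
OBFUSCATION_PATTERNS = {
    "eval": rb"\beval\s*\(",
    "unescape": rb"\bunescape\s*\(",
    "fromCharCode": rb"String\.fromCharCode",
    "hex_escapes": rb"(?:%u[0-9a-fA-F]{4}|\\x[0-9a-fA-F]{2}){8,}",
    "long_string": rb"[\"'][^\"'\n]{300,}[\"']",
}


@dataclass
class ScanResult:
    has_javascript: bool
    indicators: list = field(default_factory=list)
    score: int = 0


def inflate_streams(data: bytes) -> bytes:
    # Script bodies are commonly stored in FlateDecode streams; append the
    # inflated content of every stream zlib can decode so the regexes see it.
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed (or truncated); keep the raw bytes
    return b"\n".join(parts)


def decode_pdf_names(data: bytes) -> bytes:
    # PDF name objects may hex-escape characters (/J#61vaScript == /JavaScript).
    # Resolve the escapes so a trivially escaped key cannot hide from the regexes.
    return re.sub(rb"#([0-9a-fA-F]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_javascript(data: bytes) -> ScanResult:
    # Inflate first, then decode names, so '#xx' sequences inside compressed
    # bytes are not mangled before zlib gets to see them.
    body = decode_pdf_names(inflate_streams(data))
    has_js = re.search(rb"/(?:JavaScript|JS)\b", body) is not None
    result = ScanResult(has_javascript=has_js)
    if not has_js:
        return result
    result.score += 1  # a script object at all
    for name, pattern in OBFUSCATION_PATTERNS.items():
        if re.search(pattern, body):
            result.indicators.append(name)
    # A script reachable from /OpenAction runs as soon as the document is opened
    if re.search(rb"/OpenAction\b", body):
        result.indicators.append("open_action")
    result.score += len(result.indicators)
    return result


# Constructed sample documents (assumption: minimal, not spec-complete PDFs).
# The packed script only decodes to alert(1); it is stored once inline and
# once inside a FlateDecode stream referenced from the /JS key.
PACKED_JS = (b"var s=unescape('%u0061%u006c%u0065%u0072%u0074%u0028%u0031%u0029');"
             b"eval(String.fromCharCode(97,108,101,114,116,40,49,41));")

SAMPLE_BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

SAMPLE_INLINE = (b"%PDF-1.4\n"
                 b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                 b"2 0 obj << /S /J#61vaScript /JS (" + PACKED_JS + b") >> endobj\n")

SAMPLE_STREAM = (b"%PDF-1.4\n"
                 b"1 0 obj << /Type /Catalog >> endobj\n"
                 b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
                 b"3 0 obj << /Filter /FlateDecode >> stream\n"
                 + zlib.compress(PACKED_JS) + b"\nendstream endobj\n")

if __name__ == "__main__":
    for label, doc in [("benign", SAMPLE_BENIGN), ("inline", SAMPLE_INLINE), ("stream", SAMPLE_STREAM)]:
        print(label, scan_pdf_javascript(doc))
```

The inline sample scores on every indicator plus /OpenAction (score 6), the stream sample scores on the same four packer indicators once inflated (score 5), and the benign document is never examined for indicators because it contains no script key at all. That is exactly why re-encoding the script, as tried in the thread, does not help against this class of detection: the verdict rests on the packing itself, not on the decoded exploit.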
Current thread:
- Re: New Javascript Packer: JSidle, (continued)
- Re: New Javascript Packer: JSidle Spring Systems (Jul 10)
- Re: New Javascript Packer: JSidle Miguel Rios (Jul 10)
- Re: New Javascript Packer: JSidle Jonathan R (Jul 10)
- Re: New Javascript Packer: JSidle John Strand (Jul 10)
- Re: New Javascript Packer: JSidle Spring Systems (Jul 11)
- Re: New Javascript Packer: JSidle Thierry Zoller (Jul 11)
- Re: New Javascript Packer: JSidle Spring Systems (Jul 11)
- Re: New Javascript Packer: JSidle Miguel Rios (Jul 10)
- Re: New Javascript Packer: JSidle Miguel Rios (Jul 11)
- Re: New Javascript Packer: JSidle Sven Taute (Jul 12)
- Re: New Javascript Packer: JSidle Miguel Rios (Jul 13)
- Re: New Javascript Packer: JSidle Thorgul (Jul 13)
- Re: New Javascript Packer: JSidle Miguel Rios (Jul 13)
- Re: New Javascript Packer: JSidle Miguel Rios (Jul 13)
- Re: New Javascript Packer: JSidle Thorgul (Jul 13)
- Re: New Javascript Packer: JSidle Miguel Rios (Jul 13)
- Convert browser type exploit into fileformat type Spring Systems (Jul 15)
- Re: Convert browser type exploit into fileformat type Atul Agarwal (Jul 15)
- Re: Convert browser type exploit into fileformat type Spring Systems (Jul 15)
- Re: Convert browser type exploit into fileformat type Spring Systems (Jul 15)
- Re: Convert browser type exploit into fileformat type Spring Systems (Jul 16)
- Re: New Javascript Packer: JSidle Spring Systems (Jul 10)