Re: New Javascript Packer: JSidle

[Thorgul <thorgul () gmail com>]

Seems to be a typo error. Your error say Rex::Explotation::JSilde  
instead of Rex::Explotation::JSilde. Try to patch the adobe_geticon  
code and try again ;)

--
Guillaume Thiaux

Le 13 juil. 2010 à 12:02, Miguel Rios <miguelrios35 () yahoo com> a  
écrit :

> No problem. Glad to help out.
> Although after much messing around the framework I got myself into a  
> bit of trouble:
>
> msf exploit(adobe_geticon) > exploit
>
> [-] Exploit failed: uninitialized constant Rex::Exploitation::JSidle
> [*] Exploit completed, but no session was created.
>
> Why am I getting the uninitialized constant error? I must have  
> broken something. Anyone else getting this error?
>
> --- On Mon, 7/12/10, Sven Taute <sven.taute () gmail com> wrote:
>
> From: Sven Taute <sven.taute () gmail com>
> Subject: Re: [framework] New Javascript Packer: JSidle
> To: "Miguel Rios" <miguelrios35 () yahoo com>
> Cc: framework () spool metasploit com, "Jonathan R" <agentsmith15 () gmail com 
> >
> Date: Monday, July 12, 2010, 5:30 PM
>
> Thanks for testing. I think it is very difficult to permanently
> circumvent the detection of malicious javascript in PDF files. In
> contrast to web-based exploits, AV can flag the usage of JS  
> obfuscation
> as malicious, though it does not see the real exploit (therefore the
> "generic" detection).
>
> In the first development phase I only targeted web-based exploits -  
> the
> usage for PDFs was more of a side product.
>
> - Sven
>
>
> On Sun, 11 Jul 2010 10:59:53 -0700 (PDT)
> Miguel Rios <miguelrios35 () yahoo com> wrote:
>
> > Well, just thought I'd share my results with NOD after applying the
> > jsidle patch for new icon adobe exploit. Bottom line, NOD still  
> flags
> > it as PDF/Exploit.Gen. Tried encrypting it also and it did cut down
> > on detections but NOD still flags it as PDF/Exploit.Gen. Seems NOD  
> is
> > doing a pretty good job in flagging malicious PDFs.
> >
> > --- On Sat, 7/10/10, Jonathan R <agentsmith15 () gmail com> wrote:
> >
> > From: Jonathan R <agentsmith15 () gmail com>
> > Subject: Re: [framework] New Javascript Packer: JSidle
> > To: "Miguel Rios" <miguelrios35 () yahoo com>,
> > framework () spool metasploit com Date: Saturday, July 10, 2010,  
> 11:15 PM
> >
> > NOD prides themselves on having one of the best heuristics  
> engines, so
> > I believe NOD would mark the PDF as suspicious and not a specific
> > threat. You can do what many malware writers do and split the PDF  
> into
> > multiple parts and you can narrow the range of where/what in the PDF
> > is getting flagged. Then change things accordingly.
> >
> >
> > This idea of delaying code to bypass detection has been brought up
> > before by well known virus writers like Z0mbie and Second Part To
> > Hell/[rRlf].
> > http://vxheavens.com/lib/vzo23.html   <--- Z0mbie's Paper
> > http://www.hack0wn.com/view.php?xroot=72.0&cat=papers   <--- SPTH/ 
> rHlf
> >
> > This is all based upon the fact that a anti virus like Norton or NOD
> > can only spend about 3 or 4 seconds on each file. Otherwise a AV  
> scan
> > would take to long.
> >
> >
> >
> >
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework