Metasploit mailing list archives
Re: pdfs & msfencode
From: Brian Milliron <antechrist () io com>
Date: Wed, 21 Oct 2009 22:32:53 -0500
You can try to apply the JS encoding techniques from the browser exploits to the heap fill code in the PDF. Alternatively, you can use something like JS Minifier to "compress" the JS code:

- http://www.jslab.dk/tools.minify.php

If you want to obfuscate based on the PDF format and not the JS, take a look at the following:

http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/

The *only* thing msfencode does is take shellcode, encode it with one or more encoders, and then pack that into one kind of file or another. The issue you are running into is the JS/scripting inside the PDF, not the payload at all.
I've been playing around with this for a few days now. From looking at the hex for the generated pdf I can see metasploit is already applying some of the obfuscation techniques listed in that paper. That seems to be enough for most AV, but I'm using Avast, which still picks it up. I tried changing around some of the obfuscations, thinking I just need to change it enough to alter the hash.

I've become convinced that Avast is actually reducing the file to canonical form before scanning it. The AV companies are catching on! When I made "cosmetic" changes to the file such as by replacing ASCII with hex codes, etc, it was still detected. But when I removed even one byte of the shellcode it was no longer detected. So it *is* detecting the shellcode, even in encoded form. Yet, when I cut the shellcode out of the pdf into another file and scanned it, Avast had no problems with it *since it was no longer in a pdf*. Further, if I changed any of the structures inside the pdf such as the root catalog in such a way as to make the pdf unreadable, again it would not be detected as malicious, because it is no longer a valid pdf.

This tells me the scanning engine is able to "read" pdf structures and analyze them in a much more intelligent way than I think anyone has given them credit for. I suspect they have added some limited decoding capabilities to account for this line:

    compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))

And if another form of encoding were appended it might just sneak by, but I don't have the skill for that and am not certain it is all that important anyway. But I wanted to let you & the team know the current methods of obfuscation may be becoming obsolete.

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
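The post above reasons that the scanner undoes the stream filters and inspects the decoded JS rather than matching on the raw bytes. The Ruby below is an added example, not code from the thread or from Metasploit, of what such a "canonicalise before scanning" pass looks like on the defender's side: it builds a one-stream PDF fragment using a constructed stand-in for the ASCIIHexWhitespaceEncode-then-deflate step the post quotes, applies the stream's /Filter chain in order (FlateDecode, then ASCIIHexDecode), and runs one constructed detection rule over the decoded content. The sample JS, the encoder, the minimal stream extraction and the rule are all assumptions made here; no real product's parser or signatures are reproduced.

```ruby
require 'zlib'

# Constructed stand-in for the ASCIIHexWhitespaceEncode the thread quotes:
# hex-encode, then scatter whitespace between digit groups (deterministic
# here), and terminate with the '>' end-of-data marker the PDF filter expects.
def ascii_hex_whitespace_encode(data)
  groups = data.unpack1('H*').scan(/.{1,3}/)
  ws = [" ", "\n", "\t"]
  groups.each_with_index.map { |g, i| g + ws[i % 3] }.join + '>'
end

# ASCIIHexDecode as a scanner would implement it: drop everything after the
# '>' marker, strip all whitespace, pad an odd trailing digit with 0.
def ascii_hex_decode(data)
  hex = data.split('>', 2).first.to_s.gsub(/\s+/, '')
  hex << '0' if hex.length.odd?
  [hex].pack('H*')
end

# Filters are applied in the order the /Filter array lists them.
FILTERS = {
  'FlateDecode'    => ->(d) { Zlib::Inflate.inflate(d) },
  'ASCIIHexDecode' => ->(d) { ascii_hex_decode(d) },
}.freeze

# Constructed sample JS carrying the %u-escaped heap-fill idiom the thread
# discusses; it is a marker for the detection rule, nothing more.
JS = 'var fill = unescape("%u9090%u9090"); app.alert(fill.length);'

# Build a minimal PDF fragment whose stream is encoded the way the quoted
# Metasploit line does it: hex-with-whitespace first, then deflate.
def build_sample_pdf(js)
  compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
  header = "%PDF-1.4\n5 0 obj\n<< /Length #{compressed.bytesize} " \
           "/Filter [/FlateDecode /ASCIIHexDecode] >>\nstream\n".b
  header + compressed + "\nendstream\nendobj\n".b
end

# Pull every stream object's filter chain and raw bytes. The non-greedy
# regex is enough for this flat sample; a real parser resolves /Length and
# indirect objects instead of pattern-matching.
def extract_streams(pdf)
  pdf.b.scan(/<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream/m).map do |dict, raw|
    { filters: dict.scan(/\/([A-Za-z0-9]+Decode)/).flatten, raw: raw }
  end
end

# Canonical form: each stream with its whole filter chain undone.
def canonical_streams(pdf)
  extract_streams(pdf).map do |s|
    s[:filters].reduce(s[:raw]) { |data, name| FILTERS.fetch(name).call(data) }
  end
end

# One constructed rule, matched only against decoded content. Cosmetic
# changes to the hex layer or the whitespace do not affect it.
HEAP_FILL_RULE = /unescape\(\s*["']%u[0-9a-fA-F]{4}/

def detect(pdf)
  canonical_streams(pdf).any? { |content| content.match?(HEAP_FILL_RULE) }
end

if __FILE__ == $0
  sample = build_sample_pdf(JS)
  puts "raw bytes contain 'unescape': #{sample.include?('unescape')}"
  puts "decoded stream: #{canonical_streams(sample).first}"
  puts "detected after canonicalisation: #{detect(sample)}"
end
```

The decode order matters: the /Filter array names filters in the order a reader applies them, which is the reverse of the order the encoder used, so the scanner inflates first and hex-decodes second. Because the rule runs on the decoded bytes, re-encoding the same JS with different whitespace or a different hex grouping produces an identical canonical stream, which is consistent with the post's observation that cosmetic changes did not evade detection while altering the payload itself did.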
Current thread:
- pdfs & msfencode Brian Milliron (Oct 19)
- Re: pdfs & msfencode HD Moore (Oct 19)
- Re: pdfs & msfencode Brian Milliron (Oct 21)
- Re: pdfs & msfencode HD Moore (Oct 19)