Metasploit mailing list archives
Re: pdfs & msfencode
From: HD Moore <hdm () metasploit com>
Date: Mon, 19 Oct 2009 21:41:33 -0500
On Mon, 2009-10-19 at 21:01 -0500, Brian Milliron wrote:
> I've been playing with some of the pdf exploit modules on metasploit. All of them are being detected by anti-virus though. Is there any way to pipe the payload through msfencode before the pdf is generated to help obfuscate? A simple yes or no from one of the dev team would be helpful.
You can try to apply the JS encoding techniques from the browser exploits to the heap fill code in the PDF. Alternatively, you can use something like JS Minifier to "compress" the JS code:

- http://www.jslab.dk/tools.minify.php

If you want to obfuscate based on the PDF format and not the JS, take a look at the following:

http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/

The *only* thing msfencode does is take shellcode, encode it with one or more encoders, and then pack that into one kind of file or another. The issue you are running into is the JS/scripting inside the PDF, not the payload at all.

-HD
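A defender-side illustration of the point that detection keys on the scripting inside the PDF rather than on the payload, added here and not part of the original message or of Metasploit. The PDF format allows `#xx` hex escapes inside name tokens, so a triage check decodes names before looking for script and auto-run entries; the function names and sample documents below are constructed for this example.

```python
import re

# Name tokens that mark script content or automatic actions in a PDF.
SCRIPT_NAMES = ("/JS", "/JavaScript")
TRIGGER_NAMES = ("/OpenAction", "/AA")

# A name is "/" followed by regular characters (no whitespace or delimiters).
_NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]*")
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    decoded = _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def count_names(pdf_bytes: bytes) -> dict:
    """Count watched names; 'escaped' counts those written with #xx escapes."""
    counts = {n: {"total": 0, "escaped": 0} for n in SCRIPT_NAMES + TRIGGER_NAMES}
    for match in _NAME_RE.finditer(pdf_bytes):
        raw = match.group(0)
        name = normalize_name(raw)
        if name in counts:
            counts[name]["total"] += 1
            counts[name]["escaped"] += int(b"#" in raw)
    return counts


def is_suspicious(pdf_bytes: bytes) -> bool:
    """Flag script plus an auto-run trigger, or any hex-escaped watched name."""
    counts = count_names(pdf_bytes)
    has_script = any(counts[n]["total"] for n in SCRIPT_NAMES)
    has_trigger = any(counts[n]["total"] for n in TRIGGER_NAMES)
    has_escaped = any(c["escaped"] for c in counts.values())
    return (has_script and has_trigger) or has_escaped


# Constructed sample fragments (not real documents).
SAMPLE_PLAIN = (b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                b"2 0 obj\n<< /S /JavaScript /JS (var x = 1;) >>\nendobj\n")
SAMPLE_ESCAPED = (b"1 0 obj\n<< /Type /Catalog /Pages 3 0 R >>\nendobj\n"
                  b"2 0 obj\n<< /S /J#61v#61Script /#4aS (var x = 1;) >>\nendobj\n")
SAMPLE_BENIGN = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

# Caveat: this scans raw bytes only, so names inside compressed object
# streams are not seen until those streams are inflated.
```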