Re: New Javascript Packer: JSidle

[Thorgul <thorgul () gmail com>]

Yep, sorry, I get confused and mixed up JSidle and JSlides... And m'y  
answers was even worse...

Just checked the code and your problem should have been somewhere in  
the JSidle patching process. Anyhow, sorry for the stupide answers.

--
Guillaume Thiaux

Le 13 juil. 2010 à 13:15, Miguel Rios <miguelrios35 () yahoo com> a  
écrit :

> Anyway, problem has been fixed. I just deleted jsidle and repatched.
> Now I notice the PDF gets picked up by Bitdefender and Kaspersky as  
> Generic exploits, obviously because of the "suspicious" encrypted  
> javascript.
> I tried the geticon exploit and it worked perfectly (no noticeable  
> delay) on an XP SP3 with Adobe 8.0 installed.
>
> --- On Tue, 7/13/10, Miguel Rios <miguelrios35 () yahoo com> wrote:
>
> From: Miguel Rios <miguelrios35 () yahoo com>
> Subject: Re: [framework] New Javascript Packer: JSidle
> To: "Thorgul" <thorgul () gmail com>
> Cc: "framework () spool metasploit com" <framework () spool metasploit com>
> Date: Tuesday, July 13, 2010, 10:45 AM
>
> ?? Now you've got me confused. My error say Exploit failed:  
> uninitialized constant Rex::Exploitation::JSidle   not JSilde as you  
> wrote. I don't see a typo in my output.
>
> Anyone else have any suggestions as to what may be the problem?
>
> --- On Tue, 7/13/10, Thorgul <thorgul () gmail com> wrote:
>
> From: Thorgul <thorgul () gmail com>
> Subject: Re: [framework] New Javascript Packer: JSidle
> To: "Miguel Rios" <miguelrios35 () yahoo com>
> Cc: "Sven Taute" <sven.taute () gmail com>, "framework () spool metasploit com 
> " <framework () spool metasploit com>
> Date: Tuesday, July 13, 2010, 10:28 AM
>
> Seems to be a typo error. Your error say Rex::Explotation::JSilde  
> instead of Rex::Explotation::JSilde. Try to patch the adobe_geticon  
> code and try again ;)
>
> --
> Guillaume Thiaux
>
> Le 13 juil. 2010 à 12:02, Miguel Rios <miguelrios35 () yahoo com> a écr 
> it :
>
> > No problem. Glad to help out.
> > Although after much messing around the framework I got myself into  
> > a bit of trouble:
> >
> > msf exploit(adobe_geticon) > exploit
> >
> > [-] Exploit failed: uninitialized constant Rex::Exploitation::JSidle
> > [*] Exploit completed, but no session was created.
> >
> > Why am I getting the uninitialized constant error? I must have  
> > broken something. Anyone else getting this error?
> >
> > --- On Mon, 7/12/10, Sven Taute <sven.taute () gmail com> wrote:
> >
> > From: Sven Taute <sven.taute () gmail com>
> > Subject: Re: [framework] New Javascript Packer: JSidle
> > To: "Miguel Rios" <miguelrios35 () yahoo com>
> > Cc: framework () spool metasploit com, "Jonathan R" <agentsmith15 () gmail com 
> > >
> > Date: Monday, July 12, 2010, 5:30 PM
> >
> > Thanks for testing. I think it is very difficult to permanently
> > circumvent the detection of malicious javascript in PDF files. In
> > contrast to web-based exploits, AV can flag the usage of JS  
> > obfuscation
> > as malicious, though it does not see the real exploit (therefore the
> > "generic" detection).
> >
> > In the first development phase I only targeted web-based exploits -  
> > the
> > usage for PDFs was more of a side product.
> >
> > - Sven
> >
> >
> > On Sun, 11 Jul 2010 10:59:53 -0700 (PDT)
> > Miguel Rios <miguelrios35 () yahoo com> wrote:
> >
> > > Well, just thought I'd share my results with NOD after applying the
> > > jsidle patch for new icon adobe exploit. Bottom line, NOD still  
> > flags
> > > it as PDF/Exploit.Gen. Tried encrypting it also and it did cut down
> > > on detections but NOD still flags it as PDF/Exploit.Gen. Seems  
> > NOD is
> > > doing a pretty good job in flagging malicious PDFs.
> > >
> > > --- On Sat, 7/10/10, Jonathan R <agentsmith15 () gmail com> wrote:
> > >
> > > From: Jonathan R <agentsmith15 () gmail com>
> > > Subject: Re: [framework] New Javascript Packer: JSidle
> > > To: "Miguel Rios" <miguelrios35 () yahoo com>,
> > > framework () spool metasploit com Date: Saturday, July 10, 2010,  
> > 11:15 PM
> > >
> > > NOD prides themselves on having one of the best heuristics  
> > engines, so
> > > I believe NOD would mark the PDF as suspicious and not a specific
> > > threat. You can do what many malware writers do and split the PDF  
> > into
> > > multiple parts and you can narrow the range of where/what in the  
> > PDF
> > > is getting flagged. Then change things accordingly.
> > >
> > >
> > > This idea of delaying code to bypass detection has been brought up
> > > before by well known virus writers like Z0mbie and Second Part To
> > > Hell/[rRlf].
> > > http://vxheavens.com/lib/vzo23.html   <--- Z0mbie's Paper
> > > http://www.hack0wn.com/view.php?xroot=72.0&cat=papers   <--- SPTH/ 
> > rHlf
> > >
> > > This is all based upon the fact that a anti virus like Norton or  
> > NOD
> > > can only spend about 3 or 4 seconds on each file. Otherwise a AV  
> > scan
> > > would take to long.
> > >
> > >
> > >
> > >
> >
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
>
>
> -----Inline Attachment Follows-----
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework