Dailydave mailing list archives

Re: VML Exploits and IDP-AV Evasion


From: "Lorenzo Hernández García-Hierro" <lorenzohgh () tuxedo-es org>
Date: Tue, 26 Sep 2006 23:00:17 +0200

http://aviv.raffon.net/2006/09/25/VMLExploitVsAVIPSIDSSignatures.aspx
http://aviv.raffon.net/content/binary/vmlmsf.png

A nice article by Aviv related to simple evasion methods and how well
AVs and other products are performing against the public exploit.

HD worked out a module for Metasploit:
http://metasploit.com/projects/Framework/exploits.html#ie_vml_rectfill
http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049678.html

I commented with him on the possible evasion methods for JS-based
exploits, for example encoding ActiveX component names and other
tricks (this was for the Adodb-related issues). Also, white-space, tabs
and comments can be used to alter the binary stream without impacting
the exploit's reliability.

Randomization of variable names:
        # each generation picks a fresh random lower-case identifier of 2..31 chars
        my $var_buffer    = Pex::Text::LowerCaseText(int(rand(30)+2));
        my $var_shellcode = Pex::Text::LowerCaseText(int(rand(30)+2));
        my $var_unescape  = Pex::Text::LowerCaseText(int(rand(30)+2));
        my ${var_x}       = Pex::Text::LowerCaseText(int(rand(30)+2));
        my ${var_i}       = Pex::Text::LowerCaseText(int(rand(30)+2));
(...)

# the page body is a qq|...| string, so the random names and the
# namespace prefix are interpolated into the HTML/JS on every run
my $data      = qq|
<html xmlns:${xmlns} = "urn:schemas-microsoft-com:vml" >
(...)
<script>

        var ${var_unescape}  = unescape ;
        var ${var_shellcode} = ${var_unescape}( "${shellcode}" ) ;

Other methods include randomization of code blocks (e.g. loops). You
can randomize the way your code behaves at payload generation time
(e.g. this time I use a while() loop, another time a for(), and another
a do-while()). The same applies to string encoding: you can encode
the strings inside using a random Caesar cipher each time with a
different rotation/shift. This doesn't stop "humans" from spotting your
evil intentions, but it fools IDS and AV products which rely only on
binary format parsing code. And most current signature-based engines
seem broken anyway (people create signatures for the exploit, not
the vulnerability; thus they all make the flawed assumption: if it
doesn't look like the exploit I know, it's not an exploit, so I don't get
pwned and stay safe).

I may code a module for doing this right away in the new 3.x branch
when I finish some other stuff. HD and Aviv can make really nice
comments on this for sure.

Cheers.

On 9/26/06, Arsal, Ertunga <EArsal () techdata de> wrote:

Hello All,


Do you think that the security products are getting more into creating an illusion of safety, thus making people more vulnerable? The issue is the vulnerabilities they are not able to catch properly. One of them is the recent VML exploit. Okay, we know there are millions of ways to create an HTML page that could execute it, which means no signature would be reliable.

I did a basic test. Just went to http://www.isotf.org/zert/testvml.htm with IE.

ISS Proventia blocked it. Tested without Proventia. This time Symantec AV caught it. Excellent!

Then I went to the second line:
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office">
I changed "urn:schemas-microsoft-com:vml" to "urn:schemas-microsoft-com: vml" by inserting one space and uploaded it to a web server.

Proventia didn't catch a thing, nor did the Symantec AV. IE crashed.

So, what is the trend now? Having only protection against public test exploits? Is this only a publicity thing rather than proper protection?


Ertunga Arsal
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
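Worked example added by the editor, not code from this thread, from Metasploit or from any of the products named: a vulnerability-oriented pre-filter for the VML namespace declaration, contrasted with the byte-exact signature the thread says the products were relying on. The byte-exact check misses Ertunga's one-space variant; the normalising check binds any prefix to the VML URN after collapsing whitespace, decoding entities and case-folding, so neither the inserted space nor Lorenzo's randomised prefix and whitespace defeat it. The sample pages are constructed, and the normalisation rules are an assumption about what a detector should tolerate, not a claim about which variants IE itself accepts (the thread only reports the single-space case).

```python
import html
import re
from typing import List

# Constructed sample pages (not taken from the thread). The first is what a
# byte-exact signature expects; the second is Ertunga's one-space variant;
# the third uses a randomised prefix, tabs, a newline and mixed case.
SAMPLE_EXACT = ('<html xmlns:v="urn:schemas-microsoft-com:vml" '
                'xmlns:o="urn:schemas-microsoft-com:office:office">')
SAMPLE_SPACED = ('<html xmlns:v="urn:schemas-microsoft-com: vml" '
                 'xmlns:o="urn:schemas-microsoft-com:office:office">')
SAMPLE_RANDOM_PREFIX = '<html xmlns:qzr\t=\t"URN:Schemas-Microsoft-Com:\n  VML" >'
SAMPLE_BENIGN = '<html xmlns:o="urn:schemas-microsoft-com:office:office">'

VML_URN = "urn:schemas-microsoft-com:vml"

# Byte-exact pattern of the kind the thread describes: it keys on the
# public exploit's literal bytes rather than on the vulnerable feature.
NAIVE_SIGNATURE = b'xmlns:v="urn:schemas-microsoft-com:vml"'


def naive_match(page: str) -> bool:
    """Byte-exact signature check; any whitespace or prefix change breaks it."""
    return NAIVE_SIGNATURE in page.encode("utf-8", "replace")


# xmlns:<prefix> <ws>= <ws> "value" -- tolerant of whitespace, quote style and case.
_XMLNS_RE = re.compile(
    r'xmlns:([A-Za-z_][\w.-]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')',
    re.IGNORECASE,
)


def normalize_urn(value: str) -> str:
    """Canonicalise a namespace value before comparison (assumed tolerance:
    entity decoding, removal of all whitespace, case-folding)."""
    value = html.unescape(value)
    value = re.sub(r"\s+", "", value)
    return value.lower()


def vml_namespaces(page: str) -> List[str]:
    """Return every prefix the page binds to the VML namespace, whatever the
    prefix is called and however the URN value was padded."""
    found = []
    for m in _XMLNS_RE.finditer(page):
        prefix = m.group(1)
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        if normalize_urn(raw) == VML_URN:
            found.append(prefix)
    return found


def normalized_match(page: str) -> bool:
    """True when the page declares the VML namespace in any form; a hit
    means 'send this page to deeper inspection', not 'this is the exploit'."""
    return bool(vml_namespaces(page))


if __name__ == "__main__":
    for name, page in [("exact", SAMPLE_EXACT), ("spaced", SAMPLE_SPACED),
                       ("random-prefix", SAMPLE_RANDOM_PREFIX), ("benign", SAMPLE_BENIGN)]:
        print(f"{name:14s} naive={naive_match(page)!s:5s} "
              f"normalized={normalized_match(page)!s:5s} prefixes={vml_namespaces(page)}")
```

The design point is the one the thread makes: a signature keyed on the exploit's bytes fails on the first cosmetic change, while a check keyed on the feature the vulnerability lives in (a VML namespace binding) survives prefix renaming, whitespace and case changes. It is deliberately a pre-filter: VML pages are not exploits, so a hit should route the page to deeper inspection of the VML content rather than block on its own.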
