Dailydave mailing list archives
Re: Better, more FLAME-like, penetration testing
From: Moses <moses () moses io>
Date: Fri, 27 Sep 2013 14:10:47 -0400
This is an interesting concept. I may have 'seen' this in use in other systems like a SOA-based system, but truly interesting. One end of the system is injected and merely builds a message-passing channel while the other end does the heavy lifting. Very freaking scary. Very freaking awesome. Very freaking scary still.
This is pretty genius. I would imagine it doesn't rely on any scripting technology like JavaScript; instead it would rely on the text within PDFs. I am not sure how operationally you would get someone to open a large number of PDFs, but it's still a salient idea.
This is very similar to how some of the agents that used comment code in HTTP would work. Will this be a part of CANVAS going forward and be parallel to MOSDEF?
Dave Aitel wrote:
One of the core features is that there are channels into and out of the core message pumps, and these are themselves hot-swappable. So for PDF exploits, one of the channels you'll use is a PDF sniffer that sits in the PDF reader and looks at all new PDFs for signed messages from the C&C. It can then use these to update itself with, say, a bi-directional ICMP channel, or a Twitter/IMGUR channel (slightly higher bandwidth). Or a local exploit, of course.
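The design Dave describes above (a message pump whose inbound channel is a PDF watcher that only acts on signed operator messages, and which can hot-swap itself onto a different transport on command) is sketched below as an added example. It is not CANVAS or MOSDEF code and makes several assumptions of its own: messages are embedded in PDF text behind a constructed `%%CC:` marker, the "signature" is an HMAC over a sequence number and command so the example runs on the standard library alone (a real implant would carry only the operator's public key and verify an asymmetric signature), and the ICMP/IMGUR transports are represented by an in-memory queue channel with the same `recv`/`send` interface. The sequence number is the caveat a practitioner would want: without it, anyone who can re-deliver an old signed PDF can replay the command.

```python
"""Hot-swappable C&C channel pump. Added example; not Immunity's code."""
import base64
import hashlib
import hmac
import re
from collections import deque

# Constructed demo key. Real design: implant holds only a public key and
# verifies an asymmetric signature; HMAC is a stand-in for portability.
CC_KEY = b"constructed-demo-key"
MARKER = b"%%CC:"  # assumed marker for operator text embedded in a PDF
_MSG_RE = re.compile(re.escape(MARKER) + rb"([A-Za-z0-9+/=]+\.[A-Za-z0-9+/=]+)")


def sign_message(seq: int, command: bytes, key: bytes = CC_KEY) -> bytes:
    """Operator side. seq is bound into the tag so an old PDF cannot replay."""
    body = b"%d %s" % (seq, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body) + b"." + base64.b64encode(tag)


def verify_message(blob: bytes):
    """Return (seq, command) when the tag verifies, else None."""
    try:
        b64body, b64tag = blob.split(b".", 1)
        body = base64.b64decode(b64body, validate=True)
        tag = base64.b64decode(b64tag, validate=True)
        seq_text, _, command = body.partition(b" ")
        seq = int(seq_text)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(CC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return seq, command


class PDFChannel:
    """Inbound-only: sits in the reader and inspects each newly opened PDF."""
    name = "pdf"

    def __init__(self):
        self._new_pdfs = deque()

    def on_open(self, pdf_bytes: bytes):
        self._new_pdfs.append(pdf_bytes)

    def recv(self):
        found = []
        while self._new_pdfs:
            found += [m.group(1) for m in _MSG_RE.finditer(self._new_pdfs.popleft())]
        return found

    def send(self, data: bytes):
        raise RuntimeError("PDF channel carries no return path")


class QueueChannel:
    """Bidirectional in-memory stand-in for the ICMP or Twitter/IMGUR channels."""

    def __init__(self, name: str):
        self.name, self.inbox, self.outbox = name, deque(), []

    def on_open(self, blob: bytes):
        self.inbox.append(blob)

    def recv(self):
        found, self.inbox = list(self.inbox), deque()
        return found

    def send(self, data: bytes):
        self.outbox.append(data)


# Assumed registry of transports the implant knows how to bring up.
CHANNEL_FACTORIES = {b"icmp": lambda: QueueChannel("icmp"),
                     b"imgur": lambda: QueueChannel("imgur")}


class MessagePump:
    def __init__(self, channel):
        self.channel, self.last_seq, self.handled = channel, 0, []

    def step(self):
        """Drain the live channel, verify, dispatch. Returns accepted commands."""
        accepted = []
        for blob in self.channel.recv():
            parsed = verify_message(blob)
            if parsed is None or parsed[0] <= self.last_seq:
                continue  # bad tag, malformed, or replayed: drop silently
            self.last_seq, command = parsed
            accepted.append(command)
            self.dispatch(command)
        return accepted

    def dispatch(self, command: bytes):
        op, _, arg = command.partition(b" ")
        if op == b"switch" and arg in CHANNEL_FACTORIES:
            self.channel = CHANNEL_FACTORIES[arg]()  # hot-swap the transport
            self.channel.send(b"online via " + arg)  # first beacon on the new path
        else:
            self.handled.append(command)


def demo():
    """Constructed scenario: benign PDF, forged message, signed switch, replay."""
    pump = MessagePump(PDFChannel())
    benign = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    signed = sign_message(1, b"switch icmp")
    forged = sign_message(2, b"switch imgur", key=b"not-the-operator-key")
    for pdf in (benign, benign + MARKER + forged + b"\n", benign + MARKER + signed + b"\n"):
        pump.channel.on_open(pdf)
    first = pump.step()  # forged dropped, switch accepted, channel is now icmp
    pump.channel.on_open(signed)  # replay of seq 1 on the new channel
    pump.channel.on_open(sign_message(2, b"exec whoami"))
    second = pump.step()
    return first, second, pump.channel.name, list(pump.channel.outbox)
```

`demo()` walks the pump through the scenario in the thread: three PDFs arrive, only the correctly signed one is acted on, the pump swaps itself onto the queue-backed "icmp" channel and beacons there, and a replayed copy of the switch message is ignored while a fresh seq-2 command is executed.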
Current thread:
- Better, more FLAME-like, penetration testing Dave Aitel (Sep 26)
- Re: Better, more FLAME-like, penetration testing Daniel Clemens (Sep 27)
- Re: Better, more FLAME-like, penetration testing Dave Aitel (Sep 27)
- Re: Better, more FLAME-like, penetration testing Dave Aitel (Sep 27)
- Re: Better, more FLAME-like, penetration testing Moses (Sep 27)
- Re: Better, more FLAME-like, penetration testing Daniel Clemens (Sep 27)