Metasploit mailing list archives

Re: pdfs & msfencode


From: Brian Milliron <antechrist () io com>
Date: Wed, 21 Oct 2009 22:32:53 -0500


You can try to apply the JS encoding techniques from the browser
exploits to the heap fill code in the PDF. Alternatively, you can use
something like JS Minifier to "compress" the JS code:
 - http://www.jslab.dk/tools.minify.php

If you want to obfuscate based on the PDF format and not the JS, take a
look at the following:

http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/

The *only* thing msfencode does is take shellcode, encode it with one or
more encoders, and then pack that into a one kind of file or another.
The issue you are running into is the JS/scripting inside the PDF, not
the payload at all.

I've been playing around with this for a few days now.  From looking at
the hex for the generated pdf I can see metasploit is already applying
some of the obfuscation techniques listed in that paper.  That seems to
be enough for most AV, but I'm using Avast, which still picks it up.  I
tried changing around some of the obfuscations, thinking I just need to
change it enough to alter the hash.  I've become convinced that Avast is
actually reducing the file to canonical form before scanning it.  The AV
companies are catching on!  When I made "cosmetic" changes to the file
such as by replacing ASCII with hex codes, etc, it was still detected.
But when I removed even one byte of the shellcode it was no longer
detected.

So it *is* detecting the shellcode, even in encoded form.  Yet, when I
cut the shellcode out of the pdf into another file and scanned it, Avast
had no problems with it *since it was no longer in a pdf*.  Further, if
I changed any of the structures inside the pdf such as the root catalog
in such a way as to make the pdf unreadable, again it would not be
detected as malicious, because it is no longer a valid pdf.  This tells
me the scanning engine is able to "read" pdf structures and analyze them
in a much more intelligent way than I think anyone has given them credit
for.

I suspect they have added some limited decoding capabilities to account
for this line
compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))

And if another form of encoding were appended it might just sneak by,
but I don't have the skill for that and am not certain it is all that
important anyway.  But I wanted to let you & the team know the current
methods of obfuscation may be becoming obsolete.
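Added illustration, not code from this thread or from Metasploit: the canonicalisation step the post infers the scanner performs, written in Python for the exact filter chain the quoted Ruby line produces (ASCIIHex with whitespace, then Flate). The sample stream, the `ascii_hex_whitespace_encode` stand-in and the `CONSTRUCTED_MARKER` signature are constructed assumptions.

```python
import re
import zlib

# Constructed sample, not from the page or Metasploit: content a scanner wants
# to match, wrapped the way the quoted msfencode line wraps it. CONSTRUCTED_MARKER
# stands in for whatever content signature a scanner uses; it is an assumption.
PAYLOAD_JS = b"var s = unescape('%u9090'); /* CONSTRUCTED_MARKER */"

def ascii_hex_whitespace_encode(data: bytes) -> bytes:
    """Hex-encode and sprinkle whitespace; an assumed stand-in for the Ruby
    helper named on the page, deterministic so the example is reproducible."""
    out = []
    for i, ch in enumerate(data.hex()):
        out.append(ch)
        if i % 7 == 3:
            out.append(" \n"[i % 2])
    return "".join(out).encode() + b">"

def build_stream(js: bytes) -> bytes:
    """Emit a PDF stream object whose /Filter array lists the layers in decode order."""
    compressed = zlib.compress(ascii_hex_whitespace_encode(js))
    return (b"<< /Filter [/FlateDecode /ASCIIHexDecode] /Length %d >>\nstream\n"
            % len(compressed) + compressed + b"\nendstream")

def ascii_hex_decode(data: bytes) -> bytes:
    """ASCIIHexDecode per the PDF spec: ignore whitespace, stop at '>', and
    treat a missing final hex digit as 0."""
    digits = re.sub(rb"\s", b"", data.split(b">", 1)[0])
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))

FILTERS = {b"FlateDecode": zlib.decompress, b"ASCIIHexDecode": ascii_hex_decode}

def canonicalize_stream(obj: bytes) -> bytes:
    """Apply a stream's /Filter chain in order so a scanner sees the same bytes
    however many encoding layers were stacked on top of them."""
    head, _, rest = obj.partition(b"stream\n")
    body = rest.rsplit(b"\nendstream", 1)[0]
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", head)
    for name in (re.findall(rb"/(\w+)", m.group(1)) if m else []):
        if name not in FILTERS:
            raise ValueError(f"unsupported filter /{name.decode()}: flag for review")
        body = FILTERS[name](body)
    return body

def stream_contains(obj: bytes, marker: bytes) -> bool:
    """True when the marker appears in the decoded content, not the raw bytes."""
    return marker in canonicalize_stream(obj)
```

A raw byte match against `build_stream(PAYLOAD_JS)` fails while `stream_contains` succeeds, which is the behaviour the post describes: cosmetic re-encoding changes the file but not what the engine matches on.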