Metasploit mailing list archives

Re: pdfs & msfencode


From: HD Moore <hdm () metasploit com>
Date: Mon, 19 Oct 2009 21:41:33 -0500

On Mon, 2009-10-19 at 21:01 -0500, Brian Milliron wrote:
I've been playing with some of the pdf exploit modules on metasploit.
All of them are being detected by anti-virus though.  Is there any way
to pipe the payload through msfencode before the pdf is generated to
help obfuscate?  A simple yes or no from one of the dev team would be
helpful.

You can try to apply the JS encoding techniques from the browser
exploits to the heap fill code in the PDF. Alternatively, you can use
something like JS Minifier to "compress" the JS code:
 - http://www.jslab.dk/tools.minify.php

If you want to obfuscate based on the PDF format and not the JS, take a
look at the following:

http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/

The *only* thing msfencode does is take shellcode, encode it with one or
more encoders, and then pack that into one kind of file or another.
The issue you are running into is the JS/scripting inside the PDF, not
the payload at all.

-HD
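HD's point is that the signature fires on the PDF's scripting objects, not the encoded shellcode, and the Didier Stevens post he links is about how those objects' names can be spelled with #xx escapes. The following is an added example, not code from this thread or from Metasploit: a small Python scanner that normalizes PDF name tokens before matching them against a watch list, so that /J#61vaScript is recognized as /JavaScript and the use of escapes is itself reported. The watch list and the sample PDF bytes are constructed for the example.

```python
import re

# Watch list of PDF name tokens that introduce active content (constructed for
# this example; extend it to taste).
SUSPICIOUS_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"}

# A PDF name is '/' followed by regular characters: anything except whitespace
# and the delimiters ( ) < > [ ] { } / %.
NAME_TOKEN = re.compile(rb"/[^\s()<>\[\]{}/%]+")


def normalize_name(raw: str) -> str:
    """Resolve #xx hex escapes, so /J#61vaScript compares equal to /JavaScript."""
    return re.sub(r"#([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def scan(pdf: bytes) -> dict:
    """Map each suspicious name to its occurrence count and to how many of those
    occurrences were spelled with #xx escapes. Escaped plain letters are worth
    alerting on by themselves: legitimate writers have no reason to escape them."""
    hits = {}
    for m in NAME_TOKEN.finditer(pdf):
        raw = m.group(0).decode("latin-1")
        name = normalize_name(raw)
        if name not in SUSPICIOUS_NAMES:
            continue
        entry = hits.setdefault(name, {"count": 0, "escaped": 0})
        entry["count"] += 1
        if "#" in raw:
            entry["escaped"] += 1
    return hits


# Constructed sample: a minimal PDF skeleton whose JavaScript action spells
# /JavaScript and /JS with hex escapes. It is not a complete, working document.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /J#53 (app.alert(1);) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, info in sorted(scan(SAMPLE_PDF).items()):
        print(f"{name}: {info['count']} occurrence(s), {info['escaped']} escaped")
```

Real-world checks also need to decode hex strings and inflate FlateDecode streams before matching, since the same keywords can hide there; this block covers only the name-escape case the linked post describes.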
