Re: exploits for client side attacks not work

[Spring Systems <korund () hotmail com>]

Thank you for helpful info. I agreel, to obfuscate the javascript is not so difficult task. But it is much
more complex to do all this manually, separately, then assemble parts
manually into the final exploit file. 
Metasploit is handy as it allows to
create exploits automatically. It would be handy, if Metasploit had
some javascript encoding/packer module which allowed to encode a
javascript and change the encoding algorithm on the fly (include adding custom
encoding manually) depending on situations or tasks. What do you think?

Best Regards,

From: atul () secfence com
Date: Tue, 22 Jun 2010 00:09:16 +0530
Subject: Re: [framework] exploits for client side attacks not work
To: korund () hotmail com
CC: framework () spool metasploit com

Hello,

Yes, only encoding the payload is not going to help you. 

As an example, in order to make the exploit undetectable, you will have to obfuscate the javascript that triggers the 
exploit (which is valid for most PDF exploits - geticon(), newplayer() et al, libtiff doesn't utilise js for 
exploitation). 



Obfuscating the javascript is not particularly difficult, and you can use publicly available js packers for the same 
(eg. http://dean.edwards.name/packer/, <- heavily used). As they are public, bear in mind, most AV's will flag it. 
Developing a custom javascript packer is also not much difficult. Also, you could pack the js again and again using 
same or different packers. 



A nice place to find obfuscated js exploits is the exploit packs, which you can get at any "underground" forum. Also 
keep checking the MDL (http://malwaredomainlist.com/) for samples. Look into them.



Another approach to make the PDF exploits undetectable is to chain the stream filters. Refer to 
http://blog.didierstevens.com/2008/05/19/pdf-stream-objects/ for details.



I know, all the above will have to be done manually, outside metasploit. But hey, metasploit is available to the AV 
guys too, and they can always generate the samples and add signature/heuristics to the ways available in the msf. So 
you will have to think differently.



Hope it helped.


Thanks,
Atul Agarwal
Secfence Technologies



On Mon, Jun 21, 2010 at 8:09 PM, Rob Fuller <mubix () room362 com> wrote:


AVs are flagging on the exploited function (or should be), which is

the basis for the exploit. Encoding the payload a million times will

not help you. You are welcome to try for yourself though.







--

Rob Fuller | Mubix

Room362.com | Hak5.org







On Mon, Jun 21, 2010 at 9:17 AM, Spring Systems <korund () hotmail com> wrote:

>

> PDF exploits for client side attacks not work at all, due 100% detection by

> AVs as exploits.

> This PDF will be useless unless Metasploit change payloads encoding scheme,

> allowing to select verious encoding options

> during the exploit creation.

> ________________________________

> Hotmail is redefining busy with tools for the New Busy. Get more from your

> inbox. See how.

> _______________________________________________

> https://mail.metasploit.com/mailman/listinfo/framework

>

>

_______________________________________________

https://mail.metasploit.com/mailman/listinfo/framework


                                          
_________________________________________________________________
The New Busy is not the old busy. Search, chat and e-mail from your inbox.
http://www.windowslive.com/campaign/thenewbusy?ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_3

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework