Metasploit mailing list archives
Re: New Javascript Packer: JSidle
From: Miguel Rios <miguelrios35 () yahoo com>
Date: Sat, 10 Jul 2010 07:10:16 -0700 (PDT)
Yes, thanks for your contribution. I just took a quick look at your code and it looks pretty innovative. Of course there will inevitably be a delay which could have an effect on the different exploits, but I like the idea.

Regarding metasploit's ability to create PDFs, I wonder if it's possible to use an existing pdf rather than the blank one. That way if the client is not vulnerable he'll see a nice pdf and not become suspicious. Also it may be easier to hide from AV if you have a bigger legit pdf to play with.

Finally I have noticed that NOD32 detects the metasploit produced PDFs when they're encrypted (an easy simple way that cuts down on detections) which seems counterintuitive. Trying to get the newer libtiff and adobe_flashplayer_newfunction exploits past AVs is getting harder and harder, so your java packer is a welcome addition. If anyone knows what NOD is keying on in the libtiff and flashplayer PDFs do let me know please.

--- On Sat, 7/10/10, Spring Systems <korund () hotmail com> wrote:

From: Spring Systems <korund () hotmail com>
Subject: Re: [framework] New Javascript Packer: JSidle
To: framework () spool metasploit com
Date: Saturday, July 10, 2010, 1:26 PM

Thanks for the good addon. Is the JSidle packer concept based on delivering the script with a time delay? Will this affect the execution speed of the exploit? The other good thing would be to implement a polymorphic encryption algorithm, to make Javascript code that can transmute and protect itself. This will provide very good protection.

Regards,
spring
Date: Sat, 10 Jul 2010 00:34:49 +0200
From: sven.taute () gmail com
To: framework () spool metasploit com
Subject: [framework] New Javascript Packer: JSidle

Hi all,

I developed a new javascript packer that should solve the current problems with AV detection and perform better than the existing obfuscators. It uses some new concepts explained in a blog post and in more detail in the latest issue of the HITB magazine:

http://relentless-coding.blogspot.com/2010/07/new-javascript-packer-jsidle.html
http://magazine.hitb.org

The code is available here: http://github.com/svent/jsidle

Patches for Metasploit: http://github.com/svent/jsidle/tree/master/metasploit/

I patched two existing exploit modules to show the usage, the aurora exploit for web-based ones and the adobe_geticon exploit to show the usage for PDF files. The javascript part of web-based exploits should not be detected by AV (using static analysis). Virustotal detection for the PDF dropped from 17/41 to 9/41 - as obfuscation is not that common in PDF files, some scanners still flag the file as suspicious using a generic detection.

- Sven

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- New Javascript Packer: JSidle Sven Taute (Jul 09)
- Re: New Javascript Packer: JSidle Spring Systems (Jul 10)
- Re: New Javascript Packer: JSidle Miguel Rios (Jul 10)
- Re: New Javascript Packer: JSidle Jonathan R (Jul 10)
- Re: New Javascript Packer: JSidle John Strand (Jul 10)
- Re: New Javascript Packer: JSidle Spring Systems (Jul 11)
- Re: New Javascript Packer: JSidle Thierry Zoller (Jul 11)
- Re: New Javascript Packer: JSidle Spring Systems (Jul 11)
- Re: New Javascript Packer: JSidle Miguel Rios (Jul 10)
- Re: New Javascript Packer: JSidle Miguel Rios (Jul 11)
- Re: New Javascript Packer: JSidle Sven Taute (Jul 12)
- Re: New Javascript Packer: JSidle Miguel Rios (Jul 13)
- Re: New Javascript Packer: JSidle Thorgul (Jul 13)
- Re: New Javascript Packer: JSidle Miguel Rios (Jul 13)
- Re: New Javascript Packer: JSidle Spring Systems (Jul 10)