Metasploit mailing list archives

Re: HTTP encoding for ms10_xxx_ie_css_clip


From: David Porcello <DPorcello () vermontmutual com>
Date: Thu, 2 Dec 2010 11:50:21 -0500

Thanks Will! I've tried many of the built-in msf HTTP/HTML obfuscators so I'll give the daftlogic a try.

I am however lost on what I should be obfuscating. I know how to generate JS payloads with msfpayload, but in this case 
I believe the client AV is triggering on the exploit itself, not the payload. When I run this exploit with no payload 
defined, the client AV still blocks a JS execute and prevents the exploit from running. It appears the detection is 
happening within the browser before the exploit even runs. 

Btw, thanks for putting together this tremendously useful writeup!!
Dave.

-----Original Message-----
From: Will Metcalf [mailto:william.metcalf () gmail com] 
Sent: Thursday, December 02, 2010 11:07 AM
To: David Porcello
Cc: framework () spool metasploit com
Subject: Re: [framework] HTTP encoding for ms10_xxx_ie_css_clip

This seemed to work for me..
http://www.daftlogic.com/projects-online-javascript-obfuscator.htm

See "metaencoded.html" for ie6 that worked when I tested...  Of course
this was tested on 11/09.. so your mileage may vary.
http://rules.emergingthreats.net/research/WMetcalf-CVE-2010-3962/

Regards,

Will

On Thu, Dec 2, 2010 at 9:45 AM, David Porcello
<DPorcello () vermontmutual com> wrote:
Hi all - I'm having an issue with client AV (McAfee) detecting ms10_xxx_ie_css_clip as "JS/Exploit-BO.gen". I've 
tried enabling SSL and all Metasploit evasion options:

HTML::base64            Enable HTML obfuscation via an embeded base64 html object (accepted: none, plain, single_pad, double_pad, random_space_injection)
HTML::javascript::escape Enable HTML obfuscation via HTML escaping (number of iterations)
HTML::unicode           Enable HTTP obfuscation via unicode (accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be)
HTTP::chunked           Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
HTTP::compression       Enable compression of HTTP responses via content encoding (accepted: none, gzip, deflate)
HTTP::header_folding    Enable folding of HTTP headers
HTTP::junk_headers      Enable insertion of random junk HTTP headers
TCP::max_send_size      Maximum tcp segment size. (0 = disable)
TCP::send_delay         Delays inserted before every send. (0 = disable)

Has anyone found a combination of encoders that has worked well for AV bypass? Is there a way to obfuscate this 
module with a 3rd-party obfuscator (such as Dean Edward's packer or javascriptobfuscator.com) and then re-import for 
use in Metasploit?

Dave.

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
