Re: Better, more FLAME-like, penetration testing
From: Moses <moses () moses io>
Date: Fri, 27 Sep 2013 14:10:47 -0400
This is an interesting concept. I may have 'seen' this in use in other
systems like a SOA based system but truly interesting. One end of the
system is injected and merely builds a message passing channel while the
other end does the heavy lifting. Very freaking scary. Very freaking
awesome. Very freaking scary still.
This is pretty genius, I would imagine it doesn't rely on any scripting
PDFs. I am not sure how operationally you would get someone to open a
large number of PDFs but it's still a salient idea.
This is very similar to how some of the agents that used comment code in
HTTP would work. Will this be a part of Canvas going forward and be
parallel to MosDef?
Dave Aitel wrote:
One of the core features is that there are channels into and out of
the core message pumps, and these are themselves hot-swappable. So for
PDF exploits, one of the channels you'll use is a PDF sniffer that
sits in the PDF reader and looks at all new PDFs for signed messages
from the C&C. It can then use these to update itself with, say, a
bi-directional ICMP channel, or a Twitter/IMGUR channel (slightly
higher bandwidth). Or a local exploit, of course.
Dailydave mailing list
Dailydave () lists immunityinc com