Home page logo
/

dailydave logo Dailydave mailing list archives

Re: Better, more FLAME-like, penetration testing
From: Moses <moses () moses io>
Date: Fri, 27 Sep 2013 14:10:47 -0400

This is an interesting concept. I may have 'seen' this in use in other systems like a SOA based system but truly interesting. One end of the system is injected and merely builds a message passing channel while the other end does the heavy lifting. Very freaking scary. Very freaking awesome. Very freaking scary still.

This is pretty genius, I would imagine it doesn't rely on any scripting technology like javascript, instead it would rely on the text within PDF's. I am not sure how operationally you would get someone to open a large number of PDF's but its still a salient idea.

This is very similar to how some of the agents that used comment code in http would work. Will this be a part of Canvas going forward and be parallel to MosDef?

Dave Aitel wrote:
One of the core features is that there are channels into and out of the core message pumps, and these are themselves hot-swappable. So for PDF exploits, one of the channels you'll use is a PDF sniffer that sits in the PDF reader and looks at all new PDF's for signed messages from the C&C. It can then use these to update itself with, say, a bi-directional ICMP channel, or a Twitter/IMGUR channel (slightly higher bandwidth). Or a local exploit, of course.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault