Home page logo
/

metasploit logo Metasploit mailing list archives

Re: exploits for client side attacks not work
From: Atul Agarwal <atul () secfence com>
Date: Tue, 22 Jun 2010 00:09:16 +0530

Hello,

Yes, only encoding the payload is not going to help you.

As an example, in order to make the exploit undetectable, you will have to
obfuscate the javascript that triggers the exploit (which is valid for most
PDF exploits - geticon(), newplayer() et al, libtiff doesn't utilise js for
exploitation).

Obfuscating the javascript is not particularly difficult, and you can use
publicly available js packers for the same (eg.
http://dean.edwards.name/packer/, <- heavily used). As they are public, bear
in mind, most AV's will flag it. Developing a custom javascript packer is
also not much difficult. Also, you could pack the js again and again using
same or different packers.

A nice place to find obfuscated js exploits is the exploit packs, which you
can get at any "underground" forum. Also keep checking the MDL (
http://malwaredomainlist.com/) for samples. Look into them.

Another approach to make the PDF exploits undetectable is to chain the
stream filters. Refer to
http://blog.didierstevens.com/2008/05/19/pdf-stream-objects/ for details.

I know, all the above will have to be done manually, outside metasploit. But
hey, metasploit is available to the AV guys too, and they can always
generate the samples and add signature/heuristics to the ways available in
the msf. So you will have to think differently.

Hope it helped.


Thanks,
Atul Agarwal
Secfence Technologies


On Mon, Jun 21, 2010 at 8:09 PM, Rob Fuller <mubix () room362 com> wrote:

AVs are flagging on the exploited function (or should be), which is
the basis for the exploit. Encoding the payload a million times will
not help you. You are welcome to try for yourself though.



--
Rob Fuller | Mubix
Room362.com | Hak5.org



On Mon, Jun 21, 2010 at 9:17 AM, Spring Systems <korund () hotmail com>
wrote:

PDF exploits for client side attacks not work at all, due 100% detection
by
AVs as exploits.
This PDF will be useless unless Metasploit change payloads encoding
scheme,
allowing to select verious encoding options
during the exploit creation.
________________________________
Hotmail is redefining busy with tools for the New Busy. Get more from
your
inbox. See how.
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]