mailing list archives
Re: exploits for client side attacks not work
From: Spring Systems <korund () hotmail com>
Date: Mon, 21 Jun 2010 20:14:17 +0000
more complex to do all this manually, separately, then assemble the parts
manually into the final exploit file.
Metasploit is handy as it allows you to
create exploits automatically. It would be handy if Metasploit had
encoding manually) depending on the situation or task. What do you think?
From: atul () secfence com
Date: Tue, 22 Jun 2010 00:09:16 +0530
Subject: Re: [framework] exploits for client side attacks not work
To: korund () hotmail com
CC: framework () spool metasploit com
Yes, only encoding the payload is not going to help you.
exploit (which is valid for most PDF exploits - geticon(), newplayer() et al.; libtiff doesn't utilise js for
(e.g. http://dean.edwards.name/packer/ <- heavily used). As they are public, bear in mind that most AVs will flag it.
same or different packers.
A nice place to find obfuscated js exploits is the exploit packs, which you can get at any "underground" forum. Also
keep checking the MDL (http://malwaredomainlist.com/) for samples. Look into them.
Another approach to make the PDF exploits undetectable is to chain the stream filters. Refer to
http://blog.didierstevens.com/2008/05/19/pdf-stream-objects/ for details.
I know all the above will have to be done manually, outside Metasploit. But hey, Metasploit is available to the AV
guys too, and they can always generate the samples and add signatures/heuristics for the ways available in msf. So
you will have to think differently.
Hope it helped.
On Mon, Jun 21, 2010 at 8:09 PM, Rob Fuller <mubix () room362 com> wrote:
AVs are flagging on the exploited function (or should be), which is
the basis for the exploit. Encoding the payload a million times will
not help you. You are welcome to try for yourself though.
Rob Fuller | Mubix
Room362.com | Hak5.org
On Mon, Jun 21, 2010 at 9:17 AM, Spring Systems <korund () hotmail com> wrote:
PDF exploits for client-side attacks do not work at all, due to 100% detection by
AVs as exploits.
This PDF will be useless unless Metasploit changes its payload encoding scheme,
allowing you to select various encoding options
during exploit creation.
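Added example for this thread (not code from any of the posters, and not Metasploit's own PDF code): the stream-filter chaining Atul points at via the Didier Stevens link, built in pure Python, together with the check a scanner has to do about it. The PDF layout and the JavaScript body are constructed here; the JS is a harmless app.alert() standing in for whatever the real stream would carry. Running it shows two things the thread argues about: a grep over the raw file no longer sees the stream body once it sits behind /ASCIIHexDecode + /FlateDecode, but the /JavaScript and /OpenAction markers stay in the clear, which is Rob's point that the trigger, not the payload, is what gets flagged; and a scanner that unwinds the /Filter array (first-listed filter applied first on decode) recovers the body regardless of how the chain is stacked.

```python
"""Chain PDF stream filters around a JavaScript stream, then scan the file
with and without decoding the chain.  Constructed example for illustration;
the PDF objects, the sample JS and the signature list are all made up here."""

import base64
import binascii
import re
import zlib

# Constructed, harmless JavaScript standing in for the real stream body.
SAMPLE_JS = b"app.alert('hello from chained filters');"

# What a naive scanner greps for in the raw bytes (constructed list).
SIGNATURES = [b"/JavaScript", b"app.alert"]


def _hex_decode(data: bytes) -> bytes:
    """/ASCIIHexDecode: whitespace is ignored, '>' ends the data, an odd
    trailing digit is padded with 0 (PDF spec behaviour)."""
    digits = re.sub(rb"\s", b"", data.split(b">")[0])
    if len(digits) % 2:
        digits += b"0"
    return binascii.unhexlify(digits)


# Encoders produce what the like-named *decode* filter will reverse.
ENCODERS = {
    "FlateDecode": zlib.compress,
    "ASCIIHexDecode": lambda d: binascii.hexlify(d).upper() + b">",
    "ASCII85Decode": lambda d: base64.a85encode(d) + b"~>",
}
DECODERS = {
    "FlateDecode": zlib.decompress,
    "ASCIIHexDecode": _hex_decode,
    "ASCII85Decode": lambda d: base64.a85decode(d.split(b"~>")[0]),
}


def build_pdf(js: bytes, filters: list) -> bytes:
    """Minimal PDF whose /OpenAction runs `js`; the stream is stored under
    the given /Filter chain, listed in decode order as the spec requires."""
    body = js
    for name in reversed(filters):  # encode in the opposite order
        body = ENCODERS[name](body)
    filt = b"[" + b" ".join(b"/" + f.encode() for f in filters) + b"]"
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter %s >>\nstream\n%s\nendstream" % (len(body), filt, body),
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, obj in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_at)
    return bytes(out)


STREAM_RE = re.compile(rb"<<([^>]*)>>\s*stream\r?\n")


def decode_streams(pdf: bytes) -> list:
    """Unwind every stream's /Filter chain (direct /Length only, which is
    all this builder emits) and return the plaintext bodies."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        dictionary = m.group(1)
        length = int(re.search(rb"/Length\s+(\d+)", dictionary).group(1))
        data = pdf[m.end():m.end() + length]
        for name in re.findall(rb"/(\w+Decode)\b", dictionary):
            data = DECODERS[name.decode()](data)
        bodies.append(data)
    return bodies


def scan(pdf: bytes, decode: bool) -> list:
    """Signatures present; with decode=True the filter chains are unwound first."""
    haystacks = [pdf] + (decode_streams(pdf) if decode else [])
    return [s for s in SIGNATURES if any(s in h for h in haystacks)]


if __name__ == "__main__":
    sample = build_pdf(SAMPLE_JS, ["ASCIIHexDecode", "FlateDecode"])
    print("raw grep:    ", scan(sample, decode=False))
    print("after decode:", scan(sample, decode=True))
```

Swap the chain for ["ASCIIHexDecode", "ASCII85Decode", "FlateDecode"] and the raw grep result does not change, while decode_streams() still returns the original JS, because the decoder follows the /Filter array instead of guessing. That is also why a scanner keyed on the raw stream bytes, which is what the "encode the payload more" suggestion amounts to, is the wrong place to put a signature.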