Metasploit mailing list archives

Re: Setting triple/quad PDF exploit system
From: Spring Systems <korund () hotmail com>
Date: Tue, 29 Jun 2010 14:07:51 +0000


How can I obfuscate the JavaScript in the resulting PDF file by adjusting the code in the adobe_media_newplayer.rb Ruby
module itself, so that when the module processes the exploit, the code in the resulting PDF is obfuscated in a
different way? I mean slightly changing a few settings in this code:

    # http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
    # Name obfuscation: for each ASCII letter, with probability 1/2, emit the
    # PDF "#xx" hex escape instead of the letter itself. A reader treats
    # "/J#61va#53cript" and "/JavaScript" as the same name.
    def nObfu(str)
        result = ""
        str.scan(/./u) do |c|
            if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
                result << "#%x" % c.unpack("C*")[0]   # letter -> "#" + hex of its byte
            else
                result << c                            # everything else is copied as-is
            end
        end
        result
    end


    # Stream obfuscation: hex-encode every byte for an /ASCIIHexDecode filter and
    # separate the pairs with a random run of 1 to 3 spaces (the filter ignores
    # whitespace). The trailing ">" is the ASCIIHex end-of-data marker.
    def ASCIIHexWhitespaceEncode(str)
        result = ""
        whitespace = ""
        str.each_byte do |b|
            result << whitespace << "%02x" % b
            whitespace = " " * (rand(3) + 1)
        end
        result << ">"
    end



Regards,
Spring







Date: Tue, 29 Jun 2010 16:56:33 +0530
Subject: Re: [framework] Setting triple/quad PDF exploit system
From: sachinshinde11 () gmail com
To: korund () hotmail com; framework () spool metasploit com

Hi,

Can you point me to the link?

Collab.GetIcon() is a JavaScript VM vulnerability (you know that) and
Libtiff is an int overflow in the libtiff library. But I don't think
Metasploit right now can combine them together; you have to do it
manually. It's simple, you can do it if you know the PDF file format
and have payloads :-). Also see Didier Stevens' blog for obfuscation
techniques.

Additionally, you can try my tool spiderpig
(http://code.google.com/p/spiderpig-pdffuzzer/) to create your own
triple exploit system based on JavaScript. There is a Python
script (spig.py) which reads an input file and writes it as JavaScript
code into the PDF file, but the limitation is that it will only target
the JavaScript VM.

Regards,
cons0ul

On Tue, Jun 29, 2010 at 2:47 PM, Spring Systems <korund () hotmail com> wrote:
Hi,

Yes, something like this. I saw somewhere a tool (a .NET application); as was
noted in its description, it creates a PDF which includes two modules exploiting
the Libtiff and Collab.GetIcon() exploits, dedicated to executing an embedded exe
file (in one PDF).

Regards,
Spring


Date: Tue, 29 Jun 2010 11:22:42 +0530
Subject: Re: [framework] Setting triple/quad PDF exploit system
From: sachinshinde11 () gmail com
To: framework () spool metasploit com
CC: korund () hotmail com

Hi,

Are you talking about exploits that use vulnerabilities in the PDF
JavaScript VM? If yes,

then theoretically it may be possible (never tried) to create a triple
exploit file system by spraying the donkey way and then trying memory
corruption exploits one by one. But the latest trend is embedding SWF
exploits in PDFs.

Regards,
cons0ul
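The two helpers quoted at the top of the thread only work because a PDF reader accepts "/J#61va#53cript" as "/JavaScript" and ignores whitespace inside an ASCIIHex stream, so a scanner that greps for the literal name sees nothing. The following is an added example, not code from the thread or from the Metasploit module: it normalises both forms the way tools such as pdfid and pdf-parser do before matching, and then reports the action-related names it finds. The list of suspicious names, the helper names and the PDF fragment at the bottom are all constructed for this example.

```ruby
# Added example (not from the thread or the Metasploit module): undo the
# "#xx" name escapes and the whitespace-padded ASCIIHex streams shown above
# so that a scanner can still find the PDF names they hide.

# Names that usually mark active content. The set is an assumption of this
# example; real scanners keep a longer list.
SUSPICIOUS_NAMES = %w[/JavaScript /JS /OpenAction /AA /Launch /EmbeddedFile].freeze

# A name token: "/" followed by regular characters. Delimiters and whitespace
# end the token; "#" is a regular character, so escapes stay inside it.
NAME_TOKEN = /\/[^\s\/\[\]<>(){}%]*/

# An ASCIIHex-filtered stream: the filter name, then the "stream" keyword and
# its EOL, the body, then "endstream". Only the single-filter case is handled.
HEX_STREAM = /\/ASCIIHexDecode.*?stream\r?\n(.*?)endstream/m

# Undo the escapes nObfu inserts: "/J#61va#53cript" -> "/JavaScript".
# Readers treat both spellings as the same name, so the scanner must too.
def decode_pdf_name(name)
  name.gsub(/#([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Decode an ASCIIHexDecode stream body. Whitespace between digits is ignored
# (which is what ASCIIHexWhitespaceEncode relies on), ">" ends the data, and
# an odd trailing digit is treated as if followed by "0".
def ascii_hex_decode(data)
  body = data.split(">", 2).first || ""
  digits = body.gsub(/\s+/, "")
  unless digits.match?(/\A[0-9A-Fa-f]*\z/)
    raise ArgumentError, "non-hex data in ASCIIHex stream"
  end
  digits += "0" if digits.length.odd?
  [digits].pack("H*")
end

# All name tokens in a piece of PDF text, with escapes decoded.
def pdf_names(text)
  text.scan(NAME_TOKEN).map { |n| decode_pdf_name(n) }
end

# Suspicious names present in a fragment, in order of first appearance,
# looking at the object text and recursively inside ASCIIHex streams.
def scan_pdf_fragment(fragment)
  found = pdf_names(fragment) & SUSPICIOUS_NAMES
  fragment.scan(HEX_STREAM).flatten.each do |body|
    begin
      inner = ascii_hex_decode(body)
    rescue ArgumentError
      next # malformed stream data: nothing more to recover from it
    end
    found |= scan_pdf_fragment(inner)
  end
  found
end

# Constructed sample: a dictionary carrying the escapes nObfu produces and a
# stream with the irregular spacing ASCIIHexWhitespaceEncode inserts
# (the stream decodes to the JavaScript app.alert('hi');).
SAMPLE_OBJECT = <<~PDF
  5 0 obj
  << /Type /A#63tion /S /J#61va#53cript /JS 6 0 R >>
  endobj
  6 0 obj
  << /Filter /ASCIIHexDecode >>
  stream
  61 7070  2e 61 6c   65 72 74 28  27 68 69 27 29 3b>
  endstream
  endobj
PDF

if __FILE__ == $PROGRAM_NAME
  puts "flagged names: #{scan_pdf_fragment(SAMPLE_OBJECT).inspect}"
end
```

Run against SAMPLE_OBJECT this reports /JavaScript and /JS even though neither string appears literally in the file. The example handles only a lone /ASCIIHexDecode filter; real files chain it with /FlateDecode and others, so a production scanner has to apply the whole filter array before looking at the stream contents.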
