Thursday, July 26, 2007

New Twists for HTML Obfuscation in EEscan

Update 8/7/2007 - Please see www.eescan.net for additional details.

I've just finished coding up some new HTML obfuscation modules for eescan. The exploitability tests in eescan will use these obfuscators to probe for

Here are some of the obfuscators that work right now:
  • gzip
  • deflate
  • chunked
  • MPack XOR javascript encoder
  • MPack cryptor 4-pass javascript encoder
  • AJAX
  • SSL
  • HTTP over port 443
  • SSL over port 80
  • arbitrary combinations like AJAX->MPack->gzip->chunked->SSL->port 80

My favorite so far is AJAX, which breaks up the target HTML into a random number of arbitrary chunks, downloads each using a synchronous request, reassembles them and then eval()'s the code.

Initial testing of the AJAX modules is yielding great results against network-based IDS/IPS, so-so results against proxies and good results against desktop AV/IPS suites.
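For the transport-level entries in the list above (gzip, deflate, chunked), an inspection device only sees the original HTML if it undoes each layer before matching. The sketch below is an added example, not code from EEscan; the signature string, function names and sample page are constructed for illustration, and it does not cover the AJAX or JavaScript-encoder layers, which need script-aware analysis.

```python
import gzip
import re
import zlib
SIGNATURE = re.compile(rb"EXAMPLE-TEST-MARKER")  # constructed stand-in for an IDS signature

def dechunk(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body (extensions and trailers ignored)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        if size == 0:
            return bytes(out)
        data = body[eol + 2:eol + 2 + size]
        if len(data) != size:
            raise ValueError("truncated chunk")
        out += data
        pos = eol + 2 + size + 2  # skip the data and its trailing CRLF

def inflate(data: bytes) -> bytes:
    """Decode 'deflate': try the zlib wrapper first, then a raw DEFLATE stream."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return zlib.decompress(data, -zlib.MAX_WBITS)

def normalize(headers: dict, body: bytes) -> bytes:
    """Undo Transfer-Encoding, then the Content-Encoding layers in reverse order."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    if "chunked" in h.get("transfer-encoding", ""):
        body = dechunk(body)
    for coding in reversed(h.get("content-encoding", "").replace(" ", "").split(",")):
        if coding in ("gzip", "x-gzip"):
            body = gzip.decompress(body)
        elif coding == "deflate":
            body = inflate(body)
        elif coding:
            raise ValueError(f"unsupported coding: {coding}")  # fail closed
    return body

def matches(headers: dict, body: bytes) -> bool:
    return SIGNATURE.search(normalize(headers, body)) is not None

def chunk(data: bytes, n: int) -> bytes:  # builds the constructed sample only
    parts = [b"%x\r\n%s\r\n" % (len(data[i:i + n]), data[i:i + n]) for i in range(0, len(data), n)]
    return b"".join(parts) + b"0\r\n\r\n"
PAGE = b"<html><body>EXAMPLE-TEST-MARKER</body></html>"  # constructed page
HEADERS = {"Transfer-Encoding": "chunked", "Content-Encoding": "gzip"}
WIRE = chunk(gzip.compress(PAGE), 7)  # gzip first, then 7-byte chunks
```

Searching `WIRE` directly for the signature finds nothing, while `matches(HEADERS, WIRE)` finds it once the layers are removed.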


1 Comments:

At 8/07/2007 10:23:00 PM, Anonymous said...

I was at your talk, and am reviewing the CD now. I was sorry there wasn't a copy of your presentation on the CD that I could find, and I'm not clear on the status of eescan as far as it being releasable/released/in the wind?
