[Dailydave] Better, more FLAME-like, penetration testing
Moses
moses at moses.io
Fri Sep 27 14:10:47 EDT 2013
This is an interesting concept. I may have 'seen' this in use in other
systems, like an SOA-based system, but it is truly interesting. One end of the
system is injected and merely builds a message-passing channel, while the
other end does the heavy lifting. Very freaking scary. Very freaking
awesome. Very freaking scary still.
This is pretty genius. I would imagine it doesn't rely on any scripting
technology like JavaScript; instead it would rely on the text within
PDFs. I am not sure how, operationally, you would get someone to open a
large number of PDFs, but it's still a salient idea.
This is very similar to how some of the agents that used comment code in
HTTP would work. Will this be a part of Canvas going forward and be
parallel to MosDef?
Dave Aitel wrote:
> One of the core features is that there are channels into and out of
> the core message pumps, and these are themselves hot-swappable. So for
> PDF exploits, one of the channels you'll use is a PDF sniffer that
> sits in the PDF reader and looks at all new PDFs for signed messages
> from the C&C. It can then use these to update itself with, say, a
> bi-directional ICMP channel, or a Twitter/IMGUR channel (slightly
> higher bandwidth). Or a local exploit, of course.