metasploit-framework July 2010 archive
Main Archive Page > Month Archives  > metasploit-framework archives
metasploit-framework: Re: [framework] New Javascript Packer: JSi

Re: [framework] New Javascript Packer: JSidle

From: Miguel Rios <miguelrios35_at_nospam>
Date: Tue Jul 13 2010 - 10:02:43 GMT
To: Sven Taute <>

No problem. Glad to help out.
Although after much messing around the framework I got myself into a bit of trouble:

msf exploit(adobe_geticon) > exploit

[-] Exploit failed: uninitialized constant Rex::Exploitation::JSidle
[*] Exploit completed, but no session was created.

Why am I getting the uninitialized constant error? I must have broken something. Anyone else getting this error?

--- On Mon, 7/12/10, Sven Taute <> wrote:

From: Sven Taute <>
Subject: Re: [framework] New Javascript Packer: JSidle
To: "Miguel Rios" <>
Cc:, "Jonathan R" <>
Date: Monday, July 12, 2010, 5:30 PM

Thanks for testing. I think it is very difficult to permanently
circumvent the detection of malicious javascript in PDF files. In
contrast to web-based exploits, AV can flag the usage of JS obfuscation
as malicious, though it does not see the real exploit (therefore the
"generic" detection).

In the first development phase I only targeted web-based exploits - the
usage for PDFs was more of a side product.

- Sven

On Sun, 11 Jul 2010 10:59:53 -0700 (PDT)
Miguel Rios <> wrote:

> Well, just thought I'd share my results with NOD after applying the
> jsidle patch for new icon adobe exploit. Bottom line, NOD still flags
> it as PDF/Exploit.Gen. Tried encrypting it also and it did cut down
> on detections but NOD still flags it as PDF/Exploit.Gen. Seems NOD is
> doing a pretty good job in flagging malicious PDFs.
> --- On Sat, 7/10/10, Jonathan R <> wrote:
> From: Jonathan R <>
> Subject: Re: [framework] New Javascript Packer: JSidle
> To: "Miguel Rios" <>,
> Date: Saturday, July 10, 2010, 11:15 PM
> NOD prides themselves on having one of the best heuristics engines, so
> I believe NOD would mark the PDF as suspicious and not a specific
> threat. You can do what many malware writers do and split the PDF into
> multiple parts and you can narrow the range of where/what in the PDF
> is getting flagged. Then change things accordingly.
> This idea of delaying code to bypass detection has been brought up
> before by well known virus writers like Z0mbie and Second Part To
> Hell/[rRlf].
><--- Z0mbie's Paper
><--- SPTH/rHlf
> This is all based upon the fact that a anti virus like Norton or NOD
> can only spend about 3 or 4 seconds on each file. Otherwise a AV scan
> would take to long.