Combining the Quicktime "Marshaled_pUnk" exploit with JSidle

• 2010-09-16
• javascript  
• antivirus  
• metasploit  

The Quicktime “Marshaled_pUnk” exploit works well with a Javascript packer to circumvent AV detection as it solely relies on Javascript code. Quite often a web based exploit needs a special setting (HTML objects, data files etc.) beside the Javascript code and therefore makes it easier to create an AV signature.

The current metasploit module for the exploit (see here) has a detection rate of 14 / 43 on VirusTotal.
After changing a few lines to use the JSidle packer (patches on github) the detection drops to zero, no further customization needed.

As the packer is available for over 2 months now, it seems to work quite well.