Ironsquirrel - Encrypted exploit delivery for the masses

This project aims at delivering browser exploits to the victim browser in an encrypted fashion. Ellyptic-curve Diffie-Hellman (secp256k1) is used for key agreement and AES is used for encryption.
By delivering the exploit code (and shellcode) to the victim in an encrypted way, the attack can not be replayed. Meanwhile the HTML/JS source is encrypted thus reverse engineering the exploit is significantly harder.
If you have no idea what I am talking about, Google for "How to hide your browser 0-days", and check my presentation. Or check out it on Youtube: Or slides on Slideshare:


Mandatory dependencies - clone the IRONSQUIRREL project, cd into the project directory, and run the following commands:
sudo apt-get install ruby-dev
bundle install
Actually nokogiri and gibberish gems will be installed.
Optional dependency (for Powershell based environment aware encrypted payload delivery): Ebowla


  1. Clone the IRONSQUIRREL project
  2. Install the prerequisites
  3. (Optional) Edit IRONSQUIRREL.rb
    1. Change the listen port
    2. If Ebowla is used, configure the paths
  4. (Optional) If Ebowla is used, configure genetic.config.ecdh in the Ebowla install directory
ruby IRONSQUIRREL.rb --exploit full_path_to_exploit


ruby IRONSQUIRREL.rb --exploit /home/myawesomeusername/IRONSQUIRREL/exploits/alert.html
After that, visit the webserver from a browser. Example output:
Listening on 2345
GET / HTTP/1.1
GET /sjcl.js HTTP/1.1
GET /dh.js HTTP/1.1
GET /client_pub.html?cl=SOifQJetphU2CvFzZl239nKPYWRGEH23ermGMszo9oqOgqIsH5XxXi1vw4P4YFWDqK6v4o4jIpAVSNZD1x5NTw%3D%3D HTTP/1.1
GET /final.html HTTP/1.1
GET /sjcl.js HTTP/1.1
The end

Powered by Blogger.