Payload Handler issues in MSF 3.0-r3

[hdm at metasploit.com (H D Moore)]

The stable tree (2.x) behaves the same way. The alternative would require 
every exploit to explicitly start the payload handler, which IMO is more 
boilerplate and not very useful in the long run. Most exploits have a 
very small time window between the initial exploit launch and when the 
payload has been injected. I agree that with some exploits, such as 
netvault, this can seem a bit silly, since the payload handler starts 
running way before the exploit could have possibly finished. If the 
behavior bothers you, just switch to a handler that doesn't generate 
traffic (any of the *reverse* payloads for instance).

-HD

On Thursday 29 June 2006 11:17, Rhys Kidd wrote:
> While the port 4444 attempts are simply met with a RST flag until the
> bind socket is correctly initialised, I?m wondering why the attempts
> begin so early. This particular exploit does take some time to run
> through the exploitation process, and the ret overwrite doesn?t occur
> until we have made ~6 further attempts to connect to the vulnerable
> service after the payload is delivered. 
> Can anyone shed some light on why the payload handler is so eager?