Metasploit mailing list archives

Re: Meterpreter Reverse HTTP(s) Payloads after last update


From: Sherif El-Deeb <archeldeeb () gmail com>
Date: Fri, 30 Sep 2011 17:06:41 +0300

Last time I asked for help, I attached console output, my configurations,
and everything I felt would help define the issue; I suggest you do the
same.

About the AV detection issue, just google "evading av with metasploit", and
you will eventually come to the conclusion that if you want your stuff to
become undetected, you will HAVE TO CODE SOMETHING ON YOUR OWN, period.

Connection issues: please provide more info.

Regards,
On Sep 30, 2011 4:48 PM, "Enis Sahin" <enis.c.sahin () gmail com> wrote:
Oh, and some additional information.

I've tried using the previous version of the payload since it still doesn't
get detected by AV. But setting the lhost in multi/handler to the actual
IP, the dyndns URL of the modem, and 0.0.0.0 results in the same connection
problem.



On 30 September 2011 16:06, Enis Sahin <enis.c.sahin () gmail com> wrote:

Hi everybody,

I've had the chance to test the windows/meterpreter/reverse_http payload
for an APT demonstration project in a corporate environment recently.

Before the update on September 23, both the http and https versions had
connection problems upon session connection: the session would go idle and
wouldn't accept any commands. The Wireshark capture showed that the initial
response packet contained the error "This program cannot be run in DOS mode".
But it was undetected by the AV solution used.

After the update, the AV immediately detects the malicious file as soon as
it is extracted from the zip file. I know that the AV detects the reverse
http payload because using the same fileformat exploit with a reverse tcp
connection payload doesn't get detected. The same goes for the previous
version of the payload: I still have the version with connection problems
(in a file created with the same file format exploit) and it stays undetected
on the desktop.

As a side note, I've used the same encoding for all payloads I've tried, to
be able to identify the reason for detection.

Any ideas about why the payload gets detected after the update?

Thanks.
Enis

--
http://www.enissahin.com | http://twitter.com/enis_sahin

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework