Metasploit mailing list archives

favicon.ico handler & meterpreter reverse_tcp encoder problems


From: grutz at jingojango.net (Kurt Grutzmacher)
Date: Thu, 10 May 2007 09:40:27 -0500

On Thu, May 10, 2007 at 06:34:39AM -0400, jlbrown1980 at comcast.net wrote:
> Hmm, I was running it on a Windows XP computer with IE 7, though. The
> target computer I was using doesn't have Firefox installed. The reason
> I believe the encoder is messing something up is this: if the
> connection is already established (browser has connected to the link),
> why would it keep trying to encode the payload when it's already been
> encoded, unless it isn't encoding properly?

Ah, I hadn't even realized that IE7 started doing favicon. It's still
not a problem because the http server code is recognizing that the URI
being passed (/favicon.ico) isn't mapped to any exploit, so it's just
dropping the request.

Part of the exploit routine regenerates shellcode on every connection to
reduce the likelihood that two machines will receive the same set of
strings, throwing off (H,N)IDS.

In on_request_uri the line:

  # Re-generate the payload, using the explicit target
  return if ((p = regenerate_payload(cli, nil, nil, target)) == nil)

does this. It's just before the send_response function. If you use curl
to send multiple requests, the payload should be changing on each one.


-- 
                 ..:[ grutz at jingojango dot net ]:..
     GPG fingerprint: 5FD6 A27D 63DB 3319 140F  B3FB EC95 2A03 8CB3 ECB4
        "There's just no amusing way to say, 'I have a CISSP'."
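The two behaviours described in the reply above, an unmapped URI being dropped and the payload being regenerated on every request to a mapped one, as an added toy model. This is example code written for this page, not Metasploit's own handler or one of its encoders: the encoder is a single-byte XOR with a random key (chosen only to make the per-request difference visible), the "shellcode" is a constructed byte string, and the URI table, `on_request_uri`, `regenerate_payload` and `distinct_encodings` are this example's own stand-ins for the framework's routines.

```ruby
# Example code, not part of the Metasploit framework. Models a browser
# exploit handler that drops unmapped URIs (such as /favicon.ico) and
# hands out a freshly encoded payload on every request to a mapped one.

require 'set'

# Constructed stand-in for shellcode: not real shellcode, just bytes with
# a NUL inside so the bad-character check below has something to reject.
RAW_PAYLOAD = "\x90\x90\x00\x31\xc0\x50\x68\x2f\x2f\x73\x68".b

# Bytes the (pretend) target would truncate on; 0x00 is the usual one.
BADCHARS = "\x00".b

# Toy encoder: one random key byte followed by raw XOR key. A key is
# rejected if the key byte or any body byte lands on a bad character, so
# the caller never gets a blob the target would cut short. Returns nil
# when no usable key is found, mirroring a regenerate_payload failure.
def regenerate_payload(raw = RAW_PAYLOAD, badchars = BADCHARS, attempts = 256)
  bad = badchars.bytes
  attempts.times do
    key = rand(1..255)                       # 0 would be a no-op key
    body = raw.bytes.map { |b| b ^ key }.pack('C*')
    blob = [key].pack('C') + body
    return blob if blob.bytes.none? { |b| bad.include?(b) }
  end
  nil
end

# What a decoder stub on the target would do with the blob.
def decode_payload(blob)
  key = blob.getbyte(0)
  blob.byteslice(1, blob.bytesize - 1).bytes.map { |b| b ^ key }.pack('C*')
end

# URIs that have an exploit mapped to them (constructed for this example).
MAPPED_URIS = ['/'].freeze

# Server-side dispatch: requests for unmapped URIs are dropped (nil);
# requests for a mapped URI get a payload regenerated on every call.
def on_request_uri(uri)
  return nil unless MAPPED_URIS.include?(uri)
  regenerate_payload
end

# How many distinct blobs are handed out across n requests to one URI.
def distinct_encodings(uri, n)
  Set.new(Array.new(n) { on_request_uri(uri) }).size
end

if __FILE__ == $PROGRAM_NAME
  puts "favicon request -> #{on_request_uri('/favicon.ico').inspect}"
  3.times { |i| puts "request #{i}: #{on_request_uri('/').unpack1('H*')}" }
  puts "distinct blobs over 20 requests: #{distinct_encodings('/', 20)}"
end
```

Running it prints a different hex blob for each request to `/` and `nil` for `/favicon.ico`, which is the same thing the reply suggests checking with repeated curl requests against a real module: the bytes change per request, but every blob decodes to the same raw payload.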