Metasploit mailing list archives

Metasploit vs ANI


From: saad at docisland.org (Saad Kadhi)
Date: Mon, 2 Apr 2007 13:58:30 +0200


On Apr 2, 2007, at 10:58 AM, Nicolas RUFF wrote:

I've just been testing ANI/HTTP payload against XPSP2 and Vista, and the
Web page seems somewhat "corrupted". As a result, IE displays ASCII
characters without even crashing.

I cannot even see the "anih" header. The page might be GZIP'ed even if
default options are set to turn off all evasion techniques. What do you
think?

It looks like I have similar results with XPSP2 and IE7 with a Windows
Update run as of today Apr 2, 12:00 PM CEST.

Filtered Wireshark transcript below (non-printable characters removed).

---------------------------------------------------------------------------------
GET /lol HTTP/1.1
[...]

Here is mine:
---
GET /patch.html/oeJxHVBAW2QFNlxVVEc1ldTJhFhZVErJ3lIwQtkFep9ggF90zQyD.tar?ZRpysSDj=3 HTTP/1.1
Accept: */*
Referer: http://10.1.1.13:8080/patch.html
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 10.1.1.13:8080
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/octet-stream
Content-Length: 54396
Connection: Keep-Alive

<html><head><title>IIwfmtdniAyKevCF0ZECVHl0BZ3691SbwkQihsZQHyaiuNF2ONquHLgxegjd</title></head><body>zjOLdfLZLOCvJlIMkYspWM6Lrw32tY99mQmBfuSxkzhwrNDOzENXhNlvqN9ipPI2GwEruvXoIyqEIMFj<div style='
[...]
---

Full transcript available on request.

Regards,
--
Saad Kadhi -- http://saad.docisland.org/
"True security is born from love alone" -- Antibalas
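
The question raised in this message (is the response gzip-compressed, and does the body contain an "anih" chunk at all?) can be checked offline against a saved raw HTTP response. The following is an added example, not part of the original post or of Metasploit; the function names are hypothetical and the sample responses are constructed.

```python
import gzip
import struct

def split_response(raw):
    """Split a raw HTTP response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body

def riff_chunks(body):
    """Yield (chunk id, declared size) for each top-level RIFF chunk."""
    pos = 12                                       # "RIFF" + size + form type
    while pos + 8 <= len(body):
        cid, size = struct.unpack_from("<4sI", body, pos)
        yield cid, size
        pos += 8 + size + (size & 1)               # chunk data is padded to even length

def classify(raw):
    """Report Content-Encoding, gzip magic and what the body really is."""
    headers, body = split_response(raw)
    report = {"content_encoding": headers.get("content-encoding", "none"),
              "gzip_magic": body[:2] == b"\x1f\x8b"}
    if report["gzip_magic"]:
        body = gzip.decompress(body)               # needs the complete body
    if body[:4] == b"RIFF" and body[8:12] == b"ACON":
        report["kind"] = "RIFF/ACON"
        report["anih_sizes"] = [s for c, s in riff_chunks(body) if c == b"anih"]
    elif body.lstrip()[:5].lower() == b"<html":
        report["kind"] = "HTML"
    else:
        report["kind"] = "unknown"
    return report

# Constructed samples (not taken from the capture in the post).
def make_ani():
    """Minimal well-formed RIFF/ACON body: one 36-byte, all-zero anih chunk."""
    payload = b"ACON" + b"anih" + struct.pack("<I", 36) + bytes(36)
    return b"RIFF" + struct.pack("<I", len(payload)) + payload

HEAD = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: application/octet-stream\r\n"
HTML_RESP = HEAD + b"\r\n<html><head><title>constructed</title></head><body>"
ANI_RESP = HEAD + b"\r\n" + make_ani()
GZIP_RESP = HEAD + b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(make_ani())

if __name__ == "__main__":
    for name in ("HTML_RESP", "ANI_RESP", "GZIP_RESP"):
        print(name, classify(globals()[name]))
```

A response shaped like the one quoted above (no Content-Encoding header, body starting with `<html>`) is reported as uncompressed HTML rather than as a RIFF/ACON file.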





