Metasploit mailing list archives

Metasploit vs ANI


From: rhyskidd at gmail.com (Rhys Kidd)
Date: Mon, 2 Apr 2007 22:03:49 +0800

> The page might be GZIP'ed even if
> default options are set to turn off all evasion techniques. What do you
> think ?

Wireshark automatically decompresses any standard Content-Encoding or
Transport-Encoding on HTTP traffic, so you are viewing the page as the
browser rendering engine would later see it.

> I've just been testing ANI/HTTP payload against XPSP2 and Vista, and the
> Web page seems somewhat "corrupted". As a result, IE displays ASCII
> characters without even crashing.

> I cannot even see the "anih" header.

You won't be able to see the anih header in the HTML, as the .ani file is
loaded as binary data, through the use of the CSS "cursor" attribute.

When all the <div> style CSS comment junk is removed, you should see the
relevant CSS as being:

CursOR: URL("/lol/aOqmmblrCLUVJrY0R1he7O3UdKPxCcb20QvZMSROQ9J5czCyXrQMFHNHP9crTdcLPaUBODji.wav?qZY=1".);


In your packet capture you should see another request for the file at the
URL listed above (randomised per run). As explained by A. Sotirov, the
relevant exception handler permits multiple attempts at the exploit as
access violation exceptions are handled gracefully.

HTH,
Rhys
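The two checks Rhys describes (dig the cursor URL out of the comment-padded CSS, then look at the fetched binary rather than the HTML for the anih header) as a small Node.js script. This is an added example, not code from the mail, from Metasploit, or from the module under discussion; the HTML page, the URL path and the .ani bytes it works on are constructed here for the demonstration, and the second RIFF chunk is deliberately given a length field larger than the bytes present so the walker's bounds check is exercised.

```javascript
// Added example (not from the original mail or the Metasploit module it discusses).
// Two helpers an analyst can run over a captured HTTP exchange:
//   extractCursorUrls(html) - finds cursor: url(...) references in an obfuscated page
//   listRiffChunks(bytes)   - walks a RIFF/ACON (.ani) file and lists its chunks,
//                             so the anih header shows up where the HTML cannot show it.
// All sample input below is constructed for the demonstration.

// Strip CSS /* ... */ comment junk so declarations broken up by comments still match.
function stripCssComments(text) {
  return text.replace(/\/\*[\s\S]*?\*\//g, "");
}

// Return every URL referenced from a cursor declaration, case-insensitively.
// Tolerates quoted or unquoted url() arguments and stray characters between the
// closing quote and ')', as in the obfuscated page's URL("...".) form.
function extractCursorUrls(html) {
  const css = stripCssComments(html);
  const re = /cursor\s*:\s*url\(\s*(["']?)([^"')]+)\1[^)]*\)/gi;
  const urls = [];
  let m;
  while ((m = re.exec(css)) !== null) urls.push(m[2].trim());
  return urls;
}

function u32le(n) { const b = Buffer.alloc(4); b.writeUInt32LE(n, 0); return b; }

// Build one RIFF chunk: fourcc, little-endian size, payload, pad byte if odd.
function riffChunk(id, payload) {
  const parts = [Buffer.from(id, "latin1"), u32le(payload.length), payload];
  if (payload.length % 2) parts.push(Buffer.alloc(1));
  return Buffer.concat(parts);
}

// Walk a RIFF file. Returns null unless it carries the ACON form type used by .ani;
// otherwise a list of {id, size, offset, truncated} for each top-level chunk. The
// declared size is bounds-checked against the buffer rather than trusted, so a
// chunk claiming more bytes than the file holds is reported instead of walked past.
function listRiffChunks(buf) {
  if (buf.length < 12 || buf.toString("latin1", 0, 4) !== "RIFF" ||
      buf.toString("latin1", 8, 12) !== "ACON") return null;
  const chunks = [];
  let off = 12;
  while (off + 8 <= buf.length) {
    const id = buf.toString("latin1", off, off + 4);
    const size = buf.readUInt32LE(off + 4);
    const truncated = off + 8 + size > buf.length;
    chunks.push({ id, size, offset: off, truncated });
    if (truncated) break;
    off += 8 + size + (size % 2);   // chunks are word-aligned
  }
  return chunks;
}

// Constructed page: the declaration sits among comment junk, with a second,
// unquoted reference in a style attribute to show both forms are picked up.
const sampleHtml = `<html><head><style>
/* x9Q */ .a { color: red; }
div { CursOR /* kj */ : URL("/lol/Qz8fExampleFile.wav?qZY=1".); }
</style></head><body><div>lorem</div>
<span style="cursor:url(/c/unquoted.ani)">ipsum</span></body></html>`;

// Constructed .ani: a well-formed 36-byte anih chunk, then a second anih whose
// declared length (0x100) exceeds the 8 bytes actually present after its header.
const anih = Buffer.alloc(36); anih.writeUInt32LE(36, 0); anih.writeUInt32LE(1, 4);
const body = Buffer.concat([riffChunk("anih", anih),
  Buffer.from("anih", "latin1"), u32le(0x100), Buffer.alloc(8)]);
const sampleAni = Buffer.concat([Buffer.from("RIFF", "latin1"),
  u32le(body.length + 4), Buffer.from("ACON", "latin1"), body]);

function demo() {
  return { urls: extractCursorUrls(sampleHtml), chunks: listRiffChunks(sampleAni) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In practice you would feed extractCursorUrls() the decompressed first response from the capture and listRiffChunks() the body of the follow-up request it points at; a chunk reported as truncated is the first thing to look at in a file that crashed or failed to crash the client.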