Metasploit mailing list archives

my handler has been p0wned?


From: al1c3andb0b <al1c3andb0b () lavabit com>
Date: Wed, 16 Mar 2011 15:35:44 +0100

Yesterday evening, I was experimenting with how multiple encoding/packing may alter the "executability" of the meterpreter reverse TCP payload. For this, I had set up the appropriate metasploit handler on the attacker host.

During the night I went to bed, tired of so many tries (it is becoming more and more difficult, using only encoding/packing, to get a working payload that is not caught by AV software), and left the handler running.

When I came back to my desktop, I had a surprise:
msf exploit(handler) >
[*] Sending stage (749056 bytes) to 58.218.204.110
[*] Sending stage (749056 bytes) to 58.218.204.110
[*] Sending stage (749056 bytes) to 58.218.199.147
[*] Sending stage (749056 bytes) to 58.218.199.147
[*] Sending stage (749056 bytes) to 117.21.191.100
[*] Sending stage (749056 bytes) to 117.21.191.100
.
Rem: 749056 bytes is a little more than the raw reverse tcp/http meterpreter payloads.

AFAIK, that may come from the base payload stager (stager.rb), or the HTTP tunneling one (passivex.rb), as I've also experimented with the meterpreter reverse HTTP payload.

But I don't know how to interpret these messages. Why is "my" handler sending stages to some more or less Chinese (I've done a whois) hosts? Does this mean a payload is executing on my computer, connected to a meterpreter session (or something else, depending on the actual payload) somewhere in China? Does this mean someone is using my handler as a covert channel?

I didn't find anything useful in either /var/log/* or .msf3/logs/*.
I didn't find any obvious intruder in the process list.

So I come here with a question, and an issue.

The question first: is anyone aware of an exploit that can affect the Metasploit handlers? If there is a widespread PoC of such an exploit (I Googled a bit, and didn't find anything), could you give me a pointer? Or does someone have an explanation for the "sending stage" messages that does not involve any attack?

The issue: the presence of vulnerabilities within the MSF framework itself. This issue is made worse by i) actually working with Metasploit requiring root privileges, and ii) the framework not being difficult to fingerprint (even more obviously when one uses the default handler ports). As a consequence, for example, an SE-campaign type of penetration test, running handlers for several days, could be dangerous for the tester himself. Joke: do you think that MSF will eventually enter the nmap fingerprint database, and include an exploit to attack itself?

As a final note, the pace at which the Internet is scanned for vulnerable hosts is terrible: my victim was in the DMZ and had been running the handlers (port 8080, my mistake, I should have used a less common one) for less than a day before being p0wned.

I hope I'm wrong, I hope someone will demonstrate that.

Best regards.

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
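A staged reverse_tcp/reverse_http handler hands the second stage to any client that completes a connection to the listening port; there is no authentication in the stager protocol, so an Internet scanner that merely connects to 8080 produces exactly a "Sending stage" line, and nothing more. The useful triage question is therefore which peers received a stage without ever opening a session, and whether they are inside the engagement's scope. The following script is an added example written for this thread, not code from the post or from the Metasploit project. The log lines are constructed: the three scanner addresses are the ones quoted above, 10.0.0.23 is a hypothetical in-scope target, 192.0.2.10 a hypothetical handler address, and the "Meterpreter session N opened" line follows the msfconsole format of that era but is assumed here. The iptables rules assume a Linux handler host and an engagement scope of 10.0.0.0/8.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample handler output (not a real capture). The three public
# addresses are the ones reported in the post; 10.0.0.23 stands in for the
# engagement's real target and is the only peer that opens a session.
SAMPLE_LOG = """\
[*] Started reverse handler on 0.0.0.0:8080
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 58.218.204.110
[*] Sending stage (749056 bytes) to 58.218.204.110
[*] Sending stage (749056 bytes) to 10.0.0.23
[*] Meterpreter session 1 opened (192.0.2.10:8080 -> 10.0.0.23:49152) at 2011-03-15 23:41:07 +0100
[*] Sending stage (749056 bytes) to 58.218.199.147
[*] Sending stage (749056 bytes) to 117.21.191.100
"""

STAGE_RE = re.compile(r"^\[\*\] Sending stage \((\d+) bytes\) to (\S+)$")
# Session line format is an assumption based on msfconsole output of the time.
SESSION_RE = re.compile(
    r"^\[\*\] Meterpreter session (\d+) opened \(\S+ -> (\d{1,3}(?:\.\d{1,3}){3}):\d+\)"
)


def parse_handler_log(text):
    """Return (stage deliveries per peer, set of peers that opened a session)."""
    stages = Counter()
    sessions = set()
    for line in text.splitlines():
        m = STAGE_RE.match(line)
        if m:
            stages[m.group(2)] += 1
            continue
        m = SESSION_RE.match(line)
        if m:
            sessions.add(m.group(2))
    return stages, sessions


def triage(text, scope):
    """Classify every peer that received a stage.

    scope: list of CIDR strings describing the addresses a payload is
    legitimately expected to call back from.
    A peer with stages > 0 and session False never spoke the meterpreter
    protocol: it connected, was handed the stage, and went away, which is
    what a port scanner looks like from the handler's side.
    """
    nets = [ipaddress.ip_network(c) for c in scope]
    stages, sessions = parse_handler_log(text)
    report = {}
    for ip, n in stages.items():
        addr = ipaddress.ip_address(ip)
        report[ip] = {
            "stages": n,
            "in_scope": any(addr in net for net in nets),
            "session": ip in sessions,
        }
    return report


def unexpected_peers(report):
    """Sorted list of out-of-scope peers that were handed a stage."""
    return sorted(ip for ip, v in report.items() if not v["in_scope"])


def firewall_rules(port, scope):
    """iptables rules restricting the handler port to in-scope sources.

    Hypothetical hardening for a Linux handler host: the stager protocol cannot
    refuse a connection itself, so the filtering has to happen in front of it.
    """
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {c} -j ACCEPT" for c in scope]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, ["10.0.0.0/8"])
    for ip, v in sorted(report.items()):
        print(f"{ip:16} stages={v['stages']} in_scope={v['in_scope']} session={v['session']}")
    print("out of scope:", ", ".join(unexpected_peers(report)))
    print("\n".join(firewall_rules(8080, ["10.0.0.0/8"])))
```

Run against the constructed log, the three public peers each show stage deliveries but no session, while the in-scope host shows one delivery followed by a session; that pattern distinguishes scanners hitting an exposed handler from a payload that actually executed. The generated rules only help if the callback sources are known in advance, which is usually the case for a reverse payload delivered to a fixed target, and they do nothing about the handler being fingerprinted from the inside once a real session exists.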