Re: my handler has been p0wned ?

[Nicolas Krassas <krasn () ans gr>]

Did you upload your "testing" files to any of the av scanning sites ? eg.
virustotal ?

On Wed, Mar 16, 2011 at 4:35 PM, al1c3andb0b <al1c3andb0b () lavabit com>wrote:

> Yesterday evening, I was experimenting on how multiple encoding/packing may
> alter the "executabilty" of the meterpreter reverse TCP payload. For this, I
> had set up the appropriate metasploit handler on the attacker host.
>
> In the night, I get to bed, tired of so many tries (it becomes more and
> more difficult, using only encoding/packing, to get a working payload that
> is not catch by AV software), and let the handler running.
>
> When I came back to my desktop, I had a surprise:
> msf exploit(handler) >
> [*] Sending stage (749056 bytes) to 58.218.204.110
> [*] Sending stage (749056 bytes) to 58.218.204.110
> [*] Sending stage (749056 bytes) to 58.218.199.147
> [*] Sending stage (749056 bytes) to 58.218.199.147
> [*] Sending stage (749056 bytes) to 117.21.191.100
> [*] Sending stage (749056 bytes) to 117.21.191.100
> .
> Rem: 749056 bytes is a little more than the raw reverse tcp/http
> meterpreter payloads.
>
> AFAIK, that may come from the base payload stager (stager.rb), or the HTTP
> tunneling one (passivex.rb), as I've also experimented with the meterpreter
> reverse HTTP payload.
>
> But I don't know how to interpret these messages. Why is "my" handler
> sending stages to some more or less Chinese (I've done a whois) hosts? Does
> this mean a payload is executing on my computer, connected to a meterpreter
> session (or other, depending on the actual payload) somewhere in China? Does
> this mean someone uses my handler as a covert channel?
>
> I didn't find anything useful either in /var/log/* nor in .msf3/logs/*.
> I didn't find any obvious intruder in the process list.
>
> So I come here with a question, and an issue.
>
> The question first: is someone aware of an exploit that can affect the
> Metasploit handlers? If there is a widespread POC of such an exploit (I
> Googled a bit, and didn't find anything), could you give me a pointer? Or,
> does someone has an explanation for the "sending stage" messages that does
> not involve any attack?
>
> The issue: the presence of vulnerabilities within the MSF framework itself.
> This issue is strengthened by i) actually working with Metasploit requires
> running with root privileges, and ii) the framework may not be difficult to
> fingerprint (and even more obviously when one uses the default handler
> ports).
> As a consequence, for example, a campaign SE type of penetration test,
> running handlers during several days, could be dangerous for the tester
> himself.
> Joke: do you think that MSF will eventually enters the nmap fingerprint
> database, and includes an exploit to attack itself?
>
> As a final note, the pace the Internet is scanned for vulnerable hosts is
> terrible: my victim was on the DMZ and running the handlers (port 8080, my
> mistake, I should have used a less common one) for less than a day before
> being p0wned.
>
> I hope I'm wrong, I hope someone will demonstrate that.
>
> Best regards.
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework