Metasploit mailing list archives

Re: my handler has been p0wned ?


From: c0lists <lists () carnal0wnage com>
Date: Wed, 16 Mar 2011 11:05:41 -0400

Had you tried it (1), you would have seen that if you connect to your
IP/port the handler would attempt to send you the stage too. Add that
you are listening on a commonly scanned port, and this isn't too surprising.

1.http://www.room362.com/blog/2010/10/1/acceptable-questions-checklist.html

On Wed, Mar 16, 2011 at 10:54 AM, Nicolas Krassas <krasn () ans gr> wrote:
Did you upload your "testing" files to any of the AV scanning sites? e.g.
VirusTotal?

On Wed, Mar 16, 2011 at 4:35 PM, al1c3andb0b <al1c3andb0b () lavabit com>
wrote:

Yesterday evening, I was experimenting on how multiple encoding/packing
may alter the "executability" of the meterpreter reverse TCP payload. For
this, I had set up the appropriate metasploit handler on the attacker host.

In the night, I went to bed, tired of so many tries (it becomes more and
more difficult, using only encoding/packing, to get a working payload that
is not caught by AV software), and left the handler running.

When I came back to my desktop, I had a surprise:
msf exploit(handler) >
[*] Sending stage (749056 bytes) to 58.218.204.110
[*] Sending stage (749056 bytes) to 58.218.204.110
[*] Sending stage (749056 bytes) to 58.218.199.147
[*] Sending stage (749056 bytes) to 58.218.199.147
[*] Sending stage (749056 bytes) to 117.21.191.100
[*] Sending stage (749056 bytes) to 117.21.191.100
.
Rem: 749056 bytes is a little more than the raw reverse tcp/http
meterpreter payloads.

AFAIK, that may come from the base payload stager (stager.rb), or the HTTP
tunneling one (passivex.rb), as I've also experimented with the meterpreter
reverse HTTP payload.

But I don't know how to interpret these messages. Why is "my" handler
sending stages to some more or less Chinese (I've done a whois) hosts? Does
this mean a payload is executing on my computer, connected to a meterpreter
session (or other, depending on the actual payload) somewhere in China? Does
this mean someone uses my handler as a covert channel?

I didn't find anything useful either in /var/log/* or in .msf3/logs/*.
I didn't find any obvious intruder in the process list.

So I come here with a question, and an issue.

The question first: is someone aware of an exploit that can affect the
Metasploit handlers? If there is a widespread PoC of such an exploit (I
Googled a bit, and didn't find anything), could you give me a pointer? Or,
does someone have an explanation for the "sending stage" messages that does
not involve any attack?

The issue: the presence of vulnerabilities within the MSF framework
itself. This issue is strengthened by the facts that i) actually working
with Metasploit requires running with root privileges, and ii) the framework
may not be difficult to fingerprint (and even more obviously when one uses
the default handler ports).
As a consequence, for example, an SE-campaign type of penetration test,
running handlers during several days, could be dangerous for the tester
himself.
Joke: do you think that MSF will eventually enter the nmap fingerprint
database, and include an exploit to attack itself?

As a final note, the pace at which the Internet is scanned for vulnerable
hosts is terrible: my victim was on the DMZ and running the handlers (port
8080, my mistake, I should have used a less common one) for less than a day
before being p0wned.

I hope I'm wrong, I hope someone will demonstrate that.

Best regards.

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
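The reply above makes the point that a listening handler sends its stage to whatever connects, so "Sending stage" lines for unknown addresses are the expected result of leaving a handler on a commonly scanned port, not evidence of a compromised handler. The following script is an added example, not code from the thread or from the Metasploit project: it parses handler console lines of the form quoted in the original mail and reports which stage sends went to addresses outside the networks the tester expects callbacks from, so unexpected sends can be spotted (and the handler stopped) instead of being interpreted after the fact. The sample output, the `expected_networks` parameter and the function names are assumptions constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of handler console output, modelled on the lines
# quoted in the thread (10.0.0.25 stands in for a legitimate callback).
SAMPLE_HANDLER_OUTPUT = """\
msf exploit(handler) >
[*] Sending stage (749056 bytes) to 58.218.204.110
[*] Sending stage (749056 bytes) to 58.218.204.110
[*] Sending stage (749056 bytes) to 10.0.0.25
[*] Sending stage (749056 bytes) to 117.21.191.100
"""

# Matches the "[*] Sending stage (N bytes) to A.B.C.D" console line.
STAGE_LINE = re.compile(
    r"^\[\*\] Sending stage \((?P<size>\d+) bytes\) to (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_stage_sends(text):
    """Return a list of (ip, stage_size_bytes) tuples, one per stage send line.

    Lines that are not stage sends (prompts, other status output) are ignored.
    """
    sends = []
    for raw in text.splitlines():
        match = STAGE_LINE.match(raw.strip())
        if match:
            sends.append((match.group("ip"), int(match.group("size"))))
    return sends


def audit_stage_sends(text, expected_networks):
    """Count stage sends per source address and flag those outside the
    networks the tester expects callbacks from (e.g. the engagement's scope).

    expected_networks: iterable of CIDR strings such as ["10.0.0.0/8"].
    Returns a dict with total sends, per-IP counts and the unexpected subset.
    """
    allowed = [ip_network(n) for n in expected_networks]
    per_ip = Counter()
    unexpected = Counter()
    for ip, _size in parse_stage_sends(text):
        per_ip[ip] += 1
        if not any(ip_address(ip) in net for net in allowed):
            unexpected[ip] += 1
    return {
        "total": sum(per_ip.values()),
        "per_ip": dict(per_ip),
        "unexpected": dict(unexpected),
    }


if __name__ == "__main__":
    report = audit_stage_sends(SAMPLE_HANDLER_OUTPUT, ["10.0.0.0/8"])
    print(f"{report['total']} stage sends in total")
    for ip, count in sorted(report["unexpected"].items()):
        print(f"UNEXPECTED: stage sent {count}x to {ip} (outside expected networks)")
```

Every address that appears under `unexpected` received a copy of the stage simply by connecting; the practical response is to stop the handler, choose a less commonly scanned port and, where the tester's setup allows it, restrict who can reach the listener rather than look for an intruder on the attacker host.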




