Metasploit mailing list archives
Meterpreter Reverse HTTP(s) Payloads after last update
From: Enis Sahin <enis.c.sahin () gmail com>
Date: Fri, 30 Sep 2011 16:06:52 +0300
Hi everybody,

I've had the chance to test the windows/meterpreter/reverse_http payload for an APT demonstration project in a corporate environment recently. Before the update on September 23 both the http and https versions had connection problems upon session connection: it would go idle and the session wouldn't accept any commands. The Wireshark capture shows that the initial response packet had the error "This program cannot be run in DOS mode". But it was undetected by the AV solution used.

After the update, the AV immediately detects the malicious file as soon as it is extracted from the zip file. I know that the AV detects the reverse http payload because using the same fileformat exploit with a reverse tcp connection payload doesn't get detected. The same goes for the previous version of the payload: I still have the version with connection problems (in a file created with the same file format exploit) and it stays undetected on the desktop. As a side note, I've used the same encoding for all payloads I've tried to be able to identify the reason for detection.

Any ideas about why the payload gets detected after the update?

Thanks.

Enis
--
http://www.enissahin.com | http://twitter.com/enis_sahin
https://mail.metasploit.com/mailman/listinfo/framework
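The string Enis saw in the capture, "This program cannot be run in DOS mode", is the standard DOS-stub text that Microsoft linkers put at the start of every PE image, so one quick offline check on such a capture is whether the body of the first HTTP response is a PE image at all, and if so what kind. The script below is an added example for this thread, not code from the original post or from Metasploit: it splits a raw HTTP response, validates the MZ/PE headers and reports e_lfanew, the machine type and the DLL flag. The response and PE image it parses are constructed inline for the demo (a 152-byte skeleton, not a real Meterpreter stage); the function names are my own.

```python
import struct

# Standard DOS-stub message that Microsoft linkers place in every PE image.
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_DLL = 0x2000


def split_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in response")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")
    return status_line, headers, body


def inspect_body(body: bytes) -> dict:
    """Check whether a response body is a PE image and pull out the fields
    that matter for triage: e_lfanew, machine type and the DLL flag."""
    info = {
        "starts_with_mz": body[:2] == b"MZ",
        "has_dos_stub_text": DOS_STUB_TEXT in body,
        "is_pe": False,
        "e_lfanew": None,
        "machine": None,
        "is_dll": None,
    }
    if not info["starts_with_mz"] or len(body) < 0x40:
        return info
    # e_lfanew (DOS header offset 0x3C) points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    info["e_lfanew"] = e_lfanew
    if e_lfanew + 24 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return info
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", body, e_lfanew + 4)
    info["is_pe"] = True
    info["machine"] = machine
    info["is_dll"] = bool(characteristics & IMAGE_FILE_DLL)
    return info


def classify_response(raw: bytes) -> dict:
    """Parse one captured response and describe what its body carries."""
    status_line, headers, body = split_http_response(raw)
    info = inspect_body(body)
    info["status_line"] = status_line
    info["content_type"] = headers.get("content-type")
    info["content_length"] = len(body)
    return info


def build_sample_pe_body() -> bytes:
    """Constructed minimal PE image for the demo (NOT a real Meterpreter stage):
    64-byte DOS header, the usual DOS stub, then a PE file header."""
    dos_stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                + DOS_STUB_TEXT + b"\r\r\n$\x00")
    e_lfanew = (0x40 + len(dos_stub) + 7) & ~7          # 8-byte aligned -> 0x80
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    image = dos_header + dos_stub
    image += b"\x00" * (e_lfanew - len(image))
    file_header = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0xE0,
                              IMAGE_FILE_DLL | 0x0002 | 0x0100)
    return image + b"PE\x00\x00" + file_header


def build_sample_response() -> bytes:
    """Constructed HTTP response carrying the sample PE body."""
    body = build_sample_pe_body()
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"\r\n" + body)


if __name__ == "__main__":
    for key, value in classify_response(build_sample_response()).items():
        print(f"{key}: {value}")
```

To use it on a real capture, export the first server response from Wireshark (Follow TCP Stream, server side, raw) and pass those bytes to classify_response. A body that starts with MZ and carries the DOS stub text is a PE image; the DLL flag and machine field then tell you whether it is a 32-bit DLL, which is the shape you would expect a staged payload to have, as opposed to an error page or an empty reply.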
Current thread:
- Meterpreter Reverse HTTP(s) Payloads after last update Enis Sahin (Sep 30)
- Re: Meterpreter Reverse HTTP(s) Payloads after last update Enis Sahin (Sep 30)
- Re: Meterpreter Reverse HTTP(s) Payloads after last update Sherif El-Deeb (Sep 30)
- Re: Meterpreter Reverse HTTP(s) Payloads after last update Enis Sahin (Sep 30)
- Re: Meterpreter Reverse HTTP(s) Payloads after last update Enis Sahin (Sep 30)
- Re: Meterpreter Reverse HTTP(s) Payloads after last update Sherif El-Deeb (Sep 30)
- Re: Meterpreter Reverse HTTP(s) Payloads after last update Enis Sahin (Sep 30)