Metasploit mailing list archives

Meterpreter Reverse HTTP(s) Payloads after last update


From: Enis Sahin <enis.c.sahin () gmail com>
Date: Fri, 30 Sep 2011 16:06:52 +0300

Hi everybody,

I've had the chance to test the windows/meterpreter/reverse_http payload for
an APT demonstration project in a corporate environment recently.

Before the update on September 23, both the http and https versions had
connection problems: upon session connection, it would go idle and the session
wouldn't accept any commands. The Wireshark capture shows that the initial
response packet had the error "This program cannot be run in DOS mode". But
it was undetected by the AV solution used.

After the update, the AV immediately detects the malicious file as soon as
it is extracted from the zip file. I know that the AV detects the reverse
http payload because using the same file format exploit with a reverse tcp
connection payload doesn't get detected. The same goes for the previous
version of the payload: I still have the version with connection problems (in
a file created with the same file format exploit) and it stays undetected on
the desktop.

As a side note, I've used the same encoding for all payloads I've tried, to be
able to identify the reason for detection.

Any ideas about why the payload gets detected after the update?

Thanks.
Enis

-- 
http://www.enissahin.com | http://twitter.com/enis_sahin