Metasploit mailing list archives
Re: Meterpreter Reverse HTTP(s) Payloads after last update
From: HD Moore <hdm () metasploit com>
Date: Sat, 08 Oct 2011 01:52:10 -0500
On 10/5/2011 9:32 AM, Enis Sahin wrote:
Well, not many seem to be interested in the subject, but I'd like to make one final request/recommendation on the issue of reverse HTTP(s) payloads. Staged payloads are used to evade AV detection, but in HTTP-tunneled scenarios where a Web Gateway with AV capabilities exists, using staged payloads makes us go through two layers of AV (one local, one in the web gateway). Plus, SSL inspection is used in some infrastructures, thus utilizing HTTPS connections to download the second stage doesn't improve the outcome. If HD is following these posts, I'd like to request that a single-stage reverse HTTP(s) payload be considered for future versions. It is easier to use different encodings and packers for local AV evasion and test against local agents. Finding a combination of a delivery method which bypasses local AV and a second stage which bypasses web gateway AV detection is significantly harder. It seems like it would make more sense to battle on one front and use a single stage in such scenarios.
It's pretty easy to make an inline stage out of what we have today, and the handler will go straight to the session if a connection comes in with /CONN as the prefix. The current process just uses stage1 to download stage2 (the entire DLL plus prefix) into RWX memory and executes it. Theoretically, all you have to do is patch the host/url/id values into the stage2 and treat it as a giant payload. Adding support for this to the framework would be nice though, and I'll try to work it in soon. Thanks for the feedback -HD

https://mail.metasploit.com/mailman/listinfo/framework
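The two mechanics HD's reply relies on, patching host/url/id values into a stage so it can be delivered as one blob, and routing an incoming request to a session by its /CONN prefix, as an added Ruby example. This is illustration code written for this page, not Metasploit's own implementation: the placeholder markers, the field sizes, and the sample stage blob are constructed assumptions, since the real stage's configuration layout is not given in the thread.

```ruby
# Added example (not Metasploit code): turning a stage blob into a single-stage
# payload by patching connection settings into reserved fixed-size fields, then
# routing an incoming request by URI prefix. Field markers, sizes and the
# sample blob are assumptions constructed for illustration.

FIELDS = {
  host: { marker: "HOST_PLACEHOLDER".b, size: 256 },
  uri:  { marker: "URI_PLACEHOLDER".b,  size: 512 },
  id:   { marker: "ID_PLACEHOLDER".b,   size: 64  },
}.freeze

# Constructed stand-in for the stage DLL: filler bytes with NUL-padded
# placeholder fields embedded where a loader would read its settings.
def build_sample_stage
  blob = "MZ".b + ("\x90".b * 64)
  FIELDS.each_value do |f|
    blob << f[:marker].ljust(f[:size], "\x00".b)
    blob << ("\xCC".b * 16)
  end
  blob
end

# Find each placeholder once; the offsets are what the patcher writes to,
# because after patching the marker text is gone.
def locate_fields(blob)
  FIELDS.each_with_object({}) do |(name, f), offs|
    off = blob.index(f[:marker])
    raise ArgumentError, "no #{name} field in stage" if off.nil?
    offs[name] = off
  end
end

# Overwrite one field in place. The value must leave room for a NUL
# terminator so a strlen() on the field in the loader can never run past it,
# and the blob size must not change (the field is fixed-size, not spliced).
def patch_field(blob, offsets, name, value)
  size = FIELDS.fetch(name)[:size]
  v = value.b
  raise ArgumentError, "#{name} too long (#{v.bytesize} >= #{size})" if v.bytesize >= size
  out = blob.dup
  out[offsets.fetch(name), size] = v.ljust(size, "\x00".b)
  out
end

# Produce the "giant payload": the whole stage with its settings baked in.
def make_stageless(blob, host:, port:, uri:, id:)
  raise ArgumentError, "bad port #{port}" unless (1..65_535).cover?(port)
  offs = locate_fields(blob)
  out = patch_field(blob, offs, :host, "#{host}:#{port}")
  out = patch_field(out, offs, :uri, uri)
  out = patch_field(out, offs, :id, id)
  raise "patch changed stage size" unless out.bytesize == blob.bytesize
  out
end

# Read a field back (up to its NUL) to verify the patch did what we expect.
def read_field(blob, offsets, name)
  size = FIELDS.fetch(name)[:size]
  blob[offsets.fetch(name), size].split("\x00".b, 2).first.to_s
end

# Handler side: a request whose path starts with the session prefix is wired
# straight to a session; anything else is treated as a stage download.
def route_request(path, session_prefix: "/CONN")
  path.start_with?(session_prefix) ? :session : :stage
end

if __FILE__ == $PROGRAM_NAME
  stage  = build_sample_stage
  offs   = locate_fields(stage)
  single = make_stageless(stage, host: "203.0.113.10", port: 443,
                          uri: "/CONN_abc123/", id: "abc123")
  puts "host field: #{read_field(single, offs, :host)}"
  puts "route for /CONN_abc123/: #{route_request('/CONN_abc123/')}"
end
```

The length checks are the part worth keeping in a real patcher: writing a value that overruns its reserved field silently corrupts whatever follows it in the stage, and a field without a terminating NUL is read past its end by the loader.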
Current thread:
- Re: Meterpreter Reverse HTTP(s) Payloads after last update Enis Sahin (Oct 04)
- Re: Meterpreter Reverse HTTP(s) Payloads after last update Enis Sahin (Oct 05)
- Re: Meterpreter Reverse HTTP(s) Payloads after last update Sherif El-Deeb (Oct 05)
- Re: Meterpreter Reverse HTTP(s) Payloads after last update Sherif El-Deeb (Oct 05)
- Re: Meterpreter Reverse HTTP(s) Payloads after last update HD Moore (Oct 07)
- Re: Meterpreter Reverse HTTP(s) Payloads after last update Enis Sahin (Nov 01)
- Re: Meterpreter Reverse HTTP(s) Payloads after last update Enis Sahin (Nov 13)
- Re: Meterpreter Reverse HTTP(s) Payloads after last update Sherif El-Deeb (Oct 05)
- Re: Meterpreter Reverse HTTP(s) Payloads after last update Enis Sahin (Oct 05)