[framework] my handler has been p0wned ?
al1c3andb0b at lavabit.com
Wed Mar 16 09:30:59 PDT 2011
On 03/16/2011 04:05 PM, c0lists wrote:
> had you tried it (1), you would have seen that if you connect to your
> IP/port the handler would attempt to send you the stage too. Add that
> you are listening on a commonly scanned port, this isn't too surprising.
You're right, a simple netcat connect triggers the staging step. And I
hadn't tried it. Thanks.
Actually, the scan option touched me, but lightly, as I thought there
should be a protocol between the stager and the handler, involving a
custom scanner to fingerprint the MSF handler and an exploit at hand to
abuse it, which is IMHO not the kind of tool used by either script
kiddies or large criminal organizations who perform untargeted scans.
But obviously, keeping the stager shorter was preferred, at the price of
being revealed through a simple connect scan.
At least I'm right on my last point: the Internet is continuously
scanned for vulnerable hosts at a terrible pace.