[framework] Meterpreter Reverse HTTP(s) Payloads after last update
Sherif El-Deeb
archeldeeb at gmail.com
Fri Sep 30 09:06:41 CDT 2011
Last time I asked for help, I attached console output, my configurations,
and everything I felt would help define the issue; I suggest you do the
same.
About the AV detection issue, just google "evading av with metasploit", and
you will eventually come to the conclusion that if you want your stuff to
become undetected, you will HAVE TO CODE SOMETHING ON YOUR OWN, period.
connection issues: plz provide more info.
Regards,
On Sep 30, 2011 4:48 PM, "Enis Sahin" <enis.c.sahin at gmail.com> wrote:
> Oh and additional information.
>
> I've tried using the previous version of the payload since it still
> doesn't get detected by AV. But, setting the lhost in multi/handler to the
> actual IP, dyndns URL of the Modem and 0.0.0.0 results in the same
> connection problem.
>
>
>
> On 30 September 2011 16:06, Enis Sahin <enis.c.sahin at gmail.com> wrote:
>
>> Hi everybody,
>>
>> I've had the chance to test the windows/meterpreter/reverse_http payload
>> for an APT demonstration project in a corporate environment recently.
>>
>> Before the update on September 23 both the http and https versions had
>> connection problems upon session connection: it would go idle and the
>> session wouldn't accept any commands. The Wireshark capture showed that
>> the initial response packet had the error "This program cannot be run in
>> Dos mode". But it was undetected by the AV solution used.
>>
>> After the update, the AV immediately detects the malicious file as soon
>> as it is extracted from the zip file. I know that the AV detects the
>> reverse http payload because using the same fileformat exploit with a
>> reverse tcp connection payload doesn't get detected. The same goes for the
>> previous version of the payload; I still have the version with connection
>> problems (in a file created with the same file format exploit) and it
>> stays undetected on the desktop.
>>
>> As a side note I've used the same encoding for all payloads I've tried to
>> be able to identify the reason for detection.
>>
>> Any ideas about why the payload gets detected after the update?
>>
>> Thanks.
>> Enis
>>
>> --
>> http://www.enissahin.com | http://twitter.com/enis_sahin
>>
>>
>
>
> --
> http://www.enissahin.com | http://twitter.com/enis_sahin
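Added example, not part of the thread above or of the Metasploit project: the "This program cannot be run in DOS mode" text Enis saw in the Wireshark capture is the DOS stub of a Windows PE image, which means the HTTP response body carried an executable. On the defending side, that is a cheap thing to look for in proxy or IDS telemetry: a response whose body starts with an `MZ` header, carries the DOS stub text, or has a valid `PE\0\0` signature at `e_lfanew`, while its `Content-Type` does not declare an executable. The sample responses below are constructed for the demo, and the list of "declared executable" content types is an assumption, not a standard.

```python
"""
Added example (not from the mailing-list thread or Metasploit): flag HTTP
responses whose body looks like a Windows PE image. All sample bytes below
are constructed for the demo.
"""
import struct

# The PE DOS stub message (the string seen in the capture described above).
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"

# Assumption for this example: content types that legitimately announce a PE.
EXECUTABLE_CONTENT_TYPES = (
    "application/x-msdownload",
    "application/vnd.microsoft.portable-executable",
)


def split_http_response(raw: bytes):
    """Split a raw HTTP response into (status_line, headers dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def inspect_body_for_pe(body: bytes) -> dict:
    """Return the PE indicators found in a response body."""
    findings = {
        "mz_header": body[:2] == b"MZ",
        "dos_stub_text": DOS_STUB_TEXT in body,
        "pe_signature": False,
        "e_lfanew": None,
    }
    # e_lfanew lives at offset 0x3C of the DOS header and points at "PE\0\0".
    if findings["mz_header"] and len(body) >= 0x40:
        e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
        findings["e_lfanew"] = e_lfanew
        if e_lfanew + 4 <= len(body) and body[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            findings["pe_signature"] = True
    return findings


def is_suspicious(raw_response: bytes) -> bool:
    """True when a response not declared as an executable carries PE markers."""
    _, headers, body = split_http_response(raw_response)
    f = inspect_body_for_pe(body)
    declared_exe = headers.get("content-type", "") in EXECUTABLE_CONTENT_TYPES
    has_pe_marker = f["mz_header"] or f["dos_stub_text"] or f["pe_signature"]
    return bool(has_pe_marker and not declared_exe)


def build_fake_pe() -> bytes:
    """Constructed minimal PE-looking blob: DOS header, stub text, PE signature."""
    e_lfanew = 0x80
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    stub = DOS_STUB_TEXT.ljust(e_lfanew - 0x40, b"\0")  # pad up to e_lfanew
    return bytes(dos_header) + stub + b"PE\0\0" + b"\0" * 20


# Constructed sample responses: one carrying the fake PE, one ordinary HTML page.
_FAKE_PE = build_fake_pe()
SAMPLE_STAGE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Length: " + str(len(_FAKE_PE)).encode() + b"\r\n\r\n" + _FAKE_PE
)
SAMPLE_HTML_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for name, resp in (("stage", SAMPLE_STAGE_RESPONSE), ("html", SAMPLE_HTML_RESPONSE)):
        body = split_http_response(resp)[2]
        print(name, inspect_body_for_pe(body), "suspicious:", is_suspicious(resp))
```

The three indicators are checked independently on purpose: a body that has been chunked, truncated or lightly obfuscated may lose the `MZ` bytes or the `PE\0\0` signature but still contain the stub text, and the reverse also happens, so a single marker is enough to warrant analyst review rather than an automatic block.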