metasploit-framework March 2011 archive
Main Archive Page > Month Archives  > metasploit-framework archives
metasploit-framework: Re: [framework] my handler has been p0wned

Re: [framework] my handler has been p0wned ?

From: Nicolas Krassas <krasn_at_nospam>
Date: Wed Mar 16 2011 - 14:54:40 GMT
To: al1c3andb0b <>

Did you upload your "testing" files to any of the av scanning sites ? eg.
virustotal ?

On Wed, Mar 16, 2011 at 4:35 PM, al1c3andb0b <>wrote:

> Yesterday evening, I was experimenting on how multiple encoding/packing may
> alter the "executabilty" of the meterpreter reverse TCP payload. For this, I
> had set up the appropriate metasploit handler on the attacker host.
> In the night, I get to bed, tired of so many tries (it becomes more and
> more difficult, using only encoding/packing, to get a working payload that
> is not catch by AV software), and let the handler running.
> When I came back to my desktop, I had a surprise:
> msf exploit(handler) >
> [*] Sending stage (749056 bytes) to
> [*] Sending stage (749056 bytes) to
> [*] Sending stage (749056 bytes) to
> [*] Sending stage (749056 bytes) to
> [*] Sending stage (749056 bytes) to
> [*] Sending stage (749056 bytes) to
> .
> Rem: 749056 bytes is a little more than the raw reverse tcp/http
> meterpreter payloads.
> AFAIK, that may come from the base payload stager (stager.rb), or the HTTP
> tunneling one (passivex.rb), as I've also experimented with the meterpreter
> reverse HTTP payload.
> But I don't know how to interpret these messages. Why is "my" handler
> sending stages to some more or less Chinese (I've done a whois) hosts? Does
> this mean a payload is executing on my computer, connected to a meterpreter
> session (or other, depending on the actual payload) somewhere in China? Does
> this mean someone uses my handler as a covert channel?
> I didn't find anything useful either in /var/log/* nor in .msf3/logs/*.
> I didn't find any obvious intruder in the process list.
> So I come here with a question, and an issue.
> The question first: is someone aware of an exploit that can affect the
> Metasploit handlers? If there is a widespread POC of such an exploit (I
> Googled a bit, and didn't find anything), could you give me a pointer? Or,
> does someone has an explanation for the "sending stage" messages that does
> not involve any attack?
> The issue: the presence of vulnerabilities within the MSF framework itself.
> This issue is strengthened by i) actually working with Metasploit requires
> running with root privileges, and ii) the framework may not be difficult to
> fingerprint (and even more obviously when one uses the default handler
> ports).
> As a consequence, for example, a campaign SE type of penetration test,
> running handlers during several days, could be dangerous for the tester
> himself.
> Joke: do you think that MSF will eventually enters the nmap fingerprint
> database, and includes an exploit to attack itself?
> As a final note, the pace the Internet is scanned for vulnerable hosts is
> terrible: my victim was on the DMZ and running the handlers (port 8080, my
> mistake, I should have used a less common one) for less than a day before
> being p0wned.
> I hope I'm wrong, I hope someone will demonstrate that.
> Best regards.
> _______________________________________________