[framework] Metasploit vs ANI

Rhys Kidd rhyskidd at gmail.com
Mon Apr 2 09:03:49 CDT 2007


> The page might be GZIP'ed even if
> default options are set to turn off all evasion techniques. What do you
> think ?

Wireshark automatically decompresses any standard Content-Encoding or
Transport-Encoding on HTTP traffic, so you are viewing the page as the
browser rendering engine would later see it.

> I've just been testing ANI/HTTP payload against XPSP2 and Vista, and the
> Web page seems somewhat "corrupted". As a result, IE displays ASCII
> characters without even crashing.
>
> I cannot even see the "anih" header.

You won't be able to see the anih header in the HTML, as the .ani file is
loaded as binary data, through the use of the CSS "cursor" attribute.

When all the <div> style CSS comment junk is removed, you should see the
relevant CSS as being:

> CursOR: URL("/lol/aOqmmblrCLUVJrY0R1he7O3UdKPxCcb20QvZMSROQ9J5czCyXrQMFHNHP9crTdcLPaUBODji.wav?qZY=1".);


In your packet capture you should see another request for the file at the
URL listed above (randomised per run). As explained by A. Sotirov, the
relevant exception handler permits multiple attempts at the exploit as
access violation exceptions are handled gracefully.

HTH,
Rhys
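An added example (not from this thread or from Metasploit) of the analysis the reply above describes, from the capture-inspection side: it pulls cursor: url(...) references out of CSS regardless of case or surrounding junk, and identifies whether the body fetched for that URL is a RIFF/ACON animated cursor even when it is served under another extension such as .wav. The sample CSS and the minimal ANI body are constructed here.

```python
import re
import struct
from urllib.parse import urlparse

# Property name, url() keyword and quoting are matched case-insensitively,
# since the CSS in the thread reads "CursOR: URL(...)" and is wrapped in junk.
CURSOR_URL_RE = re.compile(
    r'cursor\s*:\s*url\(\s*["\']?([^"\')]+)["\']?[^)]*\)', re.IGNORECASE)

def extract_cursor_urls(css_text: str) -> list:
    """Return every URL referenced from a cursor: url(...) declaration."""
    return [m.group(1).strip() for m in CURSOR_URL_RE.finditer(css_text)]

def is_ani(data: bytes) -> bool:
    """True if data is a RIFF container with form type ACON (animated cursor)."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"

def riff_chunks(data: bytes):
    """Yield (fourcc, payload) for each top-level chunk after the 12-byte RIFF header."""
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        yield fourcc, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)   # RIFF chunks are padded to even length

def classify_cursor(url: str, body: bytes) -> dict:
    """Flag a cursor reference whose body is an ANI file served under another name."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ani = is_ani(body)
    has_anih = ani and any(fourcc == b"anih" for fourcc, _ in riff_chunks(body))
    return {"ext": ext, "is_ani": ani, "has_anih": has_anih,
            "suspicious": ani and ext not in ("ani", "cur")}

# Constructed sample: CSS in the thread's style and a minimal, benign ANI body
# (RIFF/ACON with a standard 36-byte anih header and no frames).
SAMPLE_CSS = '<div style="CursOR: URL(\'/lol/abcDEF123.wav?qZY=1\'.);">x</div>'
_ANIH = b"anih" + struct.pack("<I", 36) + struct.pack("<9I", 36, 1, 1, 0, 0, 32, 1, 10, 1)
SAMPLE_ANI = b"RIFF" + struct.pack("<I", 4 + len(_ANIH)) + b"ACON" + _ANIH

def demo() -> dict:
    """Run the check over the constructed sample; returns the classification."""
    url = extract_cursor_urls(SAMPLE_CSS)[0]
    return classify_cursor(url, SAMPLE_ANI)
```

In a real capture you would feed classify_cursor() the decompressed response body Wireshark shows for the second request, rather than the constructed bytes.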