Metasploit mailing list archives

Re: Unable to start web browser exploit on pivoted host


From: Hauke Mehrtens <hauke () hauke-m de>
Date: Sun, 23 Jan 2011 01:33:47 +0100

On 01/21/2011 07:21 PM, Hauke Mehrtens wrote:
I want to start a msf web server with a browser exploit on an already
exploited host to exploit more hosts in the internal network visiting its
website.

My network configuration looks like this:
Host A ----------------- Host P --------------- Host V
(Attacker)            (Pivoted)               (Victim)
192.168.56.1/24               192.168.56.3/24
                      192.168.57.4/24         192.168.57.3/24
Ubuntu 10.10          Windows 2003 R2 SP2     Windows XP

I am the attacker (Host A) and got a meterpreter session on the pivoted
Host P. Now I want to start some web browser exploit to exploit Host V
when it accesses this website. But when doing so I get the following
error message:

[-] Exploit exception: undefined method `on_client_connect_proc=' for
#<Rex::Post::Meterpreter::Extensions::Stdapi::Net::SocketSubsystem::TcpServerChannel:0x7fcac33318b0>

The Host V does not have a direct network connection to the attacker.
When starting the msf web server with the browser exploit on a local
network interface on Host A, everything works as expected.

This was done on Ubuntu 10.10 amd64 and i386 with the msf version from
today. This was done with and without root rights.

If this is a normal behavior and should not work, how do I forward an
open port on the Host P to a web server on Host A so that Host V can
access the browser exploit?

Hauke

I talked to egypt yesterday about this problem and he said that the http
server is not compatible with comm, the system used to route traffic
through meterpreter sessions.

Today I tried to fix this problem, but it does not work completely.
I am able to start a web server listening on a port on the pivoted host
and it handles http requests and sends back the correct page, but it has
problems, when the TCP connection is closed by the web browser. This
normally does not happen after every single http request, but it happens
so often that I did not get a browser exploited.

I have attached the patch with my changes. I need some more information
on how the meterpreter server on the pivoted host sends the TCP "close"
response to the meterpreter client in metasploit. This message has to be
handled correctly to fix my problem.

For now, in lib/rex/io/stream_abstraction.rb in the method monitor_rsock,
I get an exception because msf just writes some data to a closed socket.

The Rex::ThreadSafe.select throws an exception, because the socket is
closed.

I would be happy if someone could give me a hint on how to fix this problem.

Hauke

Attachment: com-http.patch
Description:
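The failure the mail describes (a select-driven monitor loop that does not survive the browser closing its TCP connection, and then writes to a dead socket) can be reproduced and handled without any network at all. The following is an added example, not the attached patch and not Rex or Metasploit code: the function name `relay_until_closed`, its arguments and the returned hash are assumptions made for this illustration. It mirrors the shape of a monitor thread such as monitor_rsock, reading from one socket and writing to another, but maps every way a peer can go away (EOF on read, a descriptor closed underneath the loop, EPIPE or ECONNRESET on write) to a clean end-of-stream result instead of an uncaught exception.

```ruby
require 'socket'

# Select-driven relay loop modelled on the failure the mail describes: a
# monitor thread that keeps reading from one socket and writing to another
# and has to cope with the TCP "close" arriving on either side. Every way a
# peer can disappear is turned into a normal end-of-stream result.
# The function name, arguments and return hash are assumptions for this
# example; none of this is Rex or Metasploit code.
def relay_until_closed(rsock, wsock, timeout: 1.0)
  forwarded = 0
  reason = :timeout

  loop do
    # Our own write side is already closed: nothing more can be delivered.
    if wsock.closed?
      reason = :write_side_closed
      break
    end

    # IO.select raises IOError if rsock was closed under us; treat that as
    # the read side going away rather than letting it escape the thread.
    begin
      ready, = IO.select([rsock], nil, nil, timeout)
    rescue IOError, Errno::EBADF
      reason = :read_side_closed
      break
    end
    if ready.nil?
      reason = :timeout
      break
    end

    begin
      chunk = rsock.read_nonblock(4096)
    rescue IO::WaitReadable
      next                         # spurious wakeup, go back to select
    rescue EOFError
      reason = :peer_closed        # peer sent FIN: the normal termination case
      break
    rescue IOError, Errno::ECONNRESET, Errno::EBADF
      reason = :read_side_closed   # descriptor closed locally, or peer reset
      break
    end

    begin
      wsock.write(chunk)
      forwarded += chunk.bytesize
    rescue IOError, Errno::EPIPE, Errno::ECONNRESET
      reason = :write_failed       # receiver is gone; stop instead of crashing
      break
    end
  end

  { forwarded: forwarded, reason: reason }
end

# Stand-alone demonstration with constructed socket pairs (no network needed):
# the "browser" writes one request and closes, the event the mail says the
# original loop could not survive.
if __FILE__ == $PROGRAM_NAME
  browser, relay_in = UNIXSocket.pair
  relay_out, server = UNIXSocket.pair
  browser.write("GET / HTTP/1.0\r\n\r\n")
  browser.close
  result = relay_until_closed(relay_in, relay_out)
  relay_out.close
  puts "server received: #{server.read.inspect}"
  puts "relay result:    #{result.inspect}"
end
```

The design point is that a closed connection is an expected event on every request, not an error: the loop reports why it stopped (`:peer_closed`, `:write_failed`, `:read_side_closed`, `:timeout`) so the caller can tear down its half of the channel, which is the information the mail says the meterpreter client needs when the TCP "close" arrives from the pivoted host.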
