Metasploit mailing list archives
Re: Unable to start web browser exploit on pivoted host
From: Hauke Mehrtens <hauke () hauke-m de>
Date: Sun, 23 Jan 2011 01:33:47 +0100
On 01/21/2011 07:21 PM, Hauke Mehrtens wrote:
I want to start a msf web server with a browser exploit on an already exploited host to exploit more hosts in the internal network visiting its website.

My network configuration looks like this:

Host A ----------------- Host P --------------- Host V
(Attacker)               (Pivoted)              (Victim)
192.168.56.1/24          192.168.56.3/24        192.168.57.4/24
                         192.168.57.3/24
Ubuntu 10.10             Windows 2003 R2 SP2    Windows XP

I am the attacker (Host A) and got a meterpreter session on the pivoted Host P. Now I want to start some web browser exploit to exploit Host V when it accesses this website. But when doing so I get the following error message:

[-] Exploit exception: undefined method `on_client_connect_proc=' for #<Rex::Post::Meterpreter::Extensions::Stdapi::Net::SocketSubsystem::TcpServerChannel:0x7fcac33318b0>

The Host V does not have a direct network connection to the attacker. When starting the msf web server with the browser exploit on a local network interface on Host A, everything works as expected.

This was done on Ubuntu 10.10 amd64 and i386 with the msf version from today. This was done with and without root rights.

If this is normal behavior and should not work, how do I forward an open port on the Host P to a web server on Host A so that Host V can access the browser exploit?

Hauke

I talked to egypt yesterday about this problem and he said that the HTTP server is not compatible with comm, the system used to route traffic through meterpreter sessions.

Today I tried to fix this problem, but it does not work completely. I am able to start a web server listening on a port on the pivoted host and it handles HTTP requests and sends back the correct page, but it has problems when the TCP connection is closed by the web browser. This normally does not happen after every single HTTP request, but it happens so often that I did not get a browser exploited. I have attached the patch with my changes.

I need some more information on how the meterpreter server on the pivoted host sends the TCP "close" response to the meterpreter client in metasploit. This message has to be handled correctly to fix my problem. For now in lib/rex/io/stream_abstraction.rb in the method monitor_rsock I get an exception because msf just writes some data to a closed socket. The Rex::ThreadSafe.select throws an exception, because the socket is closed.

I would be happy if someone could give me a hint on how to fix this problem.

Hauke

Attachment: com-http.patch
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework