Home page logo
/

metasploit logo Metasploit mailing list archives

Payload windows/meterpreter/reverse_htpp does not work (anymore ?) on a Vista/SP2 victim
From: Bak <bak0un1n3 () live com>
Date: Wed, 1 Jun 2011 08:52:31 -0400

First, I'm not even sure that should be a feature.

Though not explicitly mentioned (the windows/meterpreter/reverse_htpp payload's info states that it "Tunnels communication over HTTP using IE 6"), the payload works like a charm using an XP(SP3)/IE8 victim.

But using a Vista/IE8 victim:
1) Attacker side stucks at "Sending PassiveX DLL (125952 bytes)".
2) Victim browser complains with a "Your security level settings puts your computer at risk" warning. Note that the above behaviors are both observed by natron in his (old) post (see bellow).


So far, I've come to:

- This thread (http://seclists.org/metasploit/2009/q1/235) seems related, but - natron has posted (http://blog.invisibledenizen.org/2009/02/updating-passivex-handler-to-work-with.html) in 2009 a workaround compatible with IE 7; unfortunately the article didn't specify the tested OS (XP,Vista,7,...) - and his fix has already been merged into passivex.rb in the Metasploit SVN trunk, and source code states that it should also work with IE8 (though still not mentions the targeted OS).

- The issue #291 (http://dev.metasploit.com/redmine/issues/291) may also be relevant, but that would be a regression, as the ticket is now closed for one year.

- The issue #3093 (http://dev.metasploit.com/redmine/issues/3093) also came to me, but the proposed fix is again already merged to passivex.rb (though the ticket is still New).

I've tried the tip proposed by natron to reveal the second iexplore.exe's window (http://seclists.org/metasploit/2009/q1/287) in the hope of getting more info, but the window's remain invisible (though the process actually exists).

I've spent the night to hide my test malware behavior within steps in a Tower of Hanoi recursive solution, and now gracefully evades Kaspersky, I'm just missing it working on Vista to have some rest. [note: the way I hide the payload setup and activation should not impact its proper behavior]

I've also tested with windows/meterpreter/reverse_tcp, which is too undetected by all my targeted AVs (using my stupid Tower of Hanoi thing), but sometimes triggers "This application is trying to connect to Internet ...!". Going through an IE instance, as does windows/meterpreter/reverse_http, bypasses this limitation: generally the AV automatically adds a rule for us.

Any thought, advices, pointers, or encouragement welcome.
Thanks.

Bak.




_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


  By Date           By Thread  

Current thread:
  • Payload windows/meterpreter/reverse_htpp does not work (anymore ?) on a Vista/SP2 victim Bak (Jun 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault