Payload windows/meterpreter/reverse_htpp does not work (anymore ?) on a Vista/SP2 victim
From: Bak <bak0un1n3 () live com>
Date: Wed, 1 Jun 2011 08:52:31 -0400
First, I'm not even sure that should be a feature.
Though not explicitly mentioned (the windows/meterpreter/reverse_http
payload's info states that it "Tunnels communication over HTTP using IE
6"), the payload works like a charm using an XP(SP3)/IE8 victim.
But using a Vista/IE8 victim:
1) The attacker side gets stuck at "Sending PassiveX DLL (125952 bytes)".
2) The victim browser complains with a "Your security level settings puts
your computer at risk" warning.
Note that both of the above behaviors were also observed by natron in his (old)
post (see below).
So far, I've come to:
- This thread (http://seclists.org/metasploit/2009/q1/235) seems
- natron posted a workaround in 2009 that is compatible with IE 7;
unfortunately the article doesn't specify the tested OS (XP, Vista, 7, ...)
- and his fix has already been merged into passivex.rb in the Metasploit
SVN trunk, and the source code states that it should also work with IE8
(though it still does not mention the targeted OS).
- Issue #291 (http://dev.metasploit.com/redmine/issues/291) may
also be relevant, but that would be a regression, as the ticket has now
been closed for a year.
- Issue #3093 (http://dev.metasploit.com/redmine/issues/3093) also
came to me, but the proposed fix is again already merged into passivex.rb
(though the ticket is still New).
I've tried the tip proposed by natron to reveal the second
iexplore.exe's window (http://seclists.org/metasploit/2009/q1/287) in
the hope of getting more info, but the window remains invisible (though
the process actually exists).
I've spent the night hiding my test malware's behavior within the steps of a
Tower of Hanoi recursive solution, and it now gracefully evades Kaspersky;
I just need it working on Vista to get some rest.
[note: the way I hide the payload setup and activation should not impact
its proper behavior]
I've also tested with windows/meterpreter/reverse_tcp, which is also
undetected by all my targeted AVs (using my stupid Tower of Hanoi
thing), but sometimes triggers "This application is trying to connect
to the Internet ...!". Going through an IE instance, as
windows/meterpreter/reverse_http does, bypasses this limitation: generally
the AV automatically adds a rule for us.
Any thoughts, advice, pointers, or encouragement welcome.