Metasploit mailing list archives

Re: Meterpreter Reverse_HTTPS dies

From: Rob Fuller <mubix () room362 com>
Date: Thu, 3 Mar 2011 11:03:24 -0500

Does a different payload work? reverse_tcp for example. And reverse_https
doesn't use ActiveX so you shouldn't be seeing a iexplorer.exe running
unless of course if that's what you named your payload. It could be a
problem on your listener end.

Can you pastebin your process from start to finish? What exploit are you
running? Is it just a built binary?

--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org


On Thu, Mar 3, 2011 at 4:00 AM, JOhn Mistikopoulos <
mailtest1223133456 () gmail com> wrote:

I have tried numerous scenarios such as:
1. Middle proxy servers (more than 3 different web proxy software)
2. A single proxy server
3. No proxy server
4. Over the internet and locally (get the same error)
5. Tested with different service packs (WinXP SP1, SP3, Win7)
6. Tested with IE6, unpatched.
7. Tested with different user accounts and group policies.
8. Tested in Symantec and McAfee Endpoint protection (none marked it as a
threat)
9. Tested without any AV protection or Firewall-IPS.

When I run the payload (for example the "exe" file in an unprotected PC -
no AV, no IPS) I got the its name on the task manager just for a while and
then dies.
HoweverI don't see any instance of iexplorer.exe running.



On Wed, Mar 2, 2011 at 5:35 PM, HD Moore <hdm () metasploit com> wrote:

On 2/28/2011 6:13 AM, JOhn Mistikopoulos wrote:

And then, the listener stops giving any other info.
I went to the victim PC and realized that the payload exe had already

dies.

I couldn't see it on the task manager.
Concurrently, I had been running wireshark.
The two last packets were:
1. Victim => Listener (RST, ACK)
2. Listener => Victim (FIN, ACK)

Finally I don't get any connections.
Does anyone know how to fix this?


Is there any network proxy/filter between the target and yourself? Is
the target running an endpoint protection product or HIPS? Is the target
process a user-process (IE) or a system process (assuming IE/user-land)?

The reverse_https payload is finicky based on the WinInet profile of the
user running the code.

-HD
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework



_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

Current thread:

Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Feb 28)
- Re: Meterpreter Reverse_HTTPS dies HD Moore (Mar 02)
  - Re: Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Mar 03)
    - Re: Meterpreter Reverse_HTTPS dies Rob Fuller (Mar 03)
    - Re: Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Mar 04)
    - Re: Meterpreter Reverse_HTTPS dies Rob Fuller (Mar 04)
    - Re: Meterpreter Reverse_HTTPS dies JOhn Mistikopoulos (Mar 09)
    - Re: Meterpreter Reverse_HTTPS dies Gerasimos Kassaras (Mar 09)
    - Re: Meterpreter Reverse_HTTPS dies ricky-lee birtles (Mar 09)
    - Re: Meterpreter Reverse_HTTPS dies Jerry (Mar 09)
    - Re: Meterpreter Reverse_HTTPS dies c0lists (Mar 03)