Metasploit questions.

  1. #1  itsmedave (Junior Member, joined Jan 2007, 5 posts)

    Metasploit questions.

    Hi.
    I'm trying to figure out how Metasploit works, but when I try to use an exploit on my own computer, I get this:
    [*] Starting Reverse Handler.
    [*] Waiting for connections to http://127.0.0.1:8080 ...
    It waits forever!
    When I try to use the same exploit, targeted at my other computer, I get this:
    Processing exploit request (Internet Explorer Object Type Overflow)...
    Using payload: win32_reverse
    [*] Starting Reverse Handler.
    [-] Failed to create local HTTP listener on 8080
    [*] Exiting Reverse Handler.

    What's wrong? Is my firewall blocking something, or am I doing something wrong? I've also tried to set HTTPPORT to port 80, but I get the same error.
    And I have another question. Is it possible to run an exploit against another computer, if the target is running a firewall? If yes, why is this possible?

    .. Itsmedave ..

  2. #2  SirDice (Just Another Geek; joined Jul 2002; Rotterdam, Netherlands; 3,401 posts)
    What exploit? What target? How did you set things up?
    Is it possible to run an exploit against another computer, if the target is running a firewall? If yes, why is this possible?
    Depends on the exploit, the target and, more importantly, how that exploit is transferred to the target.

    If you know how a firewall works and what the exploit does you can answer your own question.

    Welcome to AO
    Last edited by SirDice; January 21st, 2007 at 01:25 PM.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3  itsmedave (Junior Member, joined Jan 2007, 5 posts)
    Thanks for the welcome!
    I'll give you some more details on my first attempt(s):

    I'm using the Metasploit Framework 2.6, the Web Console.
    Target is running Windows XP SP2, using Internet Explorer v6.
    Exploit used: "Internet Explorer Object Type Overflow"
    Payload: win32_reverse
    HTTPPORT: 8080
    EXITFUNC: seh
    LHOST: 192.168.1.100 (I've also tried to replace this with my IP and 127.0.0.1)
    LPORT: 4321
    Preferred Encoder: Default encoder
    Nop Generator: Default generator

    When I try to run the exploit, this is what Metasploit tells me:
    Processing exploit request (Internet Explorer Object Type Overflow)...
    Using payload: win32_reverse
    [*] Starting Reverse Handler.
    [-] Failed to create local HTTP listener on 8080
    [*] Exiting Reverse Handler.

    I have tried this, with my target's firewall on and off, nothing works.
    As I'm totally new to Metasploit, I have no idea what I'm doing wrong. So far, I haven't got anything to work in Metasploit. I've read whatever documents I could find about Metasploit, but it hasn't helped me - hopefully someone in here can give me a few pointers.

    Edit: After reading this http://www.microsoft.com/technet/sec.../MS03-020.mspx, I don't think SP2 is vulnerable to this exploit; however, I've tried a few other exploits too, and they all give me the same error: "[-] Failed to create local HTTP listener on 8080". I've also tried to use other ports than 8080, but I still got the same error message. What am I doing wrong?
    Last edited by itsmedave; January 22nd, 2007 at 12:32 AM.

  4. #4  R0n1n (Senior Member, joined Oct 2002, 314 posts)
    Start with a Windows box that you don't patch, then try your exploits. Many of the Metasploit exploits will not work against an up-to-date, patched box. Metasploit is not overflowing with 0day exploits. The message you are seeing is consistent with the box not being vulnerable.
    Quis custodiet ipsos custodes

  5. #5  HTRegz (Senior Member, joined Jan 2003, 3,914 posts)
    Quote Originally Posted by R0n1n
    Start with a Windows box that you don't patch, then try your exploits. Many of the Metasploit exploits will not work against an up-to-date, patched box. Metasploit is not overflowing with 0day exploits. The message you are seeing is consistent with the box not being vulnerable.
    "[-] Failed to create local HTTP listener on 8080[*]"

    ^-- That's consistent with a box not being vulnerable???

    I'm very confused... I'm pretty sure that creating a local listener would have a) nothing to do with the target box and b) have nothing to do with being vulnerable or not...


    Dave,

    Check out 'netstat' from the command line... Generally if you can't create a listener it's one of two things... a) You don't have sufficient permissions to create the socket b) Another piece of software is already listening on that port..

    So when you check netstat you're looking for a line that identifies port 8080 in use as a listening port.

    I would highly suggest playing with true "remote exploits"... as they are going to be easier to get a feel for...(They also won't have the HTTPPORT requirement)...

    The exploits you're playing with require the user to browse to the page in question in order to be exploited... so metasploit is attempting to create a pseudo HTTP server on port 8080... and, for some reason, is failing..

    You can see some demo videos I did for a presentation on metasploit at http://www.computerdefense.org/?p=53
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
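
    The two causes HTRegz lists (no permission to create the socket, or something else already listening) are easy to tell apart by reproducing the bind yourself. The script below is an added example, not part of this thread or of Metasploit: it parses a constructed `netstat -an` snippet for a listener on a given port, and then tries to open a TCP listener on that port and reports which error the OS returns. The sample netstat output, `occupy_port` and the function names are my own assumptions for illustration.

```python
import errno
import socket

# Constructed sample of "netstat -an" output from a Windows box (not from the
# original post). Port 8080 is deliberately shown as already taken.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
TCP    192.168.1.100:1045     72.14.207.99:80        ESTABLISHED
UDP    0.0.0.0:445            *:*
"""


def listeners_on_port(netstat_output, port):
    """Return the local addresses that netstat reports as TCP listeners on `port`.

    Works on both the Windows layout (Proto, Local, Foreign, State) and the
    Linux layout (Proto, Recv-Q, Send-Q, Local, Foreign, State): the local
    address is the first field containing ':' and the state is matched by name.
    """
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or fields[0].lower() not in ("tcp", "tcp4", "tcp6"):
            continue
        if not any(f.upper() in ("LISTEN", "LISTENING") for f in fields):
            continue
        local = next((f for f in fields[1:] if ":" in f), None)
        if local is None:
            continue
        host, sep, lport = local.rpartition(":")
        if sep and lport.isdigit() and int(lport) == port:
            hits.append(host)
    return hits


# Winsock reports its own error numbers; fall back to the POSIX ones elsewhere.
_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE)}
_NO_PERM = {errno.EACCES, errno.EPERM, getattr(errno, "WSAEACCES", errno.EACCES)}


def diagnose_bind(port, host="0.0.0.0"):
    """Open a TCP listener the way a handler would and say why it fails.

    Returns "free", "in_use", "permission_denied" or "error:<errno>". Nothing
    here talks to the target: a failure to bind is purely a local problem.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        s.listen(1)
        return "free"
    except OSError as e:
        if e.errno in _IN_USE:
            return "in_use"
        if e.errno in _NO_PERM:
            return "permission_denied"
        return "error:%s" % e.errno
    finally:
        s.close()


def occupy_port(host="127.0.0.1"):
    """Open a throw-away listener on an OS-chosen port to demonstrate a conflict.

    Returns (socket, port); close the socket to release the port again.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    print("netstat says 8080 is held by:", listeners_on_port(SAMPLE_NETSTAT, 8080))
    holder, port = occupy_port()
    print("bind %d while held: %s" % (port, diagnose_bind(port, "127.0.0.1")))
    holder.close()
    print("bind %d after release: %s" % (port, diagnose_bind(port, "127.0.0.1")))
```

    If `diagnose_bind` comes back "free" for 8080 while the framework still fails, the culprit is something between the framework and the socket (a host firewall or personal security product hooking bind, or the framework running under a different account), not the target.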

  6. #6  itsmedave (Junior Member, joined Jan 2007, 5 posts)
    Quote Originally Posted by R0n1n
    Start with a Windows box that you don't patch, then try your exploits.
    Yea, that might be worth a try.

    Quote Originally Posted by HTRegz
    I'm very confused... I'm pretty sure that creating a local listener would have a) nothing to do with the target box and b) have nothing to do with being vulnerable or not...
    My thoughts too. I did a netstat, but nothing was hogging port 8080. Thanks for the link, I'll have a look at those demo videos.
    I'll try playing around with Metasploit from the command prompt instead of the Web Console, although I can't see why that should make a difference.

    Thanks for the advice, and please let me know if you guys have got any more ideas/suggestions.

  7. #7  nebulus200 (Jaded Network Admin, joined Jun 2002, 1,356 posts)
    There are two reasons why it would create a local listener:

    1) You specified a reverse shell, which means the victim system will attempt to connect back to yours with a specified protocol/port. In order for that to work, your system would have to open that port locally with a program/daemon that would be able to handle the protocol specified in your shell choice (for example, reverse_vnc).

    2) (what you've done) The exploit relies on a client vulnerability on the remote system. What metasploit is attempting to do is setup a web page with the exploit code necessary to take advantage of the vulnerability on the remote system (the clue should be that its an Internet Explorer vulnerability). Because it will require getting the user of the remote/victim system to go to your malicious web page (XSS is great for this), you will need to make LHOST a routeable/reachable address for the victim (if the victim is not on your local network, 192.168.X.X will not work, you'll need to use your publicly routeable address) and unless you are using something like VMWARE, 127.0.0.1 will never work for an exploit of this nature b/c to the victim, the exploit will try to launch/connect to localhost, which it will consider to be itself (ie, its localhost, not yours).

    Since you actually have specified both a reverse shell AND a client attack, the exploit is actually a web server running on 8080 and your reverse shell should be opening up on tcp/4321. If you are having problems with a particular shell not working properly (it happens for a variety of reasons), try a different one (like a cmd shell (not a reverse one), or VNC if you aren't worried about the user seeing you take over their system and seeing the nice MetaSploit courtesy window)....

    Hope that helps steer you in the right direction.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
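
    nebulus200's two points (LHOST must be an address the victim can actually dial, and a browser exploit with a reverse payload needs two listeners, HTTPPORT for the page and LPORT for the connect-back) are worth seeing in code. The script below is an added example, not part of this thread or of Metasploit's own code. `check_lhost` classifies an LHOST against a victim address using the RFC 1918 ranges; `simulate_client_side_attack` stands up a toy "exploit page" server and a toy reverse handler on loopback and plays the victim against both. Addresses, the `shared_lan` parameter, the fake page format and the function names are my own assumptions.

```python
import ipaddress
import socket
import threading

# RFC 1918 ranges: reachable only from hosts on the same private network.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_lhost(lhost, victim, shared_lan=None):
    """Can a victim at `victim` connect to a listener bound to `lhost`?

    Returns (ok, reason). `shared_lan` is an optional CIDR such as "192.168.1.0/24";
    a private LHOST is only accepted when both hosts sit inside it.
    """
    l, v = ipaddress.ip_address(lhost), ipaddress.ip_address(victim)
    if l.is_loopback:
        return False, "loopback: the victim would connect to itself, not to you"
    if l.is_unspecified:
        return False, "0.0.0.0 is a bind wildcard, not an address a victim can dial"
    if l.is_link_local:
        return False, "link-local addresses are not routed"
    if any(l in n for n in RFC1918):
        if shared_lan is not None:
            lan = ipaddress.ip_network(shared_lan)
            if l in lan and v in lan:
                return True, "private address, victim is on the same LAN"
        return False, "private address: not reachable from outside your LAN/NAT"
    return True, "public address (listener ports must still be open through any firewall/NAT)"


def _listen(host, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(1)
    return s


def simulate_client_side_attack(lhost="127.0.0.1"):
    """Model the two listeners a browser exploit with a reverse payload needs.

    Loopback only works here because the "victim" runs on the same host; that is
    exactly why 127.0.0.1 fails against a real second machine.
    Returns the first line the reverse handler receives from the victim.
    """
    http_srv = _listen(lhost, 0)   # stands in for HTTPPORT (exploit page)
    handler = _listen(lhost, 0)    # stands in for LPORT (reverse handler)
    httpport, lport = http_srv.getsockname()[1], handler.getsockname()[1]
    result = {}

    def http_server():
        conn, _ = http_srv.accept()
        conn.recv(1024)  # the victim's GET
        # Toy stand-in for the exploit page: it just tells the victim where to connect back.
        page = "HTTP/1.0 200 OK\r\n\r\nCONNECT_BACK %s %d\r\n" % (lhost, lport)
        conn.sendall(page.encode())
        conn.close()

    def reverse_handler():
        conn, _ = handler.accept()
        result["shell"] = conn.recv(1024).decode().strip()
        conn.close()

    threads = [threading.Thread(target=http_server), threading.Thread(target=reverse_handler)]
    for t in threads:
        t.start()

    # Victim side: browse to the page, then (as the payload would) connect back to LPORT.
    v = socket.create_connection((lhost, httpport))
    v.sendall(b"GET / HTTP/1.0\r\n\r\n")
    body = b""
    while True:
        chunk = v.recv(1024)
        if not chunk:
            break
        body += chunk
    v.close()
    _, host, port = body.decode().split("\r\n\r\n", 1)[1].split()
    back = socket.create_connection((host, int(port)))
    back.sendall(b"victim connected back\r\n")
    back.close()

    for t in threads:
        t.join(timeout=5)
    http_srv.close()
    handler.close()
    return result.get("shell")


if __name__ == "__main__":
    print(check_lhost("127.0.0.1", "192.168.1.101"))
    print(check_lhost("192.168.1.100", "192.168.1.101", "192.168.1.0/24"))
    print(check_lhost("192.168.1.100", "203.0.113.7"))
    print("handler got:", simulate_client_side_attack())
```

    Replace `"127.0.0.1"` in `simulate_client_side_attack` with your LAN address and run the victim half from the other box, and the same flow is what the framework does with HTTPPORT and LPORT: both ports must be reachable by the victim, and a host firewall on your own machine blocking inbound connections to either will stall the exploit before the target even matters.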

  8. #8  itsmedave (Junior Member, joined Jan 2007, 5 posts)
    Thanks, that cleared up some stuff for me.
    Every time I learn something new, I end up googling new questions for hours - so this time, I'll try another exploit.
    I've looked at the other exploits available in Metasploit, and I figure a phpBB exploit might be easier for me to do atm. I'll try to set up a phpBB on a free webspace somewhere, and then try to exploit that instead.
    It's very likely i'll be back with even more questions in a day or two.
    Last edited by itsmedave; January 23rd, 2007 at 12:56 AM.
