Bug #2515
windows/meterpreter/reverse_https doesn't honor original LHOST
| Status: | Closed | Start date: | 09/10/2010 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% |
|
| Category: | - | |||
| Target version: | - | |||
| Resolution: | fixed | Release Note: |
Description
In binary form the aforementioned payload doesn't honor the LHOST set when it was built during its second stage sent by multi/handler. This breaks tunneling in many situations
A couple solutions exist that I can see:- An advanced option be able to be set to have multi/handler send different LHOSTs in second stage based on the patch tags built into the reverse_https payload
- Have the payload pass it's original options to multi/handler during the initial stage (not really optimal)
- Give the initial stage the ability to try multiple IP addresses (making LHOST effectively LHOSTS). So if a connection occurs, the payload is smart enough to keep running the 1st stage until multi/handler sends it an IP it can actually send to.
History
Updated by Rob Fuller over 1 year ago
Also, it might do to revisit #445
Updated by HD Moore over 1 year ago
This doesn't make sense to me; if the second-stage host is wrong (what you enter in multi/handler), then just set it to the correct value by hand. If the payload can still connect to its hardcoded first-stage LHOST, then there is no reason you can't set the second-stage name to match this in multi/handler. Adding an override is easy for the second stage, but I am not sure this makes sense given the above.
Updated by Rob Fuller about 1 year ago
Here is the scenario:
Victim 1 -> 443 -> Attacker
Victim 2 isn't allowed to touch the internet but is allowed to touch other hosts
Attacker is using the single point of entry his IP/443 for other hosts during a phish and doesn't want to jeopardize other possible shells by dropping the multi/handler (not for too long at least)
Attacker uses netcat to forward 443 on Victim 1 to Attacker:443
Attacker generates a meterpreter payload the points at Victim 1:443
initial connection goes Victim 2 -> 443 -> Victim 1 -> 443 -> Attacker
handler picks it up and passes back the Attacker's IP to connect to
Victim 2 can't connect straight to it and drops the connection.
Granted it's a pretty corner case, but there are pretty cool implications of what could be accomplished with the option to set a fake LHOST based on the tag of a binary
Updated by Tod Beardsley 4 months ago
- Status changed from New to Resolved
- Resolution set to fixed
- 10 set to 0
Obviated by latest reverse_http stager
Updated by Jonathan Cran about 1 month ago
- Status changed from Resolved to Closed