Testing a exploit - connection but no action
Hey guys,
I tried pulling a exploit off milw0rm - Mozilla Firefox 3.5 Heap Spray Exploit to be exact - and I've gone ahead and set it up running. It tells me to have someone connect on port 80 but when I do, nothing happens. Firefox just says "Failed to establish a connection".
I've checked nmap and the port does open so it appears the exploit is trying to do its job. Tcpdump also shows there is an attempt of a connection of some sort.
Mozilla Firefox 3.5 (Font tags) Remote Heap Spray Exploit <-- Link to the exploit im trying to use.
Results from konsole:
Listening on port 80.
Have someone connect to you.
Type <control>-c to exit..
Any idea whats not working here? If you need any more info to be able to help me - let me know and Ill be glad to share.
Thanks in advance,
Wolf
I'm wondering - are you making the completely un-obvious mistake of thinking that because nothing appears you have not got a connection?
After a small amount of time, try typing "id" and hitting enter (obviously without the quotes).
Just curious, I've seen it before (but haven't tried this one out just yet I think, so might not be the case).
Also does tcpdump ONLY show one "attempt" at connection, or do you get the full SYN/SYN+ACK/ACK going... and then the blank screen?
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
Are you using a vulnerable version of the browser?
And don't forget to shut down apache before starting metasploit:
/etc/init.d/apache2 stop
And Gitsnik is right, do you see the SYN, SYN/ACK, ACK?
Auswaertsspiel
My results
Ok so this is what i get:
Type <control>-c to exit..
10.0.1.7 - - [20/Sep/2009 17:18:39] "GET / HTTP/1.1" 200 -
[-] Exploit sent... [-]
[-] Wait about 30 seconds and attempt to connect.[-]
[-] Connect to IP Address: 10.0.1.7 and port 5500 [-]
10.0.1.7 - - [20/Sep/2009 17:18:40] "GET /favicon.ico HTTP/1.1" 200 -
10.0.1.7 - - [20/Sep/2009 17:18:43] "GET /favicon.ico HTTP/1.1" 200 -
id
.
I am fairly certain this is a vulnerable version im running - since it matches the exploit specs. Anyone test this out before? Im used to running exploits with metasploit - if I run it individually like this are there some commands I should be using?
Firefox crash very fast on this one. So, when u start the exploit and run
nmap you will get.
~nmap -sS -p 5500 192.168.1.3
Starting Nmap 4.85BETA10 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2009-09-21 03:01 CEST
Interesting ports on sp3-a27ca57edb8 (192.168.1.3):
PORT STATE SERVICE
5500/tcp open hotline
MAC Address: 00:0C:29:05:3B:53 (VMware)
but only after sec or less the nmap show the that port is closed
Starting Nmap 4.85BETA10 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2009-09-21 03:01 CEST
Interesting ports on sp3-a27ca57edb8 (192.168.1.3):
PORT STATE SERVICE
5500/tcp closed hotline
MAC Address: 00:0C:29:05:3B:53 (VMware)
I'm not sure about the 30sec so i found the solution.Code:[-] Wait about 30 seconds and attempt to connect.[-]
Make some loop for "nc [victim box] 5500" and start it before the firefox try to connect to attackers 80. So that 5500 port won't close before you connect with nc to it.
And you will get cmd with no problem ,with this exploit from milw0rm.Code:#!/bin/bash while [ 1 ] do nc 192.168.1.3 5500 sleep 1 done
One more thing i forgot,
it is a bindshell there, as you can see in the exploit.
So you got to connect to the port (5500 port) that opens on victim box. As i explained in earlier reply.Code:// windows/shell_bind_tcp - 317 byte
You were probably useing reverse_tcp with the msf. And the meterpreter.
so,
It's a raw binding of shell to port. No meterpreter commands, just cmd. I think.Code:Im used to running exploits with metasploit - if I run it individually like this are there some commands I should be using?
Thanks for the reply.
I tested out the NC bash script but it didnt work for me. I just get a connection timed out from nc results. So still no success on this exploit for me
Any tips?
Side Note: to others.... be sure to check your iptables! My original troubles in this was a result from previous iptable settings.
Hopefully this isnt the case....the sploit says version 3.5 - im on 3.5.3 .....?
Isn't that the latest release? If so, it's probably not vulnerable.Originally Posted by wolf17
edit: http://blog.mozilla.com/security/200...in-firefox-35/
Update: This vulnerability has been fixed in Firefox 3.5.1, released Thursday, July 16, 2009
Thanks for the link.
Yep seems its patched.
Posting Permissions
