SoniaKhan closed this 7 years ago
Could you share the commands and screenshots to understand the setup?
Hi, bro, the same problem) I'm using a VPS with Debian 8. I create the RTF using the toolkit (ex. IP 185.xx.1xx.175) with apache2 running! When the Invoice.rtf is successfully created I run apache2 stop, then run the python command -M with the same IP (185.xx.1xx.175)/malicious.exe tmp/malicious.exe. When I open the RTF on the remote victim machine (IP 95.29.xxx.xxx) nothing happens.
However, when I run it locally using msf I get the meterpreter.
Oops, testing on Win7 SP2.
Did you open the ports on your VPS?
Yes, port 80 is open.
With the python server running, when you connect to the server IP directly via browser the HTA gets downloaded. Even if I open the HTA nothing happens.
@hiaby, are you testing on Windows? Try Linux.
No, I have a Linux VPS. I try to open malicious.rtf on Win7.
Can you make a video of remote work? I can give you access to my VPS if you need..
A tutorial type like for version 2 on YouTube.
So as you see, when I open the malicious RTF it gets 2 GET requests and nothing happens next...
And what is error no 104 connection refused by peer?
@hiaby, what is the IE version on the target? Also, make sure you have copied your exe payload to the /tmp folder if you specify the -l /tmp/iexplorer.exe argument.
Yes, I did copy it to tmp. Should I make any extra configurations to apache2 perhaps? IE version 11. Are you sure the HTA file is correct? I tested again locally (Kali in VMware, Win 7 host machine) and it sometimes fails to create the malicious RTF.. just a blank RTF as output. However, yesterday it worked locally perfectly well with a meterpreter shell.. What if I put the malicious.exe in /var/www/html myself, then run python ** -l /var/www/html..
Does it only work on port 80?
Can I make it listen on 443?
Maybe it is a problem connected with ports? When using HTA + local payload, same port to connect? Interference?
It gets the HTA, the HTA runs to download the main payload from the same location, same port... when meterpreter is used it uses a different port, right?
So one must have two VPSs to run... one to host the HTA and the python server, another to host the payload.. or ..
The payload and HTA will both be delivered by the python script on the specified port, which is 80 by default; the -l argument lets the script know from where it should read the payload when a request for the exe is received.
Try with no obfuscation (-x 0 argument) to ensure that obfuscation is not breaking the structure of the RTF.
Ok. By the way, how do I stop the py server.. any command? When using the VPS I have to reboot all the time )))
Now testing version 18/04/2017 - with server.py and manual RTF creation.
Yes, version 1 works perfectly!!!
So it is about obfuscation, bro...
Hopefully you have time to fix the issue. Thanks for your big work.
Perhaps you should make a separate obfuscation tool for it.. to use in manual mode...
Glad that it worked for you.
Meanwhile you could try to generate another obfuscated RTF file and check again, the script generates dynamic RTF each time.
Can you try to generate non-obfuscated RTF with -x 0 argument using v3.0 script and check again?
Ok, I will. But I'm dying for sleep... will check tomorrow.
Sure, thanks.
I tried all steps, but no luck for me. The python script only shows "Received GET method from IP", then nothing happens.