I tried to exploit (CVE-2021-26855) my Exchange 2016 lab via VPN to a different location.
Handler failed to bind to xxx.xxx.xxx.xxx:xxxx
XXX = my WAN IP from VPN
In the VPN portal I configured RPF (Remote Port Forward) and it works fine with tests, but I can't bind it on exploits… any idea?
So I can exploit my server, but I'm still waiting for the payload.
[*] https://xxx.xxx.xxx.xxx:443 - Attempt to exploit for CVE-2021-27065
[*] Preparing the payload on the remote target
[*] Writing the payload on the remote target
[!] Waiting for the payload to be available
[!] Waiting for the payload to be available
It would be easier to help if we had any details about your VPN setup and lab network…
But let’s troubleshoot some basics first:
Open the port that your exploit opens on your attacker box (nc -lvn VPN_PRIVATE_IP PORT)
Connect to it from a known-good (not outbound-firewalled) public IP (curl http://VPN_PUBLIC_IP:PORT); if it doesn't come through, that "VPN Portal RPF" is not doing DNAT correctly
If you can connect from the known-good public IP:
Connect to it from your victim; if it doesn't come through, the victim network prevents connections to the public VPN IP
Note: VPN_PRIVATE_IP should be the IP assigned to your VPN network interface, e.g. 10.8.0.2.
If connections come through from the victim, maybe:
The exploit listener just isn’t bound to the VPN_PRIVATE_IP
The VPN messes with the MTU; try lowering your VPN network interface MTU (e.g. 1200)
The exploit itself requires access to services blocked by a firewall on either end ("waiting for payload to be available" sounds like the payload never fully deployed through the exploit, or it's trying to access something that isn't accessible from outside the victim network)
The payload requires access to services blocked by a firewall on either end (like opening a port, which requires DNAT on the victim side, instead of a reverse shell?)
Also, just to make sure, it’s not a site-to-site VPN, since you’re using the VPN public IP?
Attacker → [VPN] → VPN_PUBLIC_IP → VICTIM_PUBLIC_IP → VICTIM_PRIVATE_IP?
Edit: I’ve read the title again, and you wrote you bind to the public IP? That can’t work if none of your attack box’s network interfaces has the VPN_PUBLIC_IP directly assigned on it.
Binding to the IP means the program opens the TCP/UDP endpoint to listen for that IP/Port. And you can’t bind to something you don’t have…
Just change the Handler bind IP to your VPN_PRIVATE_IP (so the handler knows where to listen), and make sure the Payload connects back to your VPN_PUBLIC_IP (victim can’t route to your VPN_PRIVATE_IP, so you have to set that separately).
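As an added illustration of the bind-versus-callback point made in the reply above (example code written for this page, not anything posted in the thread or shipped with the exploit), the script below does two things: it shows what `bind()` actually returns when the address is not on a local interface, which is what a "Handler failed to bind" error boils down to, and it reproduces the manual listener-and-probe check in miniature. The addresses are assumptions: 127.0.0.1 stands in for VPN_PRIVATE_IP, and 192.0.2.1 (RFC 5737 TEST-NET-1, never assigned to a real interface) stands in for a VPN_PUBLIC_IP the attack box does not own.

```python
import errno
import socket
import threading

# Constructed addresses for this example. 192.0.2.1 is RFC 5737 TEST-NET-1:
# it is never configured on a local interface, so it stands in for a VPN
# public IP that the attack box does not own.
LOCAL_IP = "127.0.0.1"
UNOWNED_IP = "192.0.2.1"


def try_bind(addr, port=0):
    """Try to bind a TCP socket to addr:port, as a reverse handler would.

    Returns (True, port_actually_bound) on success, or (False, errno_name)
    on failure. Binding to an IP that is not assigned to any local
    interface fails with EADDRNOTAVAIL ("Cannot assign requested address"),
    which is what a "Handler failed to bind" message boils down to.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((addr, port))
        return True, sock.getsockname()[1]
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def listen_and_probe(bind_addr, connect_addr, payload=b"probe\n", timeout=3.0):
    """Reproduce the manual check from the reply: bind a listener on
    bind_addr (the handler's bind address, i.e. a local interface IP) and
    connect to it through connect_addr (the address the victim must use).

    Returns the bytes the listener received, or None if no connection
    arrived before the timeout, i.e. the "waiting for the payload" case.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))          # port 0: let the kernel pick a free port
    srv.listen(1)
    srv.settimeout(timeout)
    port = srv.getsockname()[1]
    received = []

    def client():
        # Stands in for the victim (or the known-good public host) connecting
        # to the address the payload was configured with.
        try:
            with socket.create_connection((connect_addr, port), timeout=timeout) as c:
                c.sendall(payload)
        except OSError:
            pass                      # unreachable / filtered: listener will time out

    t = threading.Thread(target=client)
    t.start()
    try:
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(timeout)
            received.append(conn.recv(1024))
    except socket.timeout:
        pass
    finally:
        srv.close()
    t.join()
    return received[0] if received else None


if __name__ == "__main__":
    print("bind to local IP:", try_bind(LOCAL_IP))
    print("bind to unowned IP:", try_bind(UNOWNED_IP))
    print("probe via local IP:", listen_and_probe(LOCAL_IP, LOCAL_IP))
    print("probe via unowned IP:", listen_and_probe(LOCAL_IP, UNOWNED_IP))
```

The same split exists in Metasploit's own options: `LHOST` is the address written into the payload (what the victim connects back to, so VPN_PUBLIC_IP here), while `ReverseListenerBindAddress` is where the handler actually binds (VPN_PRIVATE_IP). The exploit's served-file listener has the same pair, `SRVHOST` for the bind address and `URIHOST`/`URIPORT` for the address advertised to the target, so setting `SRVHOST` to a public IP the box does not own fails for exactly the reason `try_bind` shows.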
I have no more ideas what the problem can be; I tried all combinations… Here are my test settings. It works and the exploit is uploaded, but it's still waiting for the connection.
VPN Portforwarding for TCP 5555 configured
LAN IP Kali Linux: 192.192.192.1
LAN IP VPN OVPN: 172.172.172.1
WAN IP Ethical Attacker: 185.185.185.1
WAN IP LAB Exchange 2016: 155.155.155.1
LAN IP LAB Exchange 2016: 192.1.1.1
RHOST = 155.155.155.1
RPORT = 443
SRVHOST = 185.185.185.1
SRVPORT = 5555
LHOST = 172.172.172.1
LPORT = 8080
Log:
[*] 155.155.155.1:443 Attempt to exploit for CVE-2021-27065
[*] Preparing the payload on the remote target
[*] Writing the payload on the remote target
[!] Waiting for the payload to be available
[!] Waiting for the payload to be available
[!] Waiting for the payload to be available
[!] Waiting for the payload to be available