Handler failed to bind to WAN IP

Hey Folks,

I tried to exploit (CVE-2021-26855) my Exchange 2016 lab via VPN to a different location.

Handler failed to bind to xxx.xxx.xxx.xxx:xxxx

XXX = my WAN IP from VPN

In the VPN portal I configured RPF (Remote Port Forward) and it works fine in tests, but I can’t bind it in exploits… any idea?

So I can exploit my server, but it’s still waiting for the payload.

[*] https://xxx.xxx.xxx.xxx:443 - Attempt to exploit for CVE-2021-27065
[*] Preparing the payload on the remote target
[*] Writing the payload on the remote target
[!] Waiting for the payload to be available
[!] Waiting for the payload to be available

Would be easier to help if we got any details about your VPN setup and Lab network…
But let’s troubleshoot some basics first:

Open the port that your exploit opens on your attacker box (nc -lvnp VPN_PRIVATE_IP:PORT)

  • Connect to it from a known-good (not outbound-firewalled) public IP (curl http://VPN_PUBLIC_IP:PORT), if it doesn’t come through, that “VPN Portal RPF” is not doing DNAT correctly
    If you can connect from the known-good public IP:
  • Connect to it from your victim, if it doesn’t come through, the victim network prevents connections to the public VPN IP
    Note: VPN_PRIVATE_IP should be the IP assigned to your VPN network interface, e.g. 10.8.0.2.

If connections come through from the victim, maybe:

  • The exploit listener just isn’t bound to the VPN_PRIVATE_IP
  • The VPN mingles with MTU, try lowering your VPN network interface MTU (e.g. 1200)
  • The exploit itself requires access to services blocked by a firewall on any end (“waiting for payload to be available” sounds like the payload never fully deployed through the exploit, or it’s trying to access something that isn’t accessible from outside the victim network)
  • The payload requires access to services blocked by a firewall on any end (like opening a port, which requires DNAT on the victim side, instead of a reverse shell?)

Also, just to make sure, it’s not a site-to-site VPN, since you’re using the VPN public IP?
Attacker → [VPN] → VPN_PUBLIC_IP → VICTIM_PUBLIC_IP → VICTIM_PRIVATE_IP?

Edit: I’ve read the title again, and you wrote you bind to the public IP? That can’t work if none of your attack box’s network interfaces has the VPN_PUBLIC_IP directly assigned on it.

Binding to the IP means the program opens the TCP/UDP endpoint to listen for that IP/Port. And you can’t bind to something you don’t have…
Just change the Handler bind IP to your VPN_PRIVATE_IP (so the handler knows where to listen), and make sure the Payload connects back to your VPN_PUBLIC_IP (victim can’t route to your VPN_PRIVATE_IP, so you have to set that separately).
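
The bind rule from the reply above, as an added example that is not part of the thread: a small Python check that shows which addresses the local kernel will accept for a listening socket. The address 203.0.113.10 is a constructed placeholder from a documentation range standing in for a NAT/VPN public IP, and the function names are hypothetical.

```python
import errno
import socket

# Constructed sample address (assumption, not from the thread):
# 203.0.113.10 is in the TEST-NET-3 documentation range and stands in for
# a NAT/VPN public IP that is not assigned to any local interface.
PUBLIC_IP_BEHIND_NAT = "203.0.113.10"


def try_bind(ip: str, port: int = 0) -> str:
    """Try to bind a TCP socket to ip:port and classify the result.

    Port 0 asks the kernel for any free port, so only the address is tested.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((ip, port))
        return "ok"
    except OSError as exc:
        if exc.errno == errno.EADDRNOTAVAIL:
            return "not-local"   # address is not on any local interface
        if exc.errno == errno.EADDRINUSE:
            return "in-use"      # another socket already owns ip:port
        if exc.errno == errno.EACCES:
            return "permission"  # e.g. privileged port without rights
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def bind_while_occupied() -> str:
    """Bind a second socket to a port that a listener already holds."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind(("127.0.0.1", 0))
        holder.listen(1)
        return try_bind("127.0.0.1", holder.getsockname()[1])
    finally:
        holder.close()


if __name__ == "__main__":
    for label, ip in [("loopback", "127.0.0.1"), ("wildcard", "0.0.0.0"),
                      ("public IP behind NAT", PUBLIC_IP_BEHIND_NAT)]:
        print(f"{label:22} {ip:15} -> {try_bind(ip)}")
    print(f"{'occupied port':22} {'127.0.0.1':15} -> {bind_while_occupied()}")
```

On Linux the "not-local" result assumes the default `net.ipv4.ip_nonlocal_bind=0`; with that sysctl enabled the kernel accepts binds to addresses it does not own.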

Hey NoMad,

Yes, this is correct. RPF works, I tried with simplehttpserver on this port and see my files.

Attacker → [VPN] → VPN_PUBLIC_IP → VICTIM_PUBLIC_IP → VICTIM_PRIVATE_IP

This is the scenario exactly 🙂

So I must configure this, right?

SRVHOST: ATTACKER_VPN_PUBLIC_IP
SRVPORT: ATTACKER_VPN_PUBLIC_IP_PORT (RPF)
RHOST: VICTIM_PUBLIC_IP
RPORT: VICTIM_PUBLIC_IP_PORT
LHOST: ATTACKER_VPN_PRIVATE_IP (IP from VPN Client)
LPORT: ATTACKER_VPN_PUBLIC_IP_PORT (RPF)

Thanks Buddy 🙂

SRVHOST/SRVPORT should be switched with LHOST/LPORT.
I don’t use metasploit, but I found this website about metasploit behind a NAT: https://onehostcloud.hosting/metasploit-meterpreter-nat/

SRVHOST is the bind address for the exploit to accept connections on:

SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 80 yes The local port to listen on.

LHOST is a host(name) for the meterpreter payload to connect back to:

LHOST yes The local listener hostname
LPORT 443 yes The local listener port

I have no more ideas what the problem can be, I tried all combinations… here are my test settings; it works and the exploit is uploaded, but it’s still waiting for the connection.

VPN Portforwarding for TCP 5555 configured

LAN IP Kali Linux: 192.192.192.1
LAN IP VPN OVPN: 172.172.172.1
WAN IP Ethical Attacker: 185.185.185.1
WAN IP LAB Exchange 2016: 155.155.155.1
LAN IP LAB Exchange 2016: 192.1.1.1

RHOST = 155.155.155.1
RPORT = 443

SRVHOST = 185.185.185.1
SRVPORT = 5555

LHOST = 172.172.172.1
LPORT = 8080

Log:
155.155.155.1:443 Attempt to exploit for CVE-2021-27065
Preparing the payload on the remote target
[*]Writing the payload on the remote target
[!] Waiting for the payload to be available
[!] Waiting for the payload to be available
[!] Waiting for the payload to be available
[!] Waiting for the payload to be available