Metasploit mailing list archives

Win32_Bind_Stg_Upexec Payload


From: mmiller at hick.org (mmiller at hick.org)
Date: Wed, 11 May 2005 09:26:08 -0500

On Wed, May 11, 2005 at 10:10:18AM -0400, jesus saves wrote:
> Hi,
>
> I am testing the above payload within my test network. I am exploiting a
> W2K machine using the rpc dcom exploit module. For testing purposes, I am
> attempting to upload and execute "notepad.exe" on my target machine. After
> executing the exploit module, I notice on my target machine that
> "metasploit.exe" is listed in the running processes, but not notepad.exe.
> With this particular payload, are the executable file names renamed to
> "metasploit.exe" ?

Yes, uploaded processes are written to the disk as 'C:\metasploit.exe' and
then executed.  The source code for this payload can be found under:

src/shellcode/win32/standard/win32_stage_uploadexec.asm
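
For defenders, the reply above means the original file name never appears on the target, so detection has to key on the fixed drop path instead. The following is an added example, not part of the original post or of Metasploit; the event fields (`host`, `kind`, `path`), host names and sample events are constructed for illustration.

```python
import ntpath

# Drop path as stated in the reply above; everything else is constructed.
DROP_PATH = r"C:\metasploit.exe"

def normalize(path: str) -> str:
    """Canonicalize a Windows path so logged variants compare equal."""
    p = path.strip().strip('"')
    for prefix in ("\\\\?\\", "\\??\\"):      # \\?\ and \??\ namespace prefixes
        if p.startswith(prefix):
            p = p[len(prefix):]
    # normpath collapses '.' segments, normcase lowercases and fixes slashes
    return ntpath.normcase(ntpath.normpath(p))

def drop_path_events(events):
    """Return every event whose path resolves to the fixed drop path."""
    target = normalize(DROP_PATH)
    return [e for e in events if normalize(e.get("path", "")) == target]

def write_then_exec_hosts(events):
    """Hosts where the drop path was written and later executed.

    Assumes the events are already in time order.
    """
    written, flagged = set(), []
    for e in drop_path_events(events):
        if e["kind"] == "file_create":
            written.add(e["host"])
        elif e["kind"] == "process_create" and e["host"] in written:
            if e["host"] not in flagged:
                flagged.append(e["host"])
    return flagged

# Constructed sample events (hypothetical schema, time ordered).
SAMPLE_EVENTS = [
    {"host": "W2K-LAB1", "kind": "file_create", "path": r"C:\metasploit.exe"},
    {"host": "W2K-LAB1", "kind": "process_create", "path": '"c:/METASPLOIT.EXE"'},
    {"host": "W2K-LAB1", "kind": "process_create",
     "path": r"C:\WINNT\system32\notepad.exe"},
    {"host": "W2K-LAB2", "kind": "process_create", "path": r"\??\C:\metasploit.exe"},
    {"host": "W2K-LAB3", "kind": "file_create", "path": r"C:\temp\metasploit.exe"},
]

if __name__ == "__main__":
    for e in drop_path_events(SAMPLE_EVENTS):
        print(e["host"], e["kind"], e["path"])
    print("write then execute:", write_then_exec_hosts(SAMPLE_EVENTS))
```

A host that shows only the process-creation event (W2K-LAB2 in the sample) is still worth reviewing, since the file write may simply not have been logged.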


