Metasploit mailing list archives
meterpreter bug, or maybe operator error
From: Joshua Smith <lazydj98 () gmail com>
Date: Fri, 15 Jan 2010 17:00:51 -0500
Attacker is BT4, Ruby 1.8.7, framework 3.3.4-dev 7960, console 3.3.4-dev 8065; vic is XP SP3 and running a reverse meterpreter executable (which was created a few weeks ago) as localadmin.

When trying to create a socket w/in meterpreter, I get a few errors, but the only thing that bothers me is that the socket seems to ignore the localport. After specifying localport (the second time) the packet sources from 2115 instead of 80 as directed. It started at 2111; I ran it a few times. Meterpreter is vic:2110 -> attacker:6666. I found something that seemed to be listening on the vic on 80; I killed that, but it still uses a port near 2110. Is there a limitation on what ports you can use, or am I using the wrong method?

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
/usr/lib/ruby/1.8/i486-linux/readline.so: warning: already initialized constant HISTORY
/usr/lib/ruby/1.8/i486-linux/readline.so: warning: already initialized constant FILENAME_COMPLETION_PROC
/usr/lib/ruby/1.8/i486-linux/readline.so: warning: already initialized constant USERNAME_COMPLETION_PROC
/usr/lib/ruby/1.8/i486-linux/readline.so: warning: already initialized constant VERSION
params = Rex::Socket::Parameters.new('PeerHost' => '10.1.1.1', 'PeerPort' => 80)
=> #<Rex::Socket::Parameters:0xb7134b80 @comm=Rex::Socket::Comm::Local, @peerport=80, @context={}, @ssl=false, @server=false, @proto="tcp", @peerhost="10.1.1.1", @timeout=5, @bare=false, @localport=0, @v6=false, @retries=0, @localhost="0.0.0.0">
conn = client.net.socket.create_tcp_client(params)
=> #<Rex::Post::Meterpreter::Extensions::Stdapi::Net::SocketSubsystem::TcpClientChannel:0xb70fb3a8 @rsock=#<Socket:0xb70fb0c4>, @lsock=#<Socket:0xb70fb0b0>, @cid=1, @client=#<Session:meterpreter 10.1.1.2:2110>, @type="stdapi_net_tcp_client", @params=#<Rex::Socket::Parameters:0xb7134b80 @comm=Rex::Socket::Comm::Local, @peerport=80, @context={}, @ssl=false, @server=false, @proto="tcp", @peerhost="10.1.1.1", @timeout=5, @bare=false, @localport=0, @v6=false, @retries=0, @localhost="0.0.0.0">, @flags=1>
conn.write("HEAD / HTTP/1.0\r\n\r\n")
=> 19
conn.get_once
NoMethodError: undefined method `get_once' for #<Rex::Post::Meterpreter::Extensions::Stdapi::Net::SocketSubsystem::TcpClientChannel:0xb70fb3a8>
from (irb):4:in `cmd_irb'
from /opt/metasploit3/msf3/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:196:in `cmd_irb'
from /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `send'
from /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `run_command'
from /opt/metasploit3/msf3/lib/rex/post/meterpreter/ui/console.rb:99:in `run_command'
from /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:201:in `run_single'
from /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `each'
from /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `run_single'
from /opt/metasploit3/msf3/lib/rex/post/meterpreter/ui/console.rb:65:in `interact'
from /opt/metasploit3/msf3/lib/rex/ui/text/shell.rb:134:in `call'
from /opt/metasploit3/msf3/lib/rex/ui/text/shell.rb:134:in `run'
from /opt/metasploit3/msf3/lib/rex/post/meterpreter/ui/console.rb:63:in `interact'
from /opt/metasploit3/msf3/lib/msf/base/sessions/meterpreter.rb:204:in `_interact'
from /opt/metasploit3/msf3/lib/rex/ui/interactive.rb:48:in `interact'
from /opt/metasploit3/msf3/lib/msf/ui/console/command_dispatcher/core.rb:1199:in `cmd_sessions'
from /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `send'
from /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `run_command'
from /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:201:in `run_single'
from /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `each'
from /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `run_single'
from /opt/metasploit3/msf3/lib/msf/ui/console/command_dispatcher/exploit.rb:176:in `cmd_exploit'
from /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `send'
from /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `run_command'
from /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:201:in `run_single'
from /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `each'
from /opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `run_single'
from /opt/metasploit3/msf3/lib/rex/ui/text/shell.rb:144:in `run'
from ./msfconsole:92
>> conn.inspect
=> "#<Rex::Post::Meterpreter::Extensions::Stdapi::Net::SocketSubsystem::TcpClientChannel:0xb70fb3a8 @rsock=#<Socket:0xb70fb0c4>, @lsock=#<Socket:0xb70fb0b0>, @cid=nil, @client=#<Session:meterpreter 10.1.1.2:2110>, @type=\"stdapi_net_tcp_client\", @params=#<Rex::Socket::Parameters:0xb7134b80 @comm=Rex::Socket::Comm::Local, @peerport=80, @context={}, @ssl=false, @server=false, @proto=\"tcp\", @peerhost=\"10.1.1.1\", @timeout=5, @bare=false, @localport=0, @v6=false, @retries=0, @localhost=\"0.0.0.0\">, @flags=1>"
params = Rex::Socket::Parameters.new('PeerHost' => '10.1.1.1', 'PeerPort' => 80, 'LocalHost' => '10.1.1.2', 'LocalPort' => 80 )
=> #<Rex::Socket::Parameters:0xb6e78ba8 @comm=Rex::Socket::Comm::Local, @peerport=80, @context={}, @ssl=false, @server=false, @proto="tcp", @peerhost="10.1.1.1", @timeout=5, @bare=false, @localport=80, @v6=false, @retries=0, @localhost="10.1.1.2">
conn = client.net.socket.create_tcp_client(params)
=> #<Rex::Post::Meterpreter::Extensions::Stdapi::Net::SocketSubsystem::TcpClientChannel:0xb6e6f184 @rsock=#<Socket:0xb6e6f06c>, @lsock=#<Socket:0xb6e6f058>, @cid=4, @client=#<Session:meterpreter 10.1.1.2:2110>, @type="stdapi_net_tcp_client", @params=#<Rex::Socket::Parameters:0xb6e78ba8 @comm=Rex::Socket::Comm::Local, @peerport=80, @context={}, @ssl=false, @server=false, @proto="tcp", @peerhost="10.1.1.1", @timeout=5, @bare=false, @localport=80, @v6=false, @retries=0, @localhost="10.1.1.2">, @flags=1>
conn.write("HEAD / HTTP/1.0\r\n\r\n SHIZ**********SHIZ")
=> 38

This results in a packet sourced from 2115, not 80.

--
- Josh
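Added example, not from the post and not Metasploit code: plain Ruby reproducing the OS-level distinction behind the observation above. A client socket that is connected without a prior bind gets a kernel-chosen ephemeral source port (on XP the dynamic range starts at 1025, which is consistent with the 211x ports seen in the capture); only binding to the requested local port before connect makes the source port the one asked for. A loopback HEAD responder is constructed inline so the code runs offline; with_loopback_server, head_request and pick_free_port are names chosen for this example.

```ruby
require 'socket'

# Minimal loopback HTTP responder (constructed for this example) so the client
# code below can run offline. Yields the port it listens on and returns the
# block's value.
def with_loopback_server
  server = TCPServer.new('127.0.0.1', 0)        # port 0: the OS picks a free port
  port = server.addr[1]
  worker = Thread.new do
    begin
      conn = server.accept
      # Consume the request head up to the blank line, then answer it.
      while (line = conn.gets) && line != "\r\n"; end
      conn.write("HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
      conn.close
    rescue IOError, SystemCallError
      # listener was closed before a client arrived; nothing to do
    end
  end
  yield port
ensure
  server.close if server
  worker.join(2) if worker
end

# Sends the same HEAD request as the post, through a plain Ruby socket.
# If local_port is given, the socket is bound to it BEFORE connect; otherwise
# the kernel assigns an ephemeral source port. Returns [source_port, status_line],
# where source_port is what a packet capture would show as the TCP source port.
def head_request(peer_host, peer_port, local_port: nil)
  sock = Socket.new(Socket::AF_INET, Socket::SOCK_STREAM)
  if local_port
    sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_REUSEADDR, true)
    sock.bind(Socket.pack_sockaddr_in(local_port, '0.0.0.0'))
  end
  sock.connect(Socket.pack_sockaddr_in(peer_port, peer_host))
  sock.write("HEAD / HTTP/1.0\r\n\r\n")
  source_port = sock.local_address.ip_port
  status_line = sock.gets.to_s.chomp
  [source_port, status_line]
ensure
  sock.close if sock
end

# Ask the kernel for a currently unused port to use as the "requested" local
# port (constructed helper; the post used 80, which needs privileges on most
# systems and was already occupied on the victim).
def pick_free_port
  probe = TCPServer.new('127.0.0.1', 0)
  port = probe.addr[1]
  probe.close
  port
end

if $PROGRAM_NAME == __FILE__
  with_loopback_server do |port|
    src, status = head_request('127.0.0.1', port)
    puts "no bind:      source port #{src} (kernel-chosen), #{status}"
  end
  wanted = pick_free_port
  with_loopback_server do |port|
    src, status = head_request('127.0.0.1', port, local_port: wanted)
    puts "bound #{wanted}: source port #{src}, #{status}"
  end
end
```

Run it twice and the unbound source port changes between runs while the bound one stays at the requested value; that is the check to apply to any socket layer that claims to honour a local-port parameter: compare the port reported by the socket (or seen on the wire) with the one requested, rather than trusting the parameter object, which in the post still shows @localport=80 even though the packet left from 2115.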
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- meterpreter bug, or maybe operator error Joshua Smith (Jan 15)
- Re: meterpreter bug, or maybe operator error HD Moore (Jan 17)
- Re: meterpreter bug, or maybe operator error Joshua Smith (Jan 18)
- Re: meterpreter bug, or maybe operator error HD Moore (Jan 17)