Metasploit mailing list archives

meterpreter bug, or maybe operator error


From: Joshua Smith <lazydj98 () gmail com>
Date: Fri, 15 Jan 2010 17:00:51 -0500

attacker is BT4, Ruby 1.8.7, framework 3.3.4-dev 7960, console 3.3.4-dev
8065
vic is XP SP3 and running reverse meterpreter executable (which was created
a few weeks ago) as localadmin

when trying to create a socket w/in meterpreter, I get a few errors, but the
only thing that bothers me is that the socket seems to ignore the
localport.  After specifying localport (the second time) the packet sources
from 2115 instead of 80 as directed.  It started at 2111, I ran it a few
times.
Meterpreter is vic:2110 -> attacker:6666.  I found something that seemed to
be listening on the vic on 80, I killed that, but it still uses a port near
2110.  Is there a limitation on what ports you can use, am I using the wrong
method?

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client

/usr/lib/ruby/1.8/i486-linux/readline.so: warning: already initialized
constant HISTORY
/usr/lib/ruby/1.8/i486-linux/readline.so: warning: already initialized
constant FILENAME_COMPLETION_PROC
/usr/lib/ruby/1.8/i486-linux/readline.so: warning: already initialized
constant USERNAME_COMPLETION_PROC
/usr/lib/ruby/1.8/i486-linux/readline.so: warning: already initialized
constant VERSION

params = Rex::Socket::Parameters.new('PeerHost' => '10.1.1.1', 'PeerPort'
=> 80)
=> #<Rex::Socket::Parameters:0xb7134b80 @comm=Rex::Socket::Comm::Local,
@peerport=80, @context={}, @ssl=false, @server=false, @proto="tcp",
@peerhost="10.1.1.1", @timeout=5, @bare=false, @localport=0, @v6=false,
@retries=0, @localhost="0.0.0.0">

conn = client.net.socket.create_tcp_client(params)
=>
#<Rex::Post::Meterpreter::Extensions::Stdapi::Net::SocketSubsystem::TcpClientChannel:0xb70fb3a8
@rsock=#<Socket:0xb70fb0c4>, @lsock=#<Socket:0xb70fb0b0>, @cid=1,
@client=#<Session:meterpreter 10.1.1.2:2110>, @type="stdapi_net_tcp_client",
@params=#<Rex::Socket::Parameters:0xb7134b80 @comm=Rex::Socket::Comm::Local,
@peerport=80, @context={}, @ssl=false, @server=false, @proto="tcp",
@peerhost="10.1.1.1", @timeout=5, @bare=false, @localport=0, @v6=false,
@retries=0, @localhost="0.0.0.0">, @flags=1>

conn.write("HEAD / HTTP/1.0\r\n\r\n")
=> 19

conn.get_once
NoMethodError: undefined method `get_once' for
#<Rex::Post::Meterpreter::Extensions::Stdapi::Net::SocketSubsystem::TcpClientChannel:0xb70fb3a8>
        from (irb):4:in `cmd_irb'
        from
/opt/metasploit3/msf3/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:196:in
`cmd_irb'
        from
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `send'
        from
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in
`run_command'
        from
/opt/metasploit3/msf3/lib/rex/post/meterpreter/ui/console.rb:99:in
`run_command'
        from
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:201:in
`run_single'
        from
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `each'
        from
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in
`run_single'
        from
/opt/metasploit3/msf3/lib/rex/post/meterpreter/ui/console.rb:65:in
`interact'
        from /opt/metasploit3/msf3/lib/rex/ui/text/shell.rb:134:in `call'
        from /opt/metasploit3/msf3/lib/rex/ui/text/shell.rb:134:in `run'
        from
/opt/metasploit3/msf3/lib/rex/post/meterpreter/ui/console.rb:63:in
`interact'
        from
/opt/metasploit3/msf3/lib/msf/base/sessions/meterpreter.rb:204:in
`_interact'
        from /opt/metasploit3/msf3/lib/rex/ui/interactive.rb:48:in
`interact'
        from
/opt/metasploit3/msf3/lib/msf/ui/console/command_dispatcher/core.rb:1199:in
`cmd_sessions'
        from
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `send'
        from
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in
`run_command'
        from
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:201:in
`run_single'
        from
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `each'
        from
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in
`run_single'
        from
/opt/metasploit3/msf3/lib/msf/ui/console/command_dispatcher/exploit.rb:176:in
`cmd_exploit'
        from
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in `send'
        from
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:239:in
`run_command'
        from
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:201:in
`run_single'
        from
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in `each'
        from
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:195:in
`run_single'
        from /opt/metasploit3/msf3/lib/rex/ui/text/shell.rb:144:in `run'
        from ./msfconsole:92>> conn.inspect
=>
"#<Rex::Post::Meterpreter::Extensions::Stdapi::Net::SocketSubsystem::TcpClientChannel:0xb70fb3a8
@rsock=#<Socket:0xb70fb0c4>, @lsock=#<Socket:0xb70fb0b0>, @cid=nil,
@client=#<Session:meterpreter 10.1.1.2:2110>,
@type=\"stdapi_net_tcp_client\",
@params=#<Rex::Socket::Parameters:0xb7134b80 @comm=Rex::Socket::Comm::Local,
@peerport=80, @context={}, @ssl=false, @server=false, @proto=\"tcp\",
@peerhost=\"10.1.1.1\", @timeout=5, @bare=false, @localport=0, @v6=false,
@retries=0, @localhost=\"0.0.0.0\">, @flags=1>"

params = Rex::Socket::Parameters.new('PeerHost' => '10.1.1.1', 'PeerPort'
=> 80, 'LocalHost' => '10.1.1.2', 'LocalPort' => 80 )
=> #<Rex::Socket::Parameters:0xb6e78ba8 @comm=Rex::Socket::Comm::Local,
@peerport=80, @context={}, @ssl=false, @server=false, @proto="tcp",
@peerhost="10.1.1.1", @timeout=5, @bare=false, @localport=80, @v6=false,
@retries=0, @localhost="10.1.1.2">

conn = client.net.socket.create_tcp_client(params)
=>
#<Rex::Post::Meterpreter::Extensions::Stdapi::Net::SocketSubsystem::TcpClientChannel:0xb6e6f184
@rsock=#<Socket:0xb6e6f06c>, @lsock=#<Socket:0xb6e6f058>, @cid=4,
@client=#<Session:meterpreter 10.1.1.2:2110>, @type="stdapi_net_tcp_client",
@params=#<Rex::Socket::Parameters:0xb6e78ba8 @comm=Rex::Socket::Comm::Local,
@peerport=80, @context={}, @ssl=false, @server=false, @proto="tcp",
@peerhost="10.1.1.1", @timeout=5, @bare=false, @localport=80, @v6=false,
@retries=0, @localhost="10.1.1.2">, @flags=1>

conn.write("HEAD / HTTP/1.0\r\n\r\n SHIZ**********SHIZ")
=> 38

This results in a packet sourced from 2115, not 80.

-- 
- Josh
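To make the symptom above concrete, here is an added plain-Ruby illustration (not Metasploit code and not from the original post) of what honouring a LocalPort actually means at the socket layer: the client binds to the chosen source port before connecting, and the peer then sees that port, whereas a local port of 0 (the default the first Parameters object shows) lets the OS pick an ephemeral port like the 2110-2115 range observed. The loopback listener, addresses and port numbers are constructed for the demo; port 80 needs privileges, so a high port is used instead.

```ruby
require 'socket'

# Connect to host:port from a caller-chosen local source port and return the
# source port the *peer* actually observed.  local_port == 0 means "let the OS
# choose an ephemeral port", which is the behaviour the post complains about.
def connect_with_local_port(host, port, local_port)
  # In-process listener standing in for the remote peer (constructed for the demo).
  server = TCPServer.new(host, port)

  sock = Socket.new(:INET, :STREAM)
  sock.setsockopt(:SOCKET, :REUSEADDR, true)
  # bind() before connect() is what fixes the source port; skipping it (or
  # binding to port 0) yields an ephemeral port exactly like the 2115 seen above.
  sock.bind(Addrinfo.tcp(host, local_port))
  sock.connect(Addrinfo.tcp(host, port))

  accepted = server.accept
  observed = accepted.peeraddr[1]   # port the peer sees as our source port
  accepted.close
  sock.close
  server.close
  observed
end

if __FILE__ == $0
  # Constructed ports; 18081 plays the role of the "LocalPort => 80" request.
  puts "bound source port seen by peer: #{connect_with_local_port('127.0.0.1', 18080, 18081)}"
  puts "ephemeral source port seen by peer: #{connect_with_local_port('127.0.0.1', 18082, 0)}"
end
```

On the wire this is also what a network sensor records, so a connection that should have come from port 80 but shows an ephemeral source port is a quick sign the local-port request was dropped somewhere before bind().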