Metasploit mailing list archives

Re: Meterpreter unexpectedly closes


From: "5.K1dd" <5.k1dd () austinhackers org>
Date: Fri, 09 Jul 2010 23:57:26 -0500

If you are using an exploit of a 3rd party app, like Adobe, this can
happen.  This is because the exploit causes the app to hang, but
eventually Windows will close the hung app and thus kill the shellcode
running inside.  I think some internal Windows exploits may do the same
thing, when the exploited process simply dies and is respawned by the
OS.  Just normal crash handling behavior for the OS.  You need to
connect to the session quickly and migrate to a non-hung process that
will not be killed by the OS.


Hi list,
I've msfencoded a meterpreter reverse https payload using a win binary as
a template. Everything seems to work fine when I test it in my XP SP3.
I see the outbound connection and the process running, but after about
a minute or so the process dies if there's no listener configured on
the receiving end and doesn't respawn.
What am I doing wrong here? I must be missing something obvious. Is
there a timeout option for this reverse shell or a way to keep the
process always running, even if it can't connect to the listener? Or is
this because msfencoding the payload somehow breaks it? I have tested
that it does work properly when the listener is waiting for it, it's
just the fact it times out so quickly that is a pain.

Also, saw the reverse_tcp allports payload and
was wondering if there's a similar one for reverse meterpreter https.
Ideally one could configure default ports to try 1st and then keep
trying randomly the other 65000 or so to evade IDS. I know this would
increase the payload size but it would be pretty stealth egress wise.

Thanks. I do really love metasploit and the whole community behind it. You all rock.

Miguel



      


------------------------------------------------------------------------

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
