Metasploit mailing list archives

Re: uploadexec and kitrap0d

From: Miguel Rios <miguelrios35 () yahoo com>
Date: Sat, 10 Jul 2010 06:58:52 -0700 (PDT)

Just tried it. Working like a charm now. Uploaded and executed without a problem.
I should be the one thanking you for sharing so much of your knowledge. Your scripts rock and I have learned tons from 
reading you over the years.

I also noticed the kitrap0d script didn't work on the win 7 machine, probably all patched by now. I know that getprivs 
has gone through some changes so what's the best script to run right off the bat when you have meterpreter running as 
non-privileged user, before running scraper, hashdump and the like?


cheers
--- On Sat, 7/10/10, Carlos Perez <carlos_perez () darkoperator com> wrote:

From: Carlos Perez <carlos_perez () darkoperator com>
Subject: Re: [framework] Meterpreter unexpectedly closes
To: "Miguel Rios" <miguelrios35 () yahoo com>
Cc: framework () spool metasploit com
Date: Saturday, July 10, 2010, 1:45 PM

svn up and give it a try now, it should be fixed. Thanks for reporting it
On Jul 10, 2010, at 9:21 AM, Miguel Rios wrote:
Thanks Carlos.
Here's the output: running against a win 7 7600 build (english) machine.

meterpreter > run uploadexec -e /root/notepad.exe
[*] Running Upload and Execute Meterpreter script....
[*]     Uploading /root/notepad.exe....
[*]     /root/notepad.exe uploaded!
[*]     Uploaded as C:\Users\xx\AppData\Local\Temp\TMP42.exe
[-] Error in script: ArgumentError wrong number of arguments (4 for 1)
meterpreter > run uploadexec -e /root/notepad.exe -o /Q
[*] Running Upload and Execute Meterpreter script....
[*]     Uploading /root/notepad.exe....
[*]     /root/notepad.exe uploaded!
[*]     Uploaded as C:\Users\xx\AppData\Local\Temp\TMP41.exe
[-] Error in script: ArgumentError wrong number of
 arguments (4 for 1)
meterpreter > run uploadexec -e /root/notepad.exe -v
[*] Running Upload and Execute Meterpreter script....
[*]     Uploading /root/notepad.exe....
[*]     /root/notepad.exe uploaded!
[*]     Uploaded as C:\Users\xx\AppData\Local\Temp\TMP45.exe
[-] Error in script: ArgumentError wrong number of arguments (4 for 1)
meterpreter >           

--- On Sat, 7/10/10, Carlos Perez <carlos_perez () darkoperator com> wrote:

From: Carlos Perez <carlos_perez () darkoperator com>
Subject: Re: [framework] Meterpreter unexpectedly closes
To: "Miguel Rios" <miguelrios35 () yahoo com>
Cc: "Alex Polychronopoulos" <tweakier () gmail com>,
 framework () spool metasploit com
Date: Saturday, July 10, 2010, 12:49 PM

Miguel 
Do send me the output of what your getting and the command it self and I will take a look
Cheers,Carlos
On Jul 10, 2010, at 8:34 AM, Miguel Rios wroteThanks. That explains it perfectly. For some reason I thought that 
meterpreter would continuously try to connect back. Now I know I was wrong. I had tried the loop option with VBS but 
the problem is that my custom script is designed to delete itself after running the meterpreter binary, so it
 obviously won't be there to respawn meterpreter. A bit of a catch 22. 

Thinking out loud, I could either schedule it to start every x minutes (but you need to be admin to use the 'at' and 
'schtasks' I believe) or have it auto run at startup through the registry and have a listener permanently set up on the 
internet listening and ready to run a bunch of scripts like scraper, etc (by the way, any literature out there on 
setting up just meterpreter listeners and scripts on a webserver or do I have to set up the full MSF on the server?).

Thanks also to 5.K1dd for responding but Alex cleared it up perfectly. It wasn't a question of the exploited process 
dying since it's a standalone meterpreter binary I'm playing with.

Curious to see if there is any news or development regarding the all_ports possibility for this payload, like with 
reverse_tcp. That would be super stealth and highly effective at egressing the most
 restrictive networks.

P.S. off topic here but I'm also having trouble with the uploadexec script. I manage to upload my notepad.exe binary to 
%temp% but it doesn't execute and the script spits out some error message about wrong count (4 of 1 or something like 
that) or missing argument. Does this have something to do with the -o switch? Is it mandatory? I just want my binary to 
be silently executed but I must be missing something stupidly obvious. Time to sleep maybe.

--- On Sat, 7/10/10, Alex Polychronopoulos <tweakier () gmail com>
 wrote:

From: Alex Polychronopoulos <tweakier () gmail com>
Subject: Re: [framework] Meterpreter unexpectedly closes
To: "Miguel Rios" <miguelrios35 () yahoo com>
Cc: framework () spool metasploit com
Date: Saturday, July 10, 2010, 8:28 AM

Meterpreter is designed to not persistently trying to connect back to the handler, it tries once and then dies, so 
you're not doing something wrong. What you can do here is try the msfencode -t
 loop_vbs option which converts the payload into a vbscript and runs it every 5 seconds by default (you can change this 
by editing the generated .vbs file).


On Sat, Jul 10, 2010 at 3:33 AM, Miguel Rios <miguelrios35 () yahoo com> wrote:

Hi list,
I've msfencoded a meterpreter reverse https payload using a win binary as a template. Everything seems to work fine 
when I test it in my XP SP3.
I see the outbound connection and the process running, but after about
a minute or so the process dies if there's no listener configured on
the receiving end and doesn't respawn.
What am I doing wrong here? I
must be missing something obvious. Is there a timeout option for this
reverse shell or a way to keep the process always running, even if it
can't connect to the listener? Or is this due to msfencoding the
payload somehow breaks it? I have tested that it does work properly when the listener is waiting for it, it's just the 
fact it timesout so quickly that is a pain.

Also, saw the reverse_tcp allports payload and
was wondering if there's a similar one for reverse meterpreter https.
Ideally one could configure default ports to try 1st and then keep
trying randomly the other 65000 or so to evade IDS. I know this would
increase the payload size but it would be pretty stealth egress wise.

Thanks. I do really love metasploit and the whole community behind it. You all rock.

Miguel



      
_______________________________________________

https://mail.metasploit.com/mailman/listinfo/framework













      _______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

Current thread:

Meterpreter unexpectedly closes Miguel Rios (Jul 09)
- Re: Meterpreter unexpectedly closes 5.K1dd (Jul 09)
- Re: Meterpreter unexpectedly closes Alex Polychronopoulos (Jul 10)
  - Re: Meterpreter unexpectedly closes Miguel Rios (Jul 10)
    - Re: Meterpreter unexpectedly closes Carlos Perez (Jul 10)
    - Re: Meterpreter unexpectedly closes Miguel Rios (Jul 10)
    - Re: Meterpreter unexpectedly closes Carlos Perez (Jul 10)
    - Re: uploadexec and kitrap0d Miguel Rios (Jul 10)
    - Re: uploadexec and kitrap0d Carlos Perez (Jul 10)
    - Re: uploadexec and kitrap0d Devin Kinch (Jul 11)
    - Re: uploadexec and kitrap0d Rob Fuller (Jul 12)
    - Re: uploadexec and kitrap0d Carlos Perez (Jul 12)
    - php_include confusion Jeffs (Jul 12)
    - Re: php_include confusion egypt (Jul 12)
    - Re: php_include confusion HD Moore (Jul 12)
    - Re: uploadexec and kitrap0d Carlos Perez (Jul 12)
- Re: Meterpreter unexpectedly closes Joshua J. Drake (Jul 10)
  - Re: Meterpreter unexpectedly closes CED (Jul 10)

(Thread continues...)