Metasploit mailing list archives

Re: psexec/meterpreter wonky behavior?


From: Rob Fuller <mubix () room362 com>
Date: Wed, 18 Apr 2012 22:46:35 -0400

AV usually runs a scan on a binary and can keep a lock on the file for
a while. The most I've seen is 5 minutes-ish, but it depends on the
hoops an AV goes through with new binaries on a system, as well as how
it locks and unlocks files.

Another possibility is Meterpreter didn't let go of it after the
upload. Happens on rare occasions for me, but migrating and killing the
process I was in usually mitigates that issue.

--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org



On Wed, Apr 18, 2012 at 6:18 PM, macubergeek <macubergeek () comcast net> wrote:
So I've identified boxes which use a default local Admin account.
I psexec into a box with those creds and am presented with a meterpreter
shell, sweet.
I upload wce.exe
drop to a shell and attempt to execute it, I'm presented with this error:
The process cannot access the file because it is being used by another
process.
I try to delete wce.exe and get the same error.

I guessed that AV is blocking me.

I get back on the same box the next day I drop to a shell, I can execute
wce.exe just fine and then delete it just fine.

Does anyone know what happened here? AV is the only explanation I can think
of. I've been googling this for days now…


Jim
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
%49%66%20%79%6F%75%20%63%61%6E%20%72%65%61%64%20%74%68%69%73%20%79%6F%75%20%6E%65%65%64%20%74%6F%20%67%65%74%20%61%20%67%69%72%6C%66%72%69%65%6E%64%2E



_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
