Metasploit mailing list archives

portfwd bug - Won't bind to local address


From: huperdefigo at gmail.com (Mark Baggett)
Date: Sun, 8 Feb 2009 19:41:58 -0500

Is there a bug in portfwd that prevents it from binding to the local
meterpreter address?  I have tried this on both a vanilla Windows 2000
and a Windows XP SP2 host running meterpreter and I get the same
results.   Am I doing something wrong or is this a bug?

When you run portfwd and don't provide the OPTIONAL -L IP address, it
appears to work. You get something like this:

meterpreter > portfwd add -l 6666 -r 192.168.1.1 -p 80
[*] Local TCP relay created: 0.0.0.0:6666 <-> 192.168.1.1:80

But nothing is listening on port 6666. A quick "execute -c -f cmd.exe;
interact 1; netstat -na" shows nothing listening on the port. An NMAP
of the host confirms no listener...


Macintosh:~ mark.baggett$ nmap 10.4.4.4 -p 6666

Starting Nmap 4.76 ( http://nmap.org ) at 2009-02-03 22:47 EST
Interesting ports on 10.4.4.4:
PORT STATE SERVICE
6666/tcp closed irc

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
Macintosh:~ mark.baggett$

If I try to force the matter with a -L I get a nasty "Can't assign
requested address" message.

meterpreter > portfwd add -L 10.4.4.4 -l 6666 -r 192.168.1.1 -p 80
[-] Error running command portfwd: Can't assign requested address - bind(2)
/Applications/framework3/lib/rex/socket/comm/local.rb:138:in `bind'
/Applications/framework3/lib/rex/socket/comm/local.rb:138:in `create_by_type'
/Applications/framework3/lib/rex/socket/comm/local.rb:26:in `create'
/Applications/framework3/lib/rex/socket.rb:45:in `create_param'
/Applications/framework3/lib/rex/socket.rb:52:in `create_tcp'
/Applications/framework3/lib/rex/socket.rb:59:in `create_tcp_server'
/Applications/framework3/lib/rex/services/local_relay.rb:184:in `start_tcp_relay'
/Applications/framework3/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb:219:in `cmd_portfwd'
/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/Applications/framework3/lib/rex/post/meterpreter/ui/console.rb:94:in `run_command'
/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/Applications/framework3/lib/rex/post/meterpreter/ui/console.rb:60:in `interact'
/Applications/framework3/lib/rex/ui/text/shell.rb:123:in `call'
/Applications/framework3/lib/rex/ui/text/shell.rb:123:in `run'
/Applications/framework3/lib/rex/post/meterpreter/ui/console.rb:58:in `interact'
/Applications/framework3/lib/msf/base/sessions/meterpreter.rb:181:in `_interact'
/Applications/framework3/lib/rex/ui/interactive.rb:48:in `interact'
/Applications/framework3/lib/msf/ui/console/command_dispatcher/core.rb:918:in `cmd_sessions'
/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/Applications/framework3/lib/msf/ui/console/command_dispatcher/exploit.rb:143:in `cmd_exploit'
/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/Applications/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/Applications/framework3/lib/rex/ui/text/shell.rb:127:in `run'
./msfconsole:82
meterpreter > ipconfig

Parallels OEM Adapter.
Hardware MAC: 00:1c:42:99:40:22
IP Address : 10.4.4.4
Netmask : 255.255.255.0


Here is more detail on what I am trying to do.
http://www.indepthdefense.com/2009/02/reverse-pivots-with-metasploit-how-not.html

Thanks,
Mark Baggett
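
Editor's added example (not part of the original message and not Metasploit code): the trace above reaches bind(2) through rex/socket/comm/local.rb, so the call is made by the Ruby process on the machine running msfconsole. The sketch reproduces that errno class with plain Ruby sockets and checks whether an address belongs to the local host; the helper names are hypothetical and 192.0.2.1 (TEST-NET-1) is a constructed stand-in for an address the host does not own.

```ruby
require 'socket'

# Added illustration; helper names are hypothetical, not Rex/Metasploit APIs.

# True if ip is assigned to an interface on the host running this script.
def local_address?(ip)
  Socket.ip_address_list.any? { |a| a.ip_address == ip }
end

# Attempt a TCP listener on host:port in this process, then close it.
# Returns [:ok, bound_port] or [:error, "Errno::..."].
def try_listen(host, port)
  server = TCPServer.new(host, port)
  [:ok, server.addr[1]]
rescue SystemCallError => e
  [:error, e.class.name]
ensure
  server&.close
end

# Turn the bind result into a one-line diagnosis.
def diagnose(host, port)
  status, detail = try_listen(host, port)
  return "#{host}:#{port} can be bound on this host" if status == :ok

  case detail
  when 'Errno::EADDRNOTAVAIL'
    "#{host} is not assigned to any interface on this host"
  when 'Errno::EADDRINUSE'
    "#{host}:#{port} already has a listener"
  when 'Errno::EACCES'
    "binding #{host}:#{port} needs more privileges"
  else
    "bind failed with #{detail}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Port 0 lets the OS pick a free port, so the demo cannot collide.
  # 192.0.2.1 is a constructed sample address (documentation range).
  ['0.0.0.0', '127.0.0.1', '192.0.2.1'].each do |host|
    puts "local=#{local_address?(host)}  #{diagnose(host, 0)}"
  end
end
```

Run on the host where the listener is expected; an address that reports EADDRNOTAVAIL here gives the same "Can't assign requested address" text seen in the trace.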


