Re: psexec/meterpreter wonky behavior?

[Jim Kelly <macubergeek () comcast net>]

Rob
Thanks I'm not certain at this point that AV is the culprit. I'll try the migrate suggestion. Thanks.
Jim



On Apr 18, 2012, at 10:46 PM, Rob Fuller <mubix () room362 com> wrote:

> AV usually runs a scan on a binary and can keep a lock on the file for
> a while. The most I've seen is 5 minutes -ish but it depends on the
> hoops an AV goes through with new binaries on a system, as well as how
> it locks and unlocks files.
>
> Another possibility is Meterpreter didn't let go of it after the
> upload. Happens on rare occasions for me but migrating and killing the
> process I was in usually mitigates that issue.
>
> --
> Rob Fuller | Mubix
> Certified Checkbox Unchecker
> Room362.com | Hak5.org
>
>
>
> On Wed, Apr 18, 2012 at 6:18 PM, macubergeek <macubergeek () comcast net> wrote:
> > So I've identified boxes which use a default local Admin account.
> > I psexec into a box with those creds and am presented with a meterpreter
> > shell  sweet
> > I upload wce.exe
> > drop to a shell and attempt to execute it, I'm presented with this error:
> > The process cannot access the file because it is being used by another
> > process.
> > I try to delete wce.exe and get the same error.
> >
> > I guessed that AV is blocking me.
> >
> > I get back on the same box the next day I drop to a shell, I can execute
> > wce.exe just fine and then delete it just fine.
> >
> > Does anyone know what happened here? AV is the only explanation I can think
> > of. I've been googling this for days now….
> >
> >
> > Jim
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > %49%66%20%79%6F%75%20%63%61%6E%20%72%65%61%64%20%74%68%69%73%20%79%6F%75%20%6E%65%65%64%20%74%6F%20%67%65%74%20%61%20%67%69%72%6C%66%72%69%65%6E%64%2E
> >
> >
> >
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework