Metasploit mailing list archives

find_tag Payloads


From: mmiller at hick.org (mmiller at hick.org)
Date: Thu, 30 Aug 2007 11:00:02 -0700

Can you take a capture between the attacking machine and the target?
The key is to observe that a four-byte tag is being sent across the
wire.  My guess is that the payload isn't actually finding the
connection on the target machine.  The attacking machine's framework has
no ability to tell at present that the target machine has found the
socket, it just assumes that it has.

The find_tag payload hasn't been extensively used, so it's possible that
there is a bug lingering somewhere.  You can do 'set TAG MSF1' which
should force an explicit tag to be used rather than a randomly generated
one.

On Thu, Aug 30, 2007 at 10:06:58AM +0200, Thomas Werth wrote:
Dear List,

I'm trying to get a find_tag payload to work. I tested several of them.
Meterpreter and VNC at least "printf" that they have opened a session. But in
meterpreter no communication is possible (help won't show fs funcs,
migrate timed out, use priv, too). VNC is the same.

I'm just setting a find_tag as payload and firing a test exploit. DLL
transfer is ok. After a while searching for a connection, msf tells me it has
a session. But this one isn't working.

There is one TCP connection between victim and attacker, exactly the
one the exploit is sent over.

What is needed to get find_tag payloads working?

Thomas
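
The capture check suggested in the reply above, as an added example that is not part of the original thread or of Metasploit: it walks a classic pcap file and reports which TCP segments carry the four-byte tag (here the explicit `MSF1` from `set TAG MSF1`) and on which connection. The function names, addresses, ports and sample capture are constructed for illustration, and it assumes an Ethernet/IPv4 capture with the tag contained in a single segment.

```python
import socket
import struct

def tcp_payloads(pcap):
    """Yield (frame_no, src, sport, dst, dport, payload) per IPv4/TCP frame of a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off, frame_no = 24, 0
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off, frame_no = off + 16 + caplen, frame_no + 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                              # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total = struct.unpack(">H", ip[2:4])[0] or len(ip)  # 0 on some offloaded captures
        tcp = ip[ihl:total]
        if ip[9] != 6 or len(tcp) < 20:
            continue                              # not TCP, or header truncated
        sport, dport = struct.unpack(">HH", tcp[:4])
        yield (frame_no, socket.inet_ntoa(ip[12:16]), sport,
               socket.inet_ntoa(ip[16:20]), dport, tcp[(tcp[12] >> 4) * 4:])

def find_tag(pcap, tag):
    """Return (frame_no, src, sport, dst, dport, offset) for each segment containing the tag."""
    return [(n, s, sp, d, dp, data.find(tag))
            for n, s, sp, d, dp, data in tcp_payloads(pcap) if tag in data]

def _frame(src, dst, sport, dport, payload):
    """Build one constructed Ethernet/IPv4/TCP pcap record (checksums left at zero)."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

# Constructed capture: one connection, a request segment followed by the tag segment.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _frame("192.0.2.10", "192.0.2.20", 40000, 445, b"constructed request")
          + _frame("192.0.2.10", "192.0.2.20", 40000, 445, b"MSF1"))

if __name__ == "__main__":
    print(find_tag(SAMPLE, b"MSF1"))
```

An empty result for a real capture means the tag never appeared intact in one segment of the traffic that was recorded.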


