Cn33liz / VBSMeter

VBS Reversed TCP Meterpreter Stager

Problem with meterpreter post exploit #2

Open callycab opened 7 years ago

callycab commented 7 years ago

Hi, thanks for your VBSMeter, great job. I am using it in combination with a VBA macro to generate your VBS, and the result is very interesting. However, I have some problems with my meterpreter session: some basic commands and meterpreter functions work (cd, pwd, cat, download, sysinfo), but when I want to use others like migrate or screenshot, my session dies every time. Moreover, sometimes my session dies 1 second after the connection works.

Would it be possible to know how you generated your payload (Sub run in the .vbs)? I have tried to generate several with msfvenom, the problem is that they never pass the AV like yours. Moreover, it could be interesting for me to generate some other payloads like reverse_https.

Thanks,

Cn33liz commented 7 years ago

Hi Cedric,

Could it be that the Office application is causing this issue? If you run vbsmeter from a macro, it is running inside the Excel/Word process. Do you have the same issues if you run the payload from wscript.exe? Btw, I also have a reverse http(s) version. It's in a subfolder on my git for both the js and vbs version.

https://github.com/Cn33liz/VBSMeter/tree/master/VBSWebMeter

I also have a vba version which you can use as an Excel macro:

https://github.com/Cn33liz/MacroMeter/blob/master/MacroMeter.vba

Let me know if you have the same issue running the js/vbs straight from cscript/wscript and you could also try my vba/macro version.

Grtz

Cornelis


callycab commented 7 years ago

Thanks for the very fast answer.

You are right, the problem seems to be that vbsmeter was running inside the Word process.

Thanks for the MacroMeter link, it seems to work pretty well! Great job.

EDIT: in fact no, it seems to not be running inside the Word process, because it is possible to kill the Word process and the meterpreter is still working.

callycab commented 7 years ago

Oops, sorry, I am reopening the issue because I have a problem: Word crashes when the macro is executed, so I lose the meterpreter. Moreover, the "set AutoRunScript post/windows/manage/migrate NAME=notepad.exe" is not working for me, so I can't migrate the meterpreter before the crash (some seconds).

Have you got an idea?

Cn33liz commented 7 years ago

What version of Windows/Office are you using? Did you try on another machine? I haven't seen this issue yet, so could you try it on another machine or look at the event logs to see why Word is crashing?


RomainGarcia commented 7 years ago

Hi, I work with Cedric. Our version of Word is Word 2016 (16.0.8326.2096) 32 bits. Word just crashes and we don't have any specific error message (just Windows saying Word crashed). Thanks

thehillionaire commented 6 years ago

Hi Cn33liz, thank you for writing so many great penetration testing tools! I seem to be having a similar issue to this when executing this script using wscript.exe or cscript.exe. The meterpreter session will open, but wscript will crash before the meterpreter process can migrate to notepad.exe. Is there something I might be doing wrong or something else I can try? Thanks again!