
I created a windows/meterpreter/reverse_https powershell payload using the python script provided at the end of this article. In the first run, the meterpreter session opened successfully. When I closed it and tried to execute the powershell command again, I got a "Windows PowerShell has stopped working" error. Any ideas?

PS: the target machine is running Windows 7 SP1 64 bit.

  • Powershell is a pretty reliable method of code execution. When you run the payload for the second time, do you have the handler listening ready? – void_in Mar 09 '14 at 16:44
  • Yes, the handler was already listening. The error occurred before powershell could connect to the handler, since my firewall didn't even prompt me to allow the connection like in the first run (I'm using Eset Smart Security, set to interactive filtering mode) –  Mar 09 '14 at 17:46
  • The code in that article is pretty rough. Perhaps it doesn't exit out of PS cleanly and hangs the process? – schroeder Mar 11 '14 at 16:13
  • Much has changed in the world of Metasploit payloads. Can you generate the payload through msfvenom and then run it on the target machine through powersploit or any other means? – void_in May 27 '15 at 04:46

1 Answer


ESET Smart Security is powerful against malware such as meterpreter because it analyzes the behavior of the application after it is executed. Using heuristics, it flags certain behavior or actions as suspicious. It then terminates the process and blacklists the application. That could be the reason why it was executed successfully the first time but not after.

You can try for yourself in a VM to examine this matter more closely.

Adi

martin