Queries on CABRIGHTSTOR exploit

[mmiller at hick.org (mmiller at hick.org)]

On Thu, Oct 27, 2005 at 12:29:42PM +0530, 3 shool wrote:
> On Wed, Oct 26, 2005 at 06:06:05PM +0530, 3 shool wrote:
> > LHOST: my local machine IP 192.168.1.3 <http://192.168.1.3/> <
> http://192.168.1.3>
> > RHOST: vulnerable servers IP
> > TARGET: 0
> > PAYLOAD: win32, win32_reverse_ord, win32_reverse_ord_vncinject
> > CMD: dir
> >
> >
> > Just a guess, but is the vulnerable machine somewhere else on the
> > internet or is on the local LAN? In other words, can the vulnerable
> > machine communicate with 192.168.1.3 <http://192.168.1.3>? I'd guess
> > that's what your
> > problem is. You might be better of using the bind payloads if you're
> > unsure, although you will be subject to any inbound filtering the target
> > machine has. It's also possible that the address being used by the
> > exploit may not be working correctly on the target machine. You'd need
> > to do some analysis to determine this.
>
> The vulnerable machine is on internet. But I also tried the CMD execution
> payload which I feel should work in this case. And there isn't a bind
> payload for this module. Any idea how can I create one?
>
> I would appreciate some more pointers from experts.

Well, the command that you were sending is 'dir'.  I'm assuming that you
were expecting to see some sort of output.  The problem is that the
command execution payload does not pipe output over a socket (because it
doesn't establish any sort of connection).  Therefore, it's possible
that the command is indeed executing but you just aren't seeing
it (furthermore, dir is an intrinsic command to the command shell).
Indeed, it does look like there is limited space for the payload (which
is why you aren't seeing the bind payloads).  

Your best bet is to probably do a port forward on the NAT device that
you're using to communicate with the internet such that you can make use
of the reverse payloads.  Alternatively, you could execute a more
meaningful command.