Home page logo
/

metasploit logo Metasploit mailing list archives

Re: Unreliable exploitation with ms08_067_netapi ?
From: HD Moore <hdm () metasploit com>
Date: Thu, 03 Jun 2010 12:01:25 -0500

On 6/3/2010 11:09 AM, Richard Miles wrote:
Thanks, very informative.

Not really. The only way we can reliably detect the remote language pack
is using the printer driver technique published by Immunity.

Can you please point me to this paper?

http://www.immunitysec.com/downloads/MacroReliability.odp

Slide 21 (and 19 for the share name, but printers turned out to work better)

On operating systems that do not allow the print drivers to be enumerated
without authentication, it is not possible to identify the language
pack. If you can figure out the language pack on your own, you can set
it, but thats why we have 50+ targets.

There is a way to use the metasploit smb scanner with a credential to
identify it? I mean, sometimes we have a restricted account
credential, if a restricted/normal user credential allows to enumerate
it, there is a new light on the dark, not?

You can set SMBUser/SMBPass in the exploit and it should be able to
fingerprint the language properly.


Appear that restart the server service and browser service service is
not enough to give another shot too. Do you know other if there is
another trick instead of reboot?

Restarting doesn't work because the services end up in different
processes. You can, however set SMBPIPE to "SRVSVC", but this might
require authentication if simple file sharing is not enabled on a newer
version of Windows.

I also was thinking, this exploit do not restart the machine if the
exploitation fail, if the box is vulnerable it's very probable the
target also will be SMBv2 DoS, which could help us to force a reboot
to give another try. There is such a exploit at Metasploit?

There are a number of SMB DoS bugs under auxiliary/dos/windows/smb/,
including some for SMBv2 flaws.


Hummm, interesting.See this description

http://forums.remote-exploit.org/backtrack3-howtos/18556-playing-ms08_067-a-4.html

It would be odd to have an AV product new enough to catch this as but
installed on a system unpatched against a vuln from 2008.


Maybe add target of 2003 SP2 with all patches less one up to the one
that fix ms08-67? Or it could be useless in real world?

I tried at one point and couldn't find any working combinations of
opcodes. This is kind of pointless in the real world, as you would need
to know exactly the right patch level to choose the correct target.


Humm... for this kind of exploit is impossible to brute force this
address values, like in old overflows where ret brute force was
possible? I mean, if used together with a SMBv2 DOS exploit it could
work, not? Or exploitation is too different on recent days?

Too different. The SP2 targets use 5 different hardcoded addresses; you
can try building targets for as many combinations as possible, then
cycling the targets, but each target will take a few hours to get right.

-HD
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]