Home page logo

metasploit logo Metasploit mailing list archives

Re: Unreliable exploitation with ms08_067_netapi ?
From: Richard Miles <richard.k.miles () googlemail com>
Date: Thu, 3 Jun 2010 21:30:46 +0000

Again, very informative. Thanks.

Slide 21 (and 19 for the share name, but printers turned out to work better)

Very interesting document. This product from immunity appear to be
nice, if it does all it claims...

Restarting doesn't work because the services end up in different
processes. You can, however set SMBPIPE to "SRVSVC", but this might
require authentication if simple file sharing is not enabled on a newer
version of Windows.

Nice to now, more one shot. Router is not a option for this vuln?

You can set SMBUser/SMBPass in the exploit and it should be able to
fingerprint the language properly.

I get surprised it do not appear when I call show options.

My first try was strange.

msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[-] Exploit failed: Login Failed: The server responded with error:
STATUS_LOGON_FAILURE (Command=115 WordCount=0)
[*] Exploit completed, but no session was created.

My credential is a network credential of a restricted user, so I did
guessed a parameter name...

msf exploit(ms08_067_netapi) > set SMBDomain mydomainname.tld

And I was all curious to see the magic.

msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 R2 Service Pack 2 - lang:Unknown
[-] Could not determine the exact language pack
[*] Auto-targeting failed, use 'show targets' to manually select one
[*] Exploit completed, but no session was created.

The result was exactly the same as without credential. I'm missing something?

I also used SRVSVC and target 9 (NX) as suggested.

msf exploit(ms08_067_netapi) > set target 9
target => 9
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Attempting to trigger the vulnerability...
[-] Exploit failed: Connection reset by peer
[*] Exploit completed, but no session was created.

Exactly the same.

I also was thinking, this exploit do not restart the machine if the
exploitation fail, if the box is vulnerable it's very probable the
target also will be SMBv2 DoS, which could help us to force a reboot
to give another try. There is such a exploit at Metasploit?

There are a number of SMB DoS bugs under auxiliary/dos/windows/smb/,
including some for SMBv2 flaws.

Based on a target vuln to ms08-067 do you suggest me some in special?

I tried without success.

msf auxiliary(ms09_001_write) > exploit

Attempting to crash the remote host...
datalenlow=65535 dataoffset=65535 fillersize=72
datalenlow=55535 dataoffset=65535 fillersize=72
datalenlow=45535 dataoffset=65535 fillersize=72
datalenlow=35535 dataoffset=65535 fillersize=72

Nothing happened.

msf auxiliary(rras_vls_null_deref) > exploit

[*] Binding to 8f09f000-b7ed-11ce-bbd2-00001a181cad:0.0 () ncacn_np:[\ROUTER]
[-] Auxiliary failed: RuntimeError Could not bind to
8f09f000-b7ed-11ce-bbd2-00001a181cad:0.0 () ncacn_np:[\ROUTER]
[-] Call stack:
[-]   /test/trunk/lib/rex/proto/dcerpc/client.rb:266:in `bind'
[-]   /test/trunk/lib/rex/proto/dcerpc/client.rb:47:in `initialize'
[-]   /test/trunk/lib/msf/core/exploit/dcerpc.rb:124:in `new'
[-]   /test/trunk/lib/msf/core/exploit/dcerpc.rb:124:in `dcerpc_bind'
[-]   (eval):66:in `run'
[*] Auxiliary module execution completed
msf auxiliary(rras_vls_null_deref) > set SMBPIPE SRVSVC

msf auxiliary(ms06_063_trans) > exploit

[*] Connecting to the target system...
[*] Sending bad SMB transaction request 1...
[*] Sending bad SMB transaction request 2...
[*] Sending bad SMB transaction request 3...
[*] Sending bad SMB transaction request 4...
[*] Sending bad SMB transaction request 5...
[*] Auxiliary module execution completed

nothing happen.

msf auxiliary(ms09_050_smb2_session_logoff) > exploit

[*] Targeting host
[*] Sending the exploit packet (192 bytes)...
[*] Response received. The target system is not vulnerable:
[*] Auxiliary module execution completed

msf auxiliary(rras_vls_null_deref) > exploit

Most of the others the connection is reseted by per, probable because
the previous failed exploitation at ms08_067?

msf auxiliary(ms09_050_smb2_session_logoff) > exploit

[*] Targeting host
[*] Sending the exploit packet (192 bytes)...
[-] Auxiliary failed: Errno::ECONNRESET Connection reset by peer
[-] Call stack:
[-]   /test/trunk/lib/rex/io/stream.rb:44:in `syswrite'
[-]   /test/trunk/lib/rex/io/stream.rb:44:in `write'
[-]   /test/trunk/lib/rex/io/stream.rb:140:in `timed_write'
[-]   /test/trunk/lib/rex/io/stream.rb:171:in `put'
[-]   (eval):63:in `run'
[*] Auxiliary module execution completed

[*] Binding to 8f09f000-b7ed-11ce-bbd2-00001a181cad:0.0 () ncacn_np:[\SRVSVC]
[-] Auxiliary failed: Rex::Proto::SMB::Exceptions::ErrorCode The
server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162
[-] Call stack:
[-]   /test/trunk/lib/rex/proto/smb/client.rb:176:in `smb_recv_parse'
[-]   /test/trunk/lib/rex/proto/smb/client.rb:1011:in `create'
[-]   /test/trunk/lib/rex/proto/smb/client.rb:985:in `create_pipe'
[-]   /test/trunk/lib/rex/proto/smb/simpleclient.rb:280:in `create_pipe'
[-]   /test/trunk/lib/rex/proto/dcerpc/client.rb:128:in `smb_connect'
[-]   /test/trunk/lib/rex/proto/dcerpc/client.rb:65:in `socket_check'
[-]   /test/trunk/lib/rex/proto/dcerpc/client.rb:40:in `initialize'
[-]   /test/trunk/lib/msf/core/exploit/dcerpc.rb:124:in `new'
[-]   /test/trunk/lib/msf/core/exploit/dcerpc.rb:124:in `dcerpc_bind'
[-]   (eval):66:in `run'

It would be odd to have an AV product new enough to catch this as but
installed on a system unpatched against a vuln from 2008.

I was reading the post again more carefully and it told that what
catch was a overflow protection of the AV. I will consider buy a
mcafee av.

2008...long time. ms08_067 is the last exploit (for the last vuln)
that affect most windows attacking directly, not? I mean, without talk
about client-sides, or other services, just talking about native
services from Microsoft installed by default like file sharing, RPC,
etc. Or there is a better one to test?

I tried at one point and couldn't find any working combinations of
opcodes. This is kind of pointless in the real world, as you would need
to know exactly the right patch level to choose the correct target.

Too bad. What about the major versions without any patch? Like

Windows Server 2003 R1 + combination with service packs
Windows Server 2003 R2 + combination with service packs

Looks a good idea?

Humm... for this kind of exploit is impossible to brute force this
address values, like in old overflows where ret brute force was
possible? I mean, if used together with a SMBv2 DOS exploit it could
work, not? Or exploitation is too different on recent days?

Too different. The SP2 targets use 5 different hardcoded addresses; you
can try building targets for as many combinations as possible, then
cycling the targets, but each target will take a few hours to get right.

First I have to make a smb DOS exploit work after a failed
exploitation on ms08_067, then I will move to this idea. 5 different
hardcoded address appear a lot of stuff for a few hours. I believe you
are thinking in some optimization, like a minimum and maximum address
for this addresses, not?

Thanks again.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]