Metasploit mailing list archives

RPCScan v2.03 vs exploit msrpc_dcom_ms03_026


From: hdm at metasploit.com (H D Moore)
Date: Thu, 19 Aug 2004 09:39:32 -0500

On Thursday 19 August 2004 09:25, Israel Torres wrote:
I have run *Foundstone's RPCScan v2.03 on a SP4 system to find that it
is resulting in VULNERABLE.
When I use and configure msrpc_dcom_ms03_026 (with either
win32_reverse, or win32_reverse_vncinject)
The following error is returned:

The machine does not appear to be vulnerable, are you sure that the system 
has not been patched? The Foundstone tool may suffer from the same 
problem as most checks for MS03-026: any system with MS03-039 or later 
patches applied will appear vulnerable.

I have run this exploit on this machine unpatched and it operated as
expected (successfully exploitable with either payload above). Is
foundstone's tool just not working correctly? (as it seems)

Yup. The changes that Microsoft made in the patches that followed MS03-026 
(039 and above) cause the system to react to the test requests the same 
way it did when it was vulnerable. XP SP2 will result in the tests for 
026 and 039 producing false positives. If you are using the Nessus scanner, a fix 
was committed for XP SP2 only a week or two ago.

The last question I have been unable to find an answer for is setting
the TARGET does not work by simply stating:
set TARGET 2K
set TARGET Windows 2K
since both result in Target: Target Not Specified
only set TARGET ALL will configure for Target: Windows NT SP6/2K/XP ALL

This is covered in the documentation; the value of TARGET is a number 
corresponding to the desired target. The show targets command will list 
each target and the number to use to select it. This is somewhat 
obtuse, but it keeps us from having to come up with short-hand target 
names. For example:

msf apache_chunked_win32 > show targets

Supported Exploit Targets
=========================

  0  Windows NT/2K Brute Force
  1  Windows 2000
  2  Windows NT

msf apache_chunked_win32 > set TARGET 2
TARGET -> 2

This selects Windows NT as the target. 

-HD


Thanks for your help,
Israel Torres

Exploit and Payload Options
===========================

  Exploit:    Name      Default    Description
  --------    ------    -------    ------------------
  required    RHOST     itest      The target address
  required    RPORT     135        The target port

  Payload:    Name        Default    Description
  --------    --------    -------    ------------------------------------------
  optional    EXITFUNC    seh        Exit technique: "process", "thread", "seh"
  required    LHOST       itorres    Local address to receive connection
  required    LPORT       4321       Local port to receive connection

  Target: Windows NT SP6/2K/XP ALL
