Metasploit mailing list archives
RPCScan v2.03 vs exploit msrpc_dcom_ms03_026
From: hdm at metasploit.com (H D Moore)
Date: Thu, 19 Aug 2004 09:39:32 -0500
On Thursday 19 August 2004 09:25, Israel Torres wrote:
> I have run Foundstone's RPCScan v2.03 on a SP4 system to find that it is resulting in VULNERABLE. When I use and configure msrpc_dcom_ms03_026 (with either win32_reverse, or win32_reverse_vncinject) the following error is returned:
>
> The machine does not appear to be vulnerable, are you sure that the system has not been patched?

The Foundstone tool may suffer from the same problem as most checks for MS03-026; any system with MS03-039 or later patches applied will appear vulnerable.

> I have run this exploit on this machine unpatched and it operated as expected (successfully exploitable with either payload above). Is Foundstone's tool just not working correctly? (as it seems)

Yup. The changes that Microsoft made in the patches that followed MS03-026 (039 and above) cause the system to react to the test requests the same way it did when it was vulnerable. XP SP2 will result in the tests for 026 and 039 false-positiving. If you are using the Nessus scanner, a fix was committed for XP SP2 only a week or two ago.

> The last question I have been unable to find an answer for is setting the TARGET does not work by simply stating:
>
>   set TARGET 2K
>   set TARGET Windows 2K
>
> since both result in Target: Target Not Specified
>
> only set TARGET ALL will configure for Target: Windows NT SP6/2K/XP ALL

This is covered in the documentation; the value of TARGET is a number corresponding to the desired target. The show targets command will list each target and the number to use to select it. This is somewhat obtuse, but it keeps us from having to come up with short-hand target names. For example:

  msf apache_chunked_win32 > show targets

  Supported Exploit Targets
  =========================

     0  Windows NT/2K Brute Force
     1  Windows 2000
     2  Windows NT

  msf apache_chunked_win32 > set TARGET 2
  TARGET -> 2

This selects Windows NT as the target.

-HD

> Thanks for your help,
> Israel Torres
>
> Exploit and Payload Options
> ===========================
>
>   Exploit:    Name      Default   Description
>   --------    ------    -------   ------------------
>   required    RHOST     itest     The target address
>   required    RPORT     135       The target port
>
>   Payload:    Name      Default   Description
>   --------    --------  -------   ------------------------------------------
>   optional    EXITFUNC  seh       Exit technique: "process", "thread", "seh"
>   required    LHOST     itorres   Local address to receive connection
>   required    LPORT     4321      Local port to receive connection
>
>   Target: Windows NT SP6/2K/XP ALL