Metasploit mailing list archives
Re: Unreliable exploitation with ms08_067_netapi ?
From: HD Moore <hdm () metasploit com>
Date: Thu, 03 Jun 2010 12:01:25 -0500
On 6/3/2010 11:09 AM, Richard Miles wrote:
> Thanks, very informative.
>
>> Not really. The only way we can reliably detect the remote language pack is using the printer driver technique published by Immunity.
>
> Can you please point me to this paper?

http://www.immunitysec.com/downloads/MacroReliability.odp

Slide 21 (and 19 for the share name, but printers turned out to work better).

>> On operating systems that do not allow the print drivers to be enumerated without authentication, it is not possible to identify the language pack. If you can figure out the language pack on your own, you can set it, but that's why we have 50+ targets.
>
> Is there a way to use the Metasploit SMB scanner with a credential to identify it? I mean, sometimes we have a restricted account credential; if a restricted/normal user credential allows enumerating it, there is a new light in the dark, no?

You can set SMBUser/SMBPass in the exploit and it should be able to fingerprint the language properly.

> It appears that restarting the Server service and the Browser service is not enough to give it another shot either. Do you know if there is another trick instead of a reboot?

Restarting doesn't work because the services end up in different processes. You can, however, set SMBPIPE to "SRVSVC", but this might require authentication if simple file sharing is not enabled on a newer version of Windows.

> I was also thinking: this exploit does not restart the machine if exploitation fails, and if the box is vulnerable it's very probable the target is also vulnerable to the SMBv2 DoS, which could help us force a reboot to give it another try. Is there such an exploit in Metasploit?

There are a number of SMB DoS bugs under auxiliary/dos/windows/smb/, including some for SMBv2 flaws.

> Hummm, interesting. See this description: http://forums.remote-exploit.org/backtrack3-howtos/18556-playing-ms08_067-a-4.html

It would be odd to have an AV product new enough to catch this, but installed on a system unpatched against a vuln from 2008.

> Maybe add a target of 2003 SP2 with all patches except the one that fixes MS08-067? Or could it be useless in the real world?

I tried at one point and couldn't find any working combinations of opcodes. This is kind of pointless in the real world, as you would need to know exactly the right patch level to choose the correct target.

> Humm... for this kind of exploit, is it impossible to brute force these address values, like in old overflows where brute forcing the return address was possible? I mean, if used together with an SMBv2 DoS exploit it could work, no? Or is exploitation too different these days?

Too different. The SP2 targets use 5 different hardcoded addresses; you can try building targets for as many combinations as possible, then cycling the targets, but each target will take a few hours to get right.

-HD

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
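The language-pack fingerprint HD refers to (the "share name" variant from slide 19 of the Immunity deck, which Metasploit can run once SMBUser/SMBPass are set) rests on one observation: Windows localizes the canned comments on its default administrative shares, so reading them back with NetShareEnum hints at the installed language. The script below is an added illustration of that idea, not code from this thread or from Metasploit, and it does not reproduce the printer-driver variant from slide 21. It assumes impacket is installed for the live lookup (`SMBConnection`, `listShares`); the English comment strings are the real defaults, while the German, French and Spanish rows are my recollection of the localized defaults and are flagged as assumptions to verify against a known host. The classifier itself works on plain (name, comment) pairs, so it runs offline on the constructed sample in the usage block.

```python
"""
Guess a Windows language pack from the comments on its default admin shares.

Added example (not from the thread or from Metasploit). Requires impacket only
for the live lookup; guess_language() itself needs nothing but the share list.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Canned comments Windows attaches to its default administrative shares.
# The English row is the genuine default; the other rows are ASSUMED
# (my recollection of the localized strings) and should be verified
# against a host of known language before you trust them.
ADMIN_SHARE_COMMENTS: Dict[str, Dict[str, str]] = {
    "English": {"ADMIN$": "Remote Admin",
                "IPC$": "Remote IPC",
                "C$": "Default share"},
    "German":  {"ADMIN$": "Remoteverwaltung",          # assumed
                "IPC$": "Remote-IPC",                  # assumed
                "C$": "Standardfreigabe"},             # assumed
    "French":  {"ADMIN$": "Administration à distance", # assumed
                "IPC$": "IPC distant",                 # assumed
                "C$": "Partage par défaut"},           # assumed
    "Spanish": {"ADMIN$": "Administración remota",     # assumed
                "IPC$": "IPC remoto",                  # assumed
                "C$": "Recurso predeterminado"},       # assumed
}

ADMIN_SHARES = ("ADMIN$", "IPC$", "C$")


def guess_language(shares: Iterable[Tuple[str, str]]) -> Tuple[Optional[str], Dict[str, str]]:
    """
    shares: (name, comment) pairs as returned by NetShareEnum.

    Returns (language or None, the admin-share comments actually observed).
    The observed comments are returned even on a miss so an operator can
    extend ADMIN_SHARE_COMMENTS instead of guessing.
    """
    seen = {name.upper(): comment for name, comment in shares}
    # Only the admin shares carry a canned comment; user shares say whatever
    # the admin typed, so they are ignored entirely.
    observed = {n: seen[n] for n in ADMIN_SHARES if seen.get(n)}
    if not observed:
        return None, observed

    best, best_hits = None, 0
    for lang, expected in ADMIN_SHARE_COMMENTS.items():
        hits = sum(1 for n, c in observed.items() if expected.get(n) == c)
        if hits > best_hits:
            best, best_hits = lang, hits

    # Every observed admin share must agree with the same language; a single
    # matching comment (e.g. an edited share) is not evidence.
    if best is not None and best_hits == len(observed):
        return best, observed
    return None, observed


def fetch_shares(host: str, user: str, password: str, domain: str = "") -> List[Tuple[str, str]]:
    """Live NetShareEnum over SMB with impacket, using the supplied credential
    (the equivalent of setting SMBUser/SMBPass in the exploit). The import is
    local so the offline classifier works without impacket installed."""
    from impacket.smbconnection import SMBConnection  # assumed available

    conn = SMBConnection(host, host)
    conn.login(user, password, domain)
    try:
        # impacket returns NUL-terminated strings; strip the terminator.
        return [(s["shi1_netname"][:-1], s["shi1_remark"][:-1]) for s in conn.listShares()]
    finally:
        conn.logoff()


if __name__ == "__main__":
    import sys

    if len(sys.argv) >= 4:
        lang, seen = guess_language(fetch_shares(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        # Constructed sample: what an English XP box answers to NetShareEnum.
        sample = [("IPC$", "Remote IPC"), ("ADMIN$", "Remote Admin"),
                  ("C$", "Default share"), ("shared", "Marketing files")]
        lang, seen = guess_language(sample)
    print(lang or "unknown", seen)
```

Run it as `python3 share_lang.py HOST USER PASS` for a live lookup, or with no arguments to see the classifier on the constructed sample. A result of `unknown` together with non-empty observed comments means the host answered but its strings are not in the table; that is the case where the printer-driver technique from the deck, or simply adding the observed strings to the table, is the next step.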
Current thread:
- Unreliable exploitation with ms08_067_netapi ? Richard Miles (Jun 03)
- Re: Unreliable exploitation with ms08_067_netapi ? HD Moore (Jun 03)
- Re: Unreliable exploitation with ms08_067_netapi ? Richard Miles (Jun 03)
- Re: Unreliable exploitation with ms08_067_netapi ? HD Moore (Jun 03)
- Re: Unreliable exploitation with ms08_067_netapi ? Richard Miles (Jun 03)
- Re: Unreliable exploitation with ms08_067_netapi ? Richard Miles (Jun 03)
- Re: Unreliable exploitation with ms08_067_netapi ? HD Moore (Jun 03)