Nmap Development mailing list archives
Re: [NSE] Check for MS06-025 vulnerability in Microsoft RRAS service
From: Dražen Popović <drazen.popovic () fer hr>
Date: Mon, 31 May 2010 19:30:04 +0200
On Mon, 2010-05-31 at 13:52 +0000, Richard Miles wrote:
> 2010/5/31 Dražen Popović <drazen.popovic () fer hr>:
> > On Mon, 2010-05-31 at 00:49 +0000, Richard Miles wrote:
> > > Interesting. But for the others that required a credential, does this credential need to be an administrative credential? Or can it be a normal user?
> > This service is used for managing the network configuration, so admin privs are required. I must try it to be sure... I'll get back to you.
Here's an update on the credentials needed to gain a shell on a vulnerable Win2000SP4:

1) User: not set, Password: not set, Type: NULL session, Shell: no, with STATUS_ACCESS_DENIED on the "\router" SMB pipe.

2) User: Guest, Password: not set, Group/Type: Guest Account.
   Note: if the Guest account is disabled you get STATUS_ACCOUNT_DISABLED. Else Shell: yes.
   MSF:
     meterpreter > getuid
     Server username: NT AUTHORITY\SYSTEM
   NMAP:
     Host script results:
     |_smb-check-ms06_025: MS06_025 alive!!!

3) User: user, Password: set, Group/Type: Users, Shell: yes.
   MSF:
     meterpreter > getuid
     Server username: NT AUTHORITY\SYSTEM
   NMAP:
     Host script results:
     |_smb-check-ms06_025: MS06_025 alive!!!

4) User: Administrator, Password: set, Group/Type: Administrators, Shell: yes.
   MSF:
     meterpreter > getuid
     Server username: NT AUTHORITY\SYSTEM
   NMAP:
     Host script results:
     |_smb-check-ms06_025: MS06_025 alive!!!

So as you can see, the test shows that the vulnerable code can be reached with lower than admin credentials.

@Ron A very cool idea! =) Have you considered making a little NSE exploiting framework? Nothing too fancy, just simple things such as connect-back shellcodes.

Regards,
Dražen.

P.S. Vulnerable WinXP testing pending...

--
Laboratory for Systems and Signals
Department of Electronic Systems and Information Processing
Faculty of Electrical Engineering and Computing
University of Zagreb

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/