Metasploit mailing list archives

MS08-067 Authentication against NTLMv2


From: hdm at metasploit.com (H D Moore)
Date: Mon, 10 Nov 2008 12:47:03 -0600

McAfee BO protection may still be simple to bypass. We don't implement it
in Metasploit because it's just a cat/mouse game; as soon as we change the
shellcode loader, they can add detection for that as well. If you are
intent on bypassing HIPS products, you need your own modified stagers
which are intentionally not public. For McAfee, they used to check the
calling address of LoadLibrary; if you copy the shellcode to a new
location before loading the libraries, you bypass their protection. This
may not be true any longer.

-HD

On Monday 10 November 2008, Juan Miguel Paredes wrote:
The problem is like you stated.  A secure configuration would not have
either accessible by anonymous users.  On workstations on a domain,
the BROWSER service may even be turned off completely.  Lastly, in my
testing of baselined systems, there is also "buffer overflow"
detection that thwarts attempts (McAfee in my case).  It definitely
works as long as either the BROWSER or SRVSVC named pipe is enabled
and accessible by anonymous users (and the BO detection is turned
off).
