Nmap Development mailing list archives

smb-psexec and Windows XP


From: Ron <ron () skullsecurity net>
Date: Tue, 05 Jan 2010 21:25:23 -0600

If any of you followed my SMB development closely, you'll know I could
never get the smb-psexec script (previously known as smb-pwdump) working
against Windows XP. Nothing I did worked, and I tried every logical and
even most illogical fixes. Today, though, somebody brought it up again
and I decided to do whatever it took to fix it.

My plan was to take a packet dump of Metasploit's windows/smb/psexec
module and a packet dump of mine, side by side, and make every single
field in mine identical to HDMoore's till it worked. I basically did
that already, months ago, but I only updated fields that might possibly
be remotely relevant. This time, though, I was going to change 100% of
everything till it worked.

Well, as luck would have it, the second field I changed (after flags2)
was pid, or "ProcessID". From Implementing CIFS:
==
PID:     The "Process ID".
This value is set by the client, and is intended as an identifier for
the process sending the SMB request. The most important thing to note
regarding the PID is that file locking and access modes are maintained
relative to the value in this field.
==

So, it's a totally irrelevant field. I always set it to 0. Turns out,
setting it to anything *except* 0 totally fixes the problem.

I strongly suspect that this is a Windows bug -- it's trying to use the
ProcessID handle for an identifier somewhere that it shouldn't, and it's
failing as a result. I could be wrong, though.

Anyway, it's a great relief to get this working after many months of
having it eat away at my soul. :)

Ron

-- 
Ron Bowes
http://www.skullsecurity.org/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
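As an added illustration, not part of Ron's post or of Nmap's smb.lua: a small Python packer/parser for the 32-byte SMB1 header that shows where the ProcessID lives (split across the PIDHigh and PIDLow fields) and flags a request carrying the all-zero PID the post describes. The field order follows Implementing CIFS; the command and flag values in the sample are constructed, not taken from a capture.

```python
import struct

# SMB1 header, 32 bytes, all multi-byte fields little-endian (per Implementing CIFS):
# protocol(4) command(1) status(4) flags(1) flags2(2) pid_high(2)
# signature(8) reserved(2) tid(2) pid_low(2) uid(2) mid(2)
SMB_HEADER = "<4sBIBHH8sHHHHH"
SMB_MAGIC = b"\xffSMB"
HEADER_LEN = struct.calcsize(SMB_HEADER)  # 32

def build_header(command, flags, flags2, pid, tid, uid, mid, status=0):
    """Pack an SMB1 header. `pid` is the full 32-bit ProcessID; the wire
    format splits it into PIDHigh (offset 12) and PIDLow (offset 26)."""
    return struct.pack(SMB_HEADER, SMB_MAGIC, command, status, flags, flags2,
                       (pid >> 16) & 0xFFFF, b"\x00" * 8, 0,
                       tid, pid & 0xFFFF, uid, mid)

def parse_header(data):
    """Unpack the first 32 bytes of an SMB1 message into its header fields."""
    if len(data) < HEADER_LEN or data[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 header")
    (_, command, status, flags, flags2, pid_high, _sig, _reserved,
     tid, pid_low, uid, mid) = struct.unpack(SMB_HEADER, data[:HEADER_LEN])
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "pid": (pid_high << 16) | pid_low,
            "tid": tid, "uid": uid, "mid": mid}

def has_zero_pid(data):
    """True when the request carries ProcessID 0, the value the post found
    breaks smb-psexec against Windows XP (and that the script always sent)."""
    return parse_header(data)["pid"] == 0

# Constructed sample: a NEGOTIATE request (0x72) with the PID the old script
# sent, next to the same request with a non-zero PID.
BROKEN_PID = build_header(0x72, 0x18, 0xC853, pid=0, tid=0, uid=0, mid=1)
FIXED_PID = build_header(0x72, 0x18, 0xC853, pid=0x1234, tid=0, uid=0, mid=1)
```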