Bug #2439

Add an executable template that is compatible with NT4

Added by Joshua J. Drake over 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Assignee: Joshua J. Drake
Category: payloads
Target version: Metasploit 3.5.0
Start date: 08/23/2010
Due date:
% Done: 100%
Resolution: worksforme
Release Note:

Description

This issue was recreated to replace the accidentally deleted #2046.

Using ms01-026 with nt4sp6 doesn't work without an NT4 template EXE. We need one!

My attempts to use various EXEs from NT4 itself led to unreliability.


Related issues

related to Metasploit Framework - Bug #2438: Psexec does not work against NT4 New 08/23/2010

History

Updated by Joshua J. Drake over 1 year ago

  • Category set to payloads
  • Assignee set to Joshua J. Drake
  • Target version set to Metasploit 3.5.0

Issue #2046 has been updated by Stephen Fewer.

Don't know if this is useful for this ticket, but to get Meterpreter's elevator.dll working on NT4 I use the Microsoft EditBin tool (shipped with the Win32 SDK) to patch the PE file's NT headers OSVERSION and SUBSYSTEM to 4. This lets the NT4 loader load the PE file, and as long as you use API calls available in NT there won't be a problem.

editbin.exe /OSVERSION:4.0 /SUBSYSTEM:WINDOWS,4.0 somefile.exe

The template EXEs could have this run over them, or perhaps just patch the OSVERSION/SUBSYSTEM in Ruby on the fly for NT4 targets.

Might not be useful, but thought it worth mentioning in case it is.
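The "patch it in Ruby on the fly" idea above, written out as an added example (not Metasploit code and not from the ticket): it locates the PE optional header, reports the fields editbin touches, and rewrites the OS and subsystem versions to 4.0 the way `/OSVERSION:4.0 /SUBSYSTEM:WINDOWS,4.0` does. The header-only sample image is constructed so the script runs stand-alone; pass a real EXE path to patch a file.

```ruby
OPT_MAJOR_OS_VER     = 40  # MajorOperatingSystemVersion u16, then minor u16
OPT_MAJOR_SUBSYS_VER = 48  # MajorSubsystemVersion u16, then minor u16
OPT_SUBSYSTEM        = 68  # Subsystem u16 (2 = WINDOWS_GUI, 3 = CUI)

# File offset of the optional header; raises unless the data looks like a PE.
def optional_header_offset(data)
  raise 'not an MZ file' unless data[0, 2] == 'MZ'
  e_lfanew = data[0x3c, 4].unpack1('V')
  raise 'no PE signature' unless data[e_lfanew, 4] == "PE\0\0"
  e_lfanew + 4 + 20 # PE signature + COFF file header
end

# Read the fields editbin touches. Offsets are the same for PE32 and PE32+.
def read_versions(data)
  opt = optional_header_offset(data)
  { os_version:        data[opt + OPT_MAJOR_OS_VER, 4].unpack('vv'),
    subsystem_version: data[opt + OPT_MAJOR_SUBSYS_VER, 4].unpack('vv'),
    subsystem:         data[opt + OPT_SUBSYSTEM, 2].unpack1('v') }
end

# Patched copy with both version fields set to major.minor (4.0 for NT4). The
# subsystem version is the one the NT loader compares against the running OS.
# The header CheckSum is left stale; the loader only enforces it for drivers.
def patch_versions(data, major: 4, minor: 0, subsystem: nil)
  out = data.b
  opt = optional_header_offset(out)
  out[opt + OPT_MAJOR_OS_VER, 4]     = [major, minor].pack('vv')
  out[opt + OPT_MAJOR_SUBSYS_VER, 4] = [major, minor].pack('vv')
  out[opt + OPT_SUBSYSTEM, 2]        = [subsystem].pack('v') if subsystem
  out
end

# Constructed sample: header-only PE32 image claiming version 5.1 (not runnable).
def sample_pe
  dos  = 'MZ'.b.ljust(0x3c, "\0") + [0x40].pack('V')     # e_lfanew = 0x40
  coff = [0x14c, 0, 0, 0, 0, 224, 0x102].pack('vvVVVvv')  # i386, 224-byte opt hdr
  opt  = [0x10b].pack('v').ljust(224, "\0")                # PE32 magic
  opt[OPT_MAJOR_OS_VER, 4]     = [5, 1].pack('vv')
  opt[OPT_MAJOR_SUBSYS_VER, 4] = [5, 1].pack('vv')
  opt[OPT_SUBSYSTEM, 2]        = [3].pack('v')
  dos + "PE\0\0".b + coff + opt
end

if $PROGRAM_NAME == __FILE__
  data = ARGV[0] ? File.binread(ARGV[0]) : sample_pe
  puts "before: #{read_versions(data)}"
  patched = patch_versions(data, subsystem: 2)   # WINDOWS,4.0 as in the ticket
  puts "after:  #{read_versions(patched)}"
  File.binwrite(ARGV[0], patched) if ARGV[0]
end
```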

Updated by Joshua J. Drake over 1 year ago

  • Assignee changed from Joshua J. Drake to HD Moore

Not sure what revs changed this, but it seems the default EXE template is now working just fine on NT4. It may have just been the different default template EXE that we are using now. Care should be taken not to use EXEs that don't run on NT4 etc...

This ticket is officially WORKSFORME at this point.

Assigning to HD for modification at his discretion.

Updated by HD Moore over 1 year ago

Trying editbin (from VS2008) on the template EXEs results in:

LINK : warning LNK4241: invalid subsystem version number 4.0

Updated by Joshua J. Drake over 1 year ago

  • Status changed from New to Resolved
  • Assignee changed from HD Moore to Joshua J. Drake
  • % Done changed from 0 to 100
  • Resolution set to worksforme

As previously stated, the current EXE template works on NT4. Perhaps we need to do some regression testing for EXE templates in the future.

Updated by Joshua J. Drake over 1 year ago

Although EDITBIN prints that error message, the file itself appears to still be changed.

Updated by Jonathan Cran about 1 year ago

  • Status changed from Resolved to Closed
