Bug #809

Issue with the check command while using a specific smb exploit.

Added by Marc-Andre Meloche about 1 month ago. Updated 9 days ago.

Status: Closed
Start: 02/04/2010
Priority: Normal
Due date:
Assigned to: -
% Done: 0%
Category: -
Target version: Metasploit 3.4
Resolution:

Description


    =[ metasploit v3.3.4-dev [core:3.3 api:1.0]
    + - -=[ 501 exploits - 240 auxiliary
    + - -=[ 192 payloads - 23 encoders - 8 nops
    =[ svn r8367 updated today (2010.02.04)

msf > use windows/smb/ms05_039_pnp
msf exploit(ms05_039_pnp) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf exploit(ms05_039_pnp) > check

[*] Connecting to the SMB service...
[-] Exploit check failed: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The SMB server did not reply to our request
[-] Call stack:
[-] /opt/metasploit3/msf3/lib/rex/proto/smb/simpleclient.rb:201:in `login'
[-] /opt/metasploit3/msf3/lib/msf/core/exploit/smb.rb:109:in `smb_login'
[-] (eval):125:in `pnp_probe'
[-] (eval):182:in `check'
msf exploit(ms05_039_pnp) > set rhost 192.168.200.109
rhost => 192.168.200.109
msf exploit(ms05_039_pnp) > check

[*] Connecting to the SMB service...
[-] Exploit check failed: Rex::ConnectionTimeout The connection timed out (192.168.200.109:445).
Call stack:
[-] /opt/metasploit3/msf3/lib/rex/socket/comm/local.rb:251:in `create_by_type'
[-] /opt/metasploit3/msf3/lib/rex/socket/comm/local.rb:32:in `create'
[-] /opt/metasploit3/msf3/lib/rex/socket.rb:45:in `create_param'
[-] /opt/metasploit3/msf3/lib/rex/socket/tcp.rb:34:in `create_param'
[-] /opt/metasploit3/msf3/lib/rex/socket/tcp.rb:24:in `create'
[-] /opt/metasploit3/msf3/lib/msf/core/exploit/tcp.rb:95:in `connect'
[-] /opt/metasploit3/msf3/lib/msf/core/exploit/smb.rb:69:in `connect'
[-] (eval):124:in `pnp_probe'
[-] (eval):182:in `check'
msf exploit(ms05_039_pnp) > uname -r
[*] exec: uname -r

2.6.30.9
msf exploit(ms05_039_pnp) > uname -a
[*] exec: uname -a

Linux bt 2.6.30.9 #1 SMP Tue Dec 1 21:51:08 EST 2009 i686 GNU/Linux
msf exploit(ms05_039_pnp) >

This might also occur with other SMB exploits that use the check validation to see if the host can be compromised.

If you guys need more information, don't hesitate to ask!

History

Updated by HD Moore about 1 month ago

It looks like your target system was already in a bad state; the login failed before the check even ran. Try a fresh reboot of the target and running the check again (without exploiting it first).

Updated by Marc-Andre Meloche about 1 month ago

Well, I retried and I still get the same output. The exploit works, but I get the same errors.

Updated by HD Moore about 1 month ago

Did you run check before running the exploit, after a fresh reboot? The login error/connection refused combo only occurs if the service is dead and dying from a previous attempt.

Updated by Marc-Andre Meloche about 1 month ago

Rebooted both machines, here is the result.

msf exploit(ms05_039_pnp) > check

[*] Connecting to the SMB service...
[*] Binding to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.200.109[\browser] ...
[-] Exploit check failed: RuntimeError Could not bind to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.200.109[\browser]
[-] Call stack:
[-] /opt/metasploit3/msf3/lib/rex/proto/dcerpc/client.rb:266:in `bind'
[-] /opt/metasploit3/msf3/lib/rex/proto/dcerpc/client.rb:47:in `initialize'
[-] /opt/metasploit3/msf3/lib/msf/core/exploit/dcerpc.rb:124:in `new'
[-] /opt/metasploit3/msf3/lib/msf/core/exploit/dcerpc.rb:124:in `dcerpc_bind'
[-] (eval):129:in `pnp_probe'
[-] (eval):182:in `check'

I can see it connects, but I simply don't understand the call stack. If you say it's normal, then I apologize for the inconvenience!

Just trying to help!

Updated by HD Moore about 1 month ago

That error just indicates the target system is not running the vulnerable DCERPC component (it could not bind to it).

Updated by Marc-Andre Meloche about 1 month ago

I have retried with a vulnerable server and everything works.

Sorry.

Updated by HD Moore 28 days ago

  • Status changed from New to Closed
  • Target version set to 18

Updated by HD Moore 9 days ago

  • Target version changed from 18 to Metasploit 3.4
