Remote Exploit Forums

#1
10-01-2009, 06:02 PM
Junior Member
Join Date: Jan 2008
Posts: 9
Metasploit issues!

Hi there,

I am learning about penetration testing; I have set up a Windows Server 2003 R2 Enterprise virtual machine.

It is relatively unpatched (vulnerable to ms08-067), no antivirus, Windows firewall. After a Nessus scan a few of these vulnerabilities were shown.

When I use fast-track.py to exploit this vulnerability (ms08-067) I immediately get a shell running as system. However, I would like to use meterpreter for all of its features rather than a simple netcat of cmd.exe, and fasttrack provides no way to change the payload.

So I try to exploit the machine using Metasploit, using the appropriate settings, using exploit: ms08_067_netapi, windows/meterpreter/bind_tcp OR reverse_tcp OR a simple bind shell (to test); however, I get the following error:

Code:
Exploit target:

   Id  Name
   --  ----
   9   Windows 2003 SP2 English (NX)


msf exploit(ms08_067_netapi) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[-] Exploit failed: The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] Exploit completed, but no session was created.

OR when trying to use SRVSVC:

Code:
Exploit target:

   Id  Name
   --  ----
   9   Windows 2003 SP2 English (NX)


msf exploit(ms08_067_netapi) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[-] Exploit failed: The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[*] Exploit completed, but no session was created.

When setting the target manually the exploit also fails as it cannot determine the language pack!

Please could somebody shed some light on this issue? Is the Metasploit exploit working correctly on R2? (Latest SVN)

Thanks,

Joe

#2
10-01-2009, 06:35 PM
floyd
Senior Member
Join Date: Mar 2009
Location: I'm in a laundry room
Posts: 232

Only a guess, but read about the "target" command; I remember that you can specify the language pack somehow there.
__________________
Auswaertsspiel

#3
10-02-2009, 08:56 AM
Junior Member
Join Date: Jan 2008
Posts: 9

Thanks for the reply,

I have selected Windows Server 2003 SP2 (ENGLISH) as a target as it most closely matches what I have, but it still won't work!

Can anyone shed some light on this issue?

#4
10-02-2009, 09:15 AM
Gitsnik
Senior Member
Join Date: Jun 2009
Location: The Crystal Wind
Posts: 494

Re-patch the fasttrack exploit with a meterpreter shellcode (or d/l one from milw0rm and do it yourself), then figure out how to set up a multi/handler - see the metasploit documentation from offensive security for a howto on that. That way you can manually run your exploit, you can figure out what are bad characters and what are not, and you will get a better idea of how these things operate.

Metasploit is an excellent tool to use, but if you can't do the basics it's going to be a lot harder with it in the long run.
__________________
Never underestimate the power of human stupidity - it is like a force of nature, capable of destroying even the most well laid plans.

#5
10-02-2009, 09:22 AM
Member
Join Date: Mar 2009
Posts: 38

You have to "set LANG english" (without quotes). It's kinda funny how Linux basically gives you the answer right in front of you and yet people still don't know how to comprehend what it is saying. I'm saying that comment in general, Joe100.
__________________
They ran this hack in V.M.O., so I'm isolating the A.P.I., and just booting the host. -Matthew Farrell

#6
10-02-2009, 07:24 PM
Junior Member
Join Date: Jan 2008
Posts: 9

I have tried "set LANG english", the exploit still fails.

I am working on incorporating the shellcode for meterpreter reverse_tcp into the fast-track.py file, as it is the only current alternative I can see.

If anyone else has any ideas with this they would be most appreciated. Thanks.

#7
10-03-2009, 12:38 AM
Member
Join Date: Mar 2009
Posts: 38

You're positive the firewall is down and set all the right variables for the exploit?
__________________
They ran this hack in V.M.O., so I'm isolating the A.P.I., and just booting the host. -Matthew Farrell

#8
10-04-2009, 01:53 PM
Junior Member
Join Date: Jan 2008
Posts: 9

Yes, the Windows firewall is disabled and everything is set when I run "show options".

I'm stuck! Has nobody ever had this issue before?

I have googled this for hours, there are a few of the same issue but seemingly no responses to it!

#9
10-20-2009, 03:17 AM
Isohump
Member
Join Date: Sep 2009
Posts: 52

Did you try msfconsole without using fast-track.py?

#10
10-22-2009, 12:33 AM
Junior Member
Join Date: Jan 2008
Posts: 9

Yep, seems to make absolutely no sense!

I can't work out how to substitute the payload in the fast-track script either, as meterpreter is a much larger staged payload.

I may just give up with this!!