STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

Question

STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

nighymighty opened this issue 2 years ago · 3 comments

Any thoughts on why by running the python zzz_exploit.py x.x.x.x becomes like this ?

[] Target OS: Windows 5.1
[+] Found pipe 'netlogon'
[+] Using named pipe: netlogon
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x8171e930
SESSION: 0xe11493f0
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
[] make this SMB session to be SYSTEM
[+] current TOKEN addr: 0xe1d8c030
Bad TOKEN_USER_GROUP offsets detected while parsing tokenData!
RestrictedSids: 0xe1d60c30
RestrictedSidCount: 0x1f4
userAndGroupCount: 0x4c
userAndGroupsAddr: 0xe1d8c0b8
Attempting WINXP SP0/SP1 x86 TOKEN_USER_GROUP workaround
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe1d8c0b8
[] overwriting token UserAndGroups
[] have fun with the system smb session!
[-] got exception
CRITICAL:root:SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
Done

Answer 1 · 2022-10-05T13:18:07.000Z

I am having the same error here.

Any steps forward?

If using eternalblue_exploit7.py instead, I get:

shellcode size: 1013
numGroomConn: 13
Target OS: Windows 5.1
This exploit does not support this target

Answer 2 · 2023-01-05T22:05:56.000Z

Same here, any updates ?

Answer 3 · 2023-01-08T21:34:00.000Z

Hey everyone, sorry for the delayed reply. The reason the CRITICAL:root:SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.) error comes into play can be a variety of things:

Most commonly - you do not have appropriate access to a given share for SMB client to connect to. Usually the exploit targets C$ and rightly so because you should be admin. It is possible other restrictions might exists...

OR

There is AV of some sort stopping exploitation. Might be as simple as that.

Seeing as this is field tested daily by myself and others, there doesn't seem to be any bug in the exploit code itself. That said, if you would like to provide further data about your target's configuration @nighymighty then I might be able to determine what the root cause is in this case. That will allow me to diagnose if this is a problem with the exploit code that is new, or if it is simply that your target is correctly protected.

I'll leave this issue open for a bit to give time for your feedback, but otherwise I'll close it if it becomes inactive. Thank you!

As for @michele-dedonno observation. This is correct and expected. The other exploits do not support versions older than Windows 7. Please read each exploit code script carefully to see what targets are supported/tested. The zzz_exploit.py script uses the named pipe techniques from the eternal romance/champion/etc... variants and is NOT eternal blue, the rest are eternal blue. As such the zzz_exploit.py script supports almost every version given you have access to a named pipe, where the others attempt to exploit eternal blue on compatible systems (of which there are less). Because of this, windows XP (5.1) is only supported by the zzz_exploit.py script. Hope that helps!