Manual MS08-067 Issue

Hi,
I am trying learn how to do exploits without Metasploit and I though good old MS08_067 would be a good place to start. I have amended a Python script to include the elements needed for exploiting an SP2 box. But I cannot get it to work. I can see the exploit communicating and trying to authenticate through wire shark but it seems my payload isn’t triggering. Can anyone help please?

Are you trying this exploit?

If not, do you mind sharing your python code so I can try.

I would need the same help as well: 40279 doesn’t work for me. Of course I’ve replaced the shell code with one generated for my IP address, I’ve left the same NOPs though.
pentest/ms08-067.py at master · jivoi/pentest · GitHub doesn’t work either, however pentest_old/ms08-067-nc.py at master · 3mrgnc3/pentest_old · GitHub works fine, which is very weird as they are the same code.
I’m working on LEGACY trying to exploit it the manual way, I have a multi/handler running in metasploit and I wait for a shell in vain

hi guys, not sure if it’ll help months later, but I created a modified version of the MS08-067 exploit that is a little more flexible. It has logic to address differing payload lengths and also allows attempts on port 139 over NetBIOS sessions, something the Metasploit ruby code seems to handle well but I hadn’t seen it implemented in Python.

If direct exploitation with Metasploit isn’t working this probably won’t work either, but it’s worth a shot.

Anyways, here it is:

@Veilios said:
hi guys, not sure if it’ll help months later, but I created a modified version of the MS08-067 exploit that is a little more flexible. It has logic to address differing payload lengths and also allows attempts on port 139 over NetBIOS sessions, something the Metasploit ruby code seems to handle well but I hadn’t seen it implemented in Python.

If direct exploitation with Metasploit isn’t working this probably won’t work either, but it’s worth a shot.

Anyways, here it is:
https://github.com/andyacer/ms08_067

Great! thank you!

Hello guys i tried to use this exploit Microsoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067) - Windows remote Exploit, i generate my shellcode with msfvenom with meterpreter payload and shell payload and i modify the exploit to enter my shellcode and i have my session in metasploit albut always exploit failed, but connection refused from 10.10.10.4:443 what did bad?, any sugestions?

@Veilios said:
hi guys, not sure if it’ll help months later, but I created a modified version of the MS08-067 exploit that is a little more flexible. It has logic to address differing payload lengths and also allows attempts on port 139 over NetBIOS sessions, something the Metasploit ruby code seems to handle well but I hadn’t seen it implemented in Python.

If direct exploitation with Metasploit isn’t working this probably won’t work either, but it’s worth a shot.

Anyways, here it is:
GitHub - andyacer/ms08_067: Updating MS08-067 Python exploit script

Nice one :slight_smile:

@m4r10m4chuc4 said:
Hello guys i tried to use this exploit Microsoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067) - Windows remote Exploit, i generate my shellcode with msfvenom with meterpreter payload and shell payload and i modify the exploit to enter my shellcode and i have my session in metasploit albut always exploit failed, but connection refused from 10.10.10.4:443 what did bad?, any sugestions?

Is the Version or patch level supported in the exploit?

@halfluke said:
https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py doesn’t work either, however https://github.com/3mrgnc3/pentest_old/blob/master/ms08-067-nc.py works fine, which is very weird as they are the same code.

I customized it ??

try another port maybe> @3mrgnc3 said:

@halfluke said:
https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py doesn’t work either, however https://github.com/3mrgnc3/pentest_old/blob/master/ms08-067-nc.py works fine, which is very weird as they are the same code.

I customized it ??

thanks

It’s a long story and an old thread, but the main point for me was that I needed to add a NOP sled in the actual payload generation, along with the one already existing in the exploit

@monkeychild said:

@m4r10m4chuc4 said:
Hello guys i tried to use this exploit Microsoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067) - Windows remote Exploit, i generate my shellcode with msfvenom with meterpreter payload and shell payload and i modify the exploit to enter my shellcode and i have my session in metasploit albut always exploit failed, but connection refused from 10.10.10.4:443 what did bad?, any sugestions?

Is the Version or patch level supported in the exploit?

Yep I did it finaly my msfvenom payload was bad, i tried other way and finally work it

Type your comment> @Veilios said:

hi guys, not sure if it’ll help months later, but I created a modified version of the MS08-067 exploit that is a little more flexible. It has logic to address differing payload lengths and also allows attempts on port 139 over NetBIOS sessions, something the Metasploit ruby code seems to handle well but I hadn’t seen it implemented in Python.

If direct exploitation with Metasploit isn’t working this probably won’t work either, but it’s worth a shot.

Anyways, here it is:
GitHub - andyacer/ms08_067: Updating MS08-067 Python exploit script

@Veilios Thanks so much!!! Working on OSCP right now and didn’t want to be forced into the Metasploit module. This worked like a champ! I was getting frustrated with the other ones and they weren’t working. Good work! Thanks again! Saving this to exploits folder.

Type your comment> @Veilios said:

hi guys, not sure if it’ll help months later, but I created a modified version of the MS08-067 exploit that is a little more flexible. It has logic to address differing payload lengths and also allows attempts on port 139 over NetBIOS sessions, something the Metasploit ruby code seems to handle well but I hadn’t seen it implemented in Python.

If direct exploitation with Metasploit isn’t working this probably won’t work either, but it’s worth a shot.

Anyways, here it is:
GitHub - andyacer/ms08_067: Updating MS08-067 Python exploit script

Thanks I could not get the others to work but this went through!

Hello All, Tried running this, I get sending stage on the handler, but no shell. It works fine with metasploit, but wanted to do this manually. I have run 3 or 4 different python codes, and no luck. Am I missing an update on Impacket or python maybe? any help?

I just had this same issue and got past it. It was an issue with the shellcode length. Needed to be exactly 410 bytes.

I used the following sploit: Microsoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067) - Windows remote Exploit

I generated my shellcode with msfvenom and added NOP bytes (\x90) to the front of the shellcode to reach exactly 410 bytes.

To help with accuracy, I added a line after the shellcode to print the shellcode byte count in my local copy of the script (Python v3.x):
print(len(shellcode))

Took me way too long to figure that out and tried too many things leading up to that! I hope that helps!

Type your comment> @DamianThomas said:

I just had this same issue and got past it. It was an issue with the shellcode length. Needed to be exactly 410 bytes.

I used the following sploit: Microsoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067) - Windows remote Exploit

I generated my shellcode with msfvenom and added NOP bytes (\x90) to the front of the shellcode to reach exactly 410 bytes.

To help with accuracy, I added a line after the shellcode to print the shellcode byte count in my local copy of the script (Python v3.x):
print(len(shellcode))

Took me way too long to figure that out and tried too many things leading up to that! I hope that helps!

Hi, there. Thanks a lot for your tips. It works for me. Really helpful.

When you generate the shellcode with msfvenom, it will tell you the length of your shellcode. I used that to calculate how many NOP bytes I need.

Thanks Fella, this worked perfectly. Appreciated! @Veilios said:

hi guys, not sure if it’ll help months later, but I created a modified version of the MS08-067 exploit that is a little more flexible. It has logic to address differing payload lengths and also allows attempts on port 139 over NetBIOS sessions, something the Metasploit ruby code seems to handle well but I hadn’t seen it implemented in Python.

If direct exploitation with Metasploit isn’t working this probably won’t work either, but it’s worth a shot.

Anyways, here it is:
GitHub - andyacer/ms08_067: Updating MS08-067 Python exploit script

@DamianThomas said:
I just had this same issue and got past it. It was an issue with the shellcode length. Needed to be exactly 410 bytes.
Took me way too long to figure that out and tried too many things leading up to that! I hope that helps!

This worked for me, but how did you figure out the payload needed to be exactly 410 bytes? Is there a program that can tell you how many bytes the buffer is??