4 Replies Latest reply on Jan 15, 2012 8:33 AM by opsec

    Windows XP crash after exploit



      I'm testing out Metasploit for my company and I have been going through a few tutorials on securitytube.net. However, I can't seem to get an exploit to work. I scanned my Windows XP SP1 VMware machine with Nessus and have confirmed that a "MS08-067 Microsoft Windows Server Service Crafted RPC Request Handling..." exploit exists. On my Windows machine I then disabled the firewall and opened up port 445.


      On my Ubuntu VMware machine I chose "exploit/windows/smb/ms08_067_netapi" with the following payloads:



      and a few others.


      I set the LHost, the RHOST and then run exploit. I usually get these messages:


      [*] Started reverse handler on
      [-] Exploit exception: Login Failed: Connection reset by peer
      [*] Exploit completed, but no session was created.

      [*] Started bind handler
      [-] Exploit exception: The connection was refused by the remote host (
      [*] Exploit completed, but no session was created.

      [*] Started reverse handler on
      [*] Automatically detecting the target...
      [*] Fingerprint: Windows XP - Service Pack 3 - lang:Unknown
      [*] We could not detect the language pack, defaulting to English
      [*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
      [*] Attempting to trigger the vulnerability...
      [*] Exploit completed, but no session was created.


      When I get as far as the "Exploit completed, but no session was created." one... my Windows XP box brings up this error:

      "Generic Host Process for Win32 Services has encountered a problem and needs to close..."


      I know that this has been asked a lot on the web but I can't seem to find a straight answer that works. I scanned using Nessus to make sure that the machine is exploitable, the Windows XP box has only SP1, I disabled the firewall, I opened ports... what am I missing?


      Here are my options:

      msf  exploit(ms08_067_netapi) > show options

      Module options (exploit/windows/smb/ms08_067_netapi):

         Name     Current Setting  Required  Description
         ----     ---------------  --------  -----------
         RHOST                     yes       The target address
         RPORT    445              yes       Set the SMB service port
         SMBPIPE  browser          yes       The pipe name to use (BROWSER, SRVSVC)

      Payload options (windows/vncinject/reverse_tcp):

         Name      Current Setting  Required  Description
         ----      ---------------  --------  -----------
         AUTOVNC   true             yes       Automatically launch VNC viewer if present
         EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
         LHOST                      yes       The listen address
         LPORT     4444             yes       The listen port
         VNCHOST                    yes       The local host to use for the VNC proxy
         VNCPORT   5900             yes       The local port to use for the VNC proxy

      Exploit target:

         Id  Name
         --  ----
         0   Automatic Targeting


      Thank you!

        • Re: Windows XP crash after exploit


          • Re: Windows XP crash after exploit

            Dear eagleeye,


            The reason you will not get a successful exploit on a Virtual Machine is because the Virtual Machine is running Windows XP (regardless of service pack) in a Chroot Jail Cell.


            If you install your copy of Windows XP SP1 on a spare computer lying around, you may find it will produce totally different results.


            You're trying to Pwn Chroot, old buddy, that's why it's not doing anything! One of the advantages of running XP in a Virtual instance... Your services are hiding in the Cloud!


            I can think of a multitude of reasons why it won't work: AppArmor, SELinux, grSecurity, PaX, ASLR... When you're running a virtual machine it's actually far more secure than the original. Hence my bets on Chroot!


            In a twisted kind of way that can be hours of fun, OS X or Windows XP SP3 in a Virtual Machine with a hardened TCP/IP Stack running on Hardened Linux.. Gives a whole new realm to the words IDS & Honeypot.



            Come on kiddies, do your worst, you can't touch this & we know it... Where will they end up? Oh, at the Chroot prompt of course! Congratulations, you have effectively hacked your way into nothing. An excellent opportunity to ask them if they've ever heard of the expression "Could not hack their way out of a paper bag!"

              • Re: Windows XP crash after exploit

                WinXP doesn't have ASLR, and running in a VM doesn't confer magical abilities to the guest OS.


                As for the reason for the crash, it might be something simple like a bad target. That module has about a zillion targets; see http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi


                Try picking a specific one for your target, paying attention to whatever localization language that might be running, and note the warning in the description of the module:


                The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts.

                1 of 1 people found this helpful
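A defender-side example, added here and not taken from any post in this thread: the "Generic Host Process for Win32 Services has encountered a problem" dialog the OP sees is svchost.exe dying, and on XP/2003 that lands in the Application log as an Application Error (Event ID 1000) record whose message text names the faulting application and module. The Python below triages such records and flags svchost crashes in netapi32.dll (the module that carried the MS08-067 bug) as likely failed exploit attempts; the log lines, hostnames, versions and addresses are constructed, and the one-line "hostname + message text" layout is an assumption about how the records were exported.

```python
import re
from collections import Counter
# Constructed sample records (hostname + Event ID 1000 message text); hosts,
# versions and fault addresses are made up for this example.
SAMPLE_EVENTS = [
    "xpsp1-lab Faulting application svchost.exe, version 5.1.2600.1106, "
    "faulting module netapi32.dll, version 5.1.2600.1106, fault address 0x00014f1e.",
    "xpsp1-lab Faulting application svchost.exe, version 5.1.2600.1106, "
    "faulting module netapi32.dll, version 5.1.2600.1106, fault address 0x00014f1e.",
    "xpsp1-lab Faulting application explorer.exe, version 6.0.2900.1106, "
    "faulting module shell32.dll, version 6.0.2900.1106, fault address 0x0001a2b3.",
    "fileserv Faulting application svchost.exe, version 5.2.3790.0, "
    "faulting module rpcrt4.dll, version 5.2.3790.0, fault address 0x00012345.",
]

EVENT_RE = re.compile(
    r"^(?P<host>\S+)\s+Faulting application (?P<app>\S+), version (?P<appver>\S+), "
    r"faulting module (?P<module>\S+), version (?P<modver>\S+), "
    r"fault address 0x(?P<addr>[0-9a-fA-F]+)\.$"
)

# The MS08-067 flaw is in netapi32.dll, loaded by the svchost.exe that hosts the
# Server service, so an svchost crash in that module is the footprint of a failed attempt.
MS08_067_MODULES = {"netapi32.dll"}

def parse_event(line):
    # Return the event fields as a dict, or None if the line is not an Event 1000 record.
    m = EVENT_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["app"], ev["module"] = ev["app"].lower(), ev["module"].lower()
    return ev

def classify(ev):
    # Label one parsed event by how strongly it points at a failed MS08-067 attempt.
    if ev["app"] != "svchost.exe":
        return "unrelated"
    if ev["module"] in MS08_067_MODULES:
        return "likely-ms08-067-attempt"
    return "other-svchost-crash"

def triage(lines):
    # Count (host, label) pairs; repeated hits on one host mean repeated attempts.
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            counts[(ev["host"], classify(ev))] += 1
    return dict(counts)
```

Running triage(SAMPLE_EVENTS) shows two netapi32.dll hits on the lab box and one unrelated svchost crash elsewhere, which is the kind of grouping you want before deciding whether a host saw a scanner, a real attempt, or an unrelated fault.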
                  • Re: Windows XP crash after exploit

                    If I had a nickel every time someone tells me I am doing it wrong.




                    And in the "here's one I baked earlier" dept.




           - Australia - Comin to the BBQ?


                    Got to hand it to the little bugger for persistence...


                    Made it from Box 1 into the Militarized Zone, made it from Box 2 to be turned into electrons digitised across the airwaves from Box 3 to Box 4 channeling Box 5.


                    Staged a UDP Bootpc into a TCP Handler across port 80 tunneling from 4 to 5, only to be thwarted at the last hurdle because nobody should be sniffing around DEAD BEEF unless they're here for the Party!