
I'm working with some exploit code for the MS08-067 vulnerability from ExploitDB.

The section `WNetAddConnection2(&nr, "", "", 0)`* fails with an error of 67 (ERROR_BAD_NET_NAME), but I don't know why.

I'm using the correct IP as the argument for the program, against an XP SP2 VM which is vulnerable to MS08-067 (I've exploited it with Metasploit).

Has anyone used this code before and come across this? Any help would be appreciated.

*Extended Code:

```c
#include <stdio.h>
#include <windows.h>
#include <winnetwk.h>
#pragma comment(lib, "mpr.lib")   /* WNetAddConnection2 is exported by mpr.dll */

int main(int argc, char *argv[])
{
    char unc[256];
    NETRESOURCE nr = {0};
    DWORD error;
    if (argc < 2) { printf("usage: %s <target-ip>\n", argv[0]); return 0; }
    const char *server = argv[1];

    /* _snprintf_s takes a count argument before the format string; without it the
       format slides into the count slot and unc ends up holding only the IP */
    _snprintf_s(unc, sizeof(unc), _TRUNCATE, "\\\\%s\\pipe", server);
    unc[sizeof(unc) - 1] = 0;

    nr.dwType = RESOURCETYPE_ANY;
    nr.lpLocalName = NULL;   /* no local device name: plain UNC connection */
    nr.lpRemoteName = unc;
    nr.lpProvider = NULL;    /* let the system pick the network provider */

    printf("connect %s ipc$ .... ", server);
    /* empty password and user name: anonymous (null session) connection */
    if ((error = WNetAddConnection2(&nr, "", "", 0)) != 0)
    {
        printf("failed (error %lu)\n", error);   /* 67 = ERROR_BAD_NET_NAME */
        return 0;
    }
    return 0;
}
```
  • I'm shooting in the dark, but it seems like that error is referencing an invalid / nonexistent resource. Maybe the syntax of the name? – Henry F Feb 26 '17 at 23:05
  • `_snprintf_s` seemed to be giving only the IP, so I hardcoded in the path but the function still fails? I tried it with just the IP (no `\\pipe` on the end) in `unc` then it connects and proceeds, but nothing happens. – Synthetic Ascension Feb 27 '17 at 09:34
  • When you observed the value of '_snprintf_s' during prime-time, it did not include the pipe as it should? (Side note: I was unaware that there was a standalone exploit targeting this vuln, I'm really glad that it exists. Thought it was a Metasploit-only). – Henry F Mar 01 '17 at 03:53
  • Have you tried using this: https://www.exploit-db.com/exploits/7132/ And update the return address with the one here: – grepNstepN Oct 06 '17 at 19:19

1 Answer


Well, if your goal is just to exploit MS08-067 (and not make this code you found work), have you tried using this: https://www.exploit-db.com/exploits/7132/

Unfortunately, you may not be able to just update the return address with the one here, as it's for WinXPsp0/1: https://www.exploit-db.com/exploits/40279/

Last, disassemble the netapi32.dll on your WinXPsp2 yourself to determine an appropriate return address.

grepNstepN
  • OP doesn't mention anything about a return address, but asks why a function of the exploit is not working. Additionally they've already stated they were able to exploit w/ Metasploit so your linking to the exploit-db exploit is not helpful. – DKNUCKLES Oct 06 '17 at 19:30
  • OP doesn't mention whether or not their objective is exploitation or merely to test the PoC. I merely stated helpful solutions if their objective is exploitation. – grepNstepN Oct 14 '17 at 20:45