139/tcp open netbios-ssn Microsoft Windows netbios-ssn445/tcp open microsoft-ds Windows XP microsoft-ds3389/tcp closed ms-wbt-server
This exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts.
Nmap SMB-Vuln scan:
Set msfconsole as follows:
Execute the exploit and get meterpreter shell.