The Joy of Exploitation
65
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
25/tcp open smtp Microsoft ESMTP 6.0.2600.2180
80/tcp open http Microsoft IIS webserver 5.1
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
1433/tcp open ms-sql-s Microsoft SQL Server 2005 9.00.1399; RTM
MAC Address: 00:0C:29:EA:26:7C (VMware)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS details:
Microsoft Windows XP Professional SP2 or Windows Server 2003
Network Distance: 1 hop
Service Info: Host: ihazsecurity; OS: Windows
Host script results:
smb-check-vulns:
MS08-067: VULNERABLE
Conficker: Likely CLEAN
regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.67 seconds
msf >
Here, we call nmap from Metasploit with the --script=smb-check-vulns plug-in at . Notice the flags used while scanning the host with nmap. The -sT is a Stealth TCP connect, which we have found to be the most reliable flag when trying to enumerate ports. (Others prefer -sS, or Stealth Syn.) The -A specifies advanced OS detection, which does some additional banner grabs and footprinting of a specific service for us.
Notice in the results from nmap that MS08-067: VULNERABLE is reported at . This is a good indicator that we have a chance at exploiting this system. Let’s use Metasploit to find the exploit we want and attempt to compromise the system.
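As an added example, not code from the book, here is a small Python parser for output like the listing above: it pulls out the port table, the OS details line and the smb-check-vulns results so a defender can see which hosts the script reported VULNERABLE and which checks were skipped and still need confirming. The sample text is constructed from the listing.

```python
import re
# Constructed sample, taken from the scan listing above (not a live scan).
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
OS details:
Microsoft Windows XP Professional SP2 or Windows Server 2003
Host script results:
smb-check-vulns:
MS08-067: VULNERABLE
Conficker: Likely CLEAN
regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
Nmap done: 1 IP address (1 host up) scanned in 71.67 seconds
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
CHECK_RE = re.compile(r"^([^:]+):\s+(.*)$")  # e.g. "MS08-067: VULNERABLE"

def parse_scan(text: str) -> dict:
    """Extract the port table, the OS details line and the smb-check-vulns block."""
    result = {"ports": [], "os": None, "checks": {}}
    in_smb = False
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            result["ports"].append({"port": int(port), "proto": proto, "state": state, "service": service, "version": version or ""})
        elif line == "OS details:" and i + 1 < len(lines):
            result["os"] = lines[i + 1]  # nmap prints the OS guess on the following line
        elif line == "smb-check-vulns:":
            in_smb = True  # the per-check results follow, one per line
        elif in_smb:
            m = CHECK_RE.match(line)
            if not m or line.startswith("Nmap done"):
                in_smb = False  # left the script block
            else:
                result["checks"][m.group(1)] = m.group(2)
    return result

def vulnerable_checks(parsed: dict) -> list:
    """Checks the script reported VULNERABLE: these are the hosts to patch first."""
    return [n for n, s in parsed["checks"].items() if s.startswith("VULNERABLE")]

def disabled_checks(parsed: dict) -> list:
    """Checks that were skipped, so a host looking CLEAN here was not actually tested."""
    return [n for n, s in parsed["checks"].items() if s.startswith("CHECK DISABLED")]
```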
This exploit is specific to the operating system version, service pack, and language in use on the system, a result of the exploit bypassing Data Execution Prevention (DEP). DEP was created to help protect against buffer overflow attacks by rendering the stack read-only and thereby preventing arbitrarily placed shellcode from executing. However, we can bypass DEP and force Windows to make the stack writable by performing some complex stack manipulation. (For more on bypassing DEP, see http://www.uninformed.org/?v=2&a=4.)
In “msf> show targets” on page 62, we used the show targets command, which lists each vulnerable version for this specific attack vector. Because MS08-067 is an exploit that is very specific regarding the OS version in use, we will manually set our target to make sure we trigger the correct overflow. Based on the nmap scan results shown in the preceding example, we can tell at that the system is running Windows XP Service Pack 2. (It is also