background image

The Joy of Exploitation

65

PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
25/tcp   open  smtp         Microsoft ESMTP 6.0.2600.2180
80/tcp   open  http         Microsoft IIS webserver 5.1
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
1433/tcp open  ms-sql-s     Microsoft SQL Server 2005 9.00.1399; RTM
MAC Address: 00:0C:29:EA:26:7C (VMware)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS details: 

Microsoft Windows XP Professional SP2 or Windows Server 2003

 

Network Distance: 1 hop
Service Info: Host: ihazsecurity; OS: Windows

Host script results:
 smb-check-vulns:
   

MS08-067: VULNERABLE

 

   Conficker: Likely CLEAN
   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.67 seconds
msf >

Here, we call 

nmap

 from Metasploit with the 

--script=smb-check-vulns

 

plug-in at  . Notice the flags used while scanning the host with 

nmap

. The 

-sT

 is a Stealth TCP connect, which we have found to be the most reliable flag 

when trying to enumerate ports. (Others prefer 

-sS

, or Stealth Syn.) The 

-A

 

specifies advanced OS detection, which does some additional banner grabs 
and footprinting of a specific service for us.

Notice in the results from 

nmap

 that 

MS08-067: VULNERABLE

 is reported at  . 

This is a good indicator that we have a chance at exploiting this system. Let’s use 
Metasploit to find the exploit we want and attempt to compromise the system. 

This exploit is specific to the operating system version, service pack, and 

language in use on the system, a result of the exploit bypassing Data Execution 
Prevention (DEP). DEP was created to help protect against buffer overflow 
attacks by rendering the stack read-only and thereby preventing arbitrarily 
placed shellcode from executing. However, we can bypass DEP and force 
Windows to make the stack writable by performing some complex stack 
manipulation. (For more on bypassing DEP, see 

http://www.uninformed.org/

?v=2&a=4

.)

In “msf> show targets” on page 62, we used the 

show targets

 command, 

which lists each vulnerable version for this specific attack vector. Because 
MS08-067 is an exploit that is very specific regarding the OS version in use, 
we will manually set our target to make sure we trigger the correct overflow. 
Based on the 

nmap

 scan results shown in the preceding example, we can 

tell at   that the system is running Windows XP Service Pack 2. (It is also