Post Mon Feb 23, 2009 10:22 pm

Embedded MS08-067

Just blogged about MS08-067 ... 08067.aspx

I ran a rather routine Nessus scan of a network and noticed in the report that one of the devices was flagged as being vulnerable to MS08-067. Upon closer inspection, I found out that this was an embedded device (sorry, not providing specifics on what it was). I thought it was rather interesting, so I decided to use Metasploit to confirm.

After starting msfconsole, I selected the ms08-067 exploit (windows/smb/ms08_067_netapi) with the meterpreter payload (windows/meterpreter/reverse_tcp) and, sure enough, I could pop the box. All the meterpreter commands I ran worked just like on an XP box. I could have run anything I wanted, such as a keylogger to capture credentials.

I tried the VNC payload (windows/vncinject/bind_tcp) and sent the exploit again. After a few seconds I had a view of the desktop. Lots of nice information would be there.

As a test, I tried to write a file to the file system and then rebooted the box. When it came back up and I exploited the box again, the file was gone. The "no write" option prevented my attack from persisting, but it didn't stop it from happening. How often does an embedded device get rebooted anyhow? Once it was popped, it would probably only be rebooted during a power failure and, for all intents and purposes, could be considered persistent.

All I have left to do is figure out how to patch it.

Don't forget about those embedded devices (printers, terminals, security panels, etc.) since they [realistically] never get patched. If there isn't obviously useful information on them, you can sometimes gain usernames or passwords that are used elsewhere. Don't forget to pillage anything you get access to. In my case I was able to do a hashdump and get the hashes that I could crack.
Last edited by timmedin on Mon Feb 23, 2009 10:24 pm, edited 1 time in total.