
ms03_026_dcom help please


cyber.spirit


Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Sat May 26, 2012 3:33 pm


Hi guys, I started working in my new lab to learn Metasploit completely, so I used the ms03_026_dcom exploit to attack a Windows XP machine, but I can't get access. Does anybody know why? Here are the complete details:


ms03_026 vulnerability
=================================================
Lab setup:

Attacker Machine: BackTrack 5 R2 Gnome
      IP Address: 192.168.137.67
Victim's Machine: Windows XP SP 3
      IP Address: 192.168.137.165
=================================================
Victim's Portscan output:

PORT     STATE SERVICE
21/tcp   open  ftp
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
=================================================
Metasploit Framework 4.2

Exploit= windows/dcerpc/ms03_026_dcom
Payload= windows/meterpreter/bind_tcp

Module options (exploit/windows/dcerpc/ms03_026_dcom):

  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST  192.168.137.165  yes       The target address
  RPORT  135              yes       The target port


Payload options (windows/meterpreter/bind_tcp):

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
  LPORT     4444             yes       The listen port
  RHOST     192.168.137.165  no        The target address


Exploit target:

  Id  Name
  --  ----
  0   Windows NT SP3-6a/2000/XP/2003 Universal
=================================================
Exploitation Process output

[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.137.165[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.137.165[135] ...
[*] Sending exploit ...
[*] Exploit completed, but no session was created.
=================================================


Thankx
ICS Academy Network Security Certified

24772433


Newbie

Posts: 34

Joined: Thu Oct 20, 2011 3:22 pm

Location: UK

Post Sat May 26, 2012 5:21 pm

Re: ms03_026_dcom help please

The RHOST IP should be the victim machine's IP, i.e. x.x.x.67. RHOST is remote host, not local.

Steve.

ZeroOne

Jr. Member

Posts: 59

Joined: Tue Apr 24, 2012 7:41 am

Post Sat May 26, 2012 7:35 pm

Re: ms03_026_dcom help please

24772433 wrote: The RHOST IP should be the victim machine's IP, i.e. x.x.x.67. RHOST is remote host, not local.

Steve.


Not if he is running a test on a LAN, which it seems he does.

cyber.spirit


Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Sat May 26, 2012 9:20 pm

Re: ms03_026_dcom help please

ZeroOne wrote:
24772433 wrote: The RHOST IP should be the victim machine's IP, i.e. x.x.x.67. RHOST is remote host, not local.

Steve.


Not if he is running a test on a LAN, which it seems he does.



SOOO sorry guys, I typed the IP addresses in the wrong places, so here is the correct info:

Attacker Machine: BackTrack 5 R2 Gnome
     IP Address: 192.168.137.67
Victim's Machine: Windows XP SP 3
     IP Address: 192.168.137.165

I modified the first post too, so you can check it there as well.

I really don't know what my problem is; everything seems to be OK. Help me please.
ICS Academy Network Security Certified

unicityd


Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sun May 27, 2012 12:53 am

Re: ms03_026_dcom help please

Your victim machine is running XP Service Pack 3, which is not vulnerable. This is an old bug; you'll need an unpatched Windows machine to test it.
BS in IT, CISSP, MS in IS Management (in progress)

cyber.spirit


Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Sun May 27, 2012 3:21 am

Re: ms03_026_dcom help please

OK unicityd, so which SP of Windows XP do you think is vulnerable?
And which MSF exploit is compatible with Windows XP SP3?
ICS Academy Network Security Certified

24772433


Newbie

Posts: 34

Joined: Thu Oct 20, 2011 3:22 pm

Location: UK

Post Sun May 27, 2012 7:06 am

Re: ms03_026_dcom help please

As mentioned, it's an old exploit and has since been patched. You could try seeing if KB823980 is installed separately in Add/Remove Programs and uninstall it. This will work.

Gromic


Newbie

Posts: 38

Joined: Sat Nov 26, 2011 4:44 pm

Post Sun May 27, 2012 1:07 pm

Re: ms03_026_dcom help please

Hi cyber.spirit,

I guess you are going through Vivek's videos on Metasploit, right?!

As far as I know the RPC-DCOM exploit has been patched in SP1 or 2 ... not 100% sure at the moment.

However, the exploit will definitely work with an unpatched Win XP, so no SPs (I tested that). Also make sure to disable any (Windows) firewall.
Thinking .... Please Wait...

cyber.spirit


Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Sun May 27, 2012 2:48 pm

Re: ms03_026_dcom help please

Yes Gromic,
your guess is absolutely true. So first, if it was patched in SP1-2, then why can we see Windows 2003 in the exploit target range?
Then I want to ask you something: what is your opinion about this video series?
ICS Academy Network Security Certified

ZeroOne

Jr. Member

Posts: 59

Joined: Tue Apr 24, 2012 7:41 am

Post Sun May 27, 2012 3:09 pm

Re: ms03_026_dcom help please

Who on earth will be using XP with no SPs and with a disabled firewall, lol. Even if the exploit worked, what's the point of getting access to a host through that exploit without knowing what is really happening at the back end and how these exploits exactly work?

cyber.spirit


Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Sun May 27, 2012 5:43 pm

Re: ms03_026_dcom help please

Nobody! I know it's so easy to hack, but I want an MSF exploit like DCOM which can execute code remotely, to hack Windows XP SP3.
ICS Academy Network Security Certified

unicityd


Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sun May 27, 2012 9:05 pm

Re: ms03_026_dcom help please

Subscribe to the Bugtraq and Full-Disclosure mailing lists. They are used for reporting and discussing new vulnerabilities. Unfortunately, any tool/exploit you see announced there won't work for long on any system that is kept up to date.

If you want to have something reliable that is going to work on a fully patched system, then you either need to write your own exploits and keep them secret or find someone willing to share their zero-days with you (not likely unless you're paying).

There's nothing wrong with playing with a completely unpatched system to test out a tool like Metasploit to learn how it works, but you don't need to learn the exploits themselves. Exploits have a short shelf life. MS03-026 is from 2003 (hence MS03); it's ancient.

If you want to target Windows XP SP3 systems, your best bet is to use exploits targeting applications like Acrobat or Flash. Those are less likely to be up to date. Of course, you'll have to find some way to get the user to run the exploit.

You should probably look for some of the other getting-started threads on this site and follow the suggestions for reading/learning/experimenting. You need to build up a skill set rather than looking for a magic bullet. Occasionally a magic bullet does come along, but they don't last.
BS in IT, CISSP, MS in IS Management (in progress)

Gromic


Newbie

Posts: 38

Joined: Sat Nov 26, 2011 4:44 pm

Post Mon May 28, 2012 6:48 am

Re: ms03_026_dcom help please

+1 to what unicityd wrote.

@ZeroOne I agree with you on that. But as unicityd wrote ... the point is not to have a working exploit with which you can hack a gazillion machines, but to learn how Metasploit as a tool functions. And here I think for learning purposes it's totally fine to follow along with an "old" exploit just to see what options there are, how to use them ... and so on ... So, see it as a "walk before you can run" thing ;o).

One thought on "who on earth will be using XP with no SPs", though. Think about all the people who run a stolen/hacked copy of XP (or Vista or Win7) on their machines with update services disabled, in a panic about getting caught ... I heard this can be quite common in Third World countries. I don't know any statistics to show this though ... it was just a thought ... so please don't hold me to it ;o) ...

But you are probably right; in times of Vista and Win7 an unpatched copy of XP might be rare ... (at least I have no personal experience of that ...)

@cyber.spirit
I think the patch was originally released after SP1 (or 2) and then later added to the SPs ... that's why we still see Win 2003 in the target range in Metasploit (was that your question?!?) ... not sure about this though ...

I really like the videos on securitytube. I am quite a fan of the "visual learning approach" ... since I can better remember things when someone has shown me how to do it.

Anyways, have fun with the video series!
Thinking .... Please Wait...

Triban


Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Mon May 28, 2012 8:06 am

Re: ms03_026_dcom help please

By no means am I a Metasploit expert. But as with all pen testing, just because a scan says something might be vulnerable doesn't make it so. Metasploit does have the ability to do a quick check, but it will be basing it on a few factors: open ports, responses received and the version of software will contain some of the clues to the system being exploitable. But the information could be wrong, or you may not be getting the full story. Part of your learning should be to read up on the vulnerability reports for the systems. You can subscribe to Microsoft's security bulletins as well as keep your eyes on Bugtraq like unicityd recommended. If you run an nmap scan against the target and it comes back saying it is Win XP SP3, then look through your lists to see what it might be vulnerable to. Remember, extended support ends soon, so security patches will become limited soon.

I am sure you are now wondering about developing your own exploits. Well, if you have some decent assembly knowledge, that will be your language of choice to reverse engineer the kernel libraries in Windows. There are some courses that cover this as well as some books out there. You will need to get comfortable with assembly to make decent exploits and find 0-days. And assembly is a frigid cow of a language :D definitely not as warm and fuzzy as Python or Ruby :D But it can unlock a wealth of information from systems if you can navigate the dump. Another tool that will be helpful is the Windows SDK; with some fun virtual serial ports you can connect to a system and run the debugger against it to see all the goings-on and even send commands to it to see what breaks or how it behaves.

As for ZeroOne, you would be surprised how many legit copies of XP are still running around without the latest patches and service packs. And as I said before, Microsoft will be ending support:
http://windows.microsoft.com/en-us/wind ... nd-support
Granted, those with XP SP3 are good until 2014. But that gives big organizations and enterprises enough time to roll out Windows 7 in a non-holy-shit-we-gotta-move manner. It is also sad to know that there are still Windows 2000 and NT4 servers out there in production.

On a final note, any new testers out there should be looking toward Windows 7, 8 and Server 2008. If you are in school, by the time you get out, those will be the primary systems out there. Always keep your mind on what will be out there when you graduate.

OK, probably more than you needed. But hopefully you find it helpful.
Certs: GCWN
(@)Dewser
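A small inventory triage script, added here as an example and not written by any poster in the thread, applying what the thread establishes: MS03-026 needs TCP/135 reachable, KB823980 is its hotfix, and XP SP3 already carries the fix. The cutoff of XP SP2 (which shipped after the 2003 bulletin and includes it) is my assumption, since the posters themselves are unsure; the host records are constructed to mirror the lab in the first post.

```python
import re
from dataclasses import dataclass

# Matches nmap-style "135/tcp  open  msrpc" rows as pasted in the first post.
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\w+)\s+(\S+)")


def parse_ports(scan_text):
    """Parse an nmap 'PORT STATE SERVICE' table into {port: state}."""
    ports = {}
    for line in scan_text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports


@dataclass
class Host:
    name: str
    os: str        # e.g. "Windows XP"
    sp: int        # service pack level, 0 = none
    hotfixes: set  # installed KB numbers, e.g. {"KB823980"}
    ports: dict    # output of parse_ports()


# Platforms listed in the module's target range in the first post.
AFFECTED_OS = ("Windows NT", "Windows 2000", "Windows XP", "Windows 2003")


def ms03_026_exposure(host):
    """Classify a host's MS03-026 exposure from inventory data alone."""
    if not host.os.startswith(AFFECTED_OS):
        return "not affected: OS outside the MS03-026 target range"
    # The RPC endpoint mapper must be reachable; a host firewall that
    # filters 135 (the thread's "disable the Windows firewall") blocks it.
    if host.ports.get(135) != "open":
        return "not reachable: TCP/135 not open (closed or filtered)"
    if "KB823980" in host.hotfixes:
        return "patched: KB823980 installed"
    # Assumption: XP SP2 and later include the MS03-026 fix; other OSes
    # are only cleared by an explicit KB823980 entry (conservative).
    if host.os == "Windows XP" and host.sp >= 2:
        return "patched: XP SP2+ includes the MS03-026 fix"
    return "EXPOSED: TCP/135 open and MS03-026 fix not present"
```

The lab's XP SP3 victim with 135 open therefore classifies as "patched", which is the outcome the thread's "Exploit completed, but no session was created" line reflects.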

cyber.spirit


Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Mon May 28, 2012 8:24 am

Re: ms03_026_dcom help please

OK, thank you both. Yeah, I agree too: in third world countries you can find many unpatched OSes. And 3xban, I never say a machine is vulnerable until I get access to it, even if the port scanner says it's vulnerable. But some of the exploits in MSF are not designed for old machines, for example:

windows/browser/webdav_dll_hijacker

With this exploit you can get access to W2K8 R2 (if the admin is a fool lol).
ICS Academy Network Security Certified