Blackhattrick | Metasploit - Windows 2003 Server Exploitation with ms08_067_netapi vulnerability

In this article we will focus on exploiting a Windows 2003 server through the Microsoft directory service (microsoft-ds) vulnerability.

We have performed a port scan with Nmap and observed that the microsoft-ds service is open on port 445.

This service is used for file sharing in Windows environments.

Microsoft-ds Service is Open

The next step is to open the Metasploit Framework and find the exploit that will give us access to the remote server.

We already know that port 445 belongs to the SMB service, so our search will focus on SMB exploits such as netapi.

Specifically, the exploit we are going to use is ms08_067_netapi, which exploits a parsing flaw in the path canonicalization code of NetAPI32.dll.

Search for the netapi Exploit

So we configure the exploit with the appropriate IP addresses and use the meterpreter service as the payload.

Netapi Exploit Configuration

Now it is time to run the exploit against the target machine. As we can see from the image below, it successfully opened a meterpreter session.

Exploitation with the Netapi

We can use the sysinfo command of meterpreter to gather our first information about the Windows 2003 Server.

Note:

The microsoft-ds service is very common on Windows machines. Most servers will have it enabled, so they will be very easy to exploit unless they are behind a firewall that filters port 445. Remember that this exploit will only work against a Windows 2003 Server, and only in the following versions: Windows 2003 SP0, Windows 2003 SP1 and Windows 2003 SP2.
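The two facts above (port 445 reachable, and a Windows 2003 SP0/SP1/SP2 host) are exactly what an administrator needs to check on their own network before an attacker does. The following script is an added example and not part of the original post or of Metasploit: it parses Nmap grepable output (`-oG`), flags hosts that expose microsoft-ds on tcp/445, and ranks them by whether the OS guess matches the affected Windows 2003 versions named in the note, so the result can be used as a patch-and-firewall worklist. The sample scan lines and host addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of Nmap grepable (-oG) output; addresses and OS guesses
# are made up for this example.
SAMPLE_NMAP_GREPABLE = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 192.168.56.10 ()\tStatus: Up
Host: 192.168.56.10 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows Server 2003 SP2
Host: 192.168.56.11 ()\tPorts: 445/filtered/tcp//microsoft-ds///\tOS: Microsoft Windows Server 2003 SP1
Host: 192.168.56.12 ()\tPorts: 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows Server 2008 R2
Host: 192.168.56.13 ()\tPorts: 22/open/tcp//ssh///\tOS: Linux 5.X
"""

# Service packs the article names as affected by ms08_067_netapi.
AFFECTED_SPS = {"0", "1", "2"}

# One -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/tcp//([^/]*)///")


@dataclass
class Finding:
    host: str
    os_guess: str
    smb_state: str   # open / filtered / closed / absent
    risk: str        # high / medium / review / none
    action: str


def parse_grepable(text: str) -> List[Tuple[str, Dict[int, Tuple[str, str]], str]]:
    """Return (host, {port: (state, service)}, os_guess) for each 'Ports:' line."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue            # comment lines and bare 'Status:' lines carry no ports
        parts = line.split("\t")
        host = parts[0].split()[1]
        fields = {}
        for part in parts[1:]:
            key, _, value = part.partition(": ")
            fields[key] = value
        ports = {}
        for port, state, service in PORT_RE.findall(fields.get("Ports", "")):
            ports[int(port)] = (state, service)
        results.append((host, ports, fields.get("OS", "unknown")))
    return results


def affected_2003(os_guess: str) -> bool:
    """True when the OS guess is Windows Server 2003 at SP0, SP1 or SP2.

    Nmap guesses often read 'SP1 or SP2'; a 2003 guess with no SP at all is
    treated as affected until the patch level is confirmed.
    """
    if "Windows Server 2003" not in os_guess:
        return False
    sps = set(re.findall(r"\bSP(\d)\b", os_guess))
    return not sps or bool(sps & AFFECTED_SPS)


def assess(text: str) -> List[Finding]:
    """Rank every scanned host by its exposure of microsoft-ds on tcp/445."""
    findings = []
    for host, ports, os_guess in parse_grepable(text):
        state, _service = ports.get(445, ("absent", ""))
        if state == "open" and affected_2003(os_guess):
            risk, action = "high", "apply the MS08-067 update and filter tcp/445 at the firewall"
        elif affected_2003(os_guess):
            risk, action = "medium", "tcp/445 not reachable from the scanner; still apply the MS08-067 update"
        elif state == "open":
            risk, action = "review", "SMB exposed on a host outside the article's affected set; confirm patch level"
        else:
            risk, action = "none", "no microsoft-ds exposure"
        findings.append(Finding(host, os_guess, state, risk, action))
    return findings


def risk_by_host(text: str) -> Dict[str, str]:
    """Compact view used for reporting: host -> risk level."""
    return {f.host: f.risk for f in assess(text)}


if __name__ == "__main__":
    for f in sorted(assess(SAMPLE_NMAP_GREPABLE), key=lambda f: f.risk):
        print(f"{f.host:15} 445={f.smb_state:8} {f.risk:6} {f.os_guess} -> {f.action}")
```

Run it against the output of `nmap -sV -O -p 139,445 -oG scan.gnmap <range>` by reading `scan.gnmap` instead of the constructed sample; hosts rated `high` are the ones the walkthrough above would reach, and the `medium` entries show the firewall case the note describes: port 445 is filtered, but the host is still unpatched.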


Reviewed by BlackHat on 12:41 PM
