Exploiting ms09_002_memory_corruption in Windows
We all know how easy it is to exploit systems from Linux, but how about Windows users hacking Windows users? Well, the premise is very much the same, so I figured I'd do a write-up on it and include my favorite tool, Cain & Abel, in on the fun. The benefit of this method is that you don't have to mail, host, or otherwise do anything to the victim to get them to be affected, though it only works on the local LAN. Enjoy!
Pre-requisites
Download Metasploit Framework 3 latest developmental snapshot
Download the Ruby one click installer
Download Ruby-Gtk2
Download Cain & Abel
Installation
Install Ruby in any directory (Ex: c:\Ruby).
Install Ruby-gtk2 to same directory as Ruby.
Unpack Metasploit 3 to any directory (Ex: c:\msf)
Install Cain & Abel to default directory, install WinPcap 4.1 Beta 5 (included)
Procedure
Open a command prompt (Start -> Run... -> cmd.exe) and change directory to where you unpacked your metasploit files.
Enter ruby msfgui in the command prompt; Ruby will run and the Metasploit GUI will start. Once this is done, minimize it.
Open Cain, select Sniffer, scan for hosts, and take note of the IP you wish to attack. Now switch to the APR tab and set up APR between the gateway and your victim: click in the APR window and press the blue plus sign, add your router's gateway IP and your victim's, and hit OK. Next go to the APR-DNS menu and enter a host to spoof. I know for a fact I'm testing against a machine that opens Google as its start page, so I redirect that to my own IP and hit the nuclear logo to start APR. You can verify what pages your victim is browsing using Wireshark or some other packet sniffer.
Great, we're halfway there. Open up Metasploit again and select exploits -> windows -> browser -> ms09_002_memory_corruption, right-click and hit Execute. Select the only target it works on (WinXP SP2-3, Vista SP0) and hit Forward. On the payload list select windows/shell/reverse_tcp and hit Forward. Leave SRVHOST at 0.0.0.0 but change SRVPORT to 80, click Forward, then hit Apply. You are now ready: go back to Cain and enable APR, wait for the victim to open their browser, and you have a shell with their privileges... the rest I leave up to you.
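The APR step above works by overwriting the gateway entry in the victim's ARP cache with the attacker's MAC address, and the APR-DNS step then answers a public hostname with an address on the local LAN. Both leave visible traces on the victim. As an added example (not part of the original post, and not code from Cain & Abel or Metasploit), the Python script below parses `arp -a` style output and flags the two symptoms a defender would look for: a unicast MAC claimed by more than one IP, and a gateway MAC that no longer matches a baseline recorded on a clean network. It also checks a DNS answer for a public hostname that points into private address space. The sample ARP table, the baseline gateway MAC and the DNS answer are constructed values, not captures from any real network.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of Windows `arp -a` output as it might look while the
# gateway entry has been overwritten: the gateway (192.168.1.1) now shows the
# same MAC as another LAN host (192.168.1.37). Not real data.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.37          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Hypothetical baseline recorded on a known-clean network (constructed value).
KNOWN_GATEWAY = {"ip": "192.168.1.1", "mac": "00-11-22-33-44-55"}

# One ARP table row: IPv4 address, dash-separated MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp_table(text):
    """Return a list of (ip, mac, type) tuples from `arp -a` style text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, typ = m.groups()
            entries.append((ip, mac.lower(), typ.lower()))
    return entries


def is_unicast(mac):
    """Broadcast and multicast MACs legitimately map to many IPs, so skip them.
    The low bit of the first octet marks a group (multicast/broadcast) address."""
    first_octet = int(mac.split("-")[0], 16)
    return not (first_octet & 1)


def find_duplicate_macs(entries):
    """Map each unicast MAC claimed by more than one IP to the list of those IPs."""
    by_mac = defaultdict(list)
    for ip, mac, _ in entries:
        if is_unicast(mac):
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(entries, known):
    """Return the MAC currently mapped to the gateway IP if it differs from the
    baseline, otherwise None."""
    for ip, mac, _ in entries:
        if ip == known["ip"] and mac != known["mac"].lower():
            return mac
    return None


def suspicious_dns_answer(hostname, answer_ip):
    """True when a public hostname resolves to a private/loopback/link-local
    address, which is what the APR-DNS redirect in the post produces."""
    addr = ipaddress.ip_address(answer_ip)
    return not hostname.endswith((".local", ".lan")) and (
        addr.is_private or addr.is_loopback or addr.is_link_local
    )


def analyze(text, known_gateway=KNOWN_GATEWAY):
    """Run both ARP checks over the given table text and return the findings."""
    entries = parse_arp_table(text)
    return {
        "duplicate_macs": find_duplicate_macs(entries),
        "gateway_mac_changed_to": check_gateway(entries, known_gateway),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_ARP_OUTPUT)
    for mac, ips in result["duplicate_macs"].items():
        print(f"WARNING: MAC {mac} is claimed by several IPs: {', '.join(ips)}")
    changed = result["gateway_mac_changed_to"]
    if changed:
        print(f"WARNING: gateway {KNOWN_GATEWAY['ip']} now maps to {changed}, "
              f"expected {KNOWN_GATEWAY['mac']}")
    # Constructed DNS answer: a public name answered with a LAN address.
    if suspicious_dns_answer("www.google.com", "192.168.1.37"):
        print("WARNING: public hostname resolved to a private address")
```

On a real host you would feed the script the live output of `arp -a` (for example via `subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout`) and keep the baseline gateway MAC in a file written while the network was known to be clean. Static ARP entries for the gateway and Dynamic ARP Inspection on managed switches are the corresponding mitigations; the checks here only detect the condition after the fact.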

lol
Man, very very cool post.
I tried this before on my local LAN but nothing happened, because all my network is using an anti-ARP program which blocks and prevents everything about DNS spoofing and ARP poisoning. I want to know any method to defeat this program; also, I know the router password.
Thanks man, good job.
Bye.
Awesome. Just awesome... I haven't any words to appreciate this post..... Really, I am impressed by this post.... The person who created this post, he is a great human.. Thanks for sharing this with us.