WINDOWS XP - EXPLOITATION
- Layout for this exercise:
- Metasploit can perform a port scan on a victim, similar to the usual Nmap scan, using this auxiliary module:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8yaxS8nnkFG4z9xQlt2lOii0brTc90L7_u-VodWBE8gtDhCkh5YdPw4UASw35bIE7niKjog_u3cpgtPr1KxYGlmQ_wbkodVonMta41LUU3OVGIbV5FZVfuZ_qRoiXOMDLhVNMkADLB3Dt/s400/screenshot.1.jpg)
- Options for this auxiliary module:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHVjsjxK3AvoBnCUOzJH0WPiGRdAWobEA-60duAWZ_ztDy3K6D2uWEf1E8uxdH2B2Q0FvPog-K65fWxKitwpz3PxDGtX9lvQyNJqp-Cb-wRVrDQYTKU2apizhBgzCRA91uILEJKZSqsqyi/s1600/screenshot.2.jpg)
- The remote host (RHOSTS) is the victim's IP, and in this case the range of ports to be scanned will be from 1 to 1000:
- The result of the scanning process is that 3 ports are open at the victim machine: 135, 139 and 445:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh77CSSxsLa61ZS96EAKUDsW3tcLztDafiQzfrYFX82wnjqurkWXgLEuK5fvfrzwB60EfiHfHd8rUDKJr97adUB286Vwsiz7bFvxgzu78NpY2TyQNpv2wK76mJCNrB76AQ8HGj0iiRYJBQg/s1600/screenshot.4.jpg)
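From the defender's side, the sweep shown above (one source probing ports 1 to 1000 on one host) is easy to spot in host-firewall or flow logs. The following Python script is an added example, not part of the original post: it parses constructed connection-log lines, flags any source that touches many distinct ports on a single destination within a short window, and reports which of the probed ports actually accepted the connection. The log format, the 10.0.0.x addresses and the threshold values are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from the lab in this post). Format per line:
# "<ISO timestamp> <source IP> <destination IP>:<port> <accepted|refused>".
# 10.0.0.5 probes a run of ports on 10.0.0.20; 10.0.0.7 is ordinary file-share traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 10.0.0.20:21 refused
2024-01-01T10:00:00 10.0.0.5 10.0.0.20:22 refused
2024-01-01T10:00:01 10.0.0.5 10.0.0.20:80 refused
2024-01-01T10:00:01 10.0.0.5 10.0.0.20:135 accepted
2024-01-01T10:00:01 10.0.0.5 10.0.0.20:139 accepted
2024-01-01T10:00:02 10.0.0.5 10.0.0.20:443 refused
2024-01-01T10:00:02 10.0.0.5 10.0.0.20:445 accepted
2024-01-01T10:00:03 10.0.0.5 10.0.0.20:1000 refused
2024-01-01T10:00:05 10.0.0.7 10.0.0.20:445 accepted
2024-01-01T10:05:00 10.0.0.7 10.0.0.20:445 accepted
"""

PORT_THRESHOLD = 5              # distinct ports from one source to one host ...
WINDOW = timedelta(seconds=60)  # ... inside this sliding window (assumed tuning values)


def parse_log(text):
    """Yield (timestamp, src, dst, port, accepted) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_port, outcome = line.split()
        dst, port = dst_port.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src, dst, int(port), outcome == "accepted"


def detect_scans(text, threshold=PORT_THRESHOLD, window=WINDOW):
    """Return {(src, dst): {"ports": n, "open": [...]}} for every source/destination
    pair where the source touched at least `threshold` distinct ports inside `window`.
    "ports" is the total number of distinct ports probed, "open" the ones that accepted."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port, accepted)]
    for ts, src, dst, port, accepted in parse_log(text):
        events[(src, dst)].append((ts, port, accepted))

    alerts = {}
    for key, evs in events.items():
        evs.sort()  # chronological order for the sliding window
        start = 0
        flagged = False
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {port for _, port, _ in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged = True
                break
        if flagged:
            all_ports = {port for _, port, _ in evs}
            open_ports = sorted({port for _, port, ok in evs if ok})
            alerts[key] = {"ports": len(all_ports), "open": open_ports}
    return alerts


if __name__ == "__main__":
    for (src, dst), info in detect_scans(SAMPLE_LOG).items():
        print(f"scan from {src} against {dst}: {info['ports']} ports probed, "
              f"open ports {info['open']}")
```

On the constructed log this flags 10.0.0.5 with eight probed ports and the same three open ports the post's scan found (135, 139 and 445), while the legitimate 10.0.0.7 client stays below the threshold. The open-port list is the useful part for a defender: it tells you which RPC/SMB services were reachable from the scanning host and should be firewalled or patched.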
- To exploit the victim, Metasploit provides the ms03_026_dcom exploit, based on a well-known Microsoft vulnerability. This module exploits a stack buffer overflow in the RPCSS service.
https://www.rapid7.com/db/modules/exploit/windows/dcerpc/ms03_026_dcom
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_f3F2lJRJ1XvgLOkfFRREIDoUSjF8gfHf7bqSr6mY8HviLcTJ4t3ng3jkGV08RB7sMc2cwf6sEjGBYfZz1mNqWdTqFTmU_VtHAEpqeggDKFl9xxwWVNzjrdabUHGLy3POdHKFZ8Mc5t30/s1600/screenshot.5.jpg)
- A required option for this exploit is the remote host's IP:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwg9XKaxniLJivd0AkRxKPmfSODzxs6qjFZGRy4_uki7nvoRbU5f5I2yOlhVXv_H4gYlKqp0R4QlmjjrfgpL4Uw0qGEi2E7BA_4QvJso6SJcIeuUBpdDlYKocpyb5c0D0WPB_y7ihihLtQ/s1600/screenshot.6.jpg)
- Setting the RHOST or victim's IP:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8FXmMUXPo8crxIjoaPnB0P44rYCMtNTQlfd1BkZp4gegfk_EndtBkHE8q_ypt9wxIAEt2W6WIpKSHBR-agD6s_PX4LFjZamXYVBAEEmGnCWo2x3qkz-s4N_se4ef3SICF_nma4a4XVW6S/s1600/screenshot.7.jpg)
- Also, a bind shell payload can be used to obtain a remote shell on the victim:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXWXFjujvmJyoUDj1mbb5wNGsomc3BbeQYe_FEjdj9w-c3xXNFy2BrszwWnwBlF4iTorZHdrdYOoeKmAtghGSHDuE9-RsbB-JU8MkjoDZRrt3A7WdlYPQV9tlLaVHtyd2nu66lji7reMup/s1600/screenshot.8.jpg)
- In this case, the options for this payload are already set:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigSkS2cS2JywfIaaDvOT7bRe3R22Y1e1J1WTt1mOjQyxrdhMVtP-DZPzSvHZSXL5-aTaTAv7AvbmbNcdB6Djeq4qZYE7NcQvtAK5s42a4I_mAs-wrAer0hra0gcpEF99VeKHwU-lhE_2VJ/s1600/screenshot.9.jpg)
- The exploit is launched, and its successful result is a remote shell at C:\WINDOWS\system32>:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_bIaku_wUdZ0m6fMG1sXfC73W98Ake1NSaU8sx_o5EkXTs_qeG_KS9V4tmrOhr2_N4jYgXhmEMsU__AnDDNzmXLjM64Alt3sJ5ewQ1dGvqIfMoVS3ZvwSCuXsPGiPFNWZWpHf6dROXwdn/s1600/screenshot.10.jpg)
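A bind shell payload like the one used above leaves a new listening TCP port on the victim, which is something a host-level check can catch. The following Python script is an added example, not part of the original post: it parses two constructed "netstat -an" snapshots from a Windows host (a known-good baseline and a later one), reports any listening TCP port that is neither in the baseline nor in an allowlist of expected listeners, and lists the remote peers connected to it. The snapshots, the 10.0.0.x addresses, the allowlist and the port 4444 are constructed values for the example, not output captured from this lab.

```python
import re

# Constructed "netstat -an" output from a Windows host (not from the lab in this post).
# BASELINE was taken while the host was known-good; CURRENT is a later snapshot.
BASELINE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.20:139          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

CURRENT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.20:139          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    10.0.0.20:4444         10.0.0.5:51234         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# TCP ports this host is expected to listen on (assumed local policy, not from the post).
EXPECTED_TCP_LISTENERS = {135, 139, 445}

# proto, local address, local port, foreign address, optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Return a list of (proto, local_port, foreign_endpoint, state) tuples,
    skipping the header lines netstat prints."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _local_addr, port, foreign, state = m.groups()
        rows.append((proto, int(port), foreign, state))
    return rows


def tcp_listeners(rows):
    """Set of local TCP ports in LISTENING state."""
    return {port for proto, port, _, state in rows if proto == "TCP" and state == "LISTENING"}


def new_listeners(baseline_text, current_text, expected=EXPECTED_TCP_LISTENERS):
    """Listening TCP ports present now but absent from both the baseline and the allowlist."""
    before = tcp_listeners(parse_netstat(baseline_text))
    now = tcp_listeners(parse_netstat(current_text))
    return sorted((now - before) - expected)


def peers_of(current_text, port):
    """Remote endpoints holding an ESTABLISHED session to the given local TCP port."""
    return sorted(foreign for proto, p, foreign, state in parse_netstat(current_text)
                  if proto == "TCP" and p == port and state == "ESTABLISHED")


if __name__ == "__main__":
    for port in new_listeners(BASELINE, CURRENT):
        print(f"unexpected listener on TCP/{port}, connected peers: {peers_of(CURRENT, port)}")
```

On the constructed snapshots the check reports TCP/4444 as an unexpected listener with one established peer, 10.0.0.5:51234. The allowlist matters: the RPC and SMB ports 135, 139 and 445 are legitimately open on the host, so comparing only against the baseline would still work here, but the allowlist keeps the check from alerting on them after a reboot or a fresh baseline.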
- Now, several post-exploitation actions can be performed, as seen in the next posts.