
Contents
Front matter (p. 1)
Introduction (p. 1)
Description of the vulnerability, exploit, and attack software (p. 1)
Anatomy of an attack (p. 2)
Recommendations for preventing the attack (p. 8)
Related software (p. 9)
Conclusion (p. 9)
References (p. 10)

Front matter:
My exploit: CVE-2003-0352, Microsoft RPC DCOM Interface Overflow (Metasploit exploit:
exploit/windows/dcerpc/ms03_026_dcom)
Word count: 2114

Introduction:
To begin my report, I will first note that the attack software I used was Kali Linux, which
gave me all the different tools and utilities needed to carry out my attack. Kali Linux is a
large distribution that comes with countless penetration-testing programs already installed,
and these pre-installed programs are the ones needed to carry out my exploit against the
Windows 2000 virtual machine [1]. I ran Kali Linux in a virtual machine on Oracle's
virtualisation platform, which also let me download and run the VMs needed for the
exploit. The vulnerability I used allowed a stack buffer overflow in the RPCSS service; it was
discovered by the Last Stage of Delirium research group and has been widely exploited ever
since [2].

Description of the vulnerability, exploit, and attack software:

The vulnerability this Windows 2000 server had existed before 16th July 2003, when the
patch that prevents this exploit came out; the exploit works by manipulating ports that were
open and ready to be exploited. The other systems vulnerable to this exploit are Windows
NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, Windows XP and Windows
Server 2003. The exploit is a buffer overflow in RPCSS, and what a buffer overflow does in
this case is grant full access to run code of my choice on the targeted machine, which is
then left exploited. The vulnerability is exploited when ports 135, 139, 445 or 593 [3] are
open on the remote machine: a program that can communicate with a vulnerable server
over an affected TCP/UDP port sends a specific kind of malformed RPC message [3]. These
ports are usually blocked by the firewall on any modern computer; if they are open,
however, no additional privileges are required. Any user can send RPC messages to RPCSS,
and the system is affected in a way that allows this vulnerability to be exploited. By default,
all the installed versions of Windows on people's computers allowed a connection to be
made to the affected system, which could then be exploited. My exploit allowed me to gain
remote admin access. When I did the exploit I was able to retrieve files from, or add files to,
the Windows 2000 server from Kali Linux.

The attack software I used was Kali Linux. I used it because it has all the pieces of software
pre-installed, which allowed me to use Armitage to launch the attack on the Windows 2000
server. This was the basic way of doing it, and I used it to compare the two methods I
tried, which worked the same. The other way was through msf (the Metasploit Framework),
where I proceeded to run commands, as I will describe in the anatomy of attack section,
before commanding it to exploit. Another piece of software pre-installed on Kali Linux that I
used was Nmap, a utility that lets you port scan; this is how I got the IP address of the
Windows 2000 server from Kali Linux. Kali Linux is a free download, and it lets you use
commands such as 'msf > search type:exploit platform:'Windows 2000'' to see which exploits
I could use against the vulnerabilities in that piece of software. This lets you skip the
process of searching for vulnerabilities and exploits online, as Kali Linux shows you what
you could or can use.

Anatomy of an attack:
Step 1 & 2
To begin this attack I loaded up Kali Linux on my Oracle platform and started the Metasploit
Framework to begin my exploit. Once that was done I ran the 'use' command with the
exploit I wanted, which was 'use exploit/windows/dcerpc/ms03_026_dcom'. Step 2 is to
show the options of the chosen exploit to see what the hosts are currently set to. This lets
me see what I need to change, such as RHOST and LHOST: RHOST needs to point at the
Windows 2000 VM, and LHOST is the IP address of the Kali Linux operating system.
Step 3
Step 3 is to set the RHOST IP address to the Windows 2000 server. The address is collected
through a tool in Kali Linux called Nmap, which allowed me to collect the IP addresses of
my running VMs; to prove that I got the IP address through the tool, it can be compared to
the screenshot where I ran 'ipconfig' in cmd on Windows 2000. Nmap is a tool that allowed
me to scan across the network to see what was in use, which let me pick up the IP address
of the Windows 2000 VM.
Step 4
Step 4 is to set 'PAYLOAD windows/shell/reverse_tcp'; this causes the target machine to
communicate back to the attacking machine.

Step 5
Step 5 is to set LHOST, the Kali Linux IP address, which is collected by opening a new
terminal and running the command 'ifconfig'.

Step 6
Step 6 is to run the exploit by typing the command 'exploit'. This should successfully launch
the attack, and you should now have administrator access to the remote system. I can
exploit the vulnerability because the ports are open on this Windows 2000 server: when
specific ports are open, a program that can communicate with a vulnerable server over an
affected TCP/UDP port can send a specific kind of malformed RPC message [3].

Step 7
Step 7 is to run the command 'dir C:\', which lists all the files and directories in the C:\
directory.

Step 8
Step 8 is to run the command 'net user', which lets you see all the user accounts on the
machine. This proves I have successfully done the exploit, because 'net user' and 'dir C:\'
would not work on Linux, as they are Windows commands.

The malicious actions possible after doing this exploit include gaining access to the files on
the Windows 2000 system by searching the C drive directory and downloading them. I could
also upload a file of my choice onto the computer; this could be an infected file that
damages the computer if opened. One way of doing this is to make a shortcut to a
commonly used application such as Internet Explorer; once the person clicks on the file
they have activated the malware and the computer becomes infected. Another way the
exploit could be carried further is by placing a file labelled 'bank details needed' so that the
person fills their bank details into a form, which I would have created myself and could then
retrieve and download, revealing their personal bank details. The limitations are that I
cannot fully infect the computer, because I cannot choose what is opened on it, and people
may be more knowledgeable about malware and choose not to open a suspicious
application. A way of covering my tracks while maintaining access is that if something is
done by accident, it is possible to search through the files, check what was input by
accident, and remove it.

Step 9
In the next couple of steps I was just making sure the exploit worked, as Armitage is a more
basic way to run the exploit: it requires fewer commands, and the attack and exploit are
ready to be activated by selection.
Step 9 is to run Armitage, which starts the Metasploit RPC server on Kali Linux, and add the
IP address of the Windows 2000 server to be able to connect. I then did a quick scan (OS
detect), which successfully linked it to the Windows 2000 server VM. From there I
right-clicked on the Windows logo to attack the VM through ms03_026_dcom (dcerpc), and
then clicked Launch. To show that the attack has worked, the Windows host's icon turns
red.

Step 10
As listed above, I am adding it to this step: by running the command 'shell' you can run the
same commands I ran in msf, and list the directories and the users ('net user') of the
Windows 2000 server. As mentioned above, these are Windows commands and could not
usually be run on a Linux system.
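As an added example from the defender's side (not part of the report), the following Python script looks for the trace the steps above leave in connection logs: an inbound connection to one of the RPC/DCOM ports from the MS03-026 bulletin, followed shortly by the victim connecting back to the same remote address, which is what the windows/shell/reverse_tcp payload from Step 4 does. The log format, the addresses, and the 60-second callback window are assumptions constructed for this example.

```python
# Added example (not from the report): flag the pattern the report's exploit
# leaves in connection logs, an inbound hit on an RPC/DCOM port from MS03-026
# [3] followed by the victim calling back to the same remote address (the
# Step 4 windows/shell/reverse_tcp payload). Log format and addresses are
# constructed for this example.
from datetime import datetime, timedelta

RPC_DCOM_PORTS = {135, 139, 445, 593}     # ports named in the report and in [3]
CALLBACK_WINDOW = timedelta(seconds=60)    # assumption: callback follows quickly

# Constructed log: timestamp direction src:port dst:port proto
SAMPLE_LOG = """\
2017-11-26T10:00:01 in  192.168.56.101:51234 192.168.56.102:135 tcp
2017-11-26T10:00:02 out 192.168.56.102:1042  192.168.56.101:4444 tcp
2017-11-26T10:05:00 in  192.168.56.50:40000  192.168.56.102:445 tcp
2017-11-26T10:30:00 out 192.168.56.102:1050  192.168.56.7:80 tcp
"""

def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, direction, src, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "dir": direction, "proto": proto,
            "sip": sip, "sport": int(sport), "dip": dip, "dport": int(dport)}

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def find_dcom_exploit_pattern(text):
    """Return (victim, attacker, callback_port) for every inbound hit on an
    RPC/DCOM port that is followed within CALLBACK_WINDOW by an outbound
    connection from the victim back to the same attacker address."""
    events = parse_log(text)
    hits = []
    for e in events:
        if e["dir"] != "in" or e["dport"] not in RPC_DCOM_PORTS:
            continue
        victim, attacker, t0 = e["dip"], e["sip"], e["ts"]
        for f in events:
            if (f["dir"] == "out" and f["sip"] == victim and f["dip"] == attacker
                    and t0 <= f["ts"] <= t0 + CALLBACK_WINDOW):
                hits.append((victim, attacker, f["dport"]))
    return hits

def reachable_rpc_ports(text):
    """RPC/DCOM ports that accepted any inbound connection. Even without a
    callback, these are the ports the report says should be firewalled."""
    return sorted({e["dport"] for e in parse_log(text)
                   if e["dir"] == "in" and e["dport"] in RPC_DCOM_PORTS})
```

On the constructed log, `find_dcom_exploit_pattern` reports the 135 hit with its 4444 callback as one alert, while `reachable_rpc_ports` also surfaces the 445 hit that had no callback.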

Recommendations for preventing the attack:

One way to prevent this attack is to apply the update: the patch alters the DCOM
implementation so that it properly checks the information passed to it [3]. There are other
ways to prevent this exploit, such as blocking the UDP ports that were vulnerable in the first
place, essentially stopping any possible RPC connection; this can be done with a firewall
that specifically blocks them [3]. Another recommendation is to use a personal firewall
rather than the built-in Microsoft connection firewall, and then to disable COM Internet
Services and RPC over HTTP [3]. A way of preventing further damage from this exploit, if it
happens to your computer, is to watch for suspicious files or shortcuts: you may not even
know you have been exploited, but if you see something you did not download or create
yourself, you should not click on it, or you should at least look at the application's
properties to see if there is anything unusual about it.
To cause the exploit to fail, the best way is simply to block the UDP ports that were open
and so block the connection. This should prevent the exploit from happening.
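As an added example (not from the report or from the Microsoft bulletin), an nftables ruleset for a Linux perimeter firewall that applies the port-blocking recommendation above in front of the Windows 2000 host; the host address 192.168.56.102, the management subnet 10.0.10.0/24, and the allowed outbound ports are assumptions for this example.

```nft
# Added example, not from the report: perimeter rules applying the
# recommendation to block the RPC/DCOM ports (135, 139, 445, 593 [3]) before
# they reach the Windows 2000 host. Host and subnet addresses are assumptions.
table inet ms03_026_guard {
    set rpc_dcom_ports {
        type inet_service
        elements = { 135, 139, 445, 593 }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Weak state described in the report: no rule at all, so anyone who can
        # reach the host can send the malformed RPC message to these ports.
        # Corrected: only the assumed management subnet may reach them.
        ip saddr 10.0.10.0/24 ip daddr 192.168.56.102 tcp dport @rpc_dcom_ports accept
        ip daddr 192.168.56.102 tcp dport @rpc_dcom_ports log prefix "ms03-026-block: " drop
        ip daddr 192.168.56.102 udp dport @rpc_dcom_ports log prefix "ms03-026-block: " drop
        # The Step 4 reverse_tcp payload needs the host to connect back out;
        # dropping unexpected new outbound connections breaks that callback.
        ip saddr 192.168.56.102 ct state new tcp dport != { 80, 443 } log prefix "ms03-026-egress: " drop
    }
}
```

The logged prefixes give the same inbound-hit and callback events that the detection script above looks for, so the block and the alert can be checked against each other.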

Related software
A piece of software I used in my exploit was Kali Linux, which let me use a tool called Nmap
to check for open ports and to retrieve the IP address of my other Windows 2000 VM; in this
sense it lets you scan for open ports on other servers. Nmap is naturally a utility for
checking whether ports are open or closed, but through the command I used it also
showed the other VMs' IP addresses. Related to Nmap, there are alternatives we can use to
confirm that the ports we are checking are open. When we run the Nmap scan we can see
which ports are open, but if we want to double-check, it is a good idea to use a different
tool such as arp-scan, which offers the same features as Nmap, so we could have used that
to carry out the exploit as well. Another piece of software that could have been used for my
exploit is Parrot OS, an alternative to Kali Linux that also comes with pre-installed
programs and tools. For my own ease I used Kali Linux, as I have used it many times before
and know it can carry out an attack; however, Parrot OS is so similar that I could have used
it too, as it also has Nmap, Armitage etc.

Conclusion
My conclusion to this report is that the exploits that can be carried out in our society are
always improving, as is our security; however, it always seems as if the exploits are a step
ahead, because only once an exploit has been used do the flaws it exploited get fixed so
that it cannot happen again. Security levels have increased dramatically, as they needed to,
compared with when computers first came out and how vulnerable they were. These days
it seems normal for computers to always have security measures such as software like
McAfee. In summary, my attack was a straightforward one that allowed me to perform a
stack buffer overflow in the RPCSS service. This used the main pieces of software, Kali Linux
and Oracle, to host my VMs.

References
[1] "Kali Linux," Wikipedia, 23-Nov-2017.
[2] Metasploit, "Exploit." [Online]. Available: https://www.exploit-db.com/exploits/16749/. [Accessed: 26-Nov-2017].
[3] BetaFred, "Microsoft Security Bulletin MS03-026 - Critical." [Online]. Available: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-026. [Accessed: 24-Nov-2017].
