
Windows 7 Exploitation

November 22, 2013 by Warlock

Microsoft Windows 7 is much more secure than Microsoft Windows XP. Windows XP has many OS vulnerabilities, and its malware infection rate is very high compared to other operating systems. The comparison, according to the Microsoft Security Intelligence Report, which details in depth the state of software vulnerabilities, exploits, security breaches, and malware in 2010, is shown in the figure below.

As per the above graph, Microsoft found that Windows 7 64-bit had the lowest infection rate at 2.5 per 1,000 computers, while the 32-bit version had 3.8. Windows XP with SP3 came in with 15.9 infections per 1,000, while XP with SP2 had the highest number at 19.3. Windows Vista's infection rate was considerably lower than that for XP but still turned out to be double that for Windows 7.

Now we will see the two major vulnerabilities of the Windows 7 64-bit operating system and their exploitation methods.

Microsoft Windows 7/Server 2008 R2 SMB Client Infinite Loop

This is a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. Basically, it crashes the remote kernel. Metasploit Framework has a module for exploiting this vulnerability. To trigger this bug, run this module as a service and force a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\\HOST\share\something) into a web page if the target is using Internet Explorer, or a Word document otherwise. An attacker can remotely crash any Windows 7/Server 2008 R2 system on a LAN or via IE.

Tutorial: Now we are going to see how to exploit this vulnerability by using Metasploit Framework. Open the terminal and run msfconsole, then type in: use auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop

After that, type in show options to check all the available options for this module.

As we can see in the above figure, there are some options for this module. The options that are required show "yes." The first option is SRVHOST, which refers to the server host address; it means we have to set our local machine address here. The second option is SRVPORT, the server port address, which is showing 445; this means that port no. 445 must be enabled to successfully run this module.

Let us set all the required options. Type in set SRVHOST 192.168.0.3:

Now we are ready to run this module, so type run:

As we can see in the above figure, after typing the "run" command, the msfconsole shows the messages, "Starting the malicious SMB service" and "To trigger, the vulnerable client should try to access: 192.168.0.103."

So we are going to access this IP from the Windows 7 system.

After accessing this IP from "Run," my Windows system just hung at that time and I was not able to do anything on that system. Then I immediately opened my task manager to check the CPU usage and it was at its peak.
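Because the bug is only reached when a client opens an SMB session to a server it should never talk to, a defender can look for SMB connections to hosts that are not known file servers. The following is an added example, not part of the original article: the netstat lines are a constructed sample, and the approved-server list and function name are assumptions.

```powershell
# Constructed sample of `netstat -n` output. On a live host use: $lines = netstat -n
$lines = @(
    '  TCP    192.168.0.50:49210     192.168.0.10:445       ESTABLISHED',
    '  TCP    192.168.0.50:49215     192.168.0.103:445      SYN_SENT',
    '  TCP    192.168.0.50:49220     203.0.113.7:443        ESTABLISHED',
    '  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING'
)

# Assumed allow list of legitimate file servers (hypothetical address).
$approved = @('192.168.0.10')

function Find-UnapprovedSmb {
    param([string[]]$NetstatLines, [string[]]$ApprovedServers)
    foreach ($line in $NetstatLines) {
        # Columns: protocol, local addr:port, remote addr:port, state.
        # Only the REMOTE port is tested, so the local SMB listener and
        # inbound sessions to this host are ignored. IPv4 only.
        if ($line -match '^\s*TCP\s+\S+\s+(\d{1,3}(?:\.\d{1,3}){3}):(445|139)\s+(\S+)') {
            $remote = $Matches[1]
            if ($ApprovedServers -notcontains $remote) {
                New-Object PSObject -Property @{
                    Remote = $remote
                    Port   = [int]$Matches[2]
                    State  = $Matches[3]
                }
            }
        }
    }
}

# Flags only the session to 192.168.0.103, which is not an approved server.
Find-UnapprovedSmb -NetstatLines $lines -ApprovedServers $approved
```

Blocking outbound TCP 445 and 139 at the network edge removes the Internet-facing variant of this trigger; the check above covers hosts on the same LAN.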

MS12-020 Microsoft Remote Desktop Use-After-Free DoS

Multiple vulnerabilities in the Windows Remote Desktop Protocol (RDP) could allow attackers to take complete control of affected systems or cause a denial-of-service. The Remote Desktop Protocol provides a graphical interface for users to establish a virtual session to other hosts on the network. Successfully exploiting this vulnerability would then allow the attacker to install programs; view, change, or delete data; or create new accounts with full user rights. This could also result in producing a denial of service condition on targeted systems.

The vulnerability is triggered when accessing a freed memory object (use-after-free) and does not require authentication. An attacker could exploit this vulnerability only if RDP is enabled and:

  • If the operating system is Windows XP or Windows Server 2003, a remote unauthenticated attacker could exploit this vulnerability.
  • If the operating system is Windows Vista, Windows 7, or Windows Server 2008 and network level authentication is turned off, a remote unauthenticated attacker could exploit this vulnerability.
  • If the operating system is Windows Vista, Windows 7, or Windows Server 2008 and network level authentication is turned on in RDP, an attacker would have to authenticate with a valid account in order to exploit this vulnerability.
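The three conditions above can be checked on a host from its own registry. The following is an added example, not part of the original article; the function names are assumptions, and it reads only the local Terminal Services settings.

```powershell
# Registry value names are the standard Terminal Services settings. A Group Policy
# copy under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services can
# override them and is not read here.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-Ms12020Exposure {
    param(
        [int]$DenyConnections,  # fDenyTSConnections: 0 = RDP enabled, 1 = disabled
        [int]$NlaRequired,      # UserAuthentication: 1 = NLA required
        [version]$Os            # 5.x = XP/Server 2003, 6.0-6.1 = Vista/7/Server 2008
    )
    if ($DenyConnections -ne 0) {
        return 'RDP disabled: precondition for MS12-020 not met'
    }
    if ($Os.Major -eq 5) {
        return 'RDP enabled on XP/2003: reachable without authentication'
    }
    if ($Os.Major -eq 6 -and $Os.Minor -le 1) {
        if ($NlaRequired -eq 1) {
            return 'RDP enabled, NLA on: attacker needs a valid account'
        }
        return 'RDP enabled, NLA off: reachable without authentication'
    }
    return 'OS version outside the list above: not classified'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value does not exist (e.g. no NLA setting on XP).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

$deny = Get-RegValue $tsKey  'fDenyTSConnections'
$nla  = Get-RegValue $rdpKey 'UserAuthentication'
$port = Get-RegValue $rdpKey 'PortNumber'

"Listening port : $port"
Get-Ms12020Exposure -DenyConnections ([int]$deny) -NlaRequired ([int]$nla) `
    -Os ([Environment]::OSVersion.Version)
```

A missing value is treated as 0, so a host where the setting cannot be read is reported as the more exposed case rather than the safer one.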
Tutorial: Now we are going to see how to exploit this vulnerability by using Metasploit Framework. Before that, we will run an nmap scan on our target to check whether or not RDP is enabled.

After completing the scan, we can see in the above figure that port 3389 is enabled on the target system and now we can run our Metasploit module. Open the terminal and run msfconsole, then type in: use auxiliary/dos/windows/rdp/ms12_020_maxchannelids

After that, type in show options to check all the available options for this module.

As we can see in the above figure, there are some options for this module. We can see that the options that are required show "yes." The first option is RHOST, which refers to the remote host address; it means we have to set our target machine address here. The second option is RPORT, meaning the remote port address, which shows 3389; this means that port no. 3389 must be enabled to successfully run this module.

Let us set all the required options. Type in set RHOST 192.168.0.3:

Now we are ready to run this module, so type run:

Now we can see my Metasploit machine on the left-hand side of the above figure; after triggering the "run" command, the terminal shows the message "210 bytes sent, Checking RDP status," and on the right side, my Windows 7 system has crashed and is showing the blue screen of death.

Recommendation

The best practice is to have automatic updating enabled; then we will not need to take any action, because this security update will be downloaded and installed automatically. Those who are not using automatic updates can download the security update from here: http://technet.microsoft.com/en-in/security/bulletin/MS12-020 . Now I am applying this patch to my vulnerable system, and we will try the attack again to see whether or not the patch is working.

Just download the patch and install it on the system.

Wait a few moments and it's done. Now we are going to try another attack on this system. Just run the same module with the same steps as shown above.

As we can see in the above figure, the module ran successfully, but there is no effect on the Windows 7 system.

References

http://www.rapid7.com/db/modules/auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop

http://www.rapid7.com/db/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids

http://news.cnet.com/8301-1009_3-20063220-83.html


Warlock works as an Information Security Professional. He has quite a few global certifications to his name such as CEH, CHFI, OSCP and ISO 27001 Lead Implementer. He has experience in penetration testing, social engineering, password cracking and malware obfuscation. He is also involved with various organizations to help them in strengthening the security of their applications and infrastructure.