Building a Vulnerable XP SP3 Machine

One of the biggest challenges I run into doing evaluations with Metasploit Pro (or any Metasploit for that matter) is getting an exploit to run successfully. Though Pro is the most efficient way to run a penetration test, there are always still obstacles to getting a successful session.

One way to increase the odds of getting a session is to know that the device you’re testing against is vulnerable, and the best way to make sure a device is vulnerable is to make it vulnerable, so here’s a quick and easy way HD taught me to do just that.

The challenge with exploitation is that there are only so many variables you can control, and all of them have to be in the right state before a session will spawn. A host firewall or endpoint protection on the target, for example, means the Metasploit options have to change to match. When I first set up the test environment I went for the gusto: a bunch of devices with tough vulns to exploit, and no success. After hours of frustration I gave myself a reality check and eliminated as many variables as I could. Once I had a session open I started introducing the other variables back in, one at a time. There were two reasons this was a good idea: it boosted my confidence, and it was a valid sanity check. Until I had eliminated the variables and actually executed a session, there was no proof that my network was set up for it at all.

The easiest way to get a reliably exploitable XP machine if you don’t have an SP2 build to hand is to expose the print spooler vulnerability, MS10-061 (KB2347290, details here http://support.microsoft.com/kb/2347290). An unpatched SP3 install already has the bug in the spooler service; sharing a printer is what makes it reachable from the network, which is why a default SP3 box with no shared printer won’t give you a session. Two things to check: the box must not have KB2347290 installed (so keep it away from Windows Update), and TCP 445 must be reachable from the Metasploit host. The exploit for this vulnerability is extremely reliable, so if you can connect to the machine and your other variables are in check, you should get a session.

Here’s the actual exploit: http://www.metasploit.com/modules/exploit/windows/smb/ms10_061_spoolss (keep in mind, this isn’t meant to be done on production devices)

Step 1: On the XP machine or VM, open the “Printers and Faxes” menu.

Step 2: Add a local printer. Click Next, choose “Local printer attached to this computer” (uncheck automatic Plug and Play detection, since there is no real printer), and click Next.

Step 3: For “Use The Following Port” select “FILE: (Print to File)”. Click Next.

Step 4: Choose a printer type (it doesn’t matter which; the exploit targets the spooler service, not the driver).

Step 5: Set the printer as a default printer.

Step 6: Share the printer, choose a share name, and you’re done. Write the share name down: it is the one thing about the target that the Metasploit module needs beyond its address (the module’s PNAME option).
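The same six steps, done from a command prompt on the XP target, as an added example that is not part of the original post. It drives printui.dll (the code behind the Printers and Faxes wizard) and netsh, using the syntax documented by `rundll32 printui.dll,PrintUIEntry /?`. The printer name “Vuln Printer”, the share name “VulnPrinter” and the “Generic / Text Only” driver are assumptions; any values work, as long as the driver exists in XP’s ntprint.inf. Run it as an administrator on the box you are deliberately leaving unpatched.

```batch
@echo off
REM Added example, not from the original post: performs Steps 1-6 from the
REM command line on the XP SP3 target. Printer name, share name and driver
REM below are assumptions; the exploit does not care which driver is used.
setlocal
set "PRINTER=Vuln Printer"
set "SHARE=VulnPrinter"
set "DRIVER=Generic / Text Only"

REM The box must be unpatched: if KB2347290 (MS10-061) is present, stop here.
wmic qfe get HotFixID | find "KB2347290" >nul
if not errorlevel 1 (
    echo KB2347290 is installed; this machine is already patched for MS10-061.
    exit /b 1
)

REM The spooler service must be running or there is nothing to share.
sc query spooler | find "RUNNING" >nul || net start spooler

REM Steps 2-4: add a local printer on the FILE: port with a built-in driver.
rundll32 printui.dll,PrintUIEntry /if /b "%PRINTER%" /f "%windir%\inf\ntprint.inf" /r "FILE:" /m "%DRIVER%"

REM Step 5: make it the default printer.
rundll32 printui.dll,PrintUIEntry /y /n "%PRINTER%"

REM Step 6: share it under %SHARE%.
rundll32 printui.dll,PrintUIEntry /Xs /n "%PRINTER%" attributes +Shared sharename "%SHARE%"

REM The wizard offers to open the firewall for you; from the command line you
REM must do it yourself, or Metasploit never reaches the spooler on TCP 445.
netsh firewall set service type=FILEANDPRINT mode=ENABLE

REM printui reports errors in dialog boxes rather than exit codes, so verify
REM the result: the share has to be visible before you point Metasploit at it.
net share | find /i "%SHARE%" >nul
if errorlevel 1 (
    echo Share "%SHARE%" was not created; check the printui dialogs above.
    exit /b 1
)
echo Printer "%PRINTER%" is shared as \\%COMPUTERNAME%\%SHARE%
echo Give this share name to the exploit module as PNAME.
endlocal
```

Because `rundll32` reports failures as message boxes and returns no useful exit code, the `net share` check at the end is the only trustworthy signal that the share exists; do not trust the script until that line prints.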

To exploit this vulnerability in Metasploit Pro, you can run automated exploitation (after a scan, of course) at the “Excellent” reliability level, or run the individual module, which Pro lists by its OSVDB reference, 67988 (exploit/windows/smb/ms10_061_spoolss in the console). Keep in mind that this exploit takes approximately two minutes to produce a session: it writes the payload and a .mof file into the target’s system32\wbem\mof directory, and the payload only runs once WMI’s MOF autocompiler picks the file up. So if you’re getting impatient, just give it a minute =].

If all your other variables are under control, you should get a Meterpreter session opened.

This was a great first step for me to get things rolling, not only with my test environment but with my understanding of exploitation, variables, and networks. Obviously I wouldn’t want to intentionally make something vulnerable while on an engagement for a client, but as a litmus test, or purely as a sanity exercise, it helps out quite a bit.

2 thoughts on “Building a Vulnerable XP SP3 Machine”

  1. Attack is only possible with a limited set of printer models:
    http://support.microsoft.com/kb/2347290
    Manufacturing dates    Printer
    1998-2000    Lexmark 3200 Color Jetprinter
    1997-2000    Lexmark 5700 Color Jetprinter
    1999-2000    Lexmark Z11 Color Jetprinter
    2000-2001    Lexmark Z12 Color Jetprinter
    2000-2002    Lexmark Z22-Z32 Color Jetprinter
    1999-2000    Lexmark Z31 Color Jetprinter
    2000-2001    Lexmark Z42 Color Jetprinter
    1999-2000    Lexmark Z51 Color Jetprinter
    2000-2001    Lexmark Z52 Color Jetprinter
    1999-2000    Compaq IJ300 Inkjet Printer
    2000-2002    Compaq IJ600 Inkjet Printer
    1997-2000    Compaq IJ700 Inkjet Printer
    1999-2000    Compaq IJ750 Inkjet Printer
    1997-2000    Compaq IJ900 Inkjet Printer
    2000-2001    Compaq IJ1200 Inkjet Printer

    1. The attack isn’t on the printer itself, actually; it’s on the driver installed on XP. The exploit takes advantage of the flaw in the printer service on XP, not the actual printer.
