7 Attacking unpatched services


This chapter covers

  • The exploit development life cycle
  • MS17-010: Eternal Blue
  • Using Metasploit to exploit an unpatched system
  • Using the Meterpreter shell payload
  • Generating custom shellcode for Exploit-DB exploits

Before moving on, let’s take a moment to revisit our friends, the Hollywood movie heist crew, who are by now getting pretty deep into their target facility. The crew has just reached a new floor in the complex, and they’re staring down a long hallway with doors on either side: red doors on the left (Linux and UNIX systems) and blue doors on the right (Windows systems). As expected, all of the doors are locked using sophisticated keycard access control panels.

The crew’s keycard door lock specialist (let’s pretend that’s a real thing) determines that the panels have an older model card reader, and this particular model has a design flaw that can be used to bypass the locking mechanism. The details of the bypass aren’t important, but if you need to visualize something to appreciate the scenario, imagine that there are eight tiny holes on the bottom of the card reader, and if you poke a bent paper clip into two specific holes at just the right angle and apply pressure in just the right way, the door unlocks.

7.1 Understanding software exploits

7.2 Understanding the typical exploit life cycle

7.3 Compromising MS17-010 with Metasploit

7.3.1 Verifying that the patch is missing

7.3.2 Using the ms17_010_psexec exploit module

7.4 The Meterpreter shell payload

7.4.1 Useful Meterpreter commands

7.5 Cautions about the public exploit database

7.5.1 Generating custom shellcode

Summary