WinXP Embedded and MS08-067

I ran a rather routine Nessus scan of a network and noticed in the report that one of the devices was flagged as being vulnerable to MS08-067. Upon closer inspection I found out that this was an embedded device (sorry, not providing specifics on what it was). I thought it was rather interesting so I decided to use Metasploit to confirm.

After starting msfconsole I selected the ms08-067 exploit (windows/smb/ms08_067_netapi) with the meterpreter payload (windows/meterpreter/reverse_tcp) and sure enough I could pop the box. All the meterpreter commands I ran worked just like an XP box. I could have run anything I wanted, such as a keylogger to capture credentials.

I tried the VNC payload (windows/vncinject/bind_tcp) and sent the exploit again. After a few seconds I had a view of the desktop. Lots of nice information would be there.

As a test I tried to write a file to the file system and then rebooted the box. When it came back up and I exploited the box again the file was gone. The "no write" option prevented my attack from persisting, but it didn't stop it from happening. How often does an embedded device get rebooted anyhow? Once it was popped it would probably only be booted during a power failure and for all intents and purposes could be considered persistent.

All I have left to do is figure out how to patch it.
