WinXP Embedded and MS08-067

I ran a rather routine Nessus scan of a network and noticed in the report that one of the devices was flagged as being vulnerable to MS08-067. Upon closer inspection I found out that this was an embedded device (sorry, not providing specifics on what it was). I thought it was rather interesting, so I decided to use Metasploit to confirm.

After starting msfconsole, I selected the MS08-067 exploit (windows/smb/ms08_067_netapi) with the Meterpreter payload (windows/meterpreter/reverse_tcp) and, sure enough, I could pop the box. All the Meterpreter commands I ran worked just like on an XP box. I could have run anything I wanted, such as a keylogger to capture credentials.

I tried the VNC payload (windows/vncinject/bind_tcp) and sent the exploit again. After a few seconds I had a view of the desktop. Lots of nice information would be there.

As a test I tried to write a file to the file system and then rebooted the box. When it came back up and I exploited the box again the file was gone. The "no write" option prevented my attack from persisting, but it didn't stop it from happening. How often does an embedded device get rebooted anyhow? Once it was popped it would probably only be booted during a power failure and for all intents and purposes could be considered persistent.

All I have left to do is figure out how to patch it.

Comments

  • 10/19/2011 1:56 PM NA wrote:
    Did you identify the root cause? I haven't run into this scenario specifically, but I have a friend who is fighting this issue on XP Embedded. At a glance, I thought he had overlooked something obvious, but the symptoms he reported are the same. Did you identify a path forward?
  • 2/10/2012 8:26 AM Tim Medin wrote:
    In my case, the embedded device allowed the image to be unlocked and we could modify the firewall and block all services. Since it was a terminal we didn't need to allow any services to be accessible. Why it was enabled in the first place, I just don't know.

    In your case, I'm guessing you'll either have to upgrade or update the firmware. Lacking that ability, you'll have to firewall that segment of the network and hope nothing malicious gets on that segment.

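The mitigation Tim Medin describes (unlock the image, then use the host firewall to block every inbound service, since a terminal needs none of them) can be expressed as a short Windows command script. This is an added example, not a script from the post or from either commenter; it assumes the device is XP Embedded with the Windows Firewall component installed (the XP SP2 `netsh firewall` context) and with the Enhanced Write Filter (EWF) protecting the system volume, so the final `ewfmgr` line is needed for the change to survive the reboot that otherwise discards writes, exactly as happened to the test file in the post.

```batch
@echo off
REM Added example (not from the post): lock down inbound services on an
REM XP Embedded terminal with the built-in Windows Firewall, then commit
REM the change through the write filter so it persists across reboots.

REM 1. Record the current firewall state so the change can be reviewed
REM    or rolled back later.
netsh firewall show state   > C:\fw-before.txt
netsh firewall show config >> C:\fw-before.txt

REM 2. Turn the firewall on for every profile and drop ALL exceptions.
REM    exceptions=DISABLE blocks every inbound connection, including the
REM    File and Printer Sharing exception that exposes SMB on TCP 139/445,
REM    which is the path the netapi exploit arrives over.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL

REM 3. Explicitly disable the built-in service exceptions as well, so they
REM    stay closed even if exceptions are switched back on later.
netsh firewall set service type=FILEANDPRINT  mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN   mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=ALL
netsh firewall set service type=UPNP          mode=DISABLE profile=ALL

REM 4. Verify: the output should report "Operational mode = Enable" and
REM    "Exception mode = Disable".
netsh firewall show state

REM 5. ASSUMPTION: the system volume C: is protected by EWF. Without this
REM    commit the firewall change lives only in the overlay and is thrown
REM    away at the next reboot. Use the actual protected volume if it differs.
ewfmgr C: -commit
```

After the reboot, re-run the Nessus scan (or simply try a TCP connection to ports 139 and 445 from another host on the segment) to confirm the device no longer answers on SMB. Note what this does and does not achieve: the firewall removes the network path to the vulnerable service, which is the same effect as the segment-level firewalling suggested in the comment, but the unpatched code is still on the box, so applying the vendor's update for MS08-067 remains the actual fix once it is available for the image.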