Attacking an Unpatched Windows 2008 Server

Thursday, October 28, 2010

Bozidar Spirovski

E973b16363b3de77b360563237df7e32

Microsoft cannot stress enough the importance of keeping your systems patched. And yet, server systems tend to drift from best practice, for several reasons:

  • The patch may fail the application that the server is running
  • The patch will require reboot, which may cause unwanted downtime
  • It's simply a hassle

But non-patched systems are a great target for an attacker. Even if the attacker doesn't gain permanent access to the network, he/she can cause nasty Denial of Service (DoS) on an unpatched server.

Here is the attack scenario

We will use a Windows 2008 target for this demonstration. The Win2008 is a good example because even if it was released in 2008, and we now have the R2 version, a lot of companies are just starting to implement it.

The attack is based on two well known vulnerabilities of Win2008 based on SRV2.SYS driver. In Metasploit, these exploits are know as:
  • ms_09_050_smb2_negotiate_pidhigh
  • ms_09_050_smb2_session_logoff

Both are Denial of Service type of attacks, so we'll use them without a payload.

To use these exploits, just fire up the msfconsole and type:

msf > use exploit auxiliary/dos/windows/smb/ms_09_050_smb2_negotiate_pidhigh
msf auxiliary(ms_09_050_smb2_negotiate_pidhigh) > set rhost (Target IP address)
msf auxiliary(ms_09_050_smb2_negotiate_pidhigh) > exploit


You can do the same with the second exploit.

Here is the end result from a Metasploit command line point of view.

And here is the end result from a Windows 2008 Console point of view.

Conclusion

Although this is just a demo type of exploit, it provides an excellent example of what happens to an unpatched server. Imagine that this was the web server running your Web Site.

Now go and patch your systems!

Cross-posted from ShortInfosec

Possibly Related Articles:
24422
Operating Systems
Windows Hacking Attacks
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.