Metasploit mailing list archives

MS08-067 / SMB Version / Language Detection


From: hdm at metasploit.com (H D Moore)
Date: Mon, 3 Nov 2008 04:17:28 -0500

Hello,

First off, thanks to everyone who sent in new exploit targets for the 
MS08-067 module. I am still behind on integrating them all, but we should 
be able to support more non-English locales off the bat in the future.

I spent some time on the auxiliary/scanner/smb/version module this weekend. 
This module is designed to sweep a network (RHOSTS) and tell you the 
operating system and service pack of every machine with port 139 or 445 
open. This is tricky to do without credentials, especially in the case of 
service pack changes on Windows XP. The latest version of this module can 
almost always tell the difference between XP SP0/SP1 and XP SP2/SP3 and 
it does a much better job of detecting SP2 vs SP3 when possible. 
Additionally, I added matches for all of the new Windows 2008 and Vista 
versions floating around. 

The biggest change, however, is support for remote language pack 
detection. I finally gave up on my previous idea and implemented the 
method outlined by Immunity Inc.[1] The good news is that it works really 
well for 2000 and XP targets, the bad news is now it needs a lot more 
testing across a much wider range of languages. Eventually, all of the 
code in this module will be converted into an API call that SMB exploits 
can use to autotarget the right OS, SP, and language.

I currently have signatures for the following language packs:

English, Spanish, Italian, French, German, Portuguese - Brazilian, 
Portuguese, Hungarian, Finnish, Dutch, Swedish, Polish, Turkish, 
Japanese, Chinese - Traditional, Chinese - Traditional / Taiwan, 
Korean, Russian

What I need help with is testing -- I am pretty sure the Chinese language 
packs are mixed up (Chinese - Traditional may be Simplified). 

When using this module against an XP or 2000 system that is not in the 
signature array, it will print out a big block of text. This block 
represents the output of the EnumPrinters() call and combined with the 
name of the actual language pack, can be used to write a new signature.

To get started, update your framework. Unix users should 'svn update' 
inside a checked out copy of the 3.2-testing tree. Windows users should 
switch[2] their tree to 3.2-testing and use the Online Update feature.

Once updated, open a console (Control+O in MSFGUI, msfconsole on Unix) and 
run the following commands against any network where you know the 
language pack of the installed machines and you have the legal right to 
do security testing against it.

$ msfconsole
msf> use auxiliary/scanner/smb/version
msf auxiliary(version) > set THREADS 256
msf auxiliary(version) > set RHOSTS A.B.C.0/24
msf auxiliary(version) > run

If any machines print out a fingerprint block, send them via email to 
msfdev[at]metasploit.com, along with the known language pack of that 
machine. Feel free to remove the IP address listed for privacy.

If you are trying to figure out which of the *many* targets to use for 
MS08-067, this module is also a great way to sort that out. Keep in mind 
that when the OS is listed as "Windows XP Service Pack 2+", it doesn't 
know whether it is 2 or 3.

The ms08-067 module has been enhanced with a 'check()' method, so you can 
now verify that your target is unpatched before running the exploit. A 
scanner version of this has been added and can be used to sweep your 
local subnet for unpatched systems. This module is called:
  
 auxiliary/scanner/smb/ms08_067_netapi

Credit for the technique used by the scanner module and the check method 
in the exploit should be given to Bernardo Damele A. G.

Have fun,

-HD

1.http://immunityinc.com/downloads/Remote_Language_Detection_in_Immunity_CANVAS.odt

2.http://metasploit.com/dev/trac/wiki/Metasploit/Windows/Upgrade_to_SVN
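The triage step the post describes (sort scanner results into hosts you can target directly, hosts reported as "Service Pack 2+" where SP2 vs SP3 still has to be chosen by hand, and hosts with no language signature whose fingerprint block should be sent in) as an added Ruby example. This is not HD's code and not part of Metasploit; the scanner output line format, the sample hosts and the "language: Unknown" marker are constructed assumptions for the example, not the module's exact output.

```ruby
# Added example, not Metasploit code: triage auxiliary/scanner/smb/version
# results before choosing MS08-067 targets and running the new check() method.

# Constructed sample output. The "[*] <ip> is running <os> [Service Pack N[+]]
# (language: <lang>)" shape is an ASSUMPTION made for this example; adapt the
# regex below to whatever the installed module actually prints.
SAMPLE_OUTPUT = <<~TXT
  [*] 192.0.2.10 is running Windows XP Service Pack 2+ (language: English)
  [*] 192.0.2.11 is running Windows XP Service Pack 3 (language: Spanish)
  [*] 192.0.2.12 is running Windows 2000 Service Pack 4 (language: Unknown)
  [*] 192.0.2.13 is running Windows 2003 Service Pack 2 (language: English)
  [*] 192.0.2.14 is running Windows Vista (language: English)
TXT

LINE_RE = /^\[\*\]\s+(?<host>\S+)\s+is running\s+(?<os>Windows [^(]+?)(?:\s+Service Pack\s+(?<sp>\d+\+?))?\s+\(language:\s+(?<lang>[^)]+)\)/

Host = Struct.new(:ip, :os, :sp, :lang)

# Parse one scanner line per host; lines that do not match are ignored.
def parse_scan(text)
  text.lines.map do |line|
    m = LINE_RE.match(line)
    next unless m
    Host.new(m[:host], m[:os].strip, m[:sp], m[:lang].strip)
  end.compact
end

# Key in the "OS SPn Language" shape used to pick an exploit target by hand.
def target_key(host)
  [host.os, (host.sp && "SP#{host.sp}"), host.lang].compact.join(' ')
end

# Every host lands in exactly one bucket:
#   :unknown_lang  - no language signature matched (the module printed a
#                    fingerprint block; submit it with the real language pack)
#   :ambiguous_sp  - reported as "Service Pack 2+", i.e. SP2 or SP3 undecided
#   :ready         - OS, SP and language all known, safe to pick a target
def triage(hosts)
  buckets = { ready: [], ambiguous_sp: [], unknown_lang: [] }
  hosts.each do |h|
    if h.lang.casecmp('unknown').zero?
      buckets[:unknown_lang] << h
    elsif h.sp.to_s.end_with?('+')
      buckets[:ambiguous_sp] << h
    else
      buckets[:ready] << h
    end
  end
  buckets
end

# Build an msfconsole resource script that runs the exploit's check() against
# each ready host before anything is actually exploited.
def check_resource_script(hosts)
  lines = ['use exploit/windows/smb/ms08_067_netapi']
  hosts.each do |h|
    lines << "set RHOST #{h.ip}"
    lines << 'check'
  end
  lines.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  buckets = triage(parse_scan(SAMPLE_OUTPUT))
  buckets.each do |name, hosts|
    puts "#{name}:"
    hosts.each { |h| puts "  #{h.ip}  #{target_key(h)}" }
  end
  puts
  puts check_resource_script(buckets[:ready])
end
```

Run the resource script with `msfconsole -r check.rc` (after replacing the constructed hosts with your own scan output); hosts in the `:ambiguous_sp` bucket need the SP2 or SP3 target chosen manually, and the `:unknown_lang` hosts are the ones whose fingerprint block the post asks to have mailed in.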
 




