Update:
This complete attack, including the DHCP server, has been incorporated into Metasploit. Update and enjoy. The module is auxiliary/server/pxexploit
PXE booting has been around for over a decade and is supported by most system BIOSs. And I have also seen it left on in production environments. Although it is very convenient for mass OS installs, etc, if left unsecured; it gives full system control to any attacker on the LAN who can run a DHCP+TFTP server. This has been discussed before, but no tools for the pentester have been released as far as I can tell. So I am releasing pxexploit to provide this ability: a number of files and a patch to add to metasploit that provides a DHCP server and slightly modifies the TFTP server to serve a series of files to a client to own any PXE-booting client.
Here's how it works:
Client PXE environment issues a DHCPDISCOVER answered by pxexploit's DHCPOFFER; Client sends DHCPREQUEST; pxexploit answers with DHCPRESPONSE.
The responses point to the system running pxexploit as the TFTP boot server, with a filename of update1, and pxelinux-specific options that specify a config file named update2.
Client PXE environment downloads update1, which is really pxelinux.0; renamed so that what is occurring is not readily apparent to someone sitting at the keyboard.
pxelinux takes over client's system, and downloads the config file update2, which specifies an immediate boot using a kernel named update3 and an initrd named update4
Screen shows loading of update3 and update4 (the kernel and initrd)
pxelinux transfers execution to the kernel, and a small, fast initrd takes over.
The initrd's init file executes, and iterates through each hard drive partition it can access, including ntfs-3g drivers. If it detects a windows partition, it swaps svchost.exe with a small exe that runs the old svchost.exe with the same command line and also runs a script that installs metsvc, adds an admin user, and disables the firewall, then replaces svchost.exe and reboots. For a linux partition, it adds a uid 0 user with username metasploit and password metasploit. Then the initrd reboots the system, letting the system boot from hard disk. (the DHCP server does not answer a second time to the same client)
To get working, apply this diff: http://scriptjunkie1.110mb.com/security/pxexploit.diff and add these new files: http://scriptjunkie1.110mb.com/security/pxexploitNewFiles.zip update metasploit
The initrd is based off the LGPL'd puppy linux initrd.