(1) MS08-067 Vulnerability Description
The MS08-067 vulnerability is known as the "Windows Server service RPC request buffer overflow vulnerability".
If an affected system receives a specially crafted RPC request, the vulnerability could allow remote code execution.
On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code, which could be used in worm attacks.
There is already a worm that exploits this vulnerability. Firewall best practices and standard default firewall configurations help protect network resources from attacks originating outside the enterprise; by default, a null session is established.
(2) Exploiting the Vulnerability
This experiment was carried out on a LAN, with the computer owner's consent, and only for testing purposes. The target system is Windows Server 2003.
First, collect information about the target. We use Nmap, a powerful scanning tool that can detect dangerous vulnerabilities on the target.
We call the Nmap script --script=smb-check-vulns from within Metasploit. Scan parameters: -sS is the stealthy TCP SYN scan (-sT is the TCP connect scan, which gives the most reliable port enumeration), and -A enables advanced OS detection, which probes specific services for deeper banner and fingerprint grabbing and provides us with more information.
The Nmap scan report flagged ms08-067: VULNERABLE. This is a hint that we may be able to compromise the host, so we look up the exploit module for this vulnerability in Metasploit and attempt the attack on the target machine. MS08-067 is highly sensitive to the operating system version, so here we only need to specify the target manually to ensure that the correct overflow code is triggered.
Using the Windows MS08-067 exploit, we set the payload; here a reverse command-line shell is used as the payload. After a successful exploit, this payload makes the target host initiate a connection back to the LHOST IP address. This reverse connection makes it possible to get past inbound-traffic protection on the firewall or to traverse a NAT gateway.
Set the remote target and the local listening IP address; once the attack parameters are configured, run the exploit.
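The reverse connection just described leaves a distinctive trace on the defender's side: the server accepts an inbound SMB connection from a peer and, seconds later, opens an outbound connection back to that same peer, which inbound-only firewall rules never see. The following detection logic is an added example, not code from the original post; the firewall log format, the host addresses and the five-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (sample data, not from the page):
# timestamp, direction relative to the protected host, src, dst, dst port, action
SAMPLE_LOG = """\
2008-11-01 10:00:01 IN 192.168.1.50 192.168.1.10 445 ALLOW
2008-11-01 10:00:03 OUT 192.168.1.10 192.168.1.50 4444 ALLOW
2008-11-01 10:05:00 IN 192.168.1.60 192.168.1.10 445 ALLOW
2008-11-01 10:30:00 OUT 192.168.1.10 192.168.1.60 80 ALLOW
2008-11-01 11:00:00 OUT 192.168.1.10 192.168.1.70 53 ALLOW
"""

LINE_RE = re.compile(r"^(\S+ \S+) (IN|OUT) (\S+) (\S+) (\d+) (\S+)$")

def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, direction, src, dst, dport, action = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "dir": direction, "src": src, "dst": dst,
            "dport": int(dport), "action": action,
        })
    return events

def find_bounce_back(events, window=timedelta(minutes=5)):
    """Flag a protected host that accepted an inbound SMB (445) connection from a
    peer and then opened an outbound connection back to that same peer within
    `window`: the pairing a reverse shell produces. Returns (host, peer, port, ts)."""
    inbound = defaultdict(list)  # (host, peer) -> timestamps of inbound 445 hits
    for e in events:
        if e["dir"] == "IN" and e["dport"] == 445 and e["action"] == "ALLOW":
            inbound[(e["dst"], e["src"])].append(e["ts"])
    alerts = []
    for e in events:
        if e["dir"] != "OUT":
            continue
        for t in inbound.get((e["src"], e["dst"]), []):
            if timedelta(0) <= e["ts"] - t <= window:
                alerts.append((e["src"], e["dst"], e["dport"], e["ts"]))
                break  # one alert per outbound event is enough
    return alerts
```

Running find_bounce_back(parse_log(SAMPLE_LOG)) flags only the 10:00:03 connection back to 192.168.1.50 on port 4444; the later outbound connections fall outside the window or have no preceding SMB contact from that peer.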