tags: System Vulnerabilities windows microsoft security breach
The MS08-067 vulnerability will affect all Windows systems except Windows Server 2008 Core, including: various versions of Windows 2000/XP/Server 2003/Vista/Server 2008, and even Windows 7 Pro-Beta in the testing phase.
Description: Microsoft Security Bulletin KB958644
Impact of the vulnerability: A vulnerability in the Server service could allow remote code execution
Release date: 2008/10/22
Download Size: Varies by OS.
Affected Operating Systems: Windows 2000;XP;Server 2003;Vista;Server 2008;7 Beta
Summary
This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if a user received a specially crafted RPC request on an affected system. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability to run arbitrary code without being authenticated. This vulnerability could be used for worm attacks. Firewall best practices and standard default firewall configurations help protect network resources from attacks originating from outside the enterprise. You can help protect your computer from harm by installing this update from Microsoft. After installation, you may have to restart your computer.
Severity level: Windows 2000; XP; Server 2003 is critical, Windows Vista; Server 2008; 7 Beta is important.
KB958644:
The biggest security hole in 2008 (KB958644), affecting almost all mainstream Windows operating systems. Hackers can use this vulnerability to launch large-scale remote attacks.
On the afternoon of October 24, 2008, it was reported that various operating systems of Microsoft exposed the biggest security hole in 2008 (KB958644), affecting almost all mainstream operating systems including Windows XP SP3, Windows 2000, Windows Server 2003, and Windows Vista. Hackers can use this vulnerability to launch large-scale remote attacks, and the actual effect can be similar to viruses such as "Shockwave" and "Sasser".
According to security experts, although Microsoft has released a patch for this vulnerability, due to the impact of the "black screen" event, many users have turned off the system's automatic patch update function, which is likely to cause serious harm.
Security experts said that the vulnerability exists in the RPC module of the operating system. If the user's computer receives a specially crafted RPC request, the attacker can bypass the system's authentication and run arbitrary code remotely. The "Shockwave" and "Sasser" viruses used the same RPC vulnerability at the beginning, so this vulnerability is likely to cause similar large-scale worm attacks.
Experts suggest that for individual users, it is best to patch all the computers to prevent such worm attacks; corporate users should make corresponding preventive configurations on their servers and firewalls to avoid the impact of this vulnerability. own normal work.
The error "Generic Host Process for Win32 Services has encountered a problem and needs to be closed" may appear several times after booting;
During the running of the system, "svchost.exe application error 0x7ffa0eb8 instruction refers to 0x7ffa0eb8 memory. This memory cannot be written."
If users in the local area network have "multiple times "Generic Host Process for Win32 Services has encountered a problem and needs to be closed" error", it is very likely that they will not be able to enter the intranet server, and the network domain behind the complete computer name The suffix will also disappear.
The security of the Windows operating system is once again severely challenged! In the early morning of October 24, 2008, Microsoft urgently released an important security update (KB958644), involving most versions of desktop operating systems such as Windows 2000/XP/Vista. Its degree of harm is not inferior to the "Shock Wave" virus that affected more than 80% of Windows users back then.
Microsoft announced that hackers can use this vulnerability to send remote specially crafted RPC requests to computers on the network, and execute remote code arbitrarily on the computers without authentication. This means that even if your computer is set with an administrator password, it is only at the mercy of hackers.
A worm virus (Win32/MS08067.gen!A) exploiting this vulnerability has appeared on the Internet. According to the analysis of security experts, the harm of this vulnerability is extremely serious. Hackers can launch attacks at will based on the IP address. It can pop up advertisements at will, steal user accounts, and can also control the machine to attack other users, so that the destructive power continues to amplify. Once a LAN user is infected, the virus will spread rapidly.
It is reported that this is the first time in the past year and a half that Microsoft has broken the practice of regular monthly security bulletins and released updates. The only solution is to patch the system with KB958644.
Next, we started to use this vulnerability for local testing
First prepare the target machine and exploit tools
What I am using here is the target system of windowsXP and the penetration testing system of kalilinux
We want both of their machines to be in the same network segment
ip address of kalilinux

ip address of windowsXP

After the preparations are ready, you can start testing the vulnerability
First, we open the kalilinux command window and type msfconsole to enter the msf penetration testing framework
If it is the first time to open msf, you need to execute the msfdb start command to initialize msf

Here I am the 2021 version of kali, and the version of the msf framework is 6.
exploits (exploitation module), auxiliary (auxiliary module), post (post penetration attack module), payloads (attack load), encoders (encoder module), nops (empty instruction module), evasion (kill-free module)
After a brief understanding of msf, we began to conduct penetration attacks on the windowsXP system
Let's search for the vulnerability exp of ms08-067

We choose this exploit code module
Then we use the info command to see his detailed information

info This command can see detailed information about this vulnerability
Let's set his ip address and payload information


After setting, it can be executed. Note here that in the msf6 version, the vulnerability can be directly executed for remote code execution, but in the version before msf6 (not including the msf6 version), you need to set the payload by yourself

After setting, you can start to execute exp

The rebound is successful, and you can enter the other party's system by typing shell
Vulnerabilities exploited successfully, directly into the opponent's windowsXP system
Well, this is the end of this explanation, friends who like it, please like, collect and follow me. the
#windowsxpsp3 system MS08-067 vulnerability test Vulnerability description The full name of the MS08-067 vulnerability is "Windows Server Service RPC Request Buffer Overflow Vulnerability". ...
lab environment kali linux2.0 win-xp sp3 Steps 1. Execute in the Kali Linux command line 2. Query MS08067 Vulnerability 3. Using Exploit / Windows / SMB / MS08_067_Netapi and view Options 4. Using Pay...
ms08-067 introduction The MS08-067 vulnerability will affect all Windows systems except Windows Server 2008 Core, including: Windows 2000/XP/Server 2003/Vista/Server 2008 versions, and even Windows 7 ...
MS08-067 Remote Overflow Vulnerability Brief description of the vulnerability principle The attacker uses the default open SMB service port 445 of the victim host to send a special RPC (Remote ...
1. Find ms08-067: 2. Use: 3. Select the payload: (At the beginning, there is a difference between windows / shell / ... and windows / meterpreter / reverse_tpc) 4. View options (yes is required): 5. E...
0x01 experimental environment Attack machine: kali linux ip:10.10.10.131 Target machine: windows server 2003 ip:10.10.10.130 0x02 configure exploit msf > use exploit/windows/smb/ms08_067_netapi&nbs...
Put the previous experiments and written in the note in the cloud, put it on the CSDN First, an experimental environment Target: Windows XP SP3 Professional (Close Windows self-contained firewall!!!) ...
MS08-067 Vulnerability: It is a vulnerability in a remote process call (RPC) service. When calling the NetPathCanonicalize function in the SMB channel, the vulnerability is triggered, causing the use ...
Articles directory Foreword Introduction Second, influence Third, vulnerability harm Fourth, local reproduction Five, patch number 6. Windows Server 2003 SP2 Chinese version Utilization method 7. Deep...
nmap scanning system for vulnerabilities, scanning system information nmap --script = vuln 192.168.64.137 Check for common vulnerabilities nmap -O detection system version Start msfconsole, search for...