Nmap: port scanning and probing tool, used to discover which ports are open; this lab uses its port-scanning and vulnerability-scanning features
Metasploit: open-source penetration testing framework and general-purpose exploitation tool; this lab uses its exploit modules and the meterpreter component
Brief description of the vulnerability
MS17-010 is a buffer overflow on the large non-paged kernel pool in the kernel-mode function srv!SrvOs2FeaListToNt of Windows SMB v1, triggered while it converts FEA (File Extended Attributes) structures.
Before converting an FEA list into an NTFEA (Windows NT FEA) list, srv!SrvOs2FeaListToNt calls srv!SrvOs2FeaListSizeToNt to compute the size of the converted FEA list; that size is computed incorrectly, which leads to the buffer overflow.
When the NSA toolkit was leaked we already covered how to use the EternalBlue tool: [NSA Hacker Toolkit] Windows 0day Verification Experiment.
However, that tool's environment requirements are strict and its operation is fairly complex. Metasploit has since added this family of tools, and they are much easier to use there. Let's get started.
Open a Kali terminal and scan the target's open ports with Nmap
The target has ports 135, 139, 445 and 3389 open, and its operating system is Windows 7.
We use the scanner module to determine whether the vulnerability is exploitable
Enter in the terminal:
Open the Metasploit command-line client and use the search command to find the modules related to ms17-010
The related modules available are as follows
Select the scanner module we want with the use command
Before running the module, its options have to be set; use show options to view the configuration
The target address has to be set; the command is:
Once set, run run or exploit and wait for the result
The previous step shows that the vulnerability is exploitable; next we bring out the exploit module
Same steps as above: view the configuration and set the options marked yes (required)
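The defect described above is a mismatch between a size-estimating function and the conversion that trusts its result. The following C program is an added example (not code from the page, from Microsoft or from srv.sys) that models that class of bug on a simplified FEA list: one size function accumulates the converted size in a 16-bit variable and so under-reports large lists, while the converter bounds-checks each entry against the destination and refuses to write past it. The 16-bit truncation is a constructed stand-in for "the size is computed incorrectly"; the entry layout (8-byte header, name, NUL, value, 4-byte alignment) follows the general shape of FILE_FULL_EA_INFORMATION but is otherwise an assumption for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified OS/2-style FEA entry (not the real SMB structures). */
struct fea_entry {
    uint8_t name_len;
    uint16_t value_len;
    const char *name;
    const unsigned char *value;
};

/* NT-style entry: 8-byte header + name + NUL + value, padded to 4 bytes. */
#define NT_HEADER 8

static size_t nt_entry_size(const struct fea_entry *e) {
    size_t raw = NT_HEADER + (size_t)e->name_len + 1 + e->value_len;
    return (raw + 3) & ~(size_t)3;
}

/* Correct size calculation: full-width accumulator. */
size_t fea_list_size_to_nt(const struct fea_entry *list, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += nt_entry_size(&list[i]);
    return total;
}

/* Modelled miscalculation: the running total is kept in 16 bits, so any list
   whose converted size exceeds 65535 bytes is reported far too small. A caller
   that allocates this many bytes and then converts blindly overflows the pool. */
size_t fea_list_size_to_nt_buggy(const struct fea_entry *list, size_t n) {
    uint16_t total = 0;
    for (size_t i = 0; i < n; i++) total = (uint16_t)(total + nt_entry_size(&list[i]));
    return total;
}

/* Hardened converter: checks every entry against the remaining destination
   space before writing. Returns 0 on success, -1 if dst is too small; in the
   failure case nothing is ever written beyond dst_size. */
int fea_list_to_nt(const struct fea_entry *list, size_t n,
                   unsigned char *dst, size_t dst_size, size_t *written) {
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t need = nt_entry_size(&list[i]);
        if (need > dst_size - off) return -1;      /* would overflow: refuse */
        unsigned char *p = dst + off;
        memset(p, 0, need);                         /* also supplies NUL and padding */
        uint32_t next = (uint32_t)need;
        memcpy(p, &next, sizeof next);              /* NextEntryOffset */
        p[4] = 0;                                   /* Flags */
        p[5] = list[i].name_len;                    /* EaNameLength */
        uint16_t vl = list[i].value_len;
        memcpy(p + 6, &vl, sizeof vl);              /* EaValueLength */
        memcpy(p + NT_HEADER, list[i].name, list[i].name_len);
        memcpy(p + NT_HEADER + list[i].name_len + 1, list[i].value, list[i].value_len);
        off += need;
    }
    *written = off;
    return 0;
}

/* Constructed sample input: n entries, each named "a" with a 1000-byte value.
   Each converts to 1012 bytes, so 70 entries need 70840 bytes. */
static unsigned char sample_value[1000];

void build_sample_list(struct fea_entry *out, size_t n) {
    memset(sample_value, 'A', sizeof sample_value);
    for (size_t i = 0; i < n; i++) {
        out[i].name_len = 1;
        out[i].value_len = (uint16_t)sizeof sample_value;
        out[i].name = "a";
        out[i].value = sample_value;
    }
}

int main(void) {
    struct fea_entry list[70];
    build_sample_list(list, 70);
    size_t correct = fea_list_size_to_nt(list, 70);
    size_t buggy = fea_list_size_to_nt_buggy(list, 70);
    printf("correct size: %zu, miscalculated size: %zu\n", correct, buggy);

    unsigned char *small = malloc(buggy);
    size_t w = 0;
    printf("convert into %zu bytes: %s\n", buggy,
           fea_list_to_nt(list, 70, small, buggy, &w) == 0 ? "ok" : "rejected");
    free(small);
    return 0;
}
```

The lesson for code review is the one the page's description implies: a size computed by one routine and consumed by another must agree exactly with the bytes the consumer writes, and the consumer should still enforce its own bound so that an estimator bug becomes a rejected request rather than a pool overflow.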
show options
Target host address: 172.16.12.2
set RHOST 172.16.12.2
Next, choose a payload, i.e. the shellcode; here we choose a payload that connects back to a shell on the control host
The payload also needs configuring; show options displays its settings
The local host option (LHOST) is missing from the configuration; set it
After configuration, run exploit or run to execute the exploit module
A session from the target host is obtained
Now that we have a session, we continue with other features of the meterpreter post-exploitation module
Run sysinfo to view information about the target machine
Running help shows which features meterpreter offers
Next we obtain the target's password hashes
Run hashdump
mimikatz is a well-known credential extraction tool. It can extract plaintext passwords, hashes, PINs and Kerberos credentials from Windows system memory, and meterpreter integrates it.
Run load mimikatz to load the tool; its commands are the same as in mimikatz
Run msv to dump the hashes
Then run kerberos to obtain the target's account password
With the target's account password and the Nmap scan results we can log in to the target remotely. In practice, however, a firewall usually blocks inbound requests to port 3389. How do we handle that case?
We can use a port-forwarding tool to forward the port to a port on the visitor's local machine and connect there
Run the command
Here we forward the remote target's port 3389 to port 3389 on our local machine 172.16.11.2
Then we only need to run
to log in to the remote target
In this lab we went through the whole process from discovering a vulnerability, to verifying it, to exploiting it, and learned further uses of Metasploit's post-exploitation module.
By learning MSF through worked examples and repeated practice, you will surely become proficient and fully master this tool.
An overflow vulnerability is a correctable defect in a computer program. Its full name is buffer overflow vulnerability, so called because erroneous code gets executed out of a buffer while the program runs. It is usually caused by programmer oversight. Specifically, an overflow vulnerability arises when one or more input functions in a program (those taking user-supplied parameters) do not strictly validate the bounds of the data they receive. Because of how the stack is used during execution, if the program does not validate and discard the part of the input that exceeds the bounds, the excess overwrites the data stored after the buffer, including saved program pointers; when the preceding code finishes, the program transfers control to the address that pointer now holds. Based on this principle, a malicious user can construct an overflow program.
Source: http://zhidao.baidu.com/question/28345167.html?fr=ala0
Solaris fs.auto Remote Buffer Overflow Vulnerability
Severity: High
Threat level: normal user access privileges
Error type: boundary check error
Exploitation mode: server mode
Affected systems
Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
Sun Microsystems Solaris 2.6 (Sparc/Intel)
Sun Microsystems Solaris 7 (Sparc/Intel)
Sun Microsystems Solaris 8 (Sparc/Intel)
Sun Microsystems Solaris 9 (Sparc)
Sun Microsystems Solaris 9 Update 2 (Intel)
Detailed description
Sun Microsystems' implementation of the "X Window Font Service" is an X Window component that exports font data to all computers on an X Window network; its fs.auto daemon contains a buffer overflow.
A remote attacker can exploit this vulnerability to execute arbitrary code on the system. The Dispatch() routine in the XFS font server fs.auto does not check user-supplied data; a remote attacker can forge a special XFS request to crash the daemon, and arbitrary code execution is also possible, though generally only with 'nobody' privileges.
Test code
None yet
Solution
In /etc/inetd.conf, comment out:
#fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
and restart the inetd process.
Patch download:
http://sunsolve.sun.com
Related information
Advisories
ISS X-Force Security Advisory
November 25, 2002
Solaris fs.auto Remote Compromise Vulnerability
Synopsis:
ISS X-Force has discovered a vulnerability in the Sun Microsystems
implementation of the "X Window Font Service", or "XFS". The XFS service was
designed as a component of the X Windows systems to establish a common
mechanism to export font data to all computers on an X Windows network. A
buffer overflow vulnerability exists within the XFS service (fs.auto).
Impact:
Remote attackers can exploit the buffer overflow vulnerability to run
arbitrary commands on a target system. Attackers must exploit this
vulnerability in conjunction with another attack to gain "root" access,
because the fs.auto service does not run with superuser privilege. The Solaris
operating system is configured to run the fs.auto service by default. It is
bound to a high TCP port, which is normally blocked on perimeter firewalls.
Networks that are not filtering high TCP ports, and internal networks are
potentially at risk.
Affected Versions:
Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
Sun Microsystems Solaris 2.6 (Sparc/Intel)
Sun Microsystems Solaris 7 (Sparc/Intel)
Sun Microsystems Solaris 8 (Sparc/Intel)
Sun Microsystems Solaris 9 (Sparc)
Sun Microsystems Solaris 9 Update 2 (Intel)
Description:
The XFS protocol is used by computers on an X Windows network to share font
information. The X Windows system implemented an extensive and scalable font
capability. This capability requires that all X Windows clients and servers
have a mechanism to access font data, which may be distributed throughout an
X Windows network.
Solaris implemented the XFS font server in the daemon, fs.auto. A flaw exists
within the fs.auto Dispatch() routine. Adequate bounds-checking is not
conducted on user-supplied data within the vulnerable function. This flaw can
allow remote attackers to formulate a specific XFS query to either crash the
service, or execute arbitrary code under the privilege of the "nobody" user.
This privilege level is similar to that of any normal user.
Recommendations:
The following ISS updates and product releases address the issues described
in this advisory. These updates are available from the ISS Download Center
(http://www.iss.net/download):
RealSecure Network Sensor XPU 20.7
Internet Scanner XPU 6.22
X-Force recommends that administrators disable the fs.auto service unless it
is explicitly required. Administrators can disable fs.auto by editing the
inetd configuration file (/etc/inetd.conf) and then restart the inetd process
by following the steps below:
1. Comment out the line corresponding to fs.auto. It should read:
#fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
2. Restart the inetd process
# ps -ef | grep inetd
root 138 1 0 Oct 15 ? 0:00 /usr/sbin/inetd -s
# kill -HUP 138
Administrators should inspect their network perimeters to insure that strong
packet filtering rules are in place. The XFS protocol uses TCP port 7100.
This port should be blocked on all network perimeters.
Vendor Notification Schedule:
Vendor confirmed patches would be available on 11/25/2002, and has since
rescheduled the patch release after the publication of this advisory.
Please contact Sun for more information.
Initial vendor notification: 10/16/2002
Initial vendor confirmation: 10/17/2002
Final release schedule agreement: 11/18/2002
Additional Information:
SunSolve Online
http://sunsolve.sun.com
X-Force Database
http://www.iss.net/security_center/static/10375.php
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2002-1317 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
Credit:
This vulnerability was discovered and researched by Neel Mehta of the ISS
X-Force.
______
About Internet Security Systems (ISS) Founded in 1994, Internet Security
Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software
and services that protect critical online resources from an ever-
changing spectrum of threats and misuse. Internet Security Systems is
headquartered in Atlanta, GA, with additional operations throughout the
Americas, Asia, Australia, Europe and the Middle East.
Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email xforce@iss.net for
permission.
Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.
X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.