20155324 Experiment 5 Basic application of MSF

ms08_067

1. Use the search command to search for modules related to ms08_067, as shown in the figure:

Server Message Block (SMB) is a network file sharing protocol that allows applications and end users to access file resources on a remote file server.

The description says that this is a relative path stack corruption vulnerability in the Microsoft Server service.

The exact mechanism is not clear to me; in any case, it is a vulnerability related to the Server service.

2. Use the info command to view information about exploit/windows/smb/ms08_067_netapi. You can see the types of target host affected by this vulnerability. The selected target is Windows XP SP3 English, as shown in the figure.

NX is a CPU technology used to divide memory regions into those reserved for processor instructions and those reserved for data. Any memory marked with NX is for data only, so the processor cannot execute instructions stored in those regions.

NX technology prevents most buffer overflow attacks.

3. Use the show payloads command to view the available payloads. Select the generic class with a reverse TCP connection.

4. When setting the parameters, a problem occurred: a session could not be established.

First, I checked the network connection and found that the machine was in bridged mode. After changing it to NAT mode, the two hosts could reach each other and the attack succeeded, as shown in the figure:

ms11_050

The search command searches for modules related to ms11_050.


According to the description, ms11_050 is a vulnerability related to CObjectElement in MSHTML.

MSHTML is the name of the layout (rendering) engine of the IE browser. It is a Microsoft COM component that encapsulates all the elements of the HTML language and their attributes; through the standard interfaces it provides, you can access every element of a given web page.

Use the info command to view detailed information.


As shown in the figure, you can see the IE browser versions and corresponding operating systems that can be attacked, as well as the basic options, such as the server address and port.

  • Use the use command to enter the module.

  • Set the payload to windows/meterpreter/reverse_http and view the options with show options.


After many attempts and analysis, I found that SRVHOST and SRVPORT in Module options are the same as LHOST and LPORT in Payload options.

When using the address, port and URI given by SRVHOST and SRVPORT, the connection was still not successful, but the reply was as follows:


When using the address and port given by LHOST and LPORT, there was no success either: the URI could not be found on that port, and only the host could be reached. The reply obtained is as follows:

![image](https://images2018.cnblogs.com/blog/1071233/201804/1071233-20180427193636427-800496387.png)

It can be seen that, in fact, you only need to specify SRVHOST and SRVPORT; the attack works without specifying LHOST and LPORT, because SRVHOST and SRVPORT are automatically passed on to LHOST and LPORT.
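As an added example (not code from the original report), a small Python helper that parses the aligned-text tables Metasploit prints for show options and flags the two configuration mistakes behind the "no session" symptom in this lab: a required option left empty, and a payload callback address (LHOST) that does not match the exploit server address (SRVHOST). The sample output is constructed for this example and its exact column layout is assumed.

```python
import re
from typing import Dict, List
# Constructed sample of `show options` output (column layout assumed, not
# copied from the post): the ms11_050 module plus reverse_http, LHOST unset.
SAMPLE_SHOW_OPTIONS = """\
Module options (exploit/windows/browser/ms11_050_mshtml_cobjectelement):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.1.10     yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.

Payload options (windows/meterpreter/reverse_http):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The local listener hostname
   LPORT  4444             yes       The local listener port
"""
# One option row: name, current setting (possibly empty), yes/no, description.
ROW = re.compile(r"^\s+(\S+)\s+(.*?)\s+(yes|no)(?:\s+.*)?$")


def parse_show_options(text: str) -> Dict[str, Dict[str, dict]]:
    """Return {"module"/"payload": {NAME: {"value": str, "required": bool}}}."""
    sections: Dict[str, Dict[str, dict]] = {}
    current = None
    for line in text.splitlines():
        head = re.match(r"^(Module|Payload) options \(", line)
        if head:  # start of a new option table
            current = head.group(1).lower()
            sections[current] = {}
        elif current and line.strip() and not line.strip().startswith(("Name", "----")):
            m = ROW.match(line)
            if m:
                name, value, req = m.groups()
                sections[current][name] = {"value": value, "required": req == "yes"}
    return sections


def check_listener_options(opts: Dict[str, Dict[str, dict]]) -> List[str]:
    """Flag the misconfigurations behind the 'no session' symptom above."""
    problems = [f"{sec}: required option {name} is empty" for sec, entries in opts.items()
                for name, e in entries.items() if e["required"] and not e["value"]]
    srvhost = opts.get("module", {}).get("SRVHOST", {}).get("value", "")
    lhost = opts.get("payload", {}).get("LHOST", {}).get("value", "")
    if srvhost in ("0.0.0.0", "::"):  # the wildcard default is not a reachable callback address
        problems.append("SRVHOST is a wildcard; set the interface address the target can reach")
    elif lhost and lhost != srvhost:
        problems.append(f"LHOST {lhost} differs from SRVHOST {srvhost}; use the same address")
    return problems
```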

Attack on Adobe Reader

Use the windows/fileformat/adobe_cooltype_sing module. Run show options to view the parameters, and set this machine as the listening host; the default port is 4444 and the default PDF file name is msf. The msf file is generated successfully, as shown in the figure:

Copy msf.pdf to the target machine, then start the local listener module. As soon as the PDF is opened, the target is compromised, as shown in the figure:

An exploit targeting browsers: the MS10_002_aurora exploit

Explain what exploit, payload and encode are in your own words.
  • An exploit is an attack in which an attacker or penetration tester takes advantage of a security vulnerability in a system, application or service; this includes exploiting buffer overflows, web application vulnerabilities and configuration errors. Depending on where the exploited vulnerability is located, exploits are divided into active penetration attacks (attacking a system service) and passive penetration attacks (attacking a client application).
  • Payload: the attack payload is a piece of code or shellcode that the target system executes after it has been penetrated.
  • encode: the encoder ensures that the attack payload contains no "bad characters" that must be avoided during the penetration attack; it also changes the payload's signature (anti-virus evasion processing) so that the payload is not caught by firewalls and intrusion detection systems.

Origin http://43.154.161.224:23101/article/api/json?id=325127639&siteId=291194637