
How to use exploit-db to find exploits for a specific platform

During a penetration test or an attack, the usual first step is to fingerprint the target, then carry out attacks tailored to whichever platform the fingerprinting identified.

You can search for solutions with a search engine, but the results are often too scattered and hard to find. You can also search the online database at exploit-db.com for usage instructions of exploits for a specific platform.

In fact, the Kali system already ships with an offline copy of the exploit database, stored under the /usr/share/exploitdb/platforms directory:

[root@kalibook 09:48:51 ~]# ls /usr/share/exploitdb/platforms/
aix      bsd       freebsd         immunix    linux        minix       openbsd      php      sh4            ultrix    xml
android  bsdi_x86  freebsd_x86     ios        linux_mips   mips        openbsd_x86  plan9    solaris        unix
arm      bsd_ppc   freebsd_x86-64  irix       linux_ppc    multiple    osx          python   solaris_sparc  unixware
asp      bsd_x86   generator       java       linux_sparc  netbsd_x86  osx_ppc      qnx      solaris_x86    win32
atheos   cfm       hardware        jsp        lin_x86      netware     palm_os      sco      system_z       win64
beos     cgi       hp-ux           lin_amd64  lin_x86-64   novell      perl         sco_x86  tru64          windows

To find the relevant exploit among the many files in this directory, use the searchsploit command that Kali provides:

# search for smb exploits on the windows platform
[root@kalibook 09:52:26 ~]# searchsploit windows smb
----------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                 |  Path
                                                                                               | (/usr/share/exploitdb/platforms)
----------------------------------------------------------------------------------------------- ----------------------------------
Microsoft Windows SMB - Authentication Remote Exploit                                          | ./windows/remote/20.txt
Microsoft Windows - (SMB) Transaction Response Handling Exploit (MS05-011)                     | ./windows/dos/1065.c
Microsoft Windows 2000/XP - (Mrxsmb.sys) Privilege Escalation PoC (MS06-030)                   | ./windows/local/1911.c
Microsoft Windows - WRITE_ANDX SMB command handling Kernel DoS (meta)                          | ./windows/dos/6463.rb
SmbRelay3 NTLM Replay Attack Tool/Exploit (MS08-068)                                           | ./windows/remote/7125.txt
VideoLAN VLC Media Player 0.9.9 smb:// URI Stack BoF PoC                                       | ./windows/dos/9029.rb
VLC Media Player 0.8.6f smb:// URI Handling Remote BoF Exploit                                 | ./windows/remote/9303.c
VLC Media Player 0.8.6f smb:// URI Handling Remote BoF Exploit (univ)                          | ./windows/remote/9318.py
VLC Media Player 1.0.0/1.0.1 smb:// URI Handling BoF PoC                                       | ./windows/dos/9427.py
Windows Vista/7 SMB2.0 Negotiate Protocol Request Remote BSOD Vuln                             | ./windows/dos/9594.txt
VLC Media Player 1.0.2 smb:// URI Stack Overflow PoC                                           | ./windows/remote/9816.py
VLC Media Player 1.0.3 smb:// URI Handling Remote Stack Overflow PoC                           | ./windows/dos/10333.py
Windows - SMB Client-Side Bug Proof of Concept (MS10-006)                                      | ./windows/dos/12258.py
Windows 7/2008R2 SMB Client Trans2 - Stack Overflow 10-020 PoC                                 | ./windows/dos/12273.py
Windows SMB2 Negotiate Protocol (0x72) Response DoS                                            | ./windows/dos/12524.py
Microsoft SMB Server Trans2 Zero Size Pool Alloc (MS10-054)                                    | ./windows/dos/14607.py
Microsoft Windows - SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050)     | ./windows/remote/14674.txt
VLC Media Player < 1.1.4 - (.xspf) smb:// URI Handling Remote Stack Overflow PoC               | ./windows/dos/14892.py
Microsoft Windows SMB Relay Code Execution                                                     | ./windows/remote/16360.rb
Microsoft Windows SRV2.SYS SMB Negotiate ProcessID Function Table Dereference                  | ./windows/remote/16363.rb
Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)                                   | ./windows/remote/16366.rb
VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow                                         | ./windows/local/16678.rb
Microsoft Windows NT <= 4.0 SP5_Terminal Server 4.0 - _Pass the Hash_ with Modified SMB Client | ./windows/remote/19197.txt
Microsoft Windows 95/WfW smbclient Directory Traversal Vulnerability                           | ./windows/remote/20371.txt
Microsoft Windows 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (1)        | ./windows/dos/21746.c
Microsoft Windows 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (2)        | ./windows/dos/21747.txt
Microsoft SMB Driver Local Denial of Service Vulnerability                                     | ./windows/dos/28001.c
----------------------------------------------------------------------------------------------- ----------------------------------

In the searchsploit result list, locate the file that describes the exploit and view its usage instructions: cat /usr/share/exploitdb/platforms/windows/dos/21747.txt

source: //www.securityfocus.com/bid/5556/info

Microsoft Windows operating systems use the Server Message Block (SMB) protocol to support services such as file and printer sharing. A buffer overflow vulnerability has been reported in the handling of some malformed SMB requests.

An attacker may send a malformed SMB request packet in order to exploit this condition. It has been reported possible to corrupt heap memory, leading to a crash of the underlying system.

It may prove possible to exploit this vulnerability to execute arbitrary code and gain local access to the vulnerable system. This possibility has not, however, been confirmed.

Reportedly, this vulnerability may be exploited both as an authenticated user, and with anonymous access to the service.

It has been reported, by "Fabio Pietrosanti \(naif\)" <[email protected]>, that disabling the NetBIOS Null Session will prevent exploitation of this vulnerability.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/21747.zip
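As an added example (not part of the original post), the shell helper below triages searchsploit output of the kind shown above from a defender's side: it counts rows per exploit class (the second path component: dos, local, remote) and lists the Microsoft bulletin IDs mentioned in the titles so patch status can be checked. The sample rows are constructed from the table above, not taken from a live run.

```shell
#!/bin/sh
# Constructed sample: rows in the searchsploit table layout shown above
# (Title | ./platform/class/id.ext); not a live searchsploit run.
SAMPLE='Microsoft Windows - (SMB) Transaction Response Handling Exploit (MS05-011) | ./windows/dos/1065.c
Microsoft Windows 2000/XP - (Mrxsmb.sys) Privilege Escalation PoC (MS06-030) | ./windows/local/1911.c
SmbRelay3 NTLM Replay Attack Tool/Exploit (MS08-068) | ./windows/remote/7125.txt
Microsoft SMB Server Trans2 Zero Size Pool Alloc (MS10-054) | ./windows/dos/14607.py
Microsoft Windows - SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050) | ./windows/remote/14674.txt
Microsoft SMB Driver Local Denial of Service Vulnerability | ./windows/dos/28001.c'

# Count rows (read from stdin) whose path class matches $1.
# The path is the field after "|"; its 2nd directory component is the class.
count_class() {
    awk -F'|' -v cls="$1" '
        NF >= 2 {
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            split($2, p, "/")      # p[1]="." p[2]=platform p[3]=class
            if (p[3] == cls) n++
        }
        END { print n + 0 }'
}

# Extract Microsoft bulletin IDs (MSyy-nnn) from stdin, deduplicated,
# sorted and joined with spaces; exit status is that of the final sed.
bulletins() {
    grep -o 'MS[0-9][0-9]-[0-9][0-9][0-9]' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# One triage line per class: class, row count, bulletins to verify.
summarize() {
    for cls in remote local dos; do
        n=$(printf '%s\n' "$SAMPLE" | count_class "$cls")
        ids=$(printf '%s\n' "$SAMPLE" | grep "/$cls/" | bulletins)
        printf '%-6s %d  %s\n' "$cls" "$n" "$ids"
    done
}

summarize
```

To use it on real output, replace SAMPLE with the rows from `searchsploit windows smb`; header and separator rows are ignored because their path field has no class component.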
All rights reserved. This work is licensed under the Creative Commons Attribution-NonCommercial 3.0 Unported License. Please cite the source when reposting: https://www.wangjun.dev//2016/05/exploit-db-use/
