目录
使用exploit-db搜索特定平台漏洞的使用方法
在渗透测试和黑客攻击时,往往是先对目标进行指纹识别,然后针对识别结果是哪种平台进行有针对性的攻击渗透。
可以在搜索引擎中搜索解决方案,但往往是太过零散也不容易找到。也可以通过在线的exploit-db.com上搜索特定平台的漏洞使用方法。
其实在kali系统中已经包含了离线的漏洞数据库,它的存储位置是/usr/share/exploitdb/platforms目录中
[root@kalibook 09:48:51 ~]# ls /usr/share/exploitdb/platforms/
aix bsd freebsd immunix linux minix openbsd php sh4 ultrix xml
android bsdi_x86 freebsd_x86 ios linux_mips mips openbsd_x86 plan9 solaris unix
arm bsd_ppc freebsd_x86-64 irix linux_ppc multiple osx python solaris_sparc unixware
asp bsd_x86 generator java linux_sparc netbsd_x86 osx_ppc qnx solaris_x86 win32
atheos cfm hardware jsp lin_x86 netware palm_os sco system_z win64
beos cgi hp-ux lin_amd64 lin_x86-64 novell perl sco_x86 tru64 windows
如何在此目录下的众多文件中找到相应漏洞,这里可以使用kali提供的searchsploit命令
# 搜索windows平台下smb漏洞
[root@kalibook 09:52:26 ~]# searchsploit windows smb
----------------------------------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
----------------------------------------------------------------------------------------------- ----------------------------------
Microsoft Windows SMB - Authentication Remote Exploit | ./windows/remote/20.txt
Microsoft Windows - (SMB) Transaction Response Handling Exploit (MS05-011) | ./windows/dos/1065.c
Microsoft Windows 2000/XP - (Mrxsmb.sys) Privilege Escalation PoC (MS06-030) | ./windows/local/1911.c
Microsoft Windows - WRITE_ANDX SMB command handling Kernel DoS (meta) | ./windows/dos/6463.rb
SmbRelay3 NTLM Replay Attack Tool/Exploit (MS08-068) | ./windows/remote/7125.txt
VideoLAN VLC Media Player 0.9.9 smb:// URI Stack BoF PoC | ./windows/dos/9029.rb
VLC Media Player 0.8.6f smb:// URI Handling Remote BoF Exploit | ./windows/remote/9303.c
VLC Media Player 0.8.6f smb:// URI Handling Remote BoF Exploit (univ) | ./windows/remote/9318.py
VLC Media Player 1.0.0/1.0.1 smb:// URI Handling BoF PoC | ./windows/dos/9427.py
Windows Vista/7 SMB2.0 Negotiate Protocol Request Remote BSOD Vuln | ./windows/dos/9594.txt
VLC Media Player 1.0.2 smb:// URI Stack Overflow PoC | ./windows/remote/9816.py
VLC Media Player 1.0.3 smb:// URI Handling Remote Stack Overflow PoC | ./windows/dos/10333.py
Windows - SMB Client-Side Bug Proof of Concept (MS10-006) | ./windows/dos/12258.py
Windows 7/2008R2 SMB Client Trans2 - Stack Overflow 10-020 PoC | ./windows/dos/12273.py
Windows SMB2 Negotiate Protocol (0x72) Response DoS | ./windows/dos/12524.py
Microsoft SMB Server Trans2 Zero Size Pool Alloc (MS10-054) | ./windows/dos/14607.py
Microsoft Windows - SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050) | ./windows/remote/14674.txt
VLC Media Player < 1.1.4 - (.xspf) smb:// URI Handling Remote Stack Overflow PoC | ./windows/dos/14892.py
Microsoft Windows SMB Relay Code Execution | ./windows/remote/16360.rb
Microsoft Windows SRV2.SYS SMB Negotiate ProcessID Function Table Dereference | ./windows/remote/16363.rb
Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB) | ./windows/remote/16366.rb
VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow | ./windows/local/16678.rb
Microsoft Windows NT <= 4.0 SP5_Terminal Server 4.0 - _Pass the Hash_ with Modified SMB Client | ./windows/remote/19197.txt
Microsoft Windows 95/WfW smbclient Directory Traversal Vulnerability | ./windows/remote/20371.txt
Microsoft Windows 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (1) | ./windows/dos/21746.c
Microsoft Windows 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (2) | ./windows/dos/21747.txt
Microsoft SMB Driver Local Denial of Service Vulnerability | ./windows/dos/28001.c
----------------------------------------------------------------------------------------------- ----------------------------------
在searchsploit的结果列表中,找到漏洞使用描述文件,查看使用方法cat /usr/share/exploitdb/platforms/windows/dos/21747.txt
source: //www.securityfocus.com/bid/5556/info
Microsoft Windows operating systems use the Server Message Block (SMB) protocol to support services such as file and printer sharing. A buffer overflow vulnerability has been reporting in the handling of some malformed SMB requests.
An attacker may send a malformed SMB request packet in order to exploit this condition. It has been reported possible to corrupt heap memory, leading to a crash of the underlying system.
It may prove possible to exploit this vulnerability to execute arbitrary code and gain local access to the vulnerable system. This possibility has not, however, been confirmed.
Reportedly, this vulnerability may be exploited both as an authenticated user, and with anonymous access to the service.
It has been reported, by "Fabio Pietrosanti \(naif\)" <[email protected]>, that disabling the NetBIOS Null Session will prevent exploitation of this vulnerablity.
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/21747.zip
版权所有,本作品采用知识共享署名-非商业性使用 3.0 未本地化版本许可协议进行许可。转载请注明出处:https://www.wangjun.dev//2016/05/exploit-db-use/