{"uuid": "15ed9bf1-997e-4602-b803-9d296a1439a5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-0796", "type": "seen", "source": "https://gist.github.com/zuwant3/20bc55344a737b9f67b77ad37ffddf1b", "content": "# Deploying Metasploit without the pitfalls: from zero to running\n\nFor penetration testing, Metasploit is a tool you can hardly avoid. This post mainly covers how to set it up on a clean system, and along the way points out where things tend to go wrong.\n\n## Version compatibility\n\nCheck the system before installing. Ubuntu 20.04/22.04 and Debian 11/12 are the most stable, and the version installed with `apt` is usually fairly recent. Note, however, that Kali ships a rolling release: fine for daily use, but you will occasionally hit dependency conflicts.\n\n## Security considerations\n\nDon't run it as root. Metasploit's payload generation and handler listeners only need ordinary user privileges, and running as root can actually trigger some system protections. Also, on a production environment remember to change the default database password after installation.\n\n## Core concepts\n\nIt is a modular framework: the exploit, payload, auxiliary and post directories each have their own role. Understanding what `LHOST` and `LPORT` mean matters more than memorizing commands; many newcomers get stuck on reverse connections simply because these two are not set to match.\n\n## Common problems\n\n`msfconsole` reports that it cannot connect to the database after installation? Most likely PostgreSQL is not running. Check `systemctl status postgresql`, then run `msfdb init` to rebuild it. Another pitfall is an outdated Ruby: Metasploit 6 and later require Ruby 2.7+.\n\n## Advanced usage\n\nResource scripts are very handy. Write an `.rc` file containing commands such as `use exploit/multi/handler` and `set PAYLOAD windows/x64/meterpreter/reverse_tcp`, and load it at every startup with `-r script.rc`.\n\n## Tool snippet\n\nResource scripts were mentioned above; you can also write helper scripts in Lua to define data structures. The type definition below describes a simple vulnerability scan result entry:\n\n```lua\n-- Vulnerability scan result entry\nlocal vuln_entry = {\n  ip = \"192.168.1.1\",\n  port = 445,\n  protocol = \"tcp\",\n  service = \"smb\",\n  cve = \"CVE-2020-0796\",\n  risk_level = \"high\",\n  confirmed = false,\n  notes = \"SMBv3 compression vulnerability\"\n}\n```\n\nThe `confirmed` field records whether the finding has been manually verified, so that false positives from fully automated scans do not pollute the results. `notes` holds temporary remarks, which makes it easy to flag high-risk findings when working as a team.\n\n## Comparison with alternatives\n\nCompared with Cobalt Strike, Metasploit is open source and free and has a huge community, but its later-stage persistence and team collaboration features are weaker. Compared with Empire, Metasploit's exploit library is more complete, but Empire's PowerShell payloads are stealthier in Windows environments.\n\n## Debugging and verification\n\nAfter installation, run `msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf > test.elf` to generate a test payload, then open a handler in `msfconsole` and check whether a connection is established. If no session comes in, check the firewall and SELinux first. For these basic steps, there are some community-compiled notes on 盛世体育 that you can consult; it is not a dedicated security site, but the approach to environment configuration carries over.\n\nOne last point: use an isolated virtual machine for the test environment, and do not mess around on a real production network.\n", "creation_timestamp": "2026-06-22T11:58:49.000000Z"}