ms17-010 vulnerability reproduction, for study and exchange only (32-bit systems)
I. Vulnerability principle
1. Introduction
- EternalBlue is a vulnerability in the SMB service that is attacked by a tool in the Equation Group's exploitation framework; it allows an attacker to execute arbitrary code on the target system.
- Note on the role of the SMB service: it builds a bridge between Windows and Unix-family operating systems so that the two can share resources with each other. SMB service explained in detail: click to view
2. The vulnerability principle explained from the code
The following two articles analyse the vulnerability principle in detail from the actual code:
- http://blogs.360.cn/post/nsa-eternalblue-smb.html#toc-772
- https://blog.csdn.net/qq_27446553/article/details/73480807
II. Reproducing the vulnerability
1. Target information gathering
- Using a Python script
Write your own Python port-scanning script and scan port 445 to collect targets.
Here I recommend the multithreaded port-scanning script that I casually use myself:
import socket
import threading
import queue

class PortScan(threading.Thread):
    def __init__(self, que, port_runner):
        threading.Thread.__init__(self)
        self.port_runner = port_runner
        self.que = que

    def scan_thread(self, Ip_Port):
        ip, port = Ip_Port.split(":")
        # A plain TCP connect with a timeout replaces the original telnetlib.Telnet().open():
        # telnetlib was removed in Python 3.13, and without a timeout a filtered port
        # would hang the thread indefinitely.
        try:
            server = socket.create_connection((ip, int(port)), timeout=3)
        except OSError:
            return  # closed, filtered or unreachable: stay silent, as in the original
        with self.port_runner.port_threadLock:  # serialise output between threads
            print(Ip_Port)
        server.close()

    def run(self):
        while True:
            try:
                ip = self.que.get_nowait()  # take one ip:port entry from the queue
            except queue.Empty:
                return  # get_nowait() avoids blocking when another thread took the last entry
            self.scan_thread(ip)

class ThreadClass():
    def run(self):
        ports = input("请输入端口号:")
        port_thread_count = int(input("请输入线程数:"))
        port_threads = []
        self.port_threadLock = threading.Lock()
        port_Queue = queue.Queue()
        # Fill the queue with every ip:port pair in 192.168.0.0/16 (hosts .1 to .254)
        for x in range(1, 255):
            for y in range(1, 255):
                host = "192.168.{}.{}".format(x, y)
                port_Queue.put(host + ":" + ports)
        for i in range(port_thread_count):
            port_threads.append(PortScan(que=port_Queue, port_runner=self))
        print('[*]Starting port_scan thread...')
        for i in range(port_thread_count):
            port_threads[i].start()
        for i in range(port_thread_count):
            port_threads[i].join()
        print("port_scan_test end of run")

if __name__ == '__main__':
    scan = ThreadClass()
    scan.run()
- Scanning with nmap
nmap can also be run from inside msf to gather information, for example:
Scanning service versions:
msf5 auxiliary(scanner/smb/smb_ms17_010) > nmap -sV 192.168.242.133
[*] exec: nmap -sV 192.168.242.133
Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-12 18:23 CST
Nmap scan report for 192.168.242.133
Host is up (0.00042s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 00:0C:29:03:4D:C3 (VMware)
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.83 seconds
If the scan turns up a service that may be vulnerable, you can search for that service to see which attack modules are available.
From the information gathered here, port 445 on the target host is open, so ms17-010 (EternalBlue) can be tried against it.
- Using an nmap script to check whether the ms17-010 vulnerability is present
nmap --script=vuln targetip
C:\Users\admin\Desktop>nmap --script=vuln 192.168.242.133
Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-12 17:22 中国标准时间
Nmap scan report for 192.168.242.133
Host is up (0.0028s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:03:4D:C3 (VMware)
Host script results:
|_samba-vuln-c
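The scans above produce nmap's normal output by hand; on a real network a defender wants that output turned into a patch list. The following parser is an added example, not code from the original post: it reads nmap normal output (the port table plus the "Host script results:" block of the smb-vuln-ms17-010 NSE script) and lists hosts that expose 445/tcp and report "State: VULNERABLE". The sample output is constructed for the example, modelled on the scans shown on the page.

```python
import re

# Constructed sample (nmap normal output plus smb-vuln-ms17-010 NSE script output), two hosts.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.242.133
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    Risk factor: HIGH
Nmap scan report for 192.168.242.140
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
|_smb-vuln-ms17-010: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|[ _](\S+?):")   # "| name:" or "|_name:" opens a script block
STATE_RE = re.compile(r"^\|\s+State:\s+(\S+)")

def parse_nmap_output(text):
    """Return {addr: {"open": {port: service}, "scripts": {script_name: state}}}."""
    hosts, cur, script = {}, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = hosts.setdefault(m.group(1), {"open": {}, "scripts": {}})
            script = None
        elif cur is None:
            continue
        elif (m := PORT_RE.match(line)) and m.group(3) == "open":
            cur["open"][int(m.group(1))] = m.group(4)
        elif m := SCRIPT_RE.match(line):
            script = m.group(1)           # following "State:" lines belong to this script
        elif (m := STATE_RE.match(line)) and script:
            cur["scripts"][script] = m.group(1)
    return hosts

def hosts_needing_patch(hosts):
    """Hosts exposing 445/tcp whose MS17-010 check reports State: VULNERABLE."""
    return sorted(a for a, h in hosts.items()
                  if 445 in h["open"] and h["scripts"].get("smb-vuln-ms17-010") == "VULNERABLE")

if __name__ == "__main__":
    for addr in hosts_needing_patch(parse_nmap_output(SAMPLE_NMAP_OUTPUT)):
        print("apply MS17-010 patch / disable SMBv1:", addr)
```

A host whose script block has no "State:" line (the second host, where the check could not complete) is left off the list rather than guessed at, so it should be re-scanned instead of ignored.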